Analysis of a Kubernetes Hack

8 points by jc_sec about 7 years ago

2 comments

terom about 7 years ago

kubeadm seems to configure the kubelet with `--authorization-mode=Webhook`, which prevents the use of the exec API by unauthenticated users:

    $ curl -vk -X POST https://...:10250/exec/test
    ...
    < HTTP/1.1 403 Forbidden
    ...
    Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)

OTOH some endpoints on the `--read-only-port=10255` API are completely open for unauthenticated requests... that leaks all the pod metadata/spec/status information:

    $ curl http://...:10255/pods
    {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"kube-proxy-knfqg","generateName":"kube-proxy-","namespace":"kube-system", ...}

Not what I expected, and the `--authorization-mode=AlwaysAllow` default seems like a very bad idea :/
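As an added example (not part of the thread, and not code from Kubernetes or kubeadm), the following script audits a kubelet's effective settings for the three weaknesses the comment above touches on: `--authorization-mode=AlwaysAllow`, anonymous authentication left on, and a non-zero `--read-only-port`. It reads either a kubelet command line or a `KubeletConfiguration` document (the flag names and the `authentication.anonymous.enabled`, `authorization.mode` and `readOnlyPort` fields are the real kubelet names; the sample command line and config dict are constructed for illustration), applies the historical kubelet defaults where neither source sets a value, and reports each finding beside the corrected setting.

```python
"""Audit kubelet settings for unauthenticated-access weaknesses.

Added example, not the page's or the Kubernetes project's code. The flag and
KubeletConfiguration names are real; sample inputs below are constructed.
"""
import shlex
from dataclasses import dataclass
from typing import Any, Dict, List

# Historical kubelet flag defaults (the ones the commenter ran into): anonymous
# auth on, AlwaysAllow authorization, read-only port served on 10255.
KUBELET_DEFAULTS = {
    "anonymous-auth": "true",
    "authorization-mode": "AlwaysAllow",
    "read-only-port": "10255",
}

# Corrected values: deny anonymous callers, delegate authorization to the API
# server via SubjectAccessReview, and disable the unauthenticated port.
HARDENED = {
    "anonymous-auth": "false",
    "authorization-mode": "Webhook",
    "read-only-port": "0",
}


@dataclass
class Finding:
    setting: str
    value: str
    risk: str
    fix: str


def parse_kubelet_flags(cmdline: str) -> Dict[str, str]:
    """Turn a kubelet command line into {flag: value}; accepts --k=v and --k v."""
    flags: Dict[str, str] = {}
    tokens = shlex.split(cmdline)
    i = 1  # skip the executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok[2:].split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, val = tok[2:], tokens[i + 1]
                i += 1
            else:
                key, val = tok[2:], "true"  # bare boolean flag
            flags[key] = val
        i += 1
    return flags


def settings_from_config(config: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the relevant KubeletConfiguration fields into flag-style keys."""
    out: Dict[str, str] = {}
    anon = config.get("authentication", {}).get("anonymous", {})
    if "enabled" in anon:
        out["anonymous-auth"] = str(anon["enabled"]).lower()
    if "mode" in config.get("authorization", {}):
        out["authorization-mode"] = config["authorization"]["mode"]
    if "readOnlyPort" in config:
        out["read-only-port"] = str(config["readOnlyPort"])
    return out


def effective_settings(flags: Dict[str, str], config: Dict[str, Any]) -> Dict[str, str]:
    """Defaults, overridden by the config file, overridden by command-line flags
    (command-line flags take precedence over the config file in the kubelet)."""
    merged = dict(KUBELET_DEFAULTS)
    merged.update(settings_from_config(config))
    merged.update({k: v for k, v in flags.items() if k in KUBELET_DEFAULTS})
    return merged


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Return one Finding per weak setting; an empty list means nothing to fix."""
    findings: List[Finding] = []
    if settings["authorization-mode"] == "AlwaysAllow":
        findings.append(Finding("authorization-mode", "AlwaysAllow",
                                "every request reaching 10250 is authorized, exec included",
                                "authorization-mode=Webhook"))
    if settings["anonymous-auth"] == "true":
        findings.append(Finding("anonymous-auth", "true",
                                "unauthenticated requests are accepted as system:anonymous",
                                "anonymous-auth=false"))
    if settings["read-only-port"] != "0":
        findings.append(Finding("read-only-port", settings["read-only-port"],
                                "/pods serves pod spec and status with no authentication",
                                "read-only-port=0"))
    return findings


def harden(settings: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the settings with the corrected values applied."""
    fixed = dict(settings)
    fixed.update(HARDENED)
    return fixed


# Constructed sample: a kubelet started with only the defaults plus a kubeconfig.
WEAK_CMDLINE = "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --read-only-port 10255"

# Constructed sample in the shape of a kubeadm-written KubeletConfiguration:
# Webhook authorization and anonymous auth off, but readOnlyPort left unset.
KUBEADM_STYLE_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
}

if __name__ == "__main__":
    for label, flags, cfg in (("flags only", parse_kubelet_flags(WEAK_CMDLINE), {}),
                              ("kubeadm-style config", {}, KUBEADM_STYLE_CONFIG)):
        print(f"== {label}")
        for f in audit(effective_settings(flags, cfg)):
            print(f"  {f.setting}={f.value}: {f.risk}; fix: {f.fix}")
```

The precedence rule matters in practice: a config file with `authorization.mode: Webhook` is still overridden by a stale `--authorization-mode=AlwaysAllow` in the systemd unit, so the audit merges both sources before judging.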
alpb about 7 years ago

I'm trying to understand what the issue here was. Did they publicly expose the kubelet port on the internet?
Comment #16579576 not loaded
Comment #16579816 not loaded