We’re writing to remind you about an upcoming security improvement in Google Kubernetes Engine (GKE).
We understand this change may impact your workflows and have provided additional information below to assist you with the transition.
What you need to know
We have identified an unauthenticated "read-only" port (10255) in the Kubelet server, which could result in a potential data leak or compromise, if not turned off.
Due to this security issue, we will disable port 10255 in the following phases:
GKE version 1.32 and higher: Port 10255 will be disabled by default on new clusters. You can still enable it, if necessary, but it is not recommended.
Note: There is no change to port 10255 on existing clusters, even on clusters upgraded to 1.32.
Future GKE versions: Port 10255 will be completely disabled with no option to enable it.
Note: We will send further notifications before turning off port 10255 completely.
What you need to do
To improve the security of your GKE clusters, we recommend you proactively disable port 10255 (on GKE versions 1.26.4-gke.500 or higher) by following the instructions outlined in the GKE Guide.
Note: Please migrate any applications currently using port 10255 to the more secure Kubelet port 10250. Once all clusters in your environment are no longer using port 10255, you can implement a custom org policy to prevent future use of this port on new and existing clusters.
From Google Cloud.
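One way to check which nodes still expose port 10255 before disabling it, as an added example that is not part of Google's notice: the script below reads each node's kubelet configuration and reports nodes where the read-only port is still enabled. It goes slightly beyond the notice by also flagging nodes where port 10250 would accept anonymous or unauthorized requests. It assumes the input is the JSON returned by kubectl get --raw "/api/v1/nodes/<node>/proxy/configz"; the node names and sample documents are constructed.

```python
import json

# Constructed sample input (node names and values are made up): one kubelet
# /configz document per node, in the shape returned by
#   kubectl get --raw "/api/v1/nodes/<node>/proxy/configz"
SAMPLE_CONFIGZ = {
    "node-a": '{"kubeletconfig": {"port": 10250, "readOnlyPort": 10255,'
              ' "authentication": {"anonymous": {"enabled": false}},'
              ' "authorization": {"mode": "Webhook"}}}',
    # readOnlyPort is omitted from the JSON when it is 0 (disabled).
    "node-b": '{"kubeletconfig": {"port": 10250,'
              ' "authentication": {"anonymous": {"enabled": false}},'
              ' "authorization": {"mode": "Webhook"}}}',
    "node-c": '{"kubeletconfig": {"port": 10250, "readOnlyPort": 0,'
              ' "authentication": {"anonymous": {"enabled": true}},'
              ' "authorization": {"mode": "AlwaysAllow"}}}',
}


def audit_node(name, configz_json):
    """Return findings for one node's kubelet configuration."""
    cfg = json.loads(configz_json).get("kubeletconfig", {})
    findings = []
    ro_port = cfg.get("readOnlyPort", 0)  # absent or 0 means disabled
    if ro_port:
        findings.append(f"{name}: read-only port {ro_port} enabled (unauthenticated)")
    if cfg.get("authentication", {}).get("anonymous", {}).get("enabled"):
        findings.append(f"{name}: anonymous requests accepted on port {cfg.get('port', 10250)}")
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append(f"{name}: authorization mode AlwaysAllow on port {cfg.get('port', 10250)}")
    return findings


def audit_cluster(configz_by_node):
    """Map node name -> findings, keeping only nodes that need attention."""
    report = {}
    for name, doc in sorted(configz_by_node.items()):
        findings = audit_node(name, doc)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for node, findings in audit_cluster(SAMPLE_CONFIGZ).items():
        for line in findings:
            print(line)
```

An empty report means no node in the input has the read-only port enabled; it does not show whether any application still tries to connect to it.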