Kubernetes Dashboard / kubelet
KubernetesCI/CD6 credentials
kubelet Anonymous / Read-Only Access
kubernetes-dashboard-kubelet / kubelet-anonymous-access
kubelet can be configured to allow anonymous requests or expose read-only/metrics endpoints depending on Kubernetes version and flags. When enabled or left exposed, some node information, metrics, logs, or pod-related endpoints may be reachable without presenting a bearer token or client certificate.
Unauthenticated access
open defaultno authentication required- username
- none
- password
- none
Location
kubelet HTTPS :10250 and legacy read-only :10255 endpointsnode kubelet API, metrics, pods, logs, stats, or read-only endpoints when anonymous/read-only access is enabled
kubelet config.yaml, kubelet flags, node systemd unitsanonymous.authentication.enabled, authorization.mode, readOnlyPort, clientCAFile, and webhook authn/authz settings control access
kubelet startup logs and apiserver audit/node proxy logs showing anonymous or unauthenticated requests
Notes
This is config-dependent and represents absence of kubelet credential enforcement for specific endpoints, not a credential value. Impact depends on anonymous auth, authorization mode, readOnlyPort, network reachability, client certificate settings, and Kubernetes version.
Kubernetes Dashboard ServiceAccount Token
kubernetes-dashboard-kubelet / dashboard-service-account-token
Kubernetes Dashboard authenticates users with bearer tokens, commonly service account tokens or kubeconfig-derived tokens. High-privilege dashboard tokens can provide broad cluster access.
Looks like
patterneyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+Location
AuthorizationBearer token submitted to Dashboard or Kubernetes API
Kubernetes service account token Secrets, projected token volumes, and external vaults
kubeconfig, dashboard manifests, serviceaccount token filesdashboard auth token and kubeconfig context material
cluster bootstrap repos, Helm values, and lab manifests
Dashboard logs, apiserver audit logs, and proxy traces
kubeconfig Client Certificate / Key
kubernetes-dashboard-kubelet / kubeconfig-client-certificate
Dashboard users, kubectl clients, and automation may authenticate with kubeconfig files containing client certificates, private keys, bearer tokens, or exec-plugin credentials.
Looks like
patternclient-key-data:\s+[A-Za-z0-9+/=]+-----BEGIN (RSA |EC |OPENSSH |ENCRYPTED |)PRIVATE KEY-----Location
~/.kube/config, kubeconfigclusters, users, tokens, client certs, and private keys
Kubernetes Secrets, CI/CD variables, and workstation credential stores
accidentally committed kubeconfigs and cluster automation repos
support bundles, cluster backups, and exported admin configs
kubelet Client Certificate / Bearer Token
kubernetes-dashboard-kubelet / kubelet-client-cert-and-token
kubelet HTTPS endpoints can require client certificates or bearer tokens. Nodes also store kubelet client credentials used to talk to the apiserver.
Looks like
pattern-----BEGIN (RSA |EC |ENCRYPTED |)PRIVATE KEY-----Location
kubelet HTTPS API, metrics, logs, exec/portforward-related endpoints, and node proxy paths/var/lib/kubelet/pki/, /var/lib/kubelet/kubeconfigkubelet client certificate, server certificate, and kubeconfig credentials
node filesystem credential stores and cluster PKI backups
kubelet logs, apiserver audit logs, and node diagnostics
Cluster Admin RBAC Binding Secret
kubernetes-dashboard-kubelet / cluster-admin-rbac-secret
Dashboard deployments sometimes bind a service account to cluster-admin for convenience. The credential is the service account token or kubeconfig tied to that RBAC binding.
Location
ClusterRoleBinding, ServiceAccount, Secret, and Helm values granting Dashboard permissions
Kubernetes Secrets and projected service account token volumes
lab manifests and admin dashboard installation snippets
apiserver audit records showing Dashboard service account use
Notes
The RBAC binding is not itself secret, but it identifies which token/kubeconfig has cluster-admin blast radius.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.