lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Kubernetes Dashboard / kubelet

KubernetesCI/CD6 credentials

Credentials6 documented
01

kubelet Anonymous / Read-Only Access

kubernetes-dashboard-kubelet / kubelet-anonymous-access

kubelet can be configured to allow anonymous requests or expose read-only/metrics endpoints depending on Kubernetes version and flags. When enabled or left exposed, some node information, metrics, logs, or pod-related endpoints may be reachable without presenting a bearer token or client certificate.

no authsecretusername/password

Unauthenticated access

open default
no authentication required
username
none
password
none

Location

public interface
kubelet HTTPS :10250 and legacy read-only :10255 endpoints

node kubelet API, metrics, pods, logs, stats, or read-only endpoints when anonymous/read-only access is enabled

config file
kubelet config.yaml, kubelet flags, node systemd units

anonymous.authentication.enabled, authorization.mode, readOnlyPort, clientCAFile, and webhook authn/authz settings control access

logs

kubelet startup logs and apiserver audit/node proxy logs showing anonymous or unauthenticated requests

Notes

This is config-dependent and represents absence of kubelet credential enforcement for specific endpoints, not a credential value. Impact depends on anonymous auth, authorization mode, readOnlyPort, network reachability, client certificate settings, and Kubernetes version.

02

Kubernetes Dashboard ServiceAccount Token

kubernetes-dashboard-kubelet / dashboard-service-account-token

Kubernetes Dashboard authenticates users with bearer tokens, commonly service account tokens or kubeconfig-derived tokens. High-privilege dashboard tokens can provide broad cluster access.

generated on installuser definedsecrettoken

Looks like

pattern
pattern

JWT-style Kubernetes service account token accepted by Dashboard or apiserver

eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+

Location

http header
Authorization

Bearer token submitted to Dashboard or Kubernetes API

secret store

Kubernetes service account token Secrets, projected token volumes, and external vaults

config file
kubeconfig, dashboard manifests, serviceaccount token files

dashboard auth token and kubeconfig context material

source code

cluster bootstrap repos, Helm values, and lab manifests

logs

Dashboard logs, apiserver audit logs, and proxy traces

03

kubeconfig Client Certificate / Key

kubernetes-dashboard-kubelet / kubeconfig-client-certificate

Dashboard users, kubectl clients, and automation may authenticate with kubeconfig files containing client certificates, private keys, bearer tokens, or exec-plugin credentials.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

base64-encoded Kubernetes kubeconfig client private key field

client-key-data:\s+[A-Za-z0-9+/=]+
pattern

client private key material used by Kubernetes kubeconfig authentication

-----BEGIN (RSA |EC |OPENSSH |ENCRYPTED |)PRIVATE KEY-----

Location

config file
~/.kube/config, kubeconfig

clusters, users, tokens, client certs, and private keys

secret store

Kubernetes Secrets, CI/CD variables, and workstation credential stores

source code

accidentally committed kubeconfigs and cluster automation repos

artifact

support bundles, cluster backups, and exported admin configs

04

kubelet Client Certificate / Bearer Token

kubernetes-dashboard-kubelet / kubelet-client-cert-and-token

kubelet HTTPS endpoints can require client certificates or bearer tokens. Nodes also store kubelet client credentials used to talk to the apiserver.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

kubelet client/server private key material

-----BEGIN (RSA |EC |ENCRYPTED |)PRIVATE KEY-----

Location

public interface
kubelet HTTPS API, metrics, logs, exec/portforward-related endpoints, and node proxy paths
config file
/var/lib/kubelet/pki/, /var/lib/kubelet/kubeconfig

kubelet client certificate, server certificate, and kubeconfig credentials

secret store

node filesystem credential stores and cluster PKI backups

logs

kubelet logs, apiserver audit logs, and node diagnostics

06

Cluster Admin RBAC Binding Secret

kubernetes-dashboard-kubelet / cluster-admin-rbac-secret

Dashboard deployments sometimes bind a service account to cluster-admin for convenience. The credential is the service account token or kubeconfig tied to that RBAC binding.

user definedgenerated on installsecrettoken

Location

config file

ClusterRoleBinding, ServiceAccount, Secret, and Helm values granting Dashboard permissions

secret store

Kubernetes Secrets and projected service account token volumes

source code

lab manifests and admin dashboard installation snippets

logs

apiserver audit records showing Dashboard service account use

Notes

The RBAC binding is not itself secret, but it identifies which token/kubeconfig has cluster-admin blast radius.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.