Kubeletconfigchanged. The alert payload details show {"managed": {"readOnlyPort": 10255}}.
VMware Tanzu Mission Control
This is a false-positive warning triggered by an expected, cloud-provider-driven security enhancement.
The alert points to the readOnlyPort: 10255 setting on the GKE worker node's kubelet service. Historically, port 10255 was used as an unauthenticated, read-only port to scrape node metrics. Because it does not require authentication, it is considered a legacy security risk.
With the release of Kubernetes v1.34, Google updated its GKE security baselines. When the node pool is upgraded, Tanzu Mission Control's inspection agents detect configuration drift on this port relative to the node's previous state and flag it as a warning. TMC is correctly detecting the change, but in this specific scenario the change is an intentional, secure lifecycle event managed by Google.
Because the cluster is perfectly healthy, no immediate action is strictly required. However, to clear the warning state from the TMC UI, one of the following paths can be chosen:
Option 1: Explicitly Disable the Read-Only Port: To align the GKE cluster's configuration and clear the configuration drift alert in TMC, the kubelet read-only port can be explicitly disabled on the GKE side.
Refer to the official Google Cloud documentation: Disable the kubelet read-only port in GKE clusters.
Once the port is explicitly disabled at the GKE control plane level, the TMC inspection agent will validate the new baseline, and the alert will automatically resolve.
Option 2: Safely Ignore the Alert: If modifying the GKE cluster configuration is not desired, this alert can be safely ignored. It will not impact workloads or cluster performance.
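To check what each node's kubelet actually reports after following Option 1, the sketch below classifies per-node kubelet configuration documents by their readOnlyPort value and flags a mixed fleet. It is an added example, not code from VMware or Google; the node names and JSON samples are constructed, and it assumes the documents were fetched from the kubelet's configz endpoint through the API server node proxy.

```python
import json

# Constructed samples shaped like kubelet /configz output, fetched e.g. with:
#   kubectl get --raw /api/v1/nodes/<node>/proxy/configz
SAMPLE_CONFIGZ = {
    "node-a": '{"kubeletconfig": {"readOnlyPort": 10255, "port": 10250}}',
    "node-b": '{"kubeletconfig": {"readOnlyPort": 0, "port": 10250}}',
    "node-c": '{"kubeletconfig": {"port": 10250}}',
    "node-d": '{"unexpected": true}',
}


def read_only_port_state(configz_json):
    """Return (state, port) where state is 'enabled', 'disabled' or 'unknown'."""
    try:
        doc = json.loads(configz_json)
    except (TypeError, ValueError):
        return "unknown", None
    cfg = doc.get("kubeletconfig") if isinstance(doc, dict) else None
    if not isinstance(cfg, dict):
        return "unknown", None
    # readOnlyPort defaults to 0 (disabled) when the field is omitted.
    port = cfg.get("readOnlyPort", 0)
    if isinstance(port, bool) or not isinstance(port, int):
        return "unknown", None
    return ("disabled", 0) if port == 0 else ("enabled", port)


def audit(configz_by_node):
    """Group nodes by read-only port state and flag a mixed or unreadable fleet."""
    report = {"enabled": [], "disabled": [], "unknown": []}
    for node in sorted(configz_by_node):
        state, port = read_only_port_state(configz_by_node[node])
        report[state].append((node, port))
    # A fleet is consistent only if every node parsed and all agree.
    report["consistent"] = not report["unknown"] and not (
        report["enabled"] and report["disabled"]
    )
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIGZ)
    for state in ("enabled", "disabled", "unknown"):
        print(state, result[state])
    print("consistent:", result["consistent"])
```

A node pool that is partway through an upgrade can legitimately show both states, which is why the report separates a mixed fleet from a uniformly disabled one.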