**kubelet** — Agent running on each node that manages pods. The kubelet API (port 10250) is a frequent attack target. - **kube-proxy** — Manages network rules for service routing. - **Container Runtime** — Docker, containerd, or CRI-O actually runs the containers.