It was found that the API server configuration parameter '--kubelet-certificate-authority' is not set. Without it, the server does not validate the kubelet serving certificate, which makes the connection vulnerable to man-in-the-middle attacks.
Recommended Mitigation
It is recommended to set the '--kubelet-certificate-authority' configuration parameter.
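
The following check is an added example, not part of the original finding or of Kubernetes itself: it audits a kube-apiserver manifest for the flag and treats a commented-out or empty flag as missing. The function names are hypothetical, and the sample manifests are constructed and assume a kubeadm-style PKI layout.

```shell
#!/usr/bin/env bash
# Added example: audit a kube-apiserver manifest for --kubelet-certificate-authority.
# Only the "--flag=value" list-item form is parsed; commented-out lines are ignored.

# Print the flag's value (empty if the flag is absent or has no value).
kubelet_ca_value() {
  sed -n -E "s/^[[:space:]]*-[[:space:]]+[\"']?--kubelet-certificate-authority=([^\"'[:space:]]*).*\$/\1/p" "$1" \
    | head -n 1
}

# Return 0 if the flag is set, 1 if missing or empty, 2 if the file is unreadable.
check_kubelet_ca() {
  [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
  value=$(kubelet_ca_value "$1")
  if [ -z "$value" ]; then
    echo "FAIL: --kubelet-certificate-authority is not set in $1"
    return 1
  fi
  echo "PASS: --kubelet-certificate-authority=$value"
}

# Write two constructed manifests (sample data, not from the assessed cluster).
# The file paths inside them assume a kubeadm-style PKI layout.
make_samples() {
  cat > "$1/before.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    # - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
EOF
  cat > "$1/after.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
EOF
}

# Demo on the constructed manifests; on a node, pass the real manifest path instead.
tmp=$(mktemp -d)
make_samples "$tmp"
check_kubelet_ca "$tmp/before.yaml" || true   # flag present only as a comment
check_kubelet_ca "$tmp/after.yaml"
rm -rf "$tmp"
```

On a kubeadm control-plane node the manifest is typically /etc/kubernetes/manifests/kube-apiserver.yaml (an assumption about the cluster layout); pass that path to check_kubelet_ca.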