The scheduler service should only be bound to localhost
Set up the kubernetes integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
Do not bind the scheduler service to non-loopback insecure addresses.
Rationale
The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster’s attack surface
Audit
Run the following command on the master node:
ps -ef | grep kube-scheduler
Verify that the --bind-address argument is set to 127.0.0.1.
Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml on the master node and ensure the correct value for the --bind-address parameter.
Impact
None
Default value
By default, the --bind-address parameter is set to 0.0.0.0.
References
- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/
CIS controls
Version 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
