C-0152 - Ensure that the Scheduler --bind-address argument is set to 127.0.0.1

Framework

cis-v1.23-t1.0.1

Severity

Medium

Description of the the issue

The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface

Related resources

Pod

What does this control test

Do not bind the scheduler service to non-loopback insecure addresses.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-scheduler

Verify that the --bind-address argument is set to 127.0.0.1

Remediation

Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml on the Control Plane node and ensure the correct value for the --bind-address parameter

Impact Statement

None

Default Value

By default, the --bind-address parameter is set to 0.0.0.0

Example

No example