C-0152 - Ensure that the Scheduler --bind-address argument is set to 127.0.0.1
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface
Related resources
Pod
What does this control test
Do not bind the scheduler service to non-loopback insecure addresses.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-scheduler
Verify that the --bind-address
argument is set to 127.0.0.1
Remediation
Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
on the Control Plane node and ensure the correct value for the --bind-address
parameter
Impact Statement
None
Default Value
By default, the --bind-address
parameter is set to 0.0.0.0
Example
No example
Updated 9 days ago