1.2.2 Ensure that the --address argument is set to 127.0.0.1

Information

Do not bind the scheduler service to non-loopback insecure addresses.

Rationale:

The Scheduler API service, which runs on port 10251/TCP by default, is used for health and metrics information and is available without authentication or encryption. As such, it should only be bound to a localhost interface to minimize the cluster's attack surface.

Solution

Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml on the master node and ensure the --address parameter is set to 127.0.0.1.
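
One way to verify the manifest after editing it, as an added example that is not part of the benchmark or the audit plugin. The function names `check_scheduler_address` and `write_sample_manifest` are hypothetical, the sample manifests are constructed, and a missing flag is treated as a failure on the assumption that the control requires the flag to be set explicitly.

```shell
#!/bin/sh
# Added example: checks the --address flag in a kube-scheduler static pod manifest.

# Print PASS, FAIL:<value> or FAIL:not-set; return 0 only when every
# --address occurrence in the manifest is exactly 127.0.0.1.
check_scheduler_address() {
    manifest=$1
    [ -r "$manifest" ] || { echo "ERROR:unreadable"; return 2; }
    # Drop YAML comments and quotes, then pull the value from list items
    # of the form "- --address=<value>". Other flags that merely end in
    # "-address" do not match, so they cannot satisfy the check.
    values=$(sed 's/#.*$//' "$manifest" | tr -d "\"'" |
        sed -n 's/^[[:space:]]*-[[:space:]]*--address=\([^[:space:]]*\)[[:space:]]*$/\1/p')
    [ -n "$values" ] || { echo "FAIL:not-set"; return 1; }
    for v in $values; do
        [ "$v" = "127.0.0.1" ] || { echo "FAIL:$v"; return 1; }
    done
    echo "PASS"
}

# Write a constructed sample manifest to $1. $2 is the flag to place in the
# command list (pass an empty string to leave the flag out).
write_sample_manifest() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
  - name: kube-scheduler
    command:
    - kube-scheduler
    # - --address=0.0.0.0   (commented out, must be ignored)
    ${2:+- $2}
    - --leader-elect=true
EOF
}

# Demo on constructed input: one compliant and one non-compliant manifest.
demo_dir=$(mktemp -d)
write_sample_manifest "$demo_dir/good.yaml" "--address=127.0.0.1"
write_sample_manifest "$demo_dir/bad.yaml" "--address=0.0.0.0"
for f in "$demo_dir"/*.yaml; do
    printf '%s: %s\n' "${f##*/}" "$(check_scheduler_address "$f" || true)"
done
rm -rf "$demo_dir"
```

On a master node, call `check_scheduler_address /etc/kubernetes/manifests/kube-scheduler.yaml`; a non-zero exit status means the manifest still needs editing.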

Impact:

None

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|9.1

Plugin: Unix

Control ID: 59e3664cb7e16d2a61824982ad2961c3e0ed5f84b6eb2aba30d7a0b57697e9fe