Ensure that the --bind-address argument is set to 127.0.0.1

MEDIUM

Description

Description:

Do not bind the scheduler service to non-loopback insecure addresses.

Rationale:

The Scheduler API service, which runs on port 10251/TCP by default, is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface.

Remediation

Edit the Scheduler pod specification file '/etc/kubernetes/manifests/kube-scheduler.yaml' on the master node and ensure the '--bind-address' parameter is set to 127.0.0.1.
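The following audit helper is an added example for this remediation step; it is not tooling from the policy page or from Kubernetes itself. It assumes the usual static-pod manifest layout, in which the flag appears in the container command list as `--bind-address=<addr>`, and it treats a missing flag as a failure because kube-scheduler's default bind address is 0.0.0.0. The three manifests it checks are constructed inline (the image tag is a placeholder) so the script runs offline.

```shell
#!/bin/sh
# Audit helper (added example, not the policy page's own tooling).
# Checks a kube-scheduler static-pod manifest for --bind-address=127.0.0.1.
# Assumption: the flag is written in the command list as "--bind-address=<addr>".

# Returns 0 when the scheduler is bound to loopback, 1 otherwise.
# An absent flag counts as a failure: the default bind address is 0.0.0.0.
check_bind_address() {
    manifest="$1"
    [ -r "$manifest" ] || return 1
    addr=$(grep -o -- '--bind-address=[^"[:space:]]*' "$manifest" | head -n 1 | cut -d= -f2)
    case "$addr" in
        127.0.0.1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Prints PASS/FAIL for one manifest; exit status mirrors check_bind_address.
audit_manifest() {
    if check_bind_address "$1"; then
        echo "PASS: $1 binds the scheduler to 127.0.0.1"
        return 0
    else
        echo "FAIL: $1 does not bind the scheduler to 127.0.0.1"
        return 1
    fi
}

# Constructed sample manifests (not real cluster files) in a scratch directory.
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT

# "Before": explicitly bound to all interfaces -> fails.
cat > "$SCRATCH/insecure.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
  - name: kube-scheduler
    image: registry.k8s.io/kube-scheduler:vX.Y.Z   # placeholder tag
    command:
    - kube-scheduler
    - --bind-address=0.0.0.0
    - --kubeconfig=/etc/kubernetes/scheduler.conf
EOF

# Flag omitted entirely: inherits the 0.0.0.0 default -> fails.
cat > "$SCRATCH/noflag.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
  - name: kube-scheduler
    image: registry.k8s.io/kube-scheduler:vX.Y.Z   # placeholder tag
    command:
    - kube-scheduler
    - --kubeconfig=/etc/kubernetes/scheduler.conf
EOF

# "After": the remediated manifest, loopback only -> passes.
cat > "$SCRATCH/secure.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
  - name: kube-scheduler
    image: registry.k8s.io/kube-scheduler:vX.Y.Z   # placeholder tag
    command:
    - kube-scheduler
    - --bind-address=127.0.0.1
    - --kubeconfig=/etc/kubernetes/scheduler.conf
EOF

# Stand-alone run: audit all three samples; only secure.yaml passes.
for m in "$SCRATCH/insecure.yaml" "$SCRATCH/noflag.yaml" "$SCRATCH/secure.yaml"; do
    audit_manifest "$m" || true
done
```

On a real control-plane node, point `check_bind_address` at '/etc/kubernetes/manifests/kube-scheduler.yaml'; because kubelet restarts static pods when the manifest changes, re-running the check after the edit confirms the remediation took effect.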

Policy Details

Rule Reference ID: AC_K8S_0131
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks