Verify that the scheduler API service is protected by RBAC
An XCCDF Rule
Description
Do not bind the scheduler service to non-loopback insecure addresses.
Warning
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API and save the response of the
/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
API endpoint to the local /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
file.
Rationale
The Scheduler API service, which runs on port 10251/TCP by default, is used for health and metrics information and is available without authentication or encryption. As such, it should only be bound to a localhost interface, to minimize the cluster's attack surface.
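As an added illustration, not part of this rule or of the ComplianceAsCode content, the Python below evaluates a local dump of the cluster-debugger ClusterRole fetched from the API endpoint named above and reports which scheduler paths no rule grants access to. The sample dump and the REQUIRED_PATHS list are constructed assumptions; the rule's own OVAL check may look for different paths.

```python
"""Check a dumped cluster-debugger ClusterRole for scheduler endpoint coverage."""
import json

# Constructed sample of what the local dump file for
# /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger might hold.
SAMPLE_DUMP = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-debugger"},
    "rules": [
        {"nonResourceURLs": ["/metrics", "/metrics/*"], "verbs": ["get"]},
        {"nonResourceURLs": ["/debug/*"], "verbs": ["get"]},
    ],
})

# Assumption: the scheduler endpoints the role is expected to gate (adjust to your guide).
REQUIRED_PATHS = ("/metrics", "/healthz")


def _matches(pattern, path):
    """RBAC nonResourceURLs allow '*' only as a trailing suffix wildcard."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def granted_paths(clusterrole, required=REQUIRED_PATHS, verb="get"):
    """Return the subset of `required` paths on which some rule grants `verb`."""
    found = set()
    for rule in clusterrole.get("rules", []):
        verbs = rule.get("verbs", [])
        if verb not in verbs and "*" not in verbs:
            continue
        for pattern in rule.get("nonResourceURLs", []):
            found.update(p for p in required if _matches(pattern, p))
    return found


def evaluate_dump(text, required=REQUIRED_PATHS):
    """Parse the dumped ClusterRole and report any required path left uncovered."""
    role = json.loads(text)
    name = role.get("metadata", {}).get("name")
    if role.get("kind") != "ClusterRole" or name != "cluster-debugger":
        raise ValueError("dump is not the cluster-debugger ClusterRole")
    missing = sorted(set(required) - granted_paths(role, required))
    return {"pass": not missing, "missing": missing}


if __name__ == "__main__":
    print(evaluate_dump(SAMPLE_DUMP))
```

In a real scan the text passed to evaluate_dump would be read from the local dump file rather than the embedded sample.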
- ID
- xccdf_org.ssgproject.content_rule_scheduler_service_protected_by_rbac
- Severity
- Medium
- Updated