Ensure that the port parameter is zero
An XCCDF Rule
Description
The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface.
warning alert: Warning
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-
{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler{{else}}/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod{{end}}API endpoint, filter with with thejqutility using the following filter{{if ne .hypershift_cluster "None"}}[.items[0].spec.containers[0].args | join(" ")]{{else}}[.data."pod.yaml"]{{end}}and persist it to the local
Rationale
In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to healthzPort, the port of the localhost healthz endpoint. Changing this value may disrupt components that monitor the kubelet health.
- ID
- xccdf_org.ssgproject.content_rule_scheduler_port_is_zero
- Severity
- Medium
- References
- Updated