Details
Do not bind the scheduler service to non-loopback insecure addresses.
Rationale:
The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster’s attack surface
Solution
Edit the Scheduler pod specification file ‘/etc/kubernetes/manifests/kube-scheduler.yaml’ on the master node and ensure the correct value for the ‘–address’ parameter
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Unix.