Skip to content

The --bind-address argument is not set to 127.0.0.1

Description

Do not bind the scheduler service to non-loopback insecure addresses. The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface.

Fix - Buildtime

Kubernetes

  • Kind: Pod
piVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+    - kube-scheduler
+    - --bind-address=127.0.0.1
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0