Commit

Apply suggestions from code review
Co-authored-by: Tim Bannister <tim@scalefactory.com>
AnshumanTripathi and sftim authored May 12, 2024
1 parent b0b839d commit a56a358
Showing 1 changed file with 13 additions and 12 deletions.
25 changes: 13 additions & 12 deletions content/en/docs/concepts/security/hardening-guide/scheduler.md
Expand Up @@ -15,10 +15,10 @@ This document covers how to improve the security posture of the Schduler.

A misconfigured scheduler can have security implications. Such a scheduler can target specific nodes and evict the workloads or applications that are sharing the node and its resources. This can aid an attacker with a [Yo-Yo attack](https://arxiv.org/abs/2105.00542): an attack on a vulnerable autoscaler.
<!-- body -->
## kube-scheduler configurations
## kube-scheduler configuration

### Scheduler Authentication & Authorization configuration options
{{<table caption="Authentication and Authorization Configurations">}}
### Scheduler authentication & authorization command line options
{{<table caption="Security advice for kube-scheduler command line options relating to authentication or authorization" >}}
| Configuration | Security hardening advice |
| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `authentication-kubeconfig` | Make sure to provide a proper kubeconfig so that the server calls are secure. This kubeconfig file should also maintained securely. |
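
Review bot: The table header in this hunk still reads `Configuration`, while the heading and caption above it now say "command line options" and the networking and TLS tables further down use `Parameter`; rename the column here as well so the three tables match. In the `authentication-kubeconfig` row, "This kubeconfig file should also maintained securely" is missing "be" and does not say what maintaining it securely means; stating the concrete expectation (for example, who may read the file) would make the advice actionable. The context sentence carried in the hunk header also still spells "Schduler".
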
Expand All @@ -27,31 +27,32 @@ A misconfigured scheduler can have security implications. Such a scheduler can t
| `authorization-always-allow-paths` | These paths should respond with data that is appropriate for anonymous authorization. Defaults to `/healthz,/readyz,/livez`. |
{{</table>}}

### Address configuration options
{{<table caption="Address Configurations">}}
| Configuration | Security hardening advice |
### Scheduler networking command line options
{{<table caption="Security advice for kube-scheduler command line options relating to networking" >}}
| Parameter | Security hardening advice |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `bind-address` | In most cases, the kube-scheduler does not need to be externally accessible. Setting the bind address to `localhost` is a secure practice. |
| `permit-address-sharing` | Set this configuration to `false` to disable connection sharing through `SO_REUSEADDR`. `SO_REUSEADDR` can lead to reuse of terminated connections that are in `TIME_WAIT` state. |
| `permit-address-sharing` | Set this to `false` to disable connection sharing through `SO_REUSEADDR`. `SO_REUSEADDR` can lead to reuse of terminated connections that are in `TIME_WAIT` state. |
| `permit-port-sharing` | Default `false`. Use the default unless you are confident you understand the security implications. |
{{</table>}}

### TLS configuration options
{{<table caption="Address Configurations">}}
| Configuration | Security hardening advice |
### Scheduler TLS command line options
{{<table caption="Security advice for kube-scheduler command line options relating to encryption in transit" >}}
| Parameter | Security hardening advice |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `requestheader-client-ca-file` | Generally do not depend on authorization being already done for incoming requests. Always provide the root certificate bundle. This allows authorization to happen on each incoming request through `requestheader-allowed-names`. |
| `tls-cipher-suites` | Always provide a list of preferred cipher suites. This ensures encryption never happens with insecure cipher suites. |
{{</table>}}

## Scheduling configurations for custom schedulers
This section covers security hardening when using custom schedulers.
This section covers security hardening when using custom schedulers based on the Kubernetes
scheduling code.
The cluster administrator needs be careful with the plugins that use the `queueSort`, `filter`, or permit [extension points](https://github.com/docs/reference/scheduling/config/#extension-points).
Scheduling happens in a series of stages that are exposed through the extension points.
As a cluster administrator, you can enable plugins that define their own extension points.
Doing so can affect the defined scheduling behaviors of the kube-scheduler in your cluster.

When using a custom scheduler plugin extension points such as `queueSort`, `filter` and `permit` should be used with care.
When using a custom scheduler, plugin extension points such as `queueSort`, `filter` and `permit` should be used with care.

Exactly one plugin that uses the `queueSort` extension point can be enabled at a time. Any plugins that use `queueSort` should be scrutinized.

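Review bot: In the custom schedulers section, the sentence "When using a custom scheduler, plugin extension points such as `queueSort`, `filter` and `permit` should be used with care." repeats the warning given a few lines earlier ("The cluster administrator needs be careful with the plugins that use ..."); keep one of the two, and in the earlier sentence change "needs be careful" to "needs to be careful" and put `permit` in backticks like the other two extension points. In the networking table, the `bind-address` row recommends `localhost`, but the flag takes an IP address, so the advice should name the loopback address (`127.0.0.1` or `::1`); the `permit-address-sharing` row could also state its default the way the `permit-port-sharing` row does.
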