diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 20a6cca48a..f7cfde854a 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
 - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
 - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
+- Update Kubernetes Scheduler service metadata to new format [(#9679)](https://github.com/prowler-cloud/prowler/pull/9679)
+ ---
diff --git a/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.metadata.json b/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.metadata.json
index 8455c6e5a4..b71acf2ba3 100644
--- a/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.metadata.json
+++ b/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.metadata.json
@@ -1,29 +1,37 @@
 {
 "Provider": "kubernetes",
 "CheckID": "scheduler_bind_address",
- "CheckTitle": "Ensure that the --bind-address argument is set to 127.0.0.1 for the Scheduler",
+ "CheckTitle": "Scheduler pod has --bind-address set to 127.0.0.1",
 "CheckType": [],
 "ServiceName": "scheduler",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "medium",
- "ResourceType": "KubernetesScheduler",
- "Description": "This check ensures that the Kubernetes Scheduler is bound to the loopback address (127.0.0.1) to minimize the cluster's attack surface. Binding to the loopback address prevents unauthorized network access to the Scheduler's health and metrics information.",
- "Risk": "Binding the Scheduler to a non-loopback address exposes sensitive health and metrics information without authentication or encryption.",
- "RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/",
+ "Severity": "high",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes scheduler** is configured with `--bind-address=127.0.0.1` so its health and metrics endpoints listen only on localhost.\n\nThe evaluation inspects scheduler pod commands for this bind address.",
+ "Risk": "Exposing scheduler endpoints on non-loopback addresses can:\n- leak cluster state and scheduling metrics (**confidentiality**)\n- aid recon that enables privilege escalation (**integrity**)\n- allow health endpoint abuse for DoS (**availability**)",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.datadoghq.com/security/default_rules/35s-cvw-j67/",
+ "https://github.com/kubernetes-sigs/kubespray/issues/4111",
+ "https://groups.google.com/g/prometheus-users/c/_aI-HySJ-xM",
+ "https://kodekloud.com/community/t/so-im-working-on-the-multiple-schedulers-exercise-i-had-actually-completed-th/18651",
+ "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "--bind-address=127.0.0.1",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-bind-address-argument-is-set-to-127001-1",
- "Other": "",
+ "CLI": "",
+ "NativeIaC": "",
+ "Other": "1. SSH to the control plane node\n2. Open the static pod manifest: sudo vi /etc/kubernetes/manifests/kube-scheduler.yaml\n3. In spec.containers[0].command (or args) for kube-scheduler, add or set this exact flag: --bind-address=127.0.0.1\n4. Save the file; the kubelet will automatically restart the scheduler with the new setting",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Bind the Scheduler to the loopback address for enhanced security.",
- "Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/"
+ "Text": "Bind the scheduler to localhost with `--bind-address=127.0.0.1` and disable insecure serving (`--port=0`). Use the secure port with TLS, restrict access via private networks or network policies, and limit metrics exposure. Apply **least privilege** and **defense in depth**, and monitor access.",
+ "Url": "https://hub.prowler.com/check/scheduler_bind_address"
 }
 },
 "Categories": [
+ "cluster-security",
 "internet-exposed"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.metadata.json b/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.metadata.json
index 5142f5e2bc..420c11d37b 100644
--- a/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.metadata.json
+++ b/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.metadata.json
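Review bot: The new Recommendation.Text tells operators to "disable insecure serving (`--port=0`)", but the insecure `--port` flag was deprecated and, as far as I recall, removed from kube-scheduler in v1.24, so on current clusters this instructs a flag that no longer exists and may send a remediator chasing a non-existent setting; I would reword it to `Bind the scheduler to localhost with \`--bind-address=127.0.0.1\`; on releases that still support insecure serving, also set \`--port=0\`.` The new Description states that "the evaluation inspects scheduler pod commands", while the new Remediation.Code.Other says the flag may live in `spec.containers[0].command (or args)`; if the check only reads `command` (the check code is not in this diff), a scheduler that carries its flags in `args` would be reported as failing, so the Description should state the scope the check actually evaluates. The Severity change from medium to high is not explained anywhere in the new text; a sentence in Risk stating why the exposure is now rated high would make the rating defensible.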
@@ -1,30 +1,37 @@
 {
 "Provider": "kubernetes",
 "CheckID": "scheduler_profiling",
- "CheckTitle": "Ensure that the --profiling argument is set to false",
+ "CheckTitle": "Kubernetes scheduler pod has profiling disabled",
 "CheckType": [],
 "ServiceName": "scheduler",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "KubernetesScheduler",
- "Description": "Disable profiling in the Kubernetes Scheduler unless it is needed for troubleshooting. Profiling can reveal detailed system and application performance data, which might be exploited if exposed. Turning off profiling reduces the potential attack surface and performance overhead.",
- "Risk": "While profiling is useful for identifying performance issues, it generates detailed data that could potentially expose sensitive information about the system and its performance characteristics.",
- "RelatedUrl": "https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md",
+ "ResourceType": "Pod",
+ "Description": "**Kubernetes Scheduler** profiling configuration, specifically whether scheduler containers run with `--profiling=false` to keep the profiling API disabled.",
+ "Risk": "With **profiling enabled**, the pprof endpoints can expose **runtime internals** (stack traces, memory, goroutines), aiding reconnaissance and credential discovery, harming **confidentiality**.\n\nExtra CPU/heap usage can be abused for **DoS**, impacting **availability**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://github.com/freach/kubernetes-security-best-practice",
+ "https://docs.datadoghq.com/security/default_rules/z7x-m3r-pb8/",
+ "https://kubernetes.io/docs/admin/kube-scheduler/",
+ "https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md",
+ "https://paper.bobylive.com/Security/CIS/CIS_Kubernetes_Benchmark_v1_3_0.pdf"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "--profiling=false",
- "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-2",
- "Other": "",
+ "CLI": "",
+ "NativeIaC": "",
+ "Other": "1. SSH to the control-plane node\n2. Edit the scheduler manifest: `sudo vi /etc/kubernetes/manifests/kube-scheduler.yaml`\n3. In `spec.containers[].command`, add this flag (or change existing to false):\n ```\n --profiling=false\n ```\n4. Save the file; kubelet will automatically restart the scheduler with profiling disabled",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "To minimize exposure to performance data and potential vulnerabilities, ensure the --profiling argument in the Kubernetes Scheduler is set to false.",
- "Url": "https://kubernetes.io/docs/admin/kube-scheduler/"
+ "Text": "Disable by default: set `--profiling=false` on the Scheduler.\n\nIf profiling is required, enable it only temporarily, restrict access with **network policies**, bind to loopback, and log/monitor usage. Apply **least privilege** and **defense in depth** to limit exposure.",
+ "Url": "https://hub.prowler.com/check/scheduler_profiling"
 }
 },
 "Categories": [
- "trustboundaries"
+ "cluster-security"
 ],
 "DependsOn": [],
 "RelatedTo": [],
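Review bot: The new Remediation.Code.Other embeds a markdown code fence inside the JSON string (`\n ```\n --profiling=false\n ```\n`) and refers to `spec.containers[].command`, whereas the bind-address remediation in the same commit gives the flag inline as plain text and refers to `spec.containers[0].command (or args)`; the two files should use one form, and the plain one is safer for consumers that render these strings without markdown, e.g. `3. In spec.containers[0].command (or args) for kube-scheduler, add or set this exact flag: --profiling=false`. The new AdditionalURLs list points to a third-party mirror of the CIS Kubernetes Benchmark PDF (paper.bobylive.com, v1.3.0) and to the legacy `kubernetes.io/docs/admin/kube-scheduler/` path; a security tool should reference the current kube-scheduler command-line reference and the official CIS source rather than an unofficial copy of an outdated benchmark. The new Description says the check looks at whether containers run with `--profiling=false`; if the check reads only the command line (its code is not in this diff), a scheduler started with `--config` and `enableProfiling: false` in its KubeSchedulerConfiguration would likely be reported as failing, which the Description should state so operators can recognise that false positive.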