chore(kubernetes): enhance metadata for scheduler service (#9679)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
2026-03-22 03:08:23 +00:00 · 2026-03-05 12:08:47 +01:00
parent a5763289dd
commit fe9dbdfd2c
3 changed files with 30 additions and 22 deletions
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -15,6 +15,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update Kubernetes Core service metadata to new format [(#9676)](https://github.com/prowler-cloud/prowler/pull/9676)
 - Update Kubernetes Kubelet service metadata to new format [(#9677)](https://github.com/prowler-cloud/prowler/pull/9677)
 - Update Kubernetes RBAC service metadata to new format [(#9678)](https://github.com/prowler-cloud/prowler/pull/9678)
+- Update Kubernetes Scheduler service metadata to new format [(#9679)](https://github.com/prowler-cloud/prowler/pull/9679)

 ---

--- a/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.metadata.json
+++ b/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.metadata.json
@@ -1,30 +1,34 @@
 {
  "Provider": "kubernetes",
  "CheckID": "scheduler_bind_address",
-  "CheckTitle": "Ensure that the --bind-address argument is set to 127.0.0.1 for the Scheduler",
+  "CheckTitle": "Scheduler pod has --bind-address set to 127.0.0.1",
  "CheckType": [],
  "ServiceName": "scheduler",
  "SubServiceName": "",
  "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "KubernetesScheduler",
+  "Severity": "high",
+  "ResourceType": "Pod",
  "ResourceGroup": "container",
-  "Description": "This check ensures that the Kubernetes Scheduler is bound to the loopback address (127.0.0.1) to minimize the cluster's attack surface. Binding to the loopback address prevents unauthorized network access to the Scheduler's health and metrics information.",
-  "Risk": "Binding the Scheduler to a non-loopback address exposes sensitive health and metrics information without authentication or encryption.",
-  "RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/",
+  "Description": "**Kubernetes scheduler** is configured with `--bind-address=127.0.0.1` so its health and metrics endpoints listen only on localhost.\n\nThe evaluation inspects scheduler pod commands for this bind address.",
+  "Risk": "Exposing scheduler endpoints on non-loopback addresses can:\n- leak cluster state and scheduling metrics (**confidentiality**)\n- aid recon that enables privilege escalation (**integrity**)\n- allow health endpoint abuse for DoS (**availability**)",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/"
+  ],
  "Remediation": {
    "Code": {
-      "CLI": "--bind-address=127.0.0.1",
-      "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-bind-address-argument-is-set-to-127001-1",
-      "Other": "",
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. SSH to the control plane node\n2. Open the static pod manifest: sudo vi /etc/kubernetes/manifests/kube-scheduler.yaml\n3. In spec.containers[0].command (or args) for kube-scheduler, add or set this exact flag: --bind-address=127.0.0.1\n4. Save the file; the kubelet will automatically restart the scheduler with the new setting",
      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "Bind the Scheduler to the loopback address for enhanced security.",
-      "Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/"
+      "Text": "Bind the scheduler to localhost with `--bind-address=127.0.0.1` and disable insecure serving (`--port=0`). Use the secure port with TLS, restrict access via private networks or network policies, and limit metrics exposure. Apply **least privilege** and **defense in depth**, and monitor access.",
+      "Url": "https://hub.prowler.com/check/scheduler_bind_address"
    }
  },
  "Categories": [
+    "cluster-security",
    "internet-exposed"
  ],
  "DependsOn": [],
--- a/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.metadata.json
+++ b/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.metadata.json
@@ -1,31 +1,34 @@
 {
  "Provider": "kubernetes",
  "CheckID": "scheduler_profiling",
-  "CheckTitle": "Ensure that the --profiling argument is set to false",
+  "CheckTitle": "Scheduler pod has profiling disabled",
  "CheckType": [],
  "ServiceName": "scheduler",
  "SubServiceName": "",
  "ResourceIdTemplate": "",
  "Severity": "medium",
-  "ResourceType": "KubernetesScheduler",
+  "ResourceType": "Pod",
  "ResourceGroup": "container",
-  "Description": "Disable profiling in the Kubernetes Scheduler unless it is needed for troubleshooting. Profiling can reveal detailed system and application performance data, which might be exploited if exposed. Turning off profiling reduces the potential attack surface and performance overhead.",
-  "Risk": "While profiling is useful for identifying performance issues, it generates detailed data that could potentially expose sensitive information about the system and its performance characteristics.",
-  "RelatedUrl": "https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md",
+  "Description": "**Kubernetes Scheduler** profiling configuration, specifically whether scheduler containers run with `--profiling=false` to keep the profiling API disabled.",
+  "Risk": "With **profiling enabled**, the pprof endpoints can expose **runtime internals** (stack traces, memory, goroutines), aiding reconnaissance and credential discovery, harming **confidentiality**.\n\nExtra CPU/heap usage can be abused for **DoS**, impacting **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://kubernetes.io/docs/admin/kube-scheduler/"
+  ],
  "Remediation": {
    "Code": {
-      "CLI": "--profiling=false",
-      "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-2",
-      "Other": "",
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. SSH to the control-plane node\n2. Edit the scheduler manifest: `sudo vi /etc/kubernetes/manifests/kube-scheduler.yaml`\n3. In `spec.containers[].command`, add this flag (or change existing to false):\n   ```\n   --profiling=false\n   ```\n4. Save the file; kubelet will automatically restart the scheduler with profiling disabled",
      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "To minimize exposure to performance data and potential vulnerabilities, ensure the --profiling argument in the Kubernetes Scheduler is set to false.",
-      "Url": "https://kubernetes.io/docs/admin/kube-scheduler/"
+      "Text": "Disable by default: set `--profiling=false` on the Scheduler.\n\nIf profiling is required, enable it only temporarily, restrict access with **network policies**, bind to loopback, and log/monitor usage. Apply **least privilege** and **defense in depth** to limit exposure.",
+      "Url": "https://hub.prowler.com/check/scheduler_profiling"
    }
  },
  "Categories": [
-    "trustboundaries"
+    "cluster-security"
  ],
  "DependsOn": [],
  "RelatedTo": [],