Add check for the scheduler not having the bind address set

JAORMX · JAORMX · commit 4be94d4ffd8f · 2020-11-03T13:18:29.000+02:00
This addresses part of the CIS control 1.4.2
diff --git a/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml b/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: Ensure that the bind-address parameter is not used
+
+description: |-
+  The Scheduler API service which runs on port 10251/TCP by default is used for
+  health and metrics information and is available without authentication or
+  encryption. As such it should only be bound to a localhost interface, to
+  minimize the cluster's attack surface.
+
+rationale: |-
+  In OpenShift 4, The Kubernetes Scheduler operator manages and updates the
+  Kubernetes Scheduler deployed on top of OpenShift. By default, the operator
+  exposes metrics via metrics service. The metrics are collected from the
+  Kubernetes Scheduler operator. Profiling data is sent to healthzPort,
+  the port of the localhost healthz endpoint. Changing this value may disrupt
+  components that monitor the kubelet health.
+
+references:
+  cis: 1.4.2
+
+severity: medium
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod") | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod
+    yamlpath: '.data["pod.yaml"]'
+    values:
+      - value: "bind-address"
+        operation: "pattern match"
+        type: "string"
+        entity_check: "none satisfy"
diff --git a/applications/openshift/scheduler/scheduler_no_bind_address/tests/ocp4/e2e.yml b/applications/openshift/scheduler/scheduler_no_bind_address/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
@@ -113,6 +113,7 @@ selections:
   # 1.4.1 Ensure that the --profiling argument is set to false  (info only)
   # Handled by rbac_debug_role_protects_pprof
   # 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1
+    - scheduler_no_bind_address
 
   ### 2 etcd
   # 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate
