style

Signed-off-by: Anshuman Tripathi <[email protected]>
kubernetes · Oct 6, 2024 · 3257350 · 3257350
1 parent 5f7cff8
commit 3257350
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/content/en/docs/concepts/security/hardening-guide/scheduler.md b/content/en/docs/concepts/security/hardening-guide/scheduler.md
@@ -20,6 +20,7 @@ This can aid an attacker with a [Yo-Yo attack](https://arxiv.org/abs/2105.00542)
 ## kube-scheduler configuration
 
 ### Scheduler authentication & authorization command line options
+
 When setting up authentication configuration, it should be made sure that kube-scheduler's authentication remains consistent with kube-api-server's authentication. If any request has missing authentication headers, the authentication should happen through the kube-api-server allowing all authentication to be consistent in the cluster.
 
 
@@ -44,10 +45,13 @@ When setting up authentication configuration, it should be made sure that kube-s
 
 
 ## Scheduling configurations for custom schedulers
+
 When using custom schedulers based on the Kubernetes scheduling code, cluster administrators need to be careful with
 plugins that use the following [extension points](/docs/reference/scheduling/config/#extension-points), `queueSort`, `prefilter`, `filter`, or `permit`.
 These extension points control various stages of a scheduling process, and the wrong configuration can impact the kube-scheduler's behavior in your cluster.
 
+### Key considerations
+
 - Exactly one plugin that uses the `queueSort` extension point can be enabled at a time. Any plugins that use `queueSort` should be scrutinized.
 - Plugins that implement the `prefilter` or `filter` extension point can potentially mark all nodes as unschedulable. This can bring scheduling of new pods to a halt.
 - Plugins that implement the `permit` extension point  can prevent or delay the binding of a Pod. Such plugins should be thoroughly reviewed by the cluster administrator.
@@ -77,4 +81,5 @@ the  `queueSort`, `filter` and `permit` extension points are disabled.
 If you use this kube-scheduler configuration, and don't run any custom scheduler, and you then define a Pod with  `.spec.schedulerName` set to `nonexistent-scheduler` (or any other scheduler name that doesn't exist in your cluster), no events would be generated for a pod.
 
 ## Disallow labeling nodes
+
 A cluster administrator should ensure that cluster users cannot label the nodes. A malicious actor can use `nodeSelector` to schedule workloads on nodes where those workloads should not be present.