Update bind-address definition
Signed-off-by: Anshuman Tripathi <[email protected]>
AnshumanTripathi committed Feb 18, 2024
1 parent 2cae0ed commit 5958b41
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -33,7 +33,7 @@ A misconfigured Scheduler can have security implications. Such a scheduler can t
{{<table caption="Address Configurations">}}
| Configuration | Description | Security Hardening Advice |
| --- | --- | --- |
|`bind-address`| The IP address on which to listen for the `--secure-port` port (mainly used for metrics and health checks). The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (`0.0.0.0` for IPv4 or `::` for IPv6), all interfaces and IP address families will be used. |In most cases, the kube-scheduler does not need to be externally accessible. Setting the bind address to `localhost` is a secure practice.|
|`bind-address`| The IP address on which to listen for the `--secure-port` port (mainly used for metrics and health checks). If blank or an unspecified address (`0.0.0.0` for IPv4 or `::` for IPv6), all interfaces and IP address families will be used. |In most cases, the kube-scheduler does not need to be externally accessible. Setting the bind address to `localhost` is a secure practice.|
|`permit-address-sharing` | If true, the kube-scheduler uses the `SO_REUSEADDR` socket option when binding its listening port, which allows more than one kube-scheduler process to bind on the same address and port. This allows binding to wildcard IP addresses (such as 0.0.0.0), or binding to specific IP addresess in parallel, and it avoids waiting for the kernel to release sockets in `TIME_WAIT` state.|Default `false`. Setting it to `true` will enable connection sharing through `SO_REUSEADDR`. Caution: `SO_REUSEADDR` can lead to reuse of terminated connections that are in `TIME_WAIT` state.|
|`permit-port-sharing`|If true, the kube-scheduler uses the `SO_REUSEPORT` socket option when binding its listening port, which allows more than one kube-scheduler process to bind on the same address and port.|Default `false`. Use the default unless you are confident you understand the security implications.|
{{</table>}}
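Review bot: The `bind-address` row describes the value as "The IP address on which to listen", but its hardening column recommends `localhost`, which is a hostname rather than an IP address; consider naming the loopback addresses explicitly (`127.0.0.1` for IPv4 or `::1` for IPv6), matching how the row already spells out the unspecified addresses. With the reachability sentence removed, the row no longer says who needs to reach this port, so the advice column should also state the trade-off: a loopback bind means the metrics and health-check endpoints on `--secure-port` can only be queried from the same host. Separately, the unchanged `permit-address-sharing` row contains the typo "addresess".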