Challenge, Hard,  on  KubernetesSecurity

Disable API Server NodePort and Configure kube-scheduler Resource Requests

Omkar Shelke
by  Omkar Shelke

Scenario

You are managing a Kubernetes control plane node cplane-01. During a routine audit, two misconfigurations have been flagged — one is a security risk exposing the API server to the outside world, and the other is a resource management gap that could starve critical control plane components.

Your job is to identify and fix both issues before they impact the cluster.

Task

Two issues need to be resolved:

Issue 1
Issue 2

The Kubernetes API server is currently exposed via a NodePort on port 32222, making it reachable directly from outside the cluster. This is a security risk — the API server should only be reachable through its default ClusterIP Service inside the cluster.

Hint 1 — Disable API Server NodePort

The kube-apiserver is a static pod managed by the kubelet. Its configuration is controlled entirely through flags in the manifest file. Look for the flag that controls how the kubernetes Service is exposed, and consider what happens to the Service after the flag is removed.

# where are static pod manifests located?
ls /etc/kubernetes/manifests/

# how do you inspect the kubernetes service?
kubectl get svc kubernetes -o yaml

Documentation

The kube-scheduler static pod has no CPU resource requests defined. Without resource requests, the scheduler can consume unbounded node resources and starve other control plane components. Configure a CPU resource request equal to 5% of the node's allocatable CPU.

After updating the kube-scheduler manifest, make sure the scheduler pod is running using kubectl get pod kube-scheduler-cplane-01 -n kube-system.

Hint 2 — Configure kube-scheduler CPU Request

Before editing the manifest, first inspect what the node actually has available — not its capacity, but its allocatable CPU. Then think about how Kubernetes expresses CPU in millicores.

# how do you check what a node has available?
kubectl describe node cplane-01 | grep -i allocatable -A6

# how do you view the current kube-scheduler manifest?
sudo cat /etc/kubernetes/manifests/kube-scheduler.yaml

Example calculation:

Suppose cplane-01 reports 1 allocatable CPUs. Convert to millicores first, then take 5%:

1 CPU × 1000 = 1000m total
1000m × 5 / 100 = 50m set this as your CPU request

Documentation

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge disable-api-server-nodeport-configure-kube-scheduler-resource-requests-cefcbdc5

This will create a local copy of the challenge content in a directory named disable-api-server-nodeport-configure-kube-scheduler-resource-requests-cefcbdc5. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge disable-api-server-nodeport-configure-kube-scheduler-resource-requests-cefcbdc5

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge