Controller Manager and Scheduler Security

The API server gets the lion's share of hardening attention: authentication, authorization, admission control, audit logging. Fair enough. But sitting right next to it on every control plane node are two components that quietly hold the keys to your cluster's identity system and workload placement. The kube-controller-manager is loaded with the private key used to sign service account tokens (on a kubeadm cluster, --service-account-private-key-file pointing at sa.key, the same key the API server uses to issue bound tokens). The kube-scheduler decides which node runs every Pod. Compromise either one and the blast radius is the whole cluster: forged tokens for any service account in one case, control over where every workload lands in the other.
This article covers the security posture of both components: what they do from a security perspective, how kubeadm configures their defaults, what the CIS Benchmark expects, and the attack surfaces that are easy to overlook. The KCSA exam tests conceptual understanding of these controls rather than hands-on configuration, but it rewards knowing why each flag exists, not just that it should be set.
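To make the CIS Benchmark expectations for both components concrete, here is an added example (not code from this lesson or its course) that audits kubeadm-style static Pod manifests for the flag-level controls in CIS Kubernetes Benchmark sections 1.3 (kube-controller-manager) and 1.4 (kube-scheduler). The manifests are constructed stand-ins for /etc/kubernetes/manifests/kube-controller-manager.yaml and kube-scheduler.yaml: the "weak" controller-manager one leaves --profiling at its default and has --bind-address opened to 0.0.0.0, while the hardened versions satisfy every check. Assumptions: the parser only reads kubeadm's flat command list (no PyYAML, and no KubeSchedulerConfiguration file, whose enableProfiling field would need a separate check); 1.3.1 (--terminated-pod-gc-threshold) is omitted because it is a tuning value with no single correct setting; and 1.3.6 treats only an explicit RotateKubeletServerCertificate=false as a failure, since that gate has defaulted to true since it went beta.

```python
"""Audit kubeadm static Pod manifests for kube-controller-manager and
kube-scheduler against the CIS Kubernetes Benchmark flag checks (1.3 / 1.4).
Added example; every manifest below is constructed, not captured."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# One entry of kubeadm's flat 'command:' list, e.g. "    - --bind-address=127.0.0.1"
FLAG_RE = re.compile(r"^\s*-\s+(--[A-Za-z0-9-]+)(?:=(.*))?$")

Flags = Dict[str, Optional[str]]
Check = Tuple[str, str, Callable[[Flags], bool]]  # (CIS id, requirement, predicate)


def parse_flags(manifest_text: str) -> Flags:
    """Return {flag: value} for every '- --flag[=value]' line.
    Assumption: flags are the only configuration source (no --config file)."""
    flags: Flags = {}
    for line in manifest_text.splitlines():
        m = FLAG_RE.match(line.rstrip())
        if m:
            value = m.group(2)
            flags[m.group(1)] = value.strip() if value is not None else None
    return flags


def feature_gate(flags: Flags, gate: str) -> Optional[bool]:
    """Value of one gate inside --feature-gates=A=true,B=false; None if absent."""
    for item in (flags.get("--feature-gates") or "").split(","):
        name, _, value = item.partition("=")
        if name.strip() == gate:
            return value.strip().lower() == "true"
    return None


def flag_is(flags: Flags, name: str, expected: str) -> bool:
    return flags.get(name) == expected


CONTROLLER_MANAGER_CHECKS: List[Check] = [
    ("1.3.2", "--profiling=false", lambda f: flag_is(f, "--profiling", "false")),
    ("1.3.3", "--use-service-account-credentials=true",
     lambda f: flag_is(f, "--use-service-account-credentials", "true")),
    ("1.3.4", "--service-account-private-key-file is set",
     lambda f: bool(f.get("--service-account-private-key-file"))),
    ("1.3.5", "--root-ca-file is set", lambda f: bool(f.get("--root-ca-file"))),
    # Gate defaults to true; only an explicit 'false' counts as a finding here.
    ("1.3.6", "RotateKubeletServerCertificate not disabled",
     lambda f: feature_gate(f, "RotateKubeletServerCertificate") is not False),
    ("1.3.7", "--bind-address=127.0.0.1", lambda f: flag_is(f, "--bind-address", "127.0.0.1")),
]

SCHEDULER_CHECKS: List[Check] = [
    ("1.4.1", "--profiling=false", lambda f: flag_is(f, "--profiling", "false")),
    ("1.4.2", "--bind-address=127.0.0.1", lambda f: flag_is(f, "--bind-address", "127.0.0.1")),
]


def audit(manifest_text: str, checks: List[Check]) -> List[str]:
    """CIS ids of every check the manifest fails, in benchmark order."""
    flags = parse_flags(manifest_text)
    return [cid for cid, _, ok in checks if not ok(flags)]


def kubeadm_manifest(component: str, args: List[str]) -> str:
    """Constructed stand-in for /etc/kubernetes/manifests/<component>.yaml."""
    cmd = "\n".join(f"    - {a}" for a in [component] + args)
    return (
        "apiVersion: v1\nkind: Pod\n"
        f"metadata:\n  name: {component}\n  namespace: kube-system\n"
        f"spec:\n  containers:\n  - command:\n{cmd}\n"
        f"    image: registry.k8s.io/{component}:v1.30.0\n"
    )


PKI = "/etc/kubernetes/pki"
WEAK_CONTROLLER_MANAGER = kubeadm_manifest("kube-controller-manager", [
    "--bind-address=0.0.0.0",  # metrics/healthz exposed on the network (fails 1.3.7)
    f"--cluster-signing-cert-file={PKI}/ca.crt", f"--cluster-signing-key-file={PKI}/ca.key",
    f"--root-ca-file={PKI}/ca.crt", f"--service-account-private-key-file={PKI}/sa.key",
    "--use-service-account-credentials=true",
])  # --profiling left at its default of true (fails 1.3.2)
HARDENED_CONTROLLER_MANAGER = kubeadm_manifest("kube-controller-manager", [
    "--bind-address=127.0.0.1",
    f"--cluster-signing-cert-file={PKI}/ca.crt", f"--cluster-signing-key-file={PKI}/ca.key",
    "--feature-gates=RotateKubeletServerCertificate=true", "--profiling=false",
    f"--root-ca-file={PKI}/ca.crt", f"--service-account-private-key-file={PKI}/sa.key",
    "--use-service-account-credentials=true",
])
WEAK_SCHEDULER = kubeadm_manifest("kube-scheduler", [
    "--bind-address=127.0.0.1", "--kubeconfig=/etc/kubernetes/scheduler.conf",
    "--leader-elect=true",
])  # no --profiling=false (fails 1.4.1)
HARDENED_SCHEDULER = WEAK_SCHEDULER.replace(
    "    - --leader-elect=true\n", "    - --leader-elect=true\n    - --profiling=false\n")

if __name__ == "__main__":
    for label, text, checks in [
        ("controller-manager (weak)", WEAK_CONTROLLER_MANAGER, CONTROLLER_MANAGER_CHECKS),
        ("controller-manager (hardened)", HARDENED_CONTROLLER_MANAGER, CONTROLLER_MANAGER_CHECKS),
        ("scheduler (weak)", WEAK_SCHEDULER, SCHEDULER_CHECKS),
        ("scheduler (hardened)", HARDENED_SCHEDULER, SCHEDULER_CHECKS),
    ]:
        print(f"{label}: failed {audit(text, checks) or 'none'}")
```

On a real control plane node, point parse_flags at the manifest files under /etc/kubernetes/manifests; because both components are static Pods, the manifest is the live configuration and the kubelet restarts the Pod when it changes, which is also why an attacker with write access to that directory owns both components.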
Part of the KCSA — Kubernetes and Cloud Native Security Associate course (39 lessons).