1.1.36 Ensure that the admission control plugin EventRateLimit is set

Information

Limit the rate at which the API server accepts requests.

Rationale:

Using 'EventRateLimit' admission control enforces a limit on the number of events that the API Server will accept in a given time slice. In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. Hence, it is recommended to limit the rate of events that the API server will accept.

Note: This is an Alpha feature in the Kubernetes 1.11 release.

Solution

Follow the Kubernetes documentation and set the desired limits in a configuration file.

Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' and set the below parameters.

--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SC-39, 800-53|SI-16, CSCv6|8.4, CSCv7|8.3

Plugin: Unix

Control ID: 2851a2f1240a5cb2292c4428fc011be244c023808175a8df4c6aed83cf5c64b5