CNTR-K8-001300 - Kubernetes Kubelet must not disable timeouts.

Information

Idle streaming connections held open by the Kubelet (the long-lived sessions behind exec, attach, port-forward and log streaming) can be used by unauthorized users to perform malicious activity against the nodes, pods, containers, and cluster within the Kubernetes Control Plane. The streaming connection idle timeout defines the maximum time an idle session is permitted to remain open before the Kubelet disconnects it. Setting the value to '0' disables the timeout, so idle sessions are never disconnected. The idle timeout must never be set to '0' and should be set to '5m' (the Kubelet default is 4h).

Solution

Edit the Kubernetes Kubelet file in the /etc/sysconfig directory. The STIG text names the Kubernetes Master Node, but every node in the cluster, including worker nodes, runs a Kubelet, so apply the setting on each node. Set the argument '--streaming-connection-idle-timeout' to a value of '5m'. On clusters that configure the Kubelet through a KubeletConfiguration file (the file named by '--config'), the equivalent field is 'streamingConnectionIdleTimeout: 5m'; a command-line flag takes precedence over the file value. Restart the Kubelet service using the following command (on systemd hosts, 'systemctl restart kubelet' is equivalent):

service kubelet restart
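The following is an added example written for this page (it is not part of the STIG or of the Tenable audit) that evaluates the rule the way an auditor would: it resolves which idle-timeout value the Kubelet actually uses (flag first, then the KubeletConfiguration file, then the built-in 4h default), parses the Go-style duration, and reports a finding when the timeout is disabled ('0') or longer than the 5m this rule calls for. The function names, the 5-minute ceiling, and the sample inputs are this example's own assumptions; on a real node you would pass it the Kubelet's argument list (for example from 'ps -o args= -C kubelet') and the contents of the file named by '--config'.

```python
import re

# Go duration units accepted by the kubelet flag (time.ParseDuration syntax).
_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

# Kubelet default when neither flag nor config file sets the value.
KUBELET_DEFAULT = "4h"
# Ceiling taken from this rule's guidance of '5m' (assumption of this example).
MAX_IDLE_SECONDS = 5 * 60

_FLAG = "--streaming-connection-idle-timeout"
_CONFIG_KEY = re.compile(r"^\s*streamingConnectionIdleTimeout:\s*[\"']?([^\"'\s#]+)", re.M)


def parse_go_duration(text):
    """Convert a Go-style duration string ('5m', '4h0m0s', '0') to seconds."""
    text = text.strip()
    if not text:
        raise ValueError("empty duration")
    sign = 1.0
    if text[0] in "+-":
        sign = -1.0 if text[0] == "-" else 1.0
        text = text[1:]
    if text == "0":  # Go allows a bare zero with no unit
        return 0.0
    total, pos = 0.0, 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:  # junk between tokens, e.g. '5 m'
            break
        total += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError("invalid duration: %r" % text)
    return sign * total


def effective_timeout(kubelet_args, kubelet_config=""):
    """Return (value, source) for the idle timeout the kubelet will actually use.

    Precedence mirrors the kubelet: a command-line flag overrides the
    KubeletConfiguration file, and the built-in default applies if neither is set.
    """
    value = None
    for i, arg in enumerate(kubelet_args):
        if arg.startswith(_FLAG + "="):
            value = arg.split("=", 1)[1]  # --flag=value form
        elif arg == _FLAG and i + 1 < len(kubelet_args):
            value = kubelet_args[i + 1]  # --flag value form
    if value is not None:
        return value, "flag"
    m = _CONFIG_KEY.search(kubelet_config)
    if m:
        return m.group(1), "config"
    return KUBELET_DEFAULT, "default"


def check_idle_timeout(kubelet_args, kubelet_config=""):
    """Evaluate CNTR-K8-001300; returns (compliant, seconds, finding_text)."""
    value, source = effective_timeout(kubelet_args, kubelet_config)
    try:
        seconds = parse_go_duration(value)
    except ValueError as exc:
        return False, None, "unparseable value from %s: %s" % (source, exc)
    if seconds <= 0:
        return False, seconds, "idle timeout disabled (%s from %s): finding" % (value, source)
    if seconds > MAX_IDLE_SECONDS:
        return False, seconds, "idle timeout %s from %s exceeds 5m: finding" % (value, source)
    return True, seconds, "idle timeout %s from %s: compliant" % (value, source)


if __name__ == "__main__":
    # Constructed sample inputs for illustration, not captured from a real node.
    weak_args = ["/usr/bin/kubelet", "--config=/var/lib/kubelet/config.yaml",
                 "--streaming-connection-idle-timeout=0"]
    fixed_config = "kind: KubeletConfiguration\nstreamingConnectionIdleTimeout: 5m\n"
    for args, cfg in [(weak_args, ""), (["/usr/bin/kubelet"], fixed_config),
                      (["/usr/bin/kubelet"], "")]:
        print(check_idle_timeout(args, cfg))
```

Note that a Kubelet with neither the flag nor the config field set is reported as a finding as well: the 4h default is nonzero, but it is far above the 5m this rule expects, and a reviewer who only greps for '0' would miss it.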

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R5_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-10, CAT|II, CCI|CCI-001133, Rule-ID|SV-245541r821621_rule, STIG-ID|CNTR-K8-001300, Vuln-ID|V-245541

Plugin: Unix

Control ID: 739c98f46291b10dc1abd97589b29d199266e3038c53c6e3ca364cb0cc1db976