Detections
Analytics
Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture
LOW
Description
Description:
Security relevant information should be captured. The eventRecordQPS on the Kubelet configuration can be used to limit the rate at which events are gathered and sets the maximum event creations per second. Setting this too low could result in relevant events not being logged, however the unlimited setting of '0' could result in a denial of service on the kubelet.
Rationale:
It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data.
Setting this parameter to '0' could result in a denial of service condition due to excessive events being created. The cluster's event processing and storage systems should be scaled to handle expected event loads.
Remediation
If using a Kubelet config file, edit the file to set 'eventRecordQPS:' to an appropriate level.
If using command line arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf' on each worker node and set the below parameter in 'KUBELET_SYSTEM_PODS_ARGS' variable.
Based on your system, restart the 'kubelet' service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Policy Details
Frameworks
NIST-800-53
NIST-CSF
HIPAA
CIS Kubernetes v1.4.0 Level 1
CIS Kubernetes v1.6.1 Level 2 - Worker Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 2
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 2
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 2 - Worker Node
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1