Theme

Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture

LOW

Description

Description:

Security relevant information should be captured. The '--eventRecordQPS' flag on the Kubelet can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events not being logged, however the unlimited setting of '0' could result in a denial of service on the kubelet.

Rationale:

It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data.

Setting this parameter to '0' could result in a denial of service condition due to excessive events being created. The cluster's event processing and storage systems should be scaled to handle expected event loads.

Remediation

Remediation Method 1:

If modifying the Kubelet config file, edit the kubelet-config.json file '/etc/kubernetes/kubelet/kubelet-config.json' and set the below parameter to 5 or a value greater or equal to 0

"eventRecordQPS": 5

Remediation Method 2:

If using executable arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf' on each worker node and add the below parameter at the end of the 'KUBELET_ARGS' variable string.

--eventRecordQPS=5

Remediation Method 3:

If using the api configz endpoint consider searching for the status of '"eventRecordQPS"' by extracting the live configuration from the nodes running kubelet.

**See detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a Live Cluster, and then rerun the curl statement from audit process to check for kubelet configuration changes

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"

For all three remediations:
Based on your system, restart the 'kubelet' service and check status

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
.

Policy Details

Rule Reference ID: AC_K8S_0004

CSP: Kubernetes

Remediation Available: No

Domain: Logging and Monitoring

Resource: kubernetes_kubelet_configuration

Resource Category: Management

Resource Type: Kublet Configuration

Frameworks

GDPR
NIST-800-53
NIST-CSF
HIPAA
CIS Kubernetes v1.4.0 Level 1
CIS Kubernetes v1.6.1 Level 2 - Worker Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 2
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 2 - Worker Node