Ensure that the --streaming-connection-idle-timeout argument is not set to 0

LOW

Description

Description:

Do not disable timeouts on streaming connections.

Rationale:

Setting an idle timeout helps protect the kubelet against Denial-of-Service attacks, the accumulation of inactive connections and the exhaustion of ephemeral ports, because a peer that opens a streaming connection and then goes quiet cannot hold that connection (and its port) open indefinitely.

Note: By default, '--streaming-connection-idle-timeout' is set to 4 hours, which may be too high for your environment. Set a value appropriate to your workloads so that streaming connections are timed out soon after they have served their legitimate use.

Impact:

Streaming connections (kubectl exec, attach and port-forward sessions) that stay idle for longer than the timeout will be closed by the kubelet. Active sessions are not affected; only idle time counts.

Remediation

Remediation Method 1:

If modifying the Kubelet config file, edit '/etc/kubernetes/kubelet/kubelet-config.json' and set the parameter below to a non-zero Go duration string in the form #h#m#s (for example, 4h0m0s):

"streamingConnectionIdleTimeout": "4h0m0s"

You should ensure that the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf' does not specify a '--streaming-connection-idle-timeout' argument, because a command-line flag overrides the value in the Kubelet config file.

Remediation Method 2:

If using executable arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf' on each worker node and add the parameter below at the end of the 'KUBELET_ARGS' variable string:

--streaming-connection-idle-timeout=4h0m0s

Remediation Method 3:

If using the kubelet's configz endpoint, extract the live configuration from each node running kubelet and check the value of '"streamingConnectionIdleTimeout":'.

See the detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a Live Cluster, then rerun the curl statement from the audit process to check for kubelet configuration changes. Note that the configmap procedure relies on dynamic kubelet configuration, which was removed in Kubernetes v1.24; on newer clusters, apply Method 1 or Method 2 and use the configz endpoint only to verify the result.

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001   # example host and port number
export NODE_NAME=ip-192.168.31.226.ec2.internal   # example node name from "kubectl get nodes"

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"

For all three remediations, restart the 'kubelet' service in the manner appropriate to your system and check its status:

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
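To evaluate the configz response returned by the curl statement in Method 3, both when auditing and again after the kubelet restart, the following Python script, added here as an example and not part of the benchmark text or the kubelet project, parses the response and reports whether 'streamingConnectionIdleTimeout' is disabled (0), unset, unparseable, or set above a ceiling you choose for your environment. The PASS/WARN/FAIL labels, the function names, the script filename in the usage comment and the embedded sample responses are assumptions made for this example; the response shape ({"kubeletconfig": {...}}), the Go duration format and the 4-hour default are the kubelet's own.

```python
"""Check a kubelet's live configuration (the /configz response) for the
streaming-connection idle timeout.

Added example for this recommendation, not part of the benchmark or the
kubelet project. The status labels, helper names and sample responses are
assumptions constructed for illustration.
"""
import json
import re
import sys

# Seconds per unit for the ASCII units accepted by Go's time.ParseDuration,
# which is what the kubelet uses for fields such as "4h0m0s".
_GO_UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001, "us": 1e-6, "ns": 1e-9}
# In the alternation, "ms" must precede "m" so that "5ms" is not read as "5m".
_GO_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(h|ms|m|s|us|ns)")

# Value the kubelet applies when the field is absent from its configuration.
KUBELET_DEFAULT_SECONDS = 4 * 3600.0


def parse_go_duration(value: str) -> float:
    """Convert a Go duration string ("4h0m0s", "30m", "0") to seconds.

    Raises ValueError for anything Go would reject, so a mistyped value is
    reported as a failure instead of being treated as "timeout present".
    """
    text = value.strip()
    sign = 1.0
    if text[:1] in ("+", "-"):
        sign = -1.0 if text[0] == "-" else 1.0
        text = text[1:]
    if text == "0":  # Go accepts a bare zero with no unit
        return 0.0
    total, pos = 0.0, 0
    while pos < len(text):
        match = _GO_COMPONENT.match(text, pos)
        if match is None:
            raise ValueError(f"invalid duration {value!r}")
        total += float(match.group(1)) * _GO_UNITS[match.group(2)]
        pos = match.end()
    if pos == 0:  # empty string or sign only
        raise ValueError(f"invalid duration {value!r}")
    return sign * total


def check_streaming_idle_timeout(configz_json: str, max_seconds: float = KUBELET_DEFAULT_SECONDS):
    """Evaluate one node's /configz response.

    Returns (status, detail) where status is:
      FAIL - the timeout is 0 (disabled), negative, unparseable, or the
             response is not a configz document;
      WARN - the timeout is set but longer than max_seconds, the ceiling you
             choose for your environment (defaults to the kubelet's own 4h);
      PASS - otherwise, including the field being unset (default applies).
    """
    try:
        doc = json.loads(configz_json)
    except json.JSONDecodeError as exc:
        return "FAIL", f"response is not JSON: {exc}"
    kubelet_config = doc.get("kubeletconfig") if isinstance(doc, dict) else None
    if not isinstance(kubelet_config, dict):
        return "FAIL", "response has no kubeletconfig object"
    raw = kubelet_config.get("streamingConnectionIdleTimeout")
    if raw is None:
        # Field absent: the kubelet's built-in 4h default applies, which is non-zero.
        return "PASS", f"field unset; kubelet default of {KUBELET_DEFAULT_SECONDS:.0f}s applies"
    try:
        seconds = parse_go_duration(str(raw))
    except ValueError as exc:
        return "FAIL", str(exc)
    if seconds <= 0:
        return "FAIL", f"streamingConnectionIdleTimeout={raw!r} disables the idle timeout"
    if seconds > max_seconds:
        return "WARN", f"streamingConnectionIdleTimeout={raw!r} exceeds the {max_seconds:.0f}s ceiling"
    return "PASS", f"streamingConnectionIdleTimeout={raw!r} ({seconds:.0f}s)"


# Constructed sample responses in the shape the kubelet's /configz endpoint
# returns, trimmed to the field under audit.
SAMPLE_CONFIGZ_DISABLED = json.dumps({"kubeletconfig": {
    "kind": "KubeletConfiguration", "streamingConnectionIdleTimeout": "0s"}})
SAMPLE_CONFIGZ_DEFAULT = json.dumps({"kubeletconfig": {
    "kind": "KubeletConfiguration", "streamingConnectionIdleTimeout": "4h0m0s"}})


if __name__ == "__main__":
    # Assumed usage (script name is hypothetical):
    #   curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz" \
    #     | python3 check_idle_timeout.py [max_seconds]
    ceiling = float(sys.argv[1]) if len(sys.argv) > 1 else KUBELET_DEFAULT_SECONDS
    status, detail = check_streaming_idle_timeout(sys.stdin.read(), ceiling)
    print(f"{status}: {detail}")
    sys.exit(1 if status == "FAIL" else 0)
```

Pipe the output of the curl statement into the script, optionally passing the ceiling in seconds that you consider acceptable for your environment (for example 1800 for 30 minutes) so that a value left at the 4-hour default is flagged as WARN rather than silently passed. The same response can be fetched without running kubectl proxy by using 'kubectl get --raw "/api/v1/nodes/${NODE_NAME}/proxy/configz"'. Run the check against every worker node, since each kubelet is configured independently.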