1.2.9 Ensure that the admission control plugin EventRateLimit is set

Information

Limit the rate at which the API server accepts requests.

Rationale:

Using EventRateLimit admission control enforces a limit on the number of events that the API Server will accept in a given time slice. A misbehaving workload could overwhelm and DoS the API Server, making it unavailable. This particularly applies to a multi-tenant cluster, where there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. Hence, it is recommended to limit the rate of events that the API server will accept.

Note: This is an Alpha feature in the Kubernetes 1.15 release.

Impact:

You need to carefully tune in limits as per your environment.

Solution

Follow the Kubernetes documentation and set the desired limits in a configuration file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters.

--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=<path/to/configuration/file>

Default Value:

By default, EventRateLimit is not set.

See Also

https://workbench.cisecurity.org/files/4111

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-15, CSCv7|8.3

Plugin: Unix

Control ID: 3de7a3bd71af99764d6521344c9f6ecaccf74362d39fea05e257ff90ce3d9ba4