4.2.13 Ensure that a limit is set on pod PIDs

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Ensure that the Kubelet sets limits on the number of PIDs that can be created by pods running on the node.

Rationale:

By default, pods running in a cluster can consume any number of PIDs, potentially exhausting the process table of the node and starving the kubelet and other pods. Setting an appropriate limit reduces the risk of a denial-of-service (fork-bomb style) condition on cluster nodes.

Impact:

Setting this value restricts the number of processes each pod may create. If the limit is lower than the number of PIDs a pod requires, that pod will fail to operate correctly.

Solution

Decide on an appropriate level for this parameter and set it, either via the --pod-max-pids command-line parameter or the PodPidsLimit setting in the kubelet configuration file.

Default Value:

By default the number of PIDs is not limited.
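The following audit helper is an added example (not part of the CIS benchmark or any Tenable plugin) that shows how to evaluate this control on a node: it reads the `podPidsLimit` field from a KubeletConfiguration file (the camelCase spelling used in the file), falls back to the `--pod-max-pids` flag on the kubelet command line, and treats a missing, zero or negative value as "unlimited". The sample configuration it runs against is constructed inline; on a real node you would point it at the file named by the kubelet's `--config` flag and at the kubelet's actual command line.

```shell
#!/bin/sh
# Audit helper: does this kubelet enforce a per-pod PID limit?
# Kubelet semantics assumed here: a command-line flag overrides the same
# field in the config file, and a limit <= 0 (kubelet default -1) means unlimited.

# pid_limit_from_config FILE -> prints the podPidsLimit value, or nothing if unset/unreadable
pid_limit_from_config() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*podPidsLimit:[[:space:]]*\([-0-9]*\).*/\1/p' "$1" | head -n 1
}

# pid_limit_from_cmdline "ARGS" -> prints the --pod-max-pids value, or nothing if the flag is absent
pid_limit_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--pod-max-pids=\([-0-9]*\)$/\1/p' | head -n 1
}

# effective_pid_limit CONFIG_FILE "CMDLINE" -> prints the limit that applies, or "unlimited"
effective_pid_limit() {
    limit=$(pid_limit_from_cmdline "$2")
    [ -n "$limit" ] || limit=$(pid_limit_from_config "$1")
    case "$limit" in
        ''|-*|0) echo unlimited ;;
        *)       echo "$limit" ;;
    esac
}

# audit_pod_pids_limit CONFIG_FILE "CMDLINE" -> exit 0 (pass) only when a positive limit is enforced
audit_pod_pids_limit() {
    [ "$(effective_pid_limit "$1" "$2")" != unlimited ]
}

# Constructed sample input (not taken from a real node): a config file that sets the limit.
sample=$(mktemp)
cat >"$sample" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
podPidsLimit: 4096
EOF
# On a real node, CMDLINE would be: tr '\0' ' ' </proc/"$(pidof kubelet)"/cmdline
if audit_pod_pids_limit "$sample" "/usr/bin/kubelet --config=$sample"; then
    echo "PASS: pod PID limit is $(effective_pid_limit "$sample" "/usr/bin/kubelet --config=$sample")"
else
    echo "FAIL: pod PID limit is unlimited"
fi
rm -f "$sample"
```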

See Also

https://workbench.cisecurity.org/benchmarks/16828