4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0

Information

Do not disable timeouts on streaming connections.

Rationale:

Setting idle timeouts ensures that you are protected against Denial-of-Service attacks, inactive connections and running out of ephemeral ports.

Note: By default, --streaming-connection-idle-timeout is set to 4 hours which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.

Impact:

Long-lived connections could be interrupted.

Solution

If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a value other than 0.
If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.

--streaming-connection-idle-timeout=5m

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Default Value:

By default, --streaming-connection-idle-timeout is set to 4 hours.

See Also

https://workbench.cisecurity.org/benchmarks/16828

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Unix

Control ID: e26959cc299d9ce5c2edff8bcbc6b81b2be98ae34ab3ab70123dca8c4f4c7b71