-
Notifications
You must be signed in to change notification settings - Fork 16
/
data.yaml
44 lines (41 loc) · 1.75 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
metadata:
id: 17282e92-075f-593d-99eb-99346e4288ed
name: Ensure that the --request-timeout argument is set as appropriate
profile_applicability: '* Level 1 - Master Node'
description: Set global request timeout for API server requests as appropriate.
rationale: |-
Setting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed.
By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds.
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack.
Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.
audit: |-
Run the following command on the Control Plane node:
```
ps -ef | grep kube-apiserver
```
Verify that the `--request-timeout` argument is either not set or set to an appropriate value.
remediation: |-
Edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` and set the below parameter as appropriate and if needed.
For example,
```
--request-timeout=300s
```
impact: None
default_value: |
By default, `--request-timeout` is set to 60 seconds.
references: |-
1. https://kubernetes.io/docs/admin/kube-apiserver/
2. https://github.com/kubernetes/kubernetes/pull/51415
section: API Server
version: '1.0'
tags:
- CIS
- Kubernetes
- CIS 1.2.23
- API Server
benchmark:
name: CIS Kubernetes V1.23
version: v1.0.1
id: cis_k8s
rule_number: 1.2.23
posture_type: kspm