Enable the APIPriorityAndFairness feature gate

An XCCDF Rule

Description

To limit the rate at which the API Server accepts requests, make sure that the API Priority and Fairness feature is enabled. The APIPriorityAndFairness feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. To enable the APIPriorityAndFairness feature gate, make sure that the feature-gates API server argument, typically set in the config configMap in the openshift-kube-apiserver namespace, contains APIPriorityAndFairness=true. Note that since Kubernetes 1.20, this feature gate is enabled by default. As a result, this rule is only applicable to OpenShift releases prior to 4.7, which was the first OCP release to ship Kubernetes 1.20.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API to retrieve the /apis/operator.openshift.io/v1/kubeapiservers/cluster API endpoint and save it to the local /apis/operator.openshift.io/v1/kubeapiservers/cluster file.
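One way to evaluate a saved dump offline, as an added example that is not the rule's own check or code from the project: it searches the JSON for any feature-gates argument and reports the state of APIPriorityAndFairness. The function names, the sample dump and its nesting under spec.observedConfig are assumptions made for illustration.

```python
import json

GATE = "APIPriorityAndFairness"

# Constructed sample dump; the nesting under spec.observedConfig is an assumption.
SAMPLE_DUMP = json.dumps({
    "kind": "KubeAPIServer",
    "spec": {"observedConfig": {"apiServerArguments": {
        "feature-gates": ["RotateKubeletServerCertificate=true",
                          "APIPriorityAndFairness=true"],
    }}},
})


def find_feature_gates(node):
    """Yield each gate entry found under any 'feature-gates' key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "feature-gates":
                values = value if isinstance(value, list) else [value]
                for item in values:
                    # One argument may carry several comma-separated gates.
                    yield from (g.strip() for g in str(item).split(",") if g.strip())
            else:
                yield from find_feature_gates(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_feature_gates(item)


def gate_state(dump_text, gate=GATE):
    """Return 'enabled', 'disabled' or 'unset' for the gate in a JSON dump."""
    state = "unset"
    for entry in find_feature_gates(json.loads(dump_text)):
        name, _, value = entry.partition("=")
        if name == gate:
            # Anything other than an explicit =true counts as not enabled,
            # and a single such entry overrides any =true seen elsewhere.
            if value.lower() != "true":
                return "disabled"
            state = "enabled"
    return state


if __name__ == "__main__":
    print(gate_state(SAMPLE_DUMP))
```

A result of unset means the cluster relies on the default, which per the description above is enabled only from Kubernetes 1.20 (OCP 4.7) onward.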

Rationale

The APIPriorityAndFairness feature gate enables the use of the FlowSchema API objects, which enforce a limit on the number of events that the API Server will accept in a given time slice. In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. It is recommended to limit the rate of events that the API Server will accept.

ID
xccdf_org.ssgproject.content_rule_api_server_api_priority_gate_enabled
Severity
Medium