Configure the API Server Minimum Request Timeout

An XCCDF Rule

Description

The API server minimum request timeout defines the minimum number of seconds a handler must keep a request open before timing it out. To set this, edit the openshift-kube-apiserver configmap and set min-request-timeout under the apiServerArguments field:

"apiServerArguments":{
  ...
  "min-request-timeout":[
    
  ],
  ...

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

Rationale

Setting global request timeout allows extending the API Server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 1800 seconds which might not be suitable for some environments. Setting the limit too low may result in excessive timeouts, and a limit that is too large may exhaust the API Server resources making it prone to Denial-of-Service attack. It is recommended to set this limit as appropriate and change the default limit of 1800 seconds only if needed.

ID: xccdf_org.ssgproject.content_rule_api_server_request_timeout
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

Req-2.2

SRG-APP-000516-CTR-001325

1.2.24
Updated: about 1 year ago