kubelet - Do Not Disable Streaming Timeouts

Description

Timeouts for streaming connections should not be disabled as they help to prevent denial-of-service attacks. To configure streaming connection timeouts To set the streamingConnectionIdleTimeout option for the kubelet, create a KubeletConfig option along these lines:

apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
   name: kubelet-config-$pool
spec:
    machineConfigPoolSelector:
        matchLabels:
            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
    kubeletConfig:
        streamingConnectionIdleTimeout:

Rationale

Ensuring connections have timeouts helps to protect against denial-of-service attacks as well as disconnect inactive connections. In addition, setting connections timeouts helps to prevent from running out of ephemeral ports.

ID: xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections_master
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

SRG-APP-000516-CTR-001325

4.2.5
Updated: about 1 year ago