Kubernetes Kubelet must not disable timeouts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-245541	CNTR-K8-001300	SV-245541r754888_rule		Medium

Description
Idle connections from the Kubelet can be use by unauthorized users to perform malicious activity to the nodes, pods, containers, and cluster within the Kubernetes Control Plane. Setting the streaming connection idle timeout defines the maximum time an idle session is permitted prior to disconnect. Setting the value to "0" never disconnects any idle sessions. Idle timeouts must never be set to "0" and should be defined at a minimum of "5 minutes".

Description

Idle connections from the Kubelet can be use by unauthorized users to perform malicious activity to the nodes, pods, containers, and cluster within the Kubernetes Control Plane. Setting the streaming connection idle timeout defines the maximum time an idle session is permitted prior to disconnect. Setting the value to "0" never disconnects any idle sessions. Idle timeouts must never be set to "0" and should be defined at a minimum of "5 minutes".

STIG	Date
Kubernetes Security Technical Implementation Guide	2021-11-22

Details

Check Text ( C-48816r754886_chk )
Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run the command: grep -i streaming-connection-idle-timeout kubelet If the setting streaming-connection-idle-timeout is set to "0" or the parameter is not configured in the Kubernetes Kubelet, this is a finding.

Fix Text (F-48771r754887_fix)
Edit the Kubernetes Kubelet file in the /etc/sysconfig directory on the Kubernetes Master Node. Set the argument "--streaming-connection-idle-timeout" to a value other than "0". Reset Kubelet service using the following command: service kubelet restart