UCF STIG Viewer Logo

Kubernetes Kubelet must not disable timeouts.


Finding ID Version Rule ID IA Controls Severity
V-245541 CNTR-K8-001300 SV-245541r864032_rule Medium
Idle connections from the Kubelet can be used by unauthorized users to perform malicious activity to the nodes, pods, containers, and cluster within the Kubernetes Control Plane. Setting the streaming connection idle timeout defines the maximum time an idle session is permitted prior to disconnect. Setting the value to "0" never disconnects any idle sessions. Idle timeouts must never be set to "0" and should be defined at "5m" (the default is 4hr).
Kubernetes Security Technical Implementation Guide 2022-12-02


Check Text ( C-48816r863940_chk )
On the Kubernetes Control Plane, run the command:
ps -ef | grep kubelet
Check the config file (path identified by: --config):

Change to the directory identified by --config (example /etc/sysconfig/) run the command:
grep -i streaming-connection-idle-timeout kubelet

If the setting streaming-connection-idle-timeout is set to < "5m" or the parameter is not configured in the Kubernetes Kubelet, this is a finding.
Fix Text (F-48771r863941_fix)
Edit the Kubernetes Kubelet file in the --config directory on the Kubernetes Control Plane:

Set the argument "--streaming-connection-idle-timeout" to a value of "5m".

Reset Kubelet service using the following command:
service kubelet restart