Profile applicability: Level 1
Do not disable timeouts on streaming connections.
Setting idle timeouts on the kubelet's streaming connections (the long-lived connections it keeps open for exec, attach, port-forward and log streaming) ensures that you are protected against Denial-of-Service attacks, inactive connections and running out of ephemeral ports.
Note: By default, --streaming-connection-idle-timeout is set to 4 hours, which might be too high for your environment. Setting this to a value appropriate for your workloads would additionally ensure that such streaming connections are timed out after serving legitimate use cases.
Note: See the GKE documentation for the default value.
Impact
Long-lived connections could be interrupted.
Audit
Audit Method 1:
- SSH to each node and execute the following command to find the running kubelet process:
                      ps -ef | grep kubelet
- If the command line for the process includes the argument --streaming-connection-idle-timeout, verify that it is not set to 0 (a zero duration such as 0, 0s or 0h0m0s). If the --streaming-connection-idle-timeout argument is not present in the output of the above command, refer instead to the --config argument, which specifies the location of the Kubelet config file, e.g. --config /etc/kubernetes/kubelet-config.yaml.
- Open the Kubelet config file:
                      cat /etc/kubernetes/kubelet-config.yaml
- Verify that the streamingConnectionIdleTimeout parameter is not set to 0. If the parameter is absent, the kubelet default (4h0m0s) applies.
Audit Method 2:
If using the API configz endpoint, extract the live configuration from the node running the kubelet and check the value of "streamingConnectionIdleTimeout" (for example "streamingConnectionIdleTimeout":"4h0m0s"). Start a local proxy, set HOSTNAME_PORT to the proxy host and port and NODE_NAME to the name of the node whose configuration you want to extract (from the output of "kubectl get nodes"), then query the endpoint:
kubectl proxy --port=8001 &
export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=gke-cluster-1-pool1-5e572947-r2hg (example node name from "kubectl get nodes")
curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
Verify that the value returned for "streamingConnectionIdleTimeout" is not a zero duration.
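The checks in Audit Method 1 and Audit Method 2 can be scripted. The helper below is an added example, not part of the CIS benchmark or of GKE: it applies the precedence the benchmark describes (a --streaming-connection-idle-timeout command-line flag overrides the config file, and an absent setting means the kubelet default of 4h0m0s applies) to a ps -ef command line, to a kubelet config file in YAML or JSON form, and to a configz response. The command lines, config files and configz document it uses are constructed samples; on a real node feed it the actual ps output and the path named by the --config argument, and pipe the curl output from Audit Method 2 into configz_idle_timeout. Any Go-style duration whose digits are all zero (0, 0s, 0h0m0s) is treated as "disabled".

```sh
#!/bin/sh
# Added audit helper (example code, not the benchmark's own): decide whether a
# node's effective streamingConnectionIdleTimeout is compliant (not zero).

# Succeed (return 0) only when a Go-style duration such as "0", "0s" or
# "0h0m0s" denotes zero. Any other digit anywhere ("4h0m0s", "30m") is non-zero.
is_zero_duration() {
    digits=$(printf '%s' "$1" | tr -d 'hms"')
    [ -n "$digits" ] || return 1
    case "$digits" in
        *[!0]*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Value of --streaming-connection-idle-timeout on a kubelet command line, in
# either "--flag=VALUE" or "--flag VALUE" form; prints nothing if absent.
flag_idle_timeout() {
    printf '%s\n' "$1" \
        | grep -o -- '--streaming-connection-idle-timeout[= ][^ ]*' \
        | head -n 1 \
        | sed 's/^--streaming-connection-idle-timeout[= ]//'
}

# streamingConnectionIdleTimeout from a KubeletConfiguration file, YAML
# ("key: 4h0m0s") or JSON ("\"key\": \"4h0m0s\","); prints nothing if absent.
config_idle_timeout() {
    [ -f "$1" ] || return 0
    grep -E '^[[:space:]]*"?streamingConnectionIdleTimeout"?[[:space:]]*:' "$1" \
        | head -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//; s/,[[:space:]]*$//; s/^"//; s/"$//'
}

# Same key from a one-line /configz JSON document read on stdin.
configz_idle_timeout() {
    grep -o '"streamingConnectionIdleTimeout":[[:space:]]*"[^"]*"' \
        | head -n 1 \
        | sed 's/.*:[[:space:]]*"//; s/"$//'
}

# $1 = kubelet command line as printed by `ps -ef`, $2 = path of the file named
# by its --config argument. Prints the effective value and where it came from;
# returns 0 for PASS and 1 for FAIL.
audit_streaming_idle_timeout() {
    val=$(flag_idle_timeout "$1")
    src="command-line flag"
    if [ -z "$val" ]; then
        val=$(config_idle_timeout "$2")
        src="config file $2"
    fi
    if [ -z "$val" ]; then
        val="4h0m0s"            # kubelet default when neither flag nor file sets it
        src="kubelet default"
    fi
    if is_zero_duration "$val"; then
        echo "FAIL: streamingConnectionIdleTimeout=$val (from $src)"
        return 1
    fi
    echo "PASS: streamingConnectionIdleTimeout=$val (from $src)"
}

# Constructed sample inputs (not captured from a real node) so this runs offline.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

SAMPLE_CFG_OK="$TMPD/kubelet-config.yaml"
printf '%s\n' 'apiVersion: kubelet.config.k8s.io/v1beta1' \
              'kind: KubeletConfiguration' \
              'streamingConnectionIdleTimeout: 4h0m0s  # benchmark example' > "$SAMPLE_CFG_OK"

SAMPLE_CFG_ZERO="$TMPD/kubelet-config-zero.json"
printf '%s\n' '{' '  "kind": "KubeletConfiguration",' \
              '  "streamingConnectionIdleTimeout": "0s",' \
              '  "apiVersion": "kubelet.config.k8s.io/v1beta1"' '}' > "$SAMPLE_CFG_ZERO"

SAMPLE_CFG_NOKEY="$TMPD/kubelet-config-nokey.yaml"
printf '%s\n' 'apiVersion: kubelet.config.k8s.io/v1beta1' \
              'kind: KubeletConfiguration' > "$SAMPLE_CFG_NOKEY"

# Constructed `ps -ef` lines; the kubelet path and PIDs are placeholders.
PS_CFG="root 1234 1 0 10:00 ? 00:01:02 /usr/bin/kubelet --config=$SAMPLE_CFG_OK --kubeconfig=/var/lib/kubelet/kubeconfig"
PS_FLAG_ZERO="$PS_CFG --streaming-connection-idle-timeout=0"
PS_FLAG_OK="$PS_CFG --streaming-connection-idle-timeout 30m"
CONFIGZ_SAMPLE='{"kubeletconfig":{"kind":"KubeletConfiguration","streamingConnectionIdleTimeout":"4h0m0s"}}'

audit_streaming_idle_timeout "$PS_CFG" "$SAMPLE_CFG_OK"        || true   # PASS (config 4h0m0s)
audit_streaming_idle_timeout "$PS_CFG" "$SAMPLE_CFG_ZERO"      || true   # FAIL (config 0s)
audit_streaming_idle_timeout "$PS_FLAG_ZERO" "$SAMPLE_CFG_OK"  || true   # FAIL (flag overrides file)
audit_streaming_idle_timeout "$PS_FLAG_OK" "$SAMPLE_CFG_ZERO"  || true   # PASS (flag overrides file)
audit_streaming_idle_timeout "$PS_CFG" "$SAMPLE_CFG_NOKEY"     || true   # PASS (default 4h0m0s)
printf '%s' "$CONFIGZ_SAMPLE" | configz_idle_timeout                     # 4h0m0s
```

The flag is checked first deliberately: as the Remediation section notes, a --streaming-connection-idle-timeout argument in the kubelet service file overrides whatever the config file says, so a compliant config file next to a zero flag is still a FAIL.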
Remediation
Remediation Method 1:
If modifying the Kubelet config file, edit /etc/kubernetes/kubelet-config.yaml and set the parameter below to a non-zero value in the format #h#m#s: "streamingConnectionIdleTimeout": "4h0m0s"
Ensure that the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf does not specify a --streaming-connection-idle-timeout argument, because a command-line argument overrides the Kubelet config file.
Remediation Method 2:
If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each worker node and add the below parameter at the end of the KUBELET_ARGS variable string: --streaming-connection-idle-timeout=4h0m0s
Remediation Method 3: 
If using the API configz endpoint, extract the live configuration from the node running the kubelet and check the value of "streamingConnectionIdleTimeout". See the detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a Live Cluster, and then rerun the curl statement from the audit process to check for kubelet configuration changes:
kubectl proxy --port=8001 &
export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=gke-cluster-1-pool1-5e572947-r2hg (example node name from "kubectl get nodes")
curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
For all three remediation methods:
Based on your system, restart the kubelet service and check its status:
systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l