Check: CNTR-K8-001300

Kubernetes STIG: CNTR-K8-001300 (in versions v2 r4 through v2 r3)

  Title
Kubernetes Kubelet must not disable timeouts. (Cat II impact)
Discussion
Idle streaming connections to the Kubelet (the sessions behind exec, attach, and port-forward) can be used by unauthorized users to perform malicious activity against the nodes, pods, containers, and cluster within the Kubernetes Control Plane. The streamingConnectionIdleTimeout setting defines the maximum time an idle session is permitted before the Kubelet disconnects it. Setting the value to "0" disables the timeout, so idle sessions are never disconnected. Idle timeouts must never be set to "0" and should be set to "5m" (the default is 4h). Note that the Kubelet runs on every node, not only the Control Plane, so the setting must be checked and fixed on each node.
Check Content
Follow these steps to check streaming-connection-idle-timeout:

1. On the Control Plane, run the command:
   ps -ef | grep kubelet
   If the "--streaming-connection-idle-timeout" option exists on the command line, this is a finding. Note the path to the config file (identified by --config).

2. Run the command:
   grep -i streamingConnectionIdleTimeout <path_to_config_file>
   If the setting "streamingConnectionIdleTimeout" is set to less than "5m" or is not configured, this is a finding.
Fix Text
Follow these steps to configure streaming-connection-idle-timeout:

1. On the Control Plane, run the command:
   ps -ef | grep kubelet
   Remove the "--streaming-connection-idle-timeout" option if present. Note the path to the config file (identified by --config).

2. Edit the Kubelet configuration file identified by --config on the Kubernetes Control Plane and set "streamingConnectionIdleTimeout" to a value of "5m". Restart the Kubelet so the new configuration takes effect.
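The two-step check above can be scripted so it runs the same way on every node. The script below is an added example and is not part of the STIG or the Kubernetes project; it assumes the Kubelet is started with --config pointing at a KubeletConfiguration YAML, only understands integer h/m/s duration groups (anything else is reported as a finding for manual review), and uses constructed sample config files for its demo run.

```shell
#!/bin/sh
# Added example: audit CNTR-K8-001300 (streamingConnectionIdleTimeout) on a node.
# Assumption: the value is a Go-style duration made of integer h/m/s groups
# ("5m", "4h0m0s", "300s") or the literal "0" (no timeout).

# Convert a duration such as "4h0m0s" to seconds; fails on anything unparseable.
duration_to_seconds() {
  d="$1"
  [ "$d" = "0" ] && { echo 0; return 0; }
  printf '%s' "$d" | grep -Eq '^([0-9]+(h|m|s))+$' || return 1
  printf '%s\n' "$d" | awk '{
    s = $0; total = 0
    while (match(s, /^[0-9]+[hms]/)) {
      tok = substr(s, RSTART, RLENGTH)
      n = substr(tok, 1, length(tok) - 1)
      u = substr(tok, length(tok))
      if (u == "h") total += n * 3600
      else if (u == "m") total += n * 60
      else total += n
      s = substr(s, RLENGTH + 1)
    }
    print total
  }'
}

# Apply the STIG logic to a kubelet command line and its config file.
# Returns 0 for PASS, 1 for a finding (the verdict is printed either way).
check_kubelet_timeout() {
  cmdline="$1"; config="$2"
  case "$cmdline" in
    *--streaming-connection-idle-timeout*)
      echo "FINDING: --streaming-connection-idle-timeout is set on the command line"
      return 1 ;;
  esac
  [ -r "$config" ] || { echo "FINDING: config file '$config' not readable"; return 1; }
  # Only uncommented "streamingConnectionIdleTimeout:" keys; strip quotes and trailing comments.
  value=$(grep -iE '^[[:space:]]*streamingConnectionIdleTimeout[[:space:]]*:' "$config" | head -n1 \
          | sed -E "s/^[^:]*:[[:space:]]*//; s/[\"']//g; s/[[:space:]]*(#.*)?$//")
  [ -n "$value" ] || { echo "FINDING: streamingConnectionIdleTimeout not configured (default 4h)"; return 1; }
  secs=$(duration_to_seconds "$value") || { echo "FINDING: cannot parse value '$value'"; return 1; }
  if [ "$secs" -lt 300 ]; then
    echo "FINDING: streamingConnectionIdleTimeout=$value is less than 5m"
    return 1
  fi
  echo "PASS: streamingConnectionIdleTimeout=$value"
  return 0
}

# On a live node: read the running kubelet's command line and --config path, then audit.
audit_live_node() {
  cmdline=$(ps -ef | grep '[k]ubelet' | head -n1)
  cfg=$(printf '%s\n' "$cmdline" | sed -nE 's/.*--config[= ]([^ ]+).*/\1/p')
  check_kubelet_timeout "$cmdline" "$cfg"
}

# Demo with constructed sample configs (not real cluster files).
demo() {
  dir=$(mktemp -d)
  cat > "$dir/good.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
streamingConnectionIdleTimeout: 5m
EOF
  cat > "$dir/bad.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
streamingConnectionIdleTimeout: "0"   # never disconnects idle sessions
EOF
  check_kubelet_timeout "/usr/bin/kubelet --config=$dir/good.yaml" "$dir/good.yaml" || true
  check_kubelet_timeout "/usr/bin/kubelet --config=$dir/bad.yaml" "$dir/bad.yaml" || true
  rm -rf "$dir"
}
demo
```

Run `audit_live_node` on each node (a compliant control plane node with non-compliant workers is still a finding); the exit status makes it easy to feed into a fleet-wide job.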
Additional Identifiers
Rule ID: SV-245541r1069469_rule
Vulnerability ID: V-245541
Group Title: SRG-APP-000190-CTR-000500
Expert Comments

CCIs

  | Number | Definition | 
|---|---|
| CCI-001133 | Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. | 

Controls

  | Number | Title | 
|---|---|
| SC-10 | Network Disconnect |