-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathdata.yaml
109 lines (81 loc) · 4.42 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
metadata:
id: e1c469c1-89d2-5cbd-a1f1-fe8f636b151f
name: Ensure that the --streaming-connection-idle-timeout argument is not set to
0
profile_applicability: '* Level 1'
description: Do not disable timeouts on streaming connections.
rationale: |-
Setting idle timeouts ensures that you are protected against Denial-of-Service attacks, inactive connections and running out of ephemeral ports.
**Note:** By default, `--streaming-connection-idle-timeout` is set to 4 hours which might be too high for your environment.
Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.
audit: |-
**Audit Method 1:**
If using a Kubelet configuration file, check that there is an entry for `streamingConnectionIdleTimeout` is not set to `0`.
First, SSH to the relevant node:
Run the following command on each node to find the appropriate Kubelet config file:
```
ps -ef | grep kubelet
```
The output of the above command should return something similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` which is the location of the Kubelet config file.
Open the Kubelet config file:
```
cat /etc/kubernetes/kubelet/kubelet-config.json
```
Verify that the `streamingConnectionIdleTimeout` argument is not set to `0`.
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.
**Audit Method 2:**
If using the api configz endpoint consider searching for the status of `"streamingConnectionIdleTimeout":"4h0m0s"` by extracting the live configuration from the nodes running kubelet.
Set the local proxy port and the following variables and provide proxy port number and node name;
`HOSTNAME_PORT="localhost-and-port-number"`
`NODE_NAME="The-Name-Of-Node-To-Extract-Configuration" from the output of "kubectl get nodes"`
```
kubectl proxy --port=8001 &
export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")
curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
```
remediation: |-
**Remediation Method 1:**
If modifying the Kubelet config file, edit the kubelet-config.json file `/etc/kubernetes/kubelet/kubelet-config.json` and set the below parameter to a non-zero value in the format of #h#m#s
```
"streamingConnectionIdleTimeout":
```
**Remediation Method 2:**
If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0.
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf` on each worker node and add the below parameter at the end of the `KUBELET_ARGS` variable string.
```
--streaming-connection-idle-timeout=4h0m0s
```
**Remediation Method 3:**
If using the api configz endpoint consider searching for the status of `"streamingConnectionIdleTimeout":` by extracting the live configuration from the nodes running kubelet.
**See detailed step-by-step configmap procedures in [Reconfigure a Node's Kubelet in a Live Cluster](https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/), and then rerun the curl statement from audit process to check for kubelet configuration changes
```
kubectl proxy --port=8001 &
export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")
curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
```
**For all three remediations:**
Based on your system, restart the `kubelet` service and check status
```
systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
```
impact: Long-lived connections could be interrupted.
default_value: |
See the EKS documentation for the default value.
references: "1. https://kubernetes.io/docs/admin/kubelet/\n2. https://github.com/kubernetes/kubernetes/pull/18552"
section: Kubelet
version: '1.0'
tags:
- CIS
- EKS
- CIS 3.2.5
- Kubelet
benchmark:
name: CIS Amazon Elastic Kubernetes Service (EKS)
version: v1.0.1
id: cis_eks
rule_number: 3.2.5
posture_type: kspm