Admission control plugin EventRateLimit is set

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

1.2.10

Set up the kubernetes integration.

Description

Limit the rate at which the API server accepts requests.

Rationale

Using EventRateLimit admission control enforces a limit on the number of events that the API Server will accept in a given time slice. A misbehaving workload could overwhelm and DoS the API Server, making it unavailable. This particularly applies to a multi-tenant cluster, where there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. Hence, it is recommended to limit the rate of events that the API server will accept. Note: This is an Alpha feature in the Kubernetes 1.15 release.

Audit

Run the following command on the master node:

ps -ef | grep kube-apiserver

Verify the --enable-admission-plugins argument is set to a value that includes EventRateLimit.

Remediation

Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters. –enable-admission-plugins=…,EventRateLimit,… –admission-control-config-file=<path/to/configuration/file>

Impact

You need to carefully tune in limits as per your environment.

Default value

By default, EventRateLimit is not set.

References

  1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#eventratelimit 3. https://github.com/staebler/community/blob/9873b632f4d99b5d99c38c9b15fe2f8b93d0a746/contributors/design-proposals/admission_control_event_rate_limit.md

CIS controls

Version 6 8.4 Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables. Version 7 8.3 Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.