--event-qps argument is set to 0 or a level which ensures appropriate event capture








Set up the kubernetes integration.


Security relevant information should be captured. The --event-qps flag on the kubelet can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events not being logged; however, the unlimited setting of 0 could result in a denial-of-service on the kubelet.


It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data.


Run the following command on each node: ps -ef | grep kubelet. Review the value set for the --event-qps argument and determine whether this has been set to an appropriate level for the cluster. The value of 0 can be used to ensure that all events are captured. If the --event-qps argument does not exist, check that there is a Kubelet config file specified by --config and review the value in this location.


If using a kubelet config file, edit the file to set eventRecordQPS to an appropriate level. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service


Setting this parameter to 0 could result in a denial of service condition due to excessive events being created. The cluster’s event processing and storage systems should be scaled to handle expected event loads.

Default value

By default, --event-qps argument is set to 5.


  1. https://kubernetes.io/docs/admin/kubelet/
  2. https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go

CIS controls

Version 6.6 Maintenance, Monitoring, and Analysis of Audit Logs Maintenance