C-0121 - Ensure that the admission control plugin EventRateLimit is set
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
Using EventRateLimit
admission control enforces a limit on the number of events that the API Server will accept in a given time slice. A misbehaving workload could overwhelm and DoS the API Server, making it unavailable. This particularly applies to a multi-tenant cluster, where there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. Hence, it is recommended to limit the rate of events that the API server will accept.
Note: This is an Alpha feature in the Kubernetes 1.15 release.
Related resources
Pod
What does this control test
Limit the rate at which the API server accepts requests.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --enable-admission-plugins
argument is set to a value that includes EventRateLimit
.
Remediation
Follow the Kubernetes documentation and set the desired limits in a configuration file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameters.
--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=<path/to/configuration/file>
Impact Statement
You need to carefully tune in limits as per your environment.
Default Value
By default, EventRateLimit
is not set.
Example
No example
Updated 9 days ago