C-0121 - Ensure that the admission control plugin EventRateLimit is set

Framework

cis-v1.23-t1.0.1

Severity

Medium

Description of the the issue

Using EventRateLimit admission control enforces a limit on the number of events that the API Server will accept in a given time slice. A misbehaving workload could overwhelm and DoS the API Server, making it unavailable. This particularly applies to a multi-tenant cluster, where there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. Hence, it is recommended to limit the rate of events that the API server will accept.

Note: This is an Alpha feature in the Kubernetes 1.15 release.

Related resources

Pod

What does this control test

Limit the rate at which the API server accepts requests.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that the --enable-admission-plugins argument is set to a value that includes EventRateLimit.

Remediation

Follow the Kubernetes documentation and set the desired limits in a configuration file.

Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters.

--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=<path/to/configuration/file>

Impact Statement

You need to carefully tune in limits as per your environment.

Default Value

By default, EventRateLimit is not set.

Example

No example