C-0134 - Ensure that the API Server --request-timeout argument is set as appropriate
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
Setting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.
Related resources
Pod
What does this control test
Set global request timeout for API server requests as appropriate.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --request-timeout
argument is either not set or set to an appropriate value.
Remediation
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameter as appropriate and if needed. For example,
--request-timeout=300s
Impact Statement
None
Default Value
By default, --request-timeout
is set to 60 seconds.
Example
No example
Updated 3 days ago