C-0284 - Ensure that the Kubelet is configured to limit pod PIDS

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-v1.10.0

Severity

Low

Description of the the issue

Ensure that the Kubelet sets limits on the number of PIDs that can be created by pods running on the node. By default pods running in a cluster can consume any number of PIDs, potentially exhausting the resources available on the node. Setting an appropriate limit reduces the risk of a denial of service attack on cluster nodes.

Related resources

What does this control test

Ensure that the Kubelet sets limits on the number of PIDs that can be created by pods running on the node.

How to check it manually

Review the Kubelet's start-up parameters for the value of --pod-max-pids, and check the Kubelet configuration file for the PodPidsLimit . If neither of these values is set, then there is no limit in place.

Remediation

Decide on an appropriate level for this parameter and set it, either via the --pod-max-pids command line parameter or the PodPidsLimit configuration file setting.

Impact Statement

Setting this value will restrict the number of processes per pod. If this limit is lower than the number of PIDs required by a pod it will not operate.

Default Value

By default the number of PIDs is not limited.

Example

No example