
V-245541: Kubernetes Kubelet must not disable timeouts.

CAT II - Medium
CNTR-K8-001300

>Control Description

Idle connections from the Kubelet can be used by unauthorized users to perform malicious activity against the nodes, pods, containers, and cluster within the Kubernetes Control Plane. The streamingConnectionIdleTimeout setting defines the maximum time an idle streaming session is permitted to remain open before it is disconnected. A value of "0" never disconnects idle sessions. The idle timeout must never be set to "0" and should be defined as "5m" (the default is 4hr).

>Check Content

Follow these steps to check streaming-connection-idle-timeout:

1. On the Control Plane, list the Kubelet process and its arguments:

$ ps -ef | grep kubelet

If the "--streaming-connection-idle-timeout" option exists, this is a finding. Note the path to the config file (identified by --config).

2. Search that config file for the setting:

$ grep -i streamingConnectionIdleTimeout <path_to_config_file>

If the setting "streamingConnectionIdleTimeout" is set to less than "5m" or is not configured, this is a finding.

>Remediation

Follow these steps to configure streaming-connection-idle-timeout:

1. On the Control Plane, list the Kubelet process and its arguments:

$ ps -ef | grep kubelet

Remove the "--streaming-connection-idle-timeout" option if present. Note the path to the config file (identified by --config).

2. Edit the Kubernetes Kubelet config file (the file referenced by --config) on the Kubernetes Control Plane and set the argument "streamingConnectionIdleTimeout" to a value of "5m".
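As an added example (not part of the STIG or of any DISA tooling), the POSIX shell helper below automates both check steps and remediation step 2. It assumes the kubelet config file referenced by --config is YAML or JSON and that the value is a Go-style duration such as "5m" or "4h"; the process line and config files it runs against are constructed samples, not captured from a real cluster, and the remediation function only edits YAML.

```shell
#!/bin/sh
# Added audit/remediation helper for CNTR-K8-001300 (not part of the STIG text).
# Assumptions: the kubelet command line comes from `ps -ef`, the --config file is
# YAML or JSON, and the value is a Go-style duration ("5m", "4h", "1h30m", "0").

MIN_SECONDS=300   # 5m, the minimum value the STIG accepts

# Convert a Go duration to whole seconds. Quotes, blanks, braces and trailing
# commas around the value are ignored; prints -1 when the string is not a duration.
duration_to_seconds() {
    awk -v s="$1" 'BEGIN {
        gsub(/[^0-9a-z.]/, "", s)
        if (s == "0") { print 0; exit }
        total = 0
        while (length(s) > 0) {
            if (!match(s, /^[0-9]+(\.[0-9]+)?(ns|us|ms|h|m|s)/)) { print -1; exit }
            tok = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
            n = tok; sub(/[a-z]+$/, "", n)      # numeric part
            u = tok; sub(/^[0-9.]+/, "", u)     # unit part
            if (u == "h") total += n * 3600
            else if (u == "m") total += n * 60
            else if (u == "s") total += n
            else if (u == "ms") total += n / 1000
            else if (u == "us") total += n / 1000000
            else total += n / 1000000000
        }
        printf "%d\n", total
    }'
}

# Check step 1: the legacy command-line flag must be absent.
# Argument: one kubelet process line as printed by `ps -ef | grep kubelet`.
check_cmdline() {
    case "$1" in
        *--streaming-connection-idle-timeout*)
            echo "finding: --streaming-connection-idle-timeout set on the kubelet command line"
            return 1 ;;
        *)
            echo "pass: no --streaming-connection-idle-timeout flag"
            return 0 ;;
    esac
}

# Pull the --config path out of the kubelet command line (prints nothing if absent).
config_path_from_cmdline() {
    printf '%s\n' "$1" | sed -n 's/.*--config[= ]\([^ ]*\).*/\1/p'
}

# Check step 2: streamingConnectionIdleTimeout must be present (not commented out)
# and be at least 5m. Returns non-zero on a finding.
check_config_file() {
    cfg="$1"
    val=$(grep -i 'streamingConnectionIdleTimeout' "$cfg" \
          | grep -v '^[[:space:]]*#' | head -n 1 | sed 's/^[^:]*://')
    if [ -z "$val" ]; then
        echo "finding: streamingConnectionIdleTimeout not configured in $cfg"; return 1
    fi
    secs=$(duration_to_seconds "$val")
    if [ "$secs" -lt 0 ]; then
        echo "finding: cannot parse streamingConnectionIdleTimeout value $val"; return 1
    elif [ "$secs" -lt "$MIN_SECONDS" ]; then
        echo "finding: streamingConnectionIdleTimeout is $val, below 5m"; return 1
    fi
    echo "pass: streamingConnectionIdleTimeout is $val"
}

# Remediation step 2 (YAML config only): set the key to 5m, replacing an existing
# or commented-out line, or appending one when the key is missing.
set_idle_timeout() {
    cfg="$1"; want="${2:-5m}"
    if grep -q 'streamingConnectionIdleTimeout' "$cfg"; then
        sed -i.bak "s/^[[:space:]#]*streamingConnectionIdleTimeout:.*/streamingConnectionIdleTimeout: $want/" "$cfg"
        rm -f "$cfg.bak"
    else
        printf 'streamingConnectionIdleTimeout: %s\n' "$want" >> "$cfg"
    fi
}

# Constructed sample inputs (not from a real cluster): a process line carrying the
# forbidden flag and a config file with the timeout disabled.
SAMPLE_CMDLINE='root 1234 1 0 10:00 ? 00:00:05 /usr/bin/kubelet --config=/var/lib/kubelet/config.yaml --streaming-connection-idle-timeout=0'
demo=$(mktemp -d)
printf 'kind: KubeletConfiguration\nstreamingConnectionIdleTimeout: "0"\n' > "$demo/config.yaml"
check_cmdline "$SAMPLE_CMDLINE" || true
echo "config file: $(config_path_from_cmdline "$SAMPLE_CMDLINE")"
check_config_file "$demo/config.yaml" || true   # finding: value "0"
set_idle_timeout "$demo/config.yaml"
check_config_file "$demo/config.yaml" || true   # pass: value 5m
rm -rf "$demo"
```

The duration parser matters because the kubelet accepts any Go duration, so a literal string compare against "5m" would wrongly flag "300s" or "5m0s" as findings; converting to seconds applies the "less than 5m" rule as written. Commented-out lines are treated as "not configured", which is stricter than a bare grep -i.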

>CCI References

Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.

>Cross-Framework Mappings

NIST SP 800-53 r5 (via DISA CCI List)
