Profile applicability: Level 1 - Worker Node
It is crucial to capture all security-relevant information, which is facilitated by
the
eventRecordQPS setting in the Kubelet configuration that controls the rate of event
logging and
sets the maximum number of event creations per second. Setting this parameter too
low might
prevent important events from being logged, while an unlimited setting of 0 could
overload the
Kubelet, leading to a denial of service. Events play a key role in security monitoring
and
analytics, ensuring continuous oversight of the environment. Therefore, it's important
that the
cluster’s event processing and storage capacities are scaled appropriately to manage
the
expected event loads without compromising service stability.
Impact
Setting this parameter to 0 could result in a denial of service condition due to excessive
events being created. The cluster's event processing and storage systems should be
scaled to handle expected event loads.
Audit
Run the following command on each node:
sudo grep "eventRecordQPS" /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Review the value set for the argument and determine whether this has been set to an
appropriate level for the cluster. If the argument does not exist, check that there
is a Kubelet config file specified by
--config and review the value in this location.Remediation
If using a Kubelet config file, edit the file to set
eventRecordQPS to an appropriate level. If using command line arguments, edit the kubelet service
file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service