Profile applicability: Level 1
Do not disable timeouts on streaming connections.
Setting idle timeouts ensures that you are protected against Denial-of-Service attacks that hold streaming connections open, against the accumulation of inactive connections, and against running out of ephemeral ports.
Note: By default, the kubelet flag --streaming-connection-idle-timeout (the streamingConnectionIdleTimeout field in the kubelet configuration) is set to 4 hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.
Impact
Long-lived connections could be interrupted.
Audit
OpenShift uses the Kubernetes default of 4 hours for the streaming-connection-idle-timeout argument. Unless the cluster administrator has added the value to the node configuration, the default will be used. The value is a timeout for HTTP streaming sessions going through a kubelet, such as the port-forward, exec, or attach pod operations. The streaming-connection-idle-timeout should not be disabled by setting it to zero, but it can be lowered.
Note: If the value is set too low, then users of those features may experience a service interruption due to the timeout.
The kubelet configuration is currently serialized as an ignition configuration, so it can be directly edited. However, there is also a new kubelet-config-controller added to the Machine Config Controller. This allows you to create a KubeletConfig custom resource to edit the kubelet parameters.
Run the following command to view the streaming connection timeout for each node:
for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do
  oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.streamingConnectionIdleTimeout'
done
Verify that the value returned for each node is a non-zero duration (for example "4h0m0s"). A value of 0 (or "0s") means the timeout is disabled; a missing (null) value should also be treated as a finding rather than a pass.
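As an added example (not part of the benchmark text or of OpenShift's own tooling), the script below turns the manual check above into a repeatable audit: it parses the Go-style duration string that /configz returns, treats 0 and a missing value as failures, and flags values above a local ceiling. MAX_IDLE_SECONDS, the exit-code convention and the node names in the offline demo are assumptions of this example; only the live mode needs oc (logged in with cluster-admin) and jq.

```shell
#!/usr/bin/env bash
# Added audit helper; not code from the OpenShift docs or the CIS benchmark.
# MAX_IDLE_SECONDS is a hypothetical local policy ceiling; it defaults to the
# 4h upstream default so that only values above the default are flagged.
MAX_IDLE_SECONDS="${MAX_IDLE_SECONDS:-14400}"

# Convert the duration string the kubelet reports in /configz ("4h0m0s",
# "30m", "0s", "0") to whole seconds. Prints -1 for null, empty, fractional
# or otherwise unparseable input so callers treat it as a failure.
duration_to_seconds() {
  local s="$1" total=0 num unit
  s="${s#\"}"; s="${s%\"}"            # tolerate a JSON-quoted value
  if [ "$s" = "0" ]; then echo 0; return 0; fi
  if [ -z "$s" ] || [ "$s" = "null" ]; then echo -1; return 0; fi
  while [ -n "$s" ]; do
    num="${s%%[!0-9]*}"               # leading digit run
    s="${s#"$num"}"
    unit="${s%%[0-9]*}"               # unit letters up to the next digit
    s="${s#"$unit"}"
    if [ -z "$num" ]; then echo -1; return 0; fi
    case "$unit" in
      h) total=$((total + num * 3600)) ;;
      m) total=$((total + num * 60)) ;;
      s) total=$((total + num)) ;;
      *) echo -1; return 0 ;;
    esac
  done
  echo "$total"
}

# Classify one node's value. Exit status: 0 pass, 1 fail (disabled or
# missing), 2 warn (enabled but above MAX_IDLE_SECONDS). A report line is
# printed in every case.
check_node_timeout() {
  local node="$1" raw="$2" secs
  secs=$(duration_to_seconds "$raw")
  if [ "$secs" -lt 0 ]; then
    echo "$node: FAIL streamingConnectionIdleTimeout missing or unparseable ($raw)"
    return 1
  elif [ "$secs" -eq 0 ]; then
    echo "$node: FAIL streaming connection idle timeout is disabled (0)"
    return 1
  elif [ "$secs" -gt "$MAX_IDLE_SECONDS" ]; then
    echo "$node: WARN $raw exceeds local ceiling of ${MAX_IDLE_SECONDS}s"
    return 2
  fi
  echo "$node: PASS $raw"
  return 0
}

# Live audit: query every node's kubelet through the API server proxy, as the
# benchmark's audit step does, and return non-zero if any node fails or warns.
audit_cluster() {
  local node raw rc=0
  for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
    raw=$(oc get --raw "/api/v1/nodes/$node/proxy/configz" \
          | jq -r '.kubeletconfig.streamingConnectionIdleTimeout')
    check_node_timeout "$node" "$raw" || rc=1
  done
  return "$rc"
}

# Offline demonstration on constructed values (not real cluster output).
demo() {
  local sample='master-0 4h0m0s
worker-0 30m
worker-1 0s
worker-2 null
worker-3 12h'
  local node raw
  printf '%s\n' "$sample" | while read -r node raw; do
    check_node_timeout "$node" "$raw" || true
  done
}

case "${1:-}" in
  demo) demo ;;
  live) audit_cluster ;;
esac
```

Run `bash audit.sh demo` to see the classification on the constructed sample, and `bash audit.sh live` against a cluster. Using `jq -r` matters: without it the value arrives with surrounding quotes, which the parser tolerates but a naive string comparison against 0 would not.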
Remediation
Follow the instructions in the OpenShift documentation to create a KubeletConfig custom resource and set streamingConnectionIdleTimeout to the desired value. Do not set the value to 0.
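As an added example (not the OpenShift documentation's own manifest), the script below renders and applies a KubeletConfig custom resource for this setting. A KubeletConfig selects the MachineConfigPool it applies to through machineConfigPoolSelector, so the target pool must carry the matching label; the pool name, label key and value, and the resource name here are assumptions that you can change. The script refuses to render a value of 0 in any spelling, which is the mistake this recommendation exists to prevent.

```shell
#!/usr/bin/env bash
# Added remediation helper; not code from the OpenShift docs or the CIS benchmark.
# Assumptions: `oc` is logged in with cluster-admin, and the names below are
# hypothetical defaults chosen for this example.
POOL="${POOL:-worker}"
LABEL_KEY="custom-kubelet"
LABEL_VALUE="streaming-timeout"
CR_NAME="set-streaming-idle-timeout"

# Reject any value that would disable the timeout: "0", "0s", "0h0m0s" and so
# on are all zero once the unit letters are stripped. Returns 0 if usable.
timeout_is_nonzero() {
  local digits
  digits=$(printf '%s' "$1" | tr -cd '0-9')
  [ -n "$digits" ] && [ -n "$(printf '%s' "$digits" | tr -d '0')" ]
}

# Print the KubeletConfig custom resource that sets
# streamingConnectionIdleTimeout on every node in the labelled pool.
render_kubeletconfig() {
  local timeout="$1"
  timeout_is_nonzero "$timeout" || {
    echo "refusing to render a zero timeout ($timeout)" >&2
    return 1
  }
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: $CR_NAME
spec:
  machineConfigPoolSelector:
    matchLabels:
      $LABEL_KEY: $LABEL_VALUE
  kubeletConfig:
    streamingConnectionIdleTimeout: $timeout
EOF
}

# Label the pool so the selector matches, then apply the CR. The Machine
# Config Operator rolls the new kubelet configuration out across the pool's
# nodes; expect each node in the pool to be drained and rebooted in turn.
apply_kubeletconfig() {
  local timeout="$1"
  oc label machineconfigpool "$POOL" "$LABEL_KEY=$LABEL_VALUE" --overwrite
  render_kubeletconfig "$timeout" | oc apply -f -
}

case "${1:-}" in
  render) render_kubeletconfig "${2:-1h}" ;;
  apply)  apply_kubeletconfig "${2:-1h}" ;;
esac
```

`bash remediate.sh render 1h` prints the manifest for review; `bash remediate.sh apply 1h` labels the pool and applies it. Pick a value that still covers your longest legitimate exec, attach or port-forward sessions, since the Impact section's warning about interrupted long-lived connections applies as soon as the rollout completes.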