Profile applicability: Level 1
Security relevant information should be captured. The
eventRecordQPS on the Kubelet configuration can be used to limit the rate at which events are gathered
and sets the maximum event creations per second. Setting this too low could result
in relevant events not being logged, however the unlimited setting of 0 could result
in a denial of service on the kubelet.It is important to capture all events and not restrict event creation. Events are
an important source of security information and analytics that ensure that your environment
is consistently monitored using the event data.
 |
NoteSee the Amazon EKS documentation for the default value.
|
Impact
Setting this parameter to 0 could result in a denial of service condition due to excessive
events being created. The cluster's event processing and storage systems should be
scaled to handle expected event loads.
Audit
Run the following command on each node:
sudo grep "eventRecordQPS" /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Review the value set for the argument and determine whether this has been set to an
appropriate level for the cluster.
If the argument does not exist, check that there is a Kubelet config file specified
by
--config and review the value in this location.Remediation
If using a Kubelet config file, edit the file to set
eventRecordQPS: to an appropriate level. If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.Based on your system, restart the
kubelet service. For example:systemctl daemon-reload systemctl restart kubelet.service