Profile applicability: Level 1 - Worker Node
It is crucial to capture all security-relevant information, which is facilitated by
the eventRecordQPS setting in the Kubelet configuration that controls the rate of
event logging and sets the maximum number of event creations per second. Setting this
parameter too low might prevent important events from being logged, while an unlimited
setting of 0 could overload the Kubelet, leading to a denial of service. Events play
a key role in security monitoring and analytics, ensuring continuous oversight of
the environment. Therefore, it's important that the cluster’s event processing and
storage capacities are scaled appropriately to manage the expected event loads without
compromising service stability.
Impact
Setting this parameter to 0 could result in a denial of service condition due to excessive
events being created. The cluster's event processing and storage systems should be
scaled to handle expected event loads.
Audit
Run the following command on each node:
sudo grep "eventRecordQPS" /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Review the value set for the argument and determine whether this has been set to an
appropriate level for the cluster. If the argument does not exist, check that there
is a Kubelet config file specified by
--config and review the value in this location.Remediation
If using a Kubelet config file, edit the file to set
eventRecordQPS to an appropriate level. If using command line arguments, edit the kubelet service
file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service