Profile Applicability:
Level 1
Description:
The --streaming-connection-idle-timeout flag in Kubernetes determines the amount of time a streaming connection to the API server is allowed to remain idle before being closed. Setting this argument to 0 disables the idle timeout, potentially leading to resource exhaustion as idle connections will remain open indefinitely. This check ensures that the timeout is set to a reasonable value to protect resources and maintain the health of the API server.
Rationale:
Setting the --streaming-connection-idle-timeout to 0 allows idle connections to persist without closure, which can lead to a build-up of unused connections, consuming resources unnecessarily. A proper timeout value ensures that connections are closed after a period of inactivity, which helps in resource management and improves server stability.
Impact:
Pros:
Reduces the risk of resource exhaustion by ensuring idle connections are closed.
Helps maintain a healthy Kubernetes API server by automatically closing unused connections.
Cons:
If set to a value too low, it might disconnect active but low-traffic connections, potentially disrupting services.
Default Value:
The default value may vary depending on the Kubernetes version and configuration. Set an explicit, reasonable value so that idle connections are closed.
Pre-requisites:
Ensure that the appropriate timeout value is configured based on the organization's workload and expected connection behavior.
Remediation:
Test Plan:
Using Azure Console:
Access the Kubernetes cluster configuration settings.
Review the kube-apiserver configuration to check if the --streaming-connection-idle-timeout is set to a non-zero value.
Using Azure CLI:
Use the following command to check the current configuration of the --streaming-connection-idle-timeout:
ps aux | grep kube-apiserver
Ensure that the --streaming-connection-idle-timeout argument is not set to 0.
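The Test Plan check can be scripted. The following is an added example, not part of the original benchmark text: a POSIX shell function that takes one process command line and classifies the flag value, treating any all-zero duration (0, 0s, 0h0m0s) as a failure. The function name, the verdict strings and the sample command lines are assumptions made for illustration; a missing flag is reported as NOT_SET for manual review because this page does not state a default.

```shell
#!/bin/sh
# Added example: classify --streaming-connection-idle-timeout in one process
# command line (for instance a line of `ps aux` output).
FLAG='--streaming-connection-idle-timeout'

# check_idle_timeout "<command line>"
# Prints PASS <value>, FAIL <value>, INVALID <value> or NOT_SET.
# Exit status is 0 only for PASS. The body runs in a subshell "( ... )" so
# that `set -f` and the working variables do not leak into the caller.
check_idle_timeout() (
    set -f                      # no glob expansion while word-splitting
    found=0 want_next=0 val=''
    for arg in $1; do
        if [ "$want_next" -eq 1 ]; then
            val=$arg want_next=0    # "--flag value" form
            continue
        fi
        case $arg in
            "$FLAG"=*) found=1 val=${arg#*=} ;;   # "--flag=value" form
            "$FLAG")   found=1 want_next=1 val='' ;;
        esac                    # assumption: a repeated flag's last value wins
    done
    [ "$found" -eq 1 ] || { echo NOT_SET; exit 1; }
    case $val in
        ''|-*)    echo "INVALID $val"; exit 1 ;;  # missing or swallowed next flag
        *[1-9]*)  echo "PASS $val" ;;             # some non-zero component, e.g. 5m
        *[0-9]*)  echo "FAIL $val"; exit 1 ;;     # only zeros: 0, 0s, 0h0m0s
        *)        echo "INVALID $val"; exit 1 ;;
    esac
)

# Constructed sample command lines, not taken from a real cluster.
demo() {
    for line in \
        'kube-apiserver --secure-port=6443 --streaming-connection-idle-timeout=5m' \
        'kube-apiserver --streaming-connection-idle-timeout=0' \
        'kube-apiserver --secure-port=6443'
    do
        printf '%s -> %s\n' "$line" "$(check_idle_timeout "$line")"
    done
}
demo
```

When the input comes from ps aux | grep kube-apiserver, the grep process's own line also matches and will report NOT_SET, so filter it out before passing lines to the function.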
Implementation Plan:
Using Azure Console:
Access the kube-apiserver configuration.
Set the --streaming-connection-idle-timeout to a non-zero value (e.g., 5m for 5 minutes) to ensure proper resource management.
Using Azure CLI:
Update the --streaming-connection-idle-timeout flag by modifying the kube-apiserver configuration:
kubectl -n kube-system edit deployment kube-apiserver
Set the --streaming-connection-idle-timeout to an appropriate value (e.g., --streaming-connection-idle-timeout=5m).
Backout Plan:
Using Azure Console:
If the change causes issues, revert the --streaming-connection-idle-timeout to its original configuration or adjust the timeout value as necessary.
Using Azure CLI:
Revert the --streaming-connection-idle-timeout flag by modifying the configuration:
kubectl -n kube-system edit deployment kube-apiserver
Set the timeout to a value of 0 if required temporarily.