Profile Applicability:
Level 1
Description:
The --streaming-connection-idle-timeout argument in Kubernetes controls the timeout duration for idle streaming connections to the Kubernetes API server. This check ensures that the --streaming-connection-idle-timeout argument is not set to 0, as setting it to 0 disables the timeout, potentially causing idle connections to remain open indefinitely, which can lead to resource exhaustion and performance degradation.
Rationale:
Setting the --streaming-connection-idle-timeout to 0 disables the timeout for idle streaming connections, which means that connections that are not actively transmitting data will stay open indefinitely. This can lead to unnecessary resource consumption and the potential for DoS (Denial of Service) attacks, as idle connections may consume server resources unnecessarily. Ensuring that the timeout is properly configured helps manage resources efficiently and prevents idle connections from degrading the performance of the Kubernetes API server.
Impact:
Pros:
Helps manage server resources efficiently by closing idle connections after a specific timeout.
Prevents potential resource exhaustion due to idle connections.
Improves overall system performance by ensuring that connections are properly cleaned up when no longer in use.
Cons:
If set too low, it may lead to unwanted disconnections, especially for workloads that rely on long-lived connections.
Requires careful tuning to balance between resource management and workload requirements.
Default Value:
By default, the --streaming-connection-idle-timeout argument is set to a non-zero value, but it can be manually configured. Setting it to 0 disables the timeout, which is not recommended.
Pre-requisites:
Ensure that the API server and Kubelet are configured with proper connection timeout settings and that connections are closed or cleaned up after a reasonable period of inactivity.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the API server configuration to verify that the --streaming-connection-idle-timeout argument is not set to 0.
Ensure that the timeout is configured to a reasonable value to manage idle connections without impacting legitimate workloads.
Using Azure CLI:
1. Use the following command to check if the --streaming-connection-idle-timeout argument is set to 0 in the API server configuration:
kubectl describe pod kube-apiserver -n kube-system | grep --streaming-connection-idle-timeout
2. If the value is set to 0, update it to a reasonable non-zero value to enable proper connection timeout handling.
Implementation Plan:
Using Azure Console:
1. In the Azure portal, go to your AKS cluster and access the API server configuration.
2. Ensure that the --streaming-connection-idle-timeout argument is set to a reasonable value, such as 1m (1 minute), to close idle connections after a short time:
--streaming-connection-idle-timeout=1m
3. Apply the updated configuration to ensure that idle connections are properly closed after the specified timeout period.
Using Azure CLI:
1. To modify the API server configuration and set the --streaming-connection-idle-timeout argument, use the following command:
kubectl set env deployment kube-apiserver --streaming-connection-idle-timeout=1m
2. Restart the API server to apply the changes:
systemctl restart kube-apiserver
Backout Plan:
Using Azure Console:
If setting the --streaming-connection-idle-timeout to a non-zero value causes issues, revert the changes in the Azure portal by setting the timeout to a higher or lower value as required.
Using Azure CLI:
1. If setting the --streaming-connection-idle-timeout argument causes issues, revert the configuration by setting it back to 0 or a more appropriate timeout:
kubectl set env deployment kube-apiserver --streaming-connection-idle-timeout=0
2. Restart the API server for the changes to take effect:
systemctl restart kube-apiserver
References:
Kubernetes API Server Configuration
Kubernetes Command-Line Flags