From 3fdfaab221a90a409d80c060d9a996ffd017a098 Mon Sep 17 00:00:00 2001
From: Erik Agterdenbos
Date: Tue, 16 Apr 2024 21:54:05 +0200
Subject: [PATCH] Remove unnecessary 'request-timeout=300s' from hardening guide
Signed-off-by: Erik Agterdenbos
---
 docs/known-issues.md | 1 -
 docs/security/hardening-guide.md | 2 --
 docs/security/self-assessment.md | 12 ++++++++----
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/docs/known-issues.md b/docs/known-issues.md
index d2f38caaa..5f5d637b3 100644
--- a/docs/known-issues.md
+++ b/docs/known-issues.md
@@ -46,7 +46,6 @@ kube-apiserver-arg:
 - 'audit-log-maxage=30'
 - 'audit-log-maxbackup=10'
 - 'audit-log-maxsize=100'
- - 'request-timeout=300s'
 - 'service-account-lookup=true'
 kube-controller-manager-arg:
 - 'terminated-pod-gc-threshold=10'
diff --git a/docs/security/hardening-guide.md b/docs/security/hardening-guide.md
index d64cb0a8b..31d0259a1 100644
--- a/docs/security/hardening-guide.md
+++ b/docs/security/hardening-guide.md
@@ -574,7 +574,6 @@ kube-apiserver-arg:
 - 'audit-log-maxage=30'
 - 'audit-log-maxbackup=10'
 - 'audit-log-maxsize=100'
- - 'request-timeout=300s'
 - 'service-account-lookup=true'
 kube-controller-manager-arg:
 - 'terminated-pod-gc-threshold=10'
@@ -598,7 +597,6 @@ kube-apiserver-arg:
 - 'audit-log-maxage=30'
 - 'audit-log-maxbackup=10'
 - 'audit-log-maxsize=100'
- - 'request-timeout=300s'
 - 'service-account-lookup=true'
 kube-controller-manager-arg:
 - 'terminated-pod-gc-threshold=10'
diff --git a/docs/security/self-assessment.md b/docs/security/self-assessment.md
index a653cf734..3005f501f 100644
--- a/docs/security/self-assessment.md
+++ b/docs/security/self-assessment.md
@@ -1005,10 +1005,14 @@ Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:
 **Result:** Not Applicable
 **Remediation:**
-Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the control plane node and set the --service-account-key-file parameter
-to the public key file for service accounts. For example,
-`--service-account-key-file=`.
+The request timeout limits the duration of API requests. The default value of 60 seconds is
+sufficiently low already. Only change the default value if necessary. When extending this
+limit, make sure to keep it low enough. A large value can exhaust API server resources and
+make it prone for Denial-of-Service attacks.
+
+Edit the config file /etc/rancher/k3s/config.yaml on the control plane node and remove the
+--request-timeout parameter or set it to an appropriate value if needed. For example,
+`--request-timeout=300s`.
 ### 1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)