Details

Limit the rate at which the API server accepts requests.

Rationale:

Using EventRateLimit admission control enforces a limit on the number of events that the API Server will accept in a given time slice. In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. Hence, it is recommended to limit the rate of events that the API server will accept.

Note: This is an Alpha feature in the Kubernetes 1.11 release.

Solution

Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube- apiserver.yaml and set the below parameters.

–enable-admission-plugins=…,EventRateLimit,…
–admission-control-config-file=

Impact:

You need to carefully tune in limits as per your environment.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2125

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-6
• CSCv6|8.4

Source

• Tenable.com/audits