Skip to content

0429-k8s-qps - Kubernetes Events QPS Flag Can Be Used to Limit the Rate of Collected Events

Rule ID

  • 0429-k8s-qps

Category

  • Container

Level

  • Info

Compatible Versions

  • Linux

Description

  • The events qps flag on Kubernetes can be used to limit the rate of collected events. Setting it too low may result in relevant events not being recorded, but setting it to 0 may lead to a denial of service on Kubernetes.

Scan Frequency

  • 0 */30 * * *

Theoretical Basis

  • Capturing all events without limiting event creation. Events are an important source of security information and analysis, ensuring that event data is consistently monitored across your environment.

Risk Items

  • Container Security

Audit Method

  • Execute the following command to verify:
ps -ef | grep kubelet | grep event-qps

Remediation

  • The kubelet can start in two ways: Check if there is a configuration file: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf. If the file exists, set the parameter --event-qps=5. If the file does not exist, the kubelet starts via command line. Check the kubelet startup parameters -config, open the file, check if the parameter eventRecordQPS exists, and set it to 5 or higher.

After completing the settings, restart the kubelet: 

systemctl daemon-reload
systemctl restart kubelet.service

Impact

  • Setting this parameter to 0 may lead to a denial of service condition due to the creation of too many events. The cluster's event processing and storage systems should be scaled to handle the expected event load.

Default Value

  • By default: --event-qps=5

References

CIS Controls

  • None

Feedback

Is this page helpful? ×