Ensure the --request-timeout argument is set appropriately

Error: The --request-timeout argument is not set appropriately

Bridgecrew Policy ID: BC_K8S_71
Checkov Check ID: CKV_K8S_95
Severity: MEDIUM

The --request-timeout argument is not set appropriately

Description

Set global request timeout for API server requests as appropriate. Setting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --request-timeout=2m3s
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...