Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1920300

Summary: cri-o does not support configuration of stream idle time
Product: OpenShift Container Platform Reporter: John McMeeking <jmcmeek>
Component: NodeAssignee: Skyler Clark <skclark>
Node sub component: CRI-O QA Contact: Weinan Liu <weinliu>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: aos-bugs, decarr, mpatel, nagrawal, pehunt, tsweeney
Version: 4.5   
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 22:36:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John McMeeking 2021-01-26 01:33:56 UTC 
Description of problem:
The Center for Internet Security has a Kubernetes security benchmark which recommends setting --streaming-connection-idle-timeout on kubelet to close idle streaming connections to containers.

In a Financial Services environment we are required to set the session timeout to 15 minutes.

Kubelet only passes --streaming-connection-idle-timeout to Dockershim and CRI-O does not have a configuration option to control this.


Version-Release number of selected component (if applicable):
Red Hat OpenShift on IBM Cloud v4.5
RHEL 7 is running kubelet directly (not RHCOS)


How reproducible:
Always


Steps to Reproduce:
1. TBD - Configure stream idle timeout for `oc exec` commands
2. Create an alpine pod and run `oc exec -it POD -- sh`
3. Do not enter any commands; wait for session to time out


Actual results:

While the kubelet service is configured with `--streaming-connection-idle-timeout=30m` the session has not timed out after 45 minutes.

Nor was I able to find mention of a setting in the CRI-O configuration that would allow this to be configured.


Expected results:
A cluster administrator should be able to configure an idle timeout for the streaming connection used for `oc exec` commands.


Additional info:
Kubelet only passes the --streaming-connection-idle-timeout to the Dockershim.

The parameter is referenced here in "getStreamingConfig":
https://github.com/kubernetes/kubernetes/blob/09f4baed35865d410febb3220811ca5c2fe1cf42/pkg/kubelet/kubelet.go#L2290
That function is called only only in kubelet_dockershim.go:
https://github.com/kubernetes/kubernetes/blob/a439bc55724f6560c14bf4e025946c0e6312629b/pkg/kubelet/kubelet_dockershim.go#L48

containerd addressed this by adding a stream_idle_time configuration option:
https://github.com/containerd/cri/issues/1057
https://github.com/containerd/cri/pull/1060
Comment 1 John McMeeking 2021-01-27 18:33:05 UTC 
Once this is fixed...  For IBM Cloud, can we simply install the new version of CRI-O and update the crio.conf?  Or will we need 4.5 and 4.6 versions of CRI-O?
Comment 2 Peter Hunt 2021-01-27 18:48:37 UTC 
It will first make its way into 4.8. If you need it earlier, we'll have to manually backport it to earlier versions.
Comment 3 John McMeeking 2021-01-27 20:33:05 UTC 
Got it.  Red Hat OpenShift on IBM Cloud will need this for versions 4.5 and later.
Comment 4 Neelesh Agrawal 2021-01-29 17:24:37 UTC 
moving to 4.8 based on prior comments.
Comment 5 Derek Carr 2021-02-02 19:24:38 UTC 
John - understood this is needed for 4.5+, the process to get it there will result in eventually cloning a BZ for each version that gets a backport.
Comment 6 Peter Hunt 2021-02-05 18:23:33 UTC 
4.8 version is attached
Comment 14 errata-xmlrpc 2021-07-27 22:36:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438