Description of problem:
The Center for Internet Security has a Kubernetes security benchmark which recommends setting --streaming-connection-idle-timeout on kubelet to close idle streaming connections to containers.

In a Financial Services environment we are required to set the session timeout to 15 minutes.

Kubelet only passes --streaming-connection-idle-timeout to Dockershim and CRI-O does not have a configuration option to control this.


Version-Release number of selected component (if applicable):
Red Hat OpenShift on IBM Cloud v4.5
RHEL 7 is running kubelet directly (not RHCOS)


How reproducible:
Always


Steps to Reproduce:
1. TBD - Configure stream idle timeout for `oc exec` commands
2. Create an alpine pod and run `oc exec -it POD -- sh`
3. Do not enter any commands; wait for session to time out


Actual results:

While the kubelet service is configured with `--streaming-connection-idle-timeout=30m` the session has not timed out after 45 minutes.

Nor was I able to find mention of a setting in the CRI-O configuration that would allow this to be configured.


Expected results:
A cluster administrator should be able to configure an idle timeout for the streaming connection used for `oc exec` commands.


Additional info:
Kubelet only passes the --streaming-connection-idle-timeout to the Dockershim.

The parameter is referenced here in "getStreamingConfig":
https://github.com/kubernetes/kubernetes/blob/09f4baed35865d410febb3220811ca5c2fe1cf42/pkg/kubelet/kubelet.go#L2290
That function is called only only in kubelet_dockershim.go:
https://github.com/kubernetes/kubernetes/blob/a439bc55724f6560c14bf4e025946c0e6312629b/pkg/kubelet/kubelet_dockershim.go#L48

containerd addressed this by adding a stream_idle_time configuration option:
https://github.com/containerd/cri/issues/1057
https://github.com/containerd/cri/pull/1060