Description of problem:
The Center for Internet Security has a Kubernetes security benchmark which recommends setting --streaming-connection-idle-timeout on kubelet to close idle streaming connections to containers. In a Financial Services environment we are required to set the session timeout to 15 minutes. Kubelet only passes --streaming-connection-idle-timeout to Dockershim, and CRI-O does not have a configuration option to control this.

Version-Release number of selected component (if applicable):
Red Hat OpenShift on IBM Cloud v4.5
RHEL 7 is running kubelet directly (not RHCOS)

How reproducible:
Always

Steps to Reproduce:
1. TBD - Configure stream idle timeout for `oc exec` commands
2. Create an alpine pod and run `oc exec -it POD -- sh`
3. Do not enter any commands; wait for the session to time out

Actual results:
While the kubelet service is configured with `--streaming-connection-idle-timeout=30m`, the session has not timed out after 45 minutes. Nor was I able to find mention of a setting in the CRI-O configuration that would allow this to be configured.

Expected results:
A cluster administrator should be able to configure an idle timeout for the streaming connection used for `oc exec` commands.

Additional info:
Kubelet only passes the --streaming-connection-idle-timeout to the Dockershim. The parameter is referenced here in "getStreamingConfig":
https://github.com/kubernetes/kubernetes/blob/09f4baed35865d410febb3220811ca5c2fe1cf42/pkg/kubelet/kubelet.go#L2290

That function is called only in kubelet_dockershim.go:
https://github.com/kubernetes/kubernetes/blob/a439bc55724f6560c14bf4e025946c0e6312629b/pkg/kubelet/kubelet_dockershim.go#L48

containerd addressed this by adding a stream_idle_time configuration option:
https://github.com/containerd/cri/issues/1057
https://github.com/containerd/cri/pull/1060
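As an added example (not part of this bug report or of CRI-O), a small check that reports where an exec-stream idle timeout actually takes effect given a kubelet command line and a crio.conf fragment, and whether it meets the 15-minute limit the report describes. It assumes CRI-O exposes the timeout as `stream_idle_timeout` under `[crio.api]`, a key the report does not name; all inputs are constructed.

```python
import re
POLICY_MAX_SECONDS = 15 * 60  # 15-minute session limit from the report

# Constructed sample inputs (not taken from a real node).
KUBELET_CMDLINE = ("kubelet --container-runtime=remote "
                   "--container-runtime-endpoint=unix:///var/run/crio/crio.sock "
                   "--streaming-connection-idle-timeout=30m")
CRIO_CONF_UNSET = '[crio.api]\nlisten = "/var/run/crio/crio.sock"\n'
# Assumed CRI-O key (the report does not name it): stream_idle_timeout under [crio.api].
CRIO_CONF_SET = CRIO_CONF_UNSET + 'stream_idle_timeout = "15m"\n'


def parse_duration(text):
    """Parse a Go-style duration ('30m', '15m0s', '1h') into seconds."""
    parts = re.findall(r"(\d+)([smh])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * {"s": 1, "m": 60, "h": 3600}[u] for n, u in parts)


def kubelet_flags(cmdline):
    """Return {flag: value} for every --flag=value token on a kubelet command line."""
    return dict(tok[2:].partition("=")[::2] for tok in cmdline.split() if tok.startswith("--"))


def crio_api_setting(conf, key):
    """Return `key` from the [crio.api] table of crio.conf text (comments stripped), or None."""
    section = None
    for line in (l.split("#", 1)[0].strip() for l in conf.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "crio.api" and line.split("=", 1)[0].strip() == key:
            return line.split("=", 1)[1].strip().strip('"')
    return None


def effective_idle_timeout(cmdline, crio_conf):
    """Return (seconds or None, where it is set) for the timeout governing exec streams."""
    flags = kubelet_flags(cmdline)
    if flags.get("container-runtime", "docker") != "remote":
        # dockershim: the kubelet's own streaming server honours the flag
        val = flags.get("streaming-connection-idle-timeout")
        return (parse_duration(val), "kubelet flag (dockershim)") if val else (None, "unset")
    # remote runtime (CRI-O): the kubelet flag is never forwarded, only crio.conf counts
    val = crio_api_setting(crio_conf, "stream_idle_timeout")
    if val is None:
        return None, "kubelet flag ignored by CRI-O; no stream_idle_timeout in crio.conf"
    return parse_duration(val), "crio.conf [crio.api] stream_idle_timeout"


def compliant(cmdline, crio_conf, max_seconds=POLICY_MAX_SECONDS):
    """True only when an explicit timeout applies and is within the policy limit."""
    seconds, _ = effective_idle_timeout(cmdline, crio_conf)
    return seconds is not None and seconds <= max_seconds
```

With the constructed inputs, the 30m kubelet flag is reported as ineffective for CRI-O until the crio.conf key is present.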
Once this is fixed... For IBM Cloud, can we simply install the new version of CRI-O and update the crio.conf? Or will we need 4.5 and 4.6 versions of CRI-O?
It will first make its way into 4.8. If you need it earlier, we'll have to manually backport it to earlier versions.
Got it. Red Hat OpenShift on IBM Cloud will need this for versions 4.5 and later.
Moving to 4.8 based on prior comments.
John - understood this is needed for 4.5+, the process to get it there will result in eventually cloning a BZ for each version that gets a backport.
4.8 version is attached
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438