C-0004 - Resources memory limit and request

Framework

Severity

High

Description of the the issue

This control identifies all Pods for which the memory limit is not set.Note, this control is configurable. See below the details.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

This control identifies all Pods for which the memory limit is not set.

Remediation

Set the memory limit or use exception mechanism to avoid unnecessary notifications.

Configuration

This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

memory_request_max

memory_request_max
Ensure a memory resource request is set and is under this defined maximum value.

memory_request_min

memory_request_min
Ensure a memory resource request is set and is above this defined minimum value.

memory_limit_max

memory_limit_max
Ensure a memory resource limit is set and is under this defined maximum value.

memory_limit_min

memory_limit_min
Ensure a memory resource limit is set and is under this defined maximum value.

Example

apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"    #we make sure this is set
        cpu: "500m"