C-0009 - Resource limits
Framework
Severity
High
Description of the the issue
CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check for each container if there is a ‘limits’ field defined for both cpu and memory
Remediation
Define LimitRange and Resource Limits in the namespace or in the deployment/pod manifests.
Example
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
containers:
- name: app
image: images.my-company.example/app:v4
resources:
requests: #we make sure this is set
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi" #we make sure this is set
cpu: "500m"
Updated 11 days ago