C-0009 - Resource limits

Framework

Severity

High

Description of the issue

CPU and memory limits should be set for every container, either directly in the container spec or through a LimitRange in its namespace, so that a single workload cannot exhaust the resources of the node it runs on. This control identifies pods whose containers have no resource limits by inspecting the workload manifest as well as the LimitRange objects in its namespace (a LimitRange that defines a default limit is applied by the LimitRanger admission plugin to containers that omit one, so such containers still end up limited). Using a ResourceQuota object to cap overall namespace consumption is also recommended, but is not verified by this control.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check, for each container, that a ‘limits’ field is defined for both cpu and memory, either in the container spec or as a default supplied by a LimitRange in the namespace.

Remediation

Set resources.limits for cpu and memory on every container in the deployment/pod manifest, or define a LimitRange in the namespace that supplies default container limits for workloads that omit them.

Example

apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    resources:
      requests:            # recommended, but not what this control checks
        memory: "64Mi"
        cpu: "250m"
      limits:              # the control requires both cpu and memory here
        memory: "128Mi"
        cpu: "500m"
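The check described above and the LimitRange form of the remediation, as an added example that is not part of Kubescape or of this page: a Python re-implementation of the control's test over constructed Deployment, CronJob and LimitRange manifests (written as the dict form of the YAML). The function names, the sample objects and the decision to include init containers are assumptions of this example, not the project's.

```python
# Added example (not Kubescape's own code): re-implements the check this control
# describes over in-memory manifests. Helper names and sample objects are mine.

RESOURCES = ("cpu", "memory")


def pod_spec_of(workload: dict) -> dict:
    """Return the PodSpec embedded in any of the control's related kinds."""
    kind = workload.get("kind")
    spec = workload.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    # Deployment, DaemonSet, Job, ReplicaSet, StatefulSet carry spec.template
    return spec["template"]["spec"]


def limit_range_defaults(limit_ranges, namespace: str) -> set:
    """Resources for which a LimitRange in `namespace` supplies a default
    container limit. The LimitRanger admission plugin injects these into
    containers that omit them, so they count as limited."""
    covered = set()
    for lr in limit_ranges:
        if lr.get("metadata", {}).get("namespace") != namespace:
            continue
        for item in lr.get("spec", {}).get("limits", []):
            if item.get("type") == "Container":
                covered.update(r for r in RESOURCES if r in item.get("default", {}))
    return covered


def missing_limits(workload: dict, limit_ranges=()) -> list:
    """(container_name, resource) pairs with neither a declared limit nor a
    namespace LimitRange default. An empty list means the control passes."""
    namespace = workload.get("metadata", {}).get("namespace", "default")
    defaulted = limit_range_defaults(limit_ranges, namespace)
    pod = pod_spec_of(workload)
    findings = []
    # Init containers are included too; that is this example's choice.
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        limits = (c.get("resources") or {}).get("limits") or {}
        for r in RESOURCES:
            if r not in limits and r not in defaulted:
                findings.append((c["name"], r))
    return findings


# Constructed samples, written as the dict form of the YAML manifests.
DEPLOYMENT_NO_LIMITS = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "frontend", "namespace": "web"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "app", "image": "images.my-company.example/app:v4",
        "resources": {"requests": {"cpu": "250m", "memory": "64Mi"}},
    }]}}},
}

CRONJOB_CPU_ONLY = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "backup", "namespace": "web"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [{
        "name": "backup", "image": "images.my-company.example/backup:v1",
        "resources": {"limits": {"cpu": "1"}},
    }]}}}}},
}

# The remediation's LimitRange form: `default` fills in omitted limits,
# `defaultRequest` fills in omitted requests, `max` rejects anything larger.
LIMIT_RANGE_WEB = {
    "apiVersion": "v1", "kind": "LimitRange",
    "metadata": {"name": "container-defaults", "namespace": "web"},
    "spec": {"limits": [{
        "type": "Container",
        "default": {"cpu": "500m", "memory": "128Mi"},
        "defaultRequest": {"cpu": "250m", "memory": "64Mi"},
        "max": {"cpu": "2", "memory": "1Gi"},
    }]},
}

if __name__ == "__main__":
    for wl in (DEPLOYMENT_NO_LIMITS, CRONJOB_CPU_ONLY):
        name = wl["metadata"]["name"]
        print(name, "without LimitRange:", missing_limits(wl))
        print(name, "with LimitRange:   ", missing_limits(wl, [LIMIT_RANGE_WEB]))
```

The Deployment fails on both resources and the CronJob on memory alone when no LimitRange exists; once the LimitRange in the same namespace supplies defaults for both, neither workload is reported. A LimitRange in a different namespace changes nothing, which is the case a scanner must get right.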