ArmoBest, NSA, YAML-scanning, AllControls
CPU and memory limits should be set for every container, or at the namespace level, to prevent resource exhaustion. This control identifies all Pods without resource limit definitions by checking their YAML definition files as well as the LimitRange objects of their namespace. It is also recommended to use a ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Checks each container for a ‘limits’ field that defines both cpu and memory.
Define a LimitRange in the namespace, or resource limits in the Deployment/Pod YAMLs.
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    resources:
      requests:          # we make sure this is set
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"  # we make sure this is set
        cpu: "500m"
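To show what the check above has to evaluate, here is an added example (not Kubescape's own code) that walks parsed manifests of the listed workload kinds, reports containers whose limits lack cpu or memory, and treats a resource as covered when a Container-type LimitRange in the same namespace supplies a default for it. The sample objects are constructed for the example; the function and variable names are this example's own.

```python
WORKLOAD_KINDS = {"CronJob", "DaemonSet", "Deployment", "Job", "Pod", "ReplicaSet", "StatefulSet"}

def pod_spec(obj):
    """Return the PodSpec of a Pod or of a workload that carries a pod template."""
    kind = obj["kind"]
    if kind == "Pod":
        return obj["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return obj["spec"]["template"]["spec"]

def limitrange_defaults(limit_ranges, namespace):
    """Resources for which a Container-type LimitRange in this namespace sets a default limit."""
    defaulted = set()
    for lr in limit_ranges:
        if lr["metadata"].get("namespace", "default") != namespace:
            continue
        for item in lr["spec"].get("limits", []):
            if item.get("type") == "Container":
                defaulted.update(item.get("default", {}).keys())
    return defaulted

def missing_limits(obj, limit_ranges):
    """Return [(container name, [missing resources])] for containers lacking cpu/memory limits."""
    if obj["kind"] not in WORKLOAD_KINDS:
        return []
    ns = obj["metadata"].get("namespace", "default")
    defaulted = limitrange_defaults(limit_ranges, ns)
    spec = pod_spec(obj)
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        limits = c.get("resources", {}).get("limits", {})
        missing = [r for r in ("cpu", "memory") if r not in limits and r not in defaulted]
        if missing:
            findings.append((c["name"], missing))
    return findings

# Constructed sample objects (already-parsed manifests, not taken from a real cluster)
POD_NO_CPU = {"kind": "Pod", "metadata": {"name": "frontend", "namespace": "web"},
              "spec": {"containers": [{"name": "app", "image": "app:v4",
                       "resources": {"limits": {"memory": "128Mi"}}}]}}
DEPLOY_IN_TEAM_A = {"kind": "Deployment", "metadata": {"name": "api", "namespace": "team-a"},
                    "spec": {"template": {"spec": {"containers": [{"name": "api", "image": "api:1"}]}}}}
LIMIT_RANGES = [{"kind": "LimitRange", "metadata": {"name": "defaults", "namespace": "team-a"},
                 "spec": {"limits": [{"type": "Container",
                                      "default": {"cpu": "500m", "memory": "256Mi"}}]}}]

if __name__ == "__main__":
    for obj in (POD_NO_CPU, DEPLOY_IN_TEAM_A):
        print(obj["metadata"]["name"], missing_limits(obj, LIMIT_RANGES))
```

The Deployment in team-a passes only because of the namespace LimitRange; remove that object and both cpu and memory are reported for its container.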
Updated about 2 months ago