
Container CPU and memory limits should be enforced [Medium]

Open emirgens opened this issue 9 months ago • 0 comments

Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack). We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

Remediation

From the 'Unhealthy resources' tab, select the cluster. Defender for Cloud lists the pods without CPU and memory limits. To control a pod's limits, set quotas at the container level. Each container of a pod can specify one or both of the following:

  • spec.containers[].resources.limits.cpu
  • spec.containers[].resources.limits.memory

After making your changes, redeploy the pod with the new limits.

  • [ ] cert-manager/cert-manager-cainjector-
  • [ ] cert-manager/cert-manager-webhook
  • [ ] external-secrets/external-secrets-operator-
  • [ ] external-secrets/external-secrets-operator-webhook-
  • [ ] external-secrets/external-secrets-operator-cert-controller-
  • [ ] tekton-pipelines/tekton-events-controller-
  • [ ] ingress-nginx/ingress-nginx-controller-
  • [ ] velero/velero-
  • [ ] monitor/grafana-
  • [ ] monitor/prometheus-blackbox-exporter-
  • [ ] monitor/prometheus-prometheus-operator-prometheus-
  • [ ] monitor/prometheus-operator-operator-
  • [ ] monitor/alertmanager-prometheus-operator-alertmanager-
  • [ ] monitor/kube-prometheus-stack-prometheus-node-exporter-
  • [ ] monitor/kube-prometheus-stack-kube-state-metrics-
  • [ ] radix-networkpolicy-canary-egressrulestopublicdns/batch-
  • [ ] radix-networkpolicy-canary-oauthdenyall/redis-
  • [ ] radix-networkpolicy-canary-allowradix/batch-
  • [ ] radix-networkpolicy-canary-allowradix/myjob-
  • [ ] radix-log-api-qa/server-
  • [ ] radix-log-api-prod/server-
  • [ ] radix-public-site-qa/public-site-
  • [ ] canarycicd-test3-prod/client-

Other

  • [ ] /radix-prepare-pipelines-
  • [ ] radix-pipeline-

Note: Although requests and limits can only be specified on individual containers, it is convenient to talk about pod resource limits. A Pod resource limit is the sum of the resource limits for all the containers in the pod.

emirgens, Apr 25 '24 09:04
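An added example, not part of the original issue or of Defender for Cloud: a Python check that walks a pod list, reports every `spec.containers[]` entry without a CPU or memory limit, and computes the pod-level limit as the sum described in the note. The function names are this example's own, and the pods in `SAMPLE` are constructed.

```python
import json
from decimal import Decimal

# Kubernetes quantity suffixes: binary (Ki..Ei), decimal (k..E) and milli (m).
_SUFFIX = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50,
           "Ei": 2**60, "m": Decimal("0.001"), "k": 10**3, "M": 10**6,
           "G": 10**9, "T": 10**12, "P": 10**15, "E": 10**18}

def parse_quantity(q):
    """Convert '500m', '2' or '128Mi' to a Decimal (CPU cores or bytes)."""
    q = str(q)
    for suffix in sorted(_SUFFIX, key=len, reverse=True):  # try 'Mi' before 'M'
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * _SUFFIX[suffix]
    return Decimal(q)

def audit_pod(pod):
    """Return (pod key, findings, totals) for one pod object.
    findings: each spec.containers[] entry lacking a cpu or memory limit.
    totals: pod-level limit (sum over containers), or None for a resource
    that at least one container leaves unbounded."""
    meta = pod["metadata"]
    where = f'{meta.get("namespace", "default")}/{meta["name"]}'
    findings, totals = [], {"cpu": Decimal(0), "memory": Decimal(0)}
    for c in pod["spec"].get("containers", []):
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f'{where}/{c["name"]}: missing {res} limit')
                totals[res] = None
            elif totals[res] is not None:
                totals[res] += parse_quantity(limits[res])
    return where, findings, totals

# Constructed sample in the shape of a Kubernetes PodList (not real cluster data).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "example-ns", "name": "web-0"}, "spec": {"containers": [
   {"name": "app", "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
   {"name": "sidecar", "resources": {"limits": {"cpu": "250m", "memory": "64Mi"}}}]}},
 {"metadata": {"namespace": "example-ns", "name": "batch-0"}, "spec": {"containers": [
   {"name": "job", "resources": {"requests": {"cpu": "100m"}, "limits": {"memory": "1Gi"}}},
   {"name": "logger"}]}}]}""")

def audit(pod_list):
    """Map 'namespace/pod' to (findings, totals) for every pod in the list."""
    return {w: (f, t) for w, f, t in map(audit_pod, pod_list["items"])}

if __name__ == "__main__":
    for pod, (findings, totals) in audit(SAMPLE).items():
        print(pod, totals, *findings, sep="\n  ")
```

To run it against a live cluster, replace `SAMPLE` with the parsed output of `kubectl get pods -A -o json`. Note that a container with only `requests` set, like `job` above, is still reported because a request does not cap usage.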