Container Requests Not Equal To It's Limits
- Query id: aee3c7d2-a811-4201-90c7-11c028be9a46
- Query name: Container Requests Not Equal To It's Limits
- Platform: Kubernetes
- Severity: Low
- Category: Resource Management
- URL: Github
Description¶
Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
containers:
- name: app
image: images.my-company.example/app:v4
resources:
requests:
cpu: "500m"
limits:
memory: "128Mi"
cpu: "500m"
- name: log-aggregator
image: images.my-company.example/log-aggregator:v6
resources:
requests:
memory: "128Mi"
cpu: "500m"
limits:
cpu: "500m"
- name: app2
image: images.my-company.example/app:v4
resources:
requests:
memory: "64Mi"
cpu: "500m"
limits:
memory: "128Mi"
cpu: "500m"
- name: app3
image: images.my-company.example/app:v4
resources:
requests:
memory: "64Mi"
limits:
memory: "64Mi"
cpu: "500m"
- name: app4
image: images.my-company.example/app:v4
resources:
requests:
memory: "128Mi"
cpu: "500m"
limits:
memory: "128Mi"
- name: app5
image: images.my-company.example/app:v4
resources:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
containers:
- name: app
image: images.my-company.example/app:v4
resources:
requests:
memory: "128Mi"
cpu: "500m"
limits:
memory: "128Mi"
cpu: "500m"
- name: log-aggregator
image: images.my-company.example/log-aggregator:v6
resources:
requests:
memory: "128Mi"
cpu: "500m"
limits:
memory: "128Mi"
cpu: "500m"