# Memory Requests Not Defined
- Query id: 229588ef-8fde-40c8-8756-f4f2b5825ded
- Query name: Memory Requests Not Defined
- Platform: Kubernetes
- Severity: Medium
- Category: Resource Management
- CWE: 400
- URL: Github
## Description
Memory requests should be defined for each container. A memory request lets the scheduler and kubelet reserve the requested amount of memory on the node for that container, and so prevents over-provisioning on individual nodes.
Documentation
## Code samples

### Code samples with security vulnerabilities
#### Positive test num. 1 - yaml file

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo
  namespace: mem-example
spec:
  containers:
    - name: memory-demo-ctr-1
      image: polinux/stress
      resources:
        limits:
          memory: "200Mi"
        requests:
          cpu: "0.5"
      command: ["stress"]
      args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
---
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo-1
  namespace: mem-example
spec:
  containers:
    - name: memory-demo-ctr-2
      image: polinux/stress
      resources:
        limits:
          memory: "200Mi"
      command: ["stress"]
      args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
---
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo-2
  namespace: mem-example
spec:
  containers:
    - name: memory-demo-ctr-3
      image: polinux/stress
      command: ["stress"]
      args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
---
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo-3
  namespace: mem-example
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
    - name: sec-ctx-vol
      emptyDir: { }
  containers:
    - name: memory-demo-ctr-4
      image: polinux/stress
      command: ["stress"]
```
#### Positive test num. 2 - yaml file

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment2
  labels:
    app: test2
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test2
  template:
    metadata:
      labels:
        app: test2
    spec:
      containers:
        - name: pause
          image: k8s.gcr.io/pause
          resources:
            limits:
              cpu: 0.5
              memory: 512Mi
```
### Code samples without security vulnerabilities

#### Negative test num. 1 - yaml file

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo
  namespace: mem-example
spec:
  containers:
    - name: memory-demo-ctr
      image: polinux/stress
      resources:
        limits:
          memory: "200Mi"
        requests:
          memory: "100Mi"
      command: ["stress"]
      args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
```
#### Negative test num. 2 - yaml file

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment-ctr-neg
  labels:
    app: test-neg
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test-ctr-neg
  template:
    metadata:
      labels:
        app: test-ctr-neg
    spec:
      containers:
        - name: pause
          image: k8s.gcr.io/pause
          resources:
            limits:
              cpu: 0.5
              memory: 512Mi
            requests:
              cpu: 0.5
              memory: 512Mi
```
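The following is an added example, not the KICS project's own query (KICS implements its queries in Rego). It reimplements the check this page describes in Python so the positive and negative samples above can be reasoned about side by side: a container is reported when it has no `resources.requests.memory`, whether because `resources` is absent, only `limits` is set, or the `requests` block names only `cpu`. The manifests are constructed Python dicts that mirror the page's samples; in practice you would load them from a file with PyYAML's `yaml.safe_load_all()`. The helper names (`pod_spec`, `containers_missing_memory_request`, `scan`) and the `ConfigMap` object used to show that non-workload kinds are skipped are assumptions of this example.

```python
"""Flag containers that declare no memory request.

Added example, not the KICS project's code. The sample manifests are
constructed dicts mirroring the page's positive/negative YAML; real input
would come from yaml.safe_load_all() over a manifest file.
"""
from typing import Any, Dict, Iterable, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (kind, object name, container path)

# Workload kinds whose PodSpec is nested under .spec.template.spec
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec(doc: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the PodSpec of a workload object, or None for non-workload kinds."""
    kind = doc.get("kind")
    spec = doc.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in TEMPLATED_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    if kind == "CronJob":  # one level deeper: .spec.jobTemplate.spec.template.spec
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec") or {}
    return None


def containers_missing_memory_request(doc: Dict[str, Any]) -> List[Finding]:
    """List every init or regular container without resources.requests.memory."""
    spec = pod_spec(doc)
    if spec is None:
        return []
    obj_name = (doc.get("metadata") or {}).get("name", "<unnamed>")
    findings: List[Finding] = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            # `or {}` covers `resources: {}` and `requests:` left empty (YAML null)
            resources = container.get("resources") or {}
            requests = resources.get("requests") or {}
            if "memory" not in requests:
                path = f"{field}[{container.get('name')}]"
                findings.append((doc.get("kind", "?"), obj_name, path))
    return findings


def scan(docs: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Run the check over a stream of manifest documents."""
    return [f for d in docs for f in containers_missing_memory_request(d)]


# --- constructed samples mirroring the page's YAML ---------------------------
def _pod(name: str, container: Dict[str, Any]) -> Dict[str, Any]:
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "mem-example"},
            "spec": {"containers": [container]}}


def _deployment(name: str, container: Dict[str, Any]) -> Dict[str, Any]:
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": name},
            "spec": {"replicas": 3, "selector": {"matchLabels": {"app": name}},
                     "template": {"metadata": {"labels": {"app": name}},
                                  "spec": {"containers": [container]}}}}


STRESS = {"image": "polinux/stress", "command": ["stress"]}
PAUSE = {"name": "pause", "image": "k8s.gcr.io/pause"}

POSITIVE_SAMPLES = [  # each should produce exactly one finding
    _pod("memory-demo", {"name": "memory-demo-ctr-1", **STRESS,
         "resources": {"limits": {"memory": "200Mi"}, "requests": {"cpu": "0.5"}}}),
    _pod("memory-demo-1", {"name": "memory-demo-ctr-2", **STRESS,
         "resources": {"limits": {"memory": "200Mi"}}}),
    _pod("memory-demo-2", {"name": "memory-demo-ctr-3", **STRESS}),
    _deployment("test-deployment2", {**PAUSE,
                "resources": {"limits": {"cpu": 0.5, "memory": "512Mi"}}}),
]
NEGATIVE_SAMPLES = [  # compliant, plus a non-workload object that is skipped
    _pod("memory-demo", {"name": "memory-demo-ctr", **STRESS,
         "resources": {"limits": {"memory": "200Mi"}, "requests": {"memory": "100Mi"}}}),
    _deployment("test-deployment-ctr-neg", {**PAUSE,
                "resources": {"limits": {"cpu": 0.5, "memory": "512Mi"},
                              "requests": {"cpu": 0.5, "memory": "512Mi"}}}),
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "not-a-workload"}},
]

if __name__ == "__main__":
    for kind, name, path in scan(POSITIVE_SAMPLES + NEGATIVE_SAMPLES):
        print(f"[Medium] {kind}/{name}: {path} declares no memory request")
```

Running the script prints four findings, one per positive sample, and nothing for the negative ones. Note that when a manifest sets a memory limit but no memory request, Kubernetes assigns a request equal to the limit at admission, so `memory-demo-1` does get a reservation at runtime; the check still reports it, as KICS does, because the manifest itself does not state the request and a later edit to the limit silently changes the reservation.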