CPU Limits Not Set
- Query id: 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda
- Query name: CPU Limits Not Set
- Platform: Kubernetes
- Severity: Low
- Category: Resource Management
- CWE: 400
- URL: Github
Description
CPU limits should be set because, if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
    - name: app
      image: images.my-company.example/app:v4
      resources:
        limits:
          memory: "64Mi"
    - name: log-aggregator
      image: images.my-company.example/log-aggregator:v6
      resources:
        requests:
          memory: "64Mi"
          cpu: "250m"
---
apiVersion: serving.knative.dev/v1
kind: Configuration
metadata:
  name: dummy-config
  namespace: knative-sequence
spec:
  template:
    spec:
      containers:
        - name: app
          image: images.my-company.example/app:v4
          resources:
            limits:
              memory: "64Mi"
        - name: log-aggregator
          image: images.my-company.example/log-aggregator:v6
          resources:
            requests:
              memory: "64Mi"
              cpu: "250m"
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
    - name: app
      image: images.my-company.example/app:v4
      resources:
        limits:
          cpu: "500m"
    - name: log-aggregator
      image: images.my-company.example/log-aggregator:v6
      resources:
        requests:
          memory: "64Mi"
          cpu: "250m"
        limits:
          memory: "128Mi"
          cpu: "500m"
```
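The check these samples exercise, written out as an added Python example (not the query's own implementation): it walks a parsed manifest and reports every container with no `resources.limits.cpu`, wherever the container list is nested, so it covers both the Pod and the Knative Configuration above. The function name, the inline dicts (constructed from the samples, in the shape a YAML parser would return) and the inclusion of `initContainers` are assumptions of this example.

```python
# Added example: report containers that have no resources.limits.cpu.
# Manifests are plain dicts, constructed here from the page's samples.

CONTAINER_KEYS = ("containers", "initContainers")  # initContainers: assumption


def missing_cpu_limits(node, path=""):
    """Return (path, container name) for each container lacking limits.cpu."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in CONTAINER_KEYS and isinstance(value, list):
                for i, ctr in enumerate(value):
                    if not isinstance(ctr, dict):
                        continue
                    # resources or limits may be absent or explicitly null
                    limits = (ctr.get("resources") or {}).get("limits") or {}
                    if limits.get("cpu") in (None, ""):
                        findings.append((f"{child}[{i}]", ctr.get("name")))
            else:
                findings.extend(missing_cpu_limits(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(missing_cpu_limits(item, f"{path}[{i}]"))
    return findings


REQ = {"memory": "64Mi", "cpu": "250m"}
POSITIVE_CONTAINERS = [
    {"name": "app", "resources": {"limits": {"memory": "64Mi"}}},
    {"name": "log-aggregator", "resources": {"requests": REQ}},
]
NEGATIVE_CONTAINERS = [
    {"name": "app", "resources": {"limits": {"cpu": "500m"}}},
    {"name": "log-aggregator",
     "resources": {"requests": REQ,
                   "limits": {"memory": "128Mi", "cpu": "500m"}}},
]
POD_POSITIVE = {"kind": "Pod", "spec": {"containers": POSITIVE_CONTAINERS}}
KNATIVE_POSITIVE = {"kind": "Configuration",
                    "spec": {"template": {"spec": {"containers": POSITIVE_CONTAINERS}}}}
POD_NEGATIVE = {"kind": "Pod", "spec": {"containers": NEGATIVE_CONTAINERS}}

if __name__ == "__main__":
    for doc in (POD_POSITIVE, KNATIVE_POSITIVE, POD_NEGATIVE):
        for where, name in missing_cpu_limits(doc):
            print(f"{doc['kind']}: {where} ({name}) has no CPU limit")
```

A CPU request alone does not satisfy the check: the `log-aggregator` container in the positive sample is reported even though it sets `requests.cpu`.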