K01-insecure-workload-config [Add CPU Resource Constraints]

The 2023 Cloud-Native Security & Usage Report highlighted how 59% of containers running in Kubernetes has no CPU limits, and 49% of containers had no memory limits enforced. That's why I suggested resource constraints as a clear example of insecure workload configuration.

2022/en/src/K01-insecure-workload-configurations.md

@@ -88,6 +88,28 @@ spec:
     #non-privileged 
     privileged: false
 ```
+**Resource constraints should be enforced**: By default, containers run with unbounded compute resources on a Kubernetes 
+cluster. CPU requests and limits can be attributed to an individual Containers within a Pod. If you don't specify a CPU 
+limit for a Container, it means there's no upper bound on the CPU resources it can consume. While this flexibility can 
+be advantageous, it also poses a risk for potential resource abuse, such as crypto-mining, as the Container could 
+potentially utilize all available CPU resources on the hosting Node.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: resoure-limit-pod
+spec:
+  containers:
+  ...
+      resources:
+        limits:
+          cpu: "0.5" # 0.5 CPU cores
+          memory: "512Mi" # 512 Megabytes of memory
+        requests:
+          cpu: "0.2" # 0.2 CPU cores
+          memory: "256Mi" # 256 Megabytes of memory
+```
 
 ## How to Prevent
 
@@ -102,6 +124,8 @@ can enforce that applications:
 2. Run as non-privileged mode
 3. Set AllowPrivilegeEscalation: False to disallow child process from getting
    more privileges than its parents
+4. Set a LimitRange to constrain the resource allocations for each applicable 
+   object kind in a namespace. 
 
 Tools such as Open Policy Agent can be used as a policy engine to detect these
 common misconfigurations. The CIS Benchmark for Kubernetes can also be used as a