C-0009-resourcelimits.json
{
"name": "Resource limits",
"attributes": {
"controlTypeTags": [
"security"
]
},
"description": "CPU and memory limits should be set for every container, or for the namespace, to prevent resource exhaustion. This control identifies all pods without resource limit definitions by checking their YAML definition files as well as their namespace LimitRange objects. It is also recommended to use a ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
"remediation": "Define a LimitRange for the namespace or set resource limits in the deployment/pod manifests.",
"rulesNames": [
"resource-policies"
],
"long_description": "CPU and memory limits should be set for every container, or for the namespace, to prevent resource exhaustion. This control identifies all pods without resource limit definitions by checking their YAML definition files as well as their namespace LimitRange objects. It is also recommended to use a ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
"test": "Check, for each container, whether a \u2018limits\u2019 field is defined for both CPU and memory.",
"controlID": "C-0009",
"baseScore": 7.0,
"example": "@controls/examples/c009.yaml",
"category": {
"name" : "Workload"
},
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}