
Ensure that all daemonsets have resource limits

An XCCDF Rule

Description

When deploying an application, it is important to tune based on memory and CPU consumption, allocating enough resources for the application to function properly. Images provided by OpenShift Dedicated behave properly within the confines of the memory they are allocated. However, any application images must pay attention to the specific resources required to ensure they are available. If the node where a Pod is running has enough of a resource available, it's possible (and allowed) for a container to use more resource than its request for that resource specifies. However, a container is not allowed to use more than its resource limit.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • /apis/apps/v1/daemonsets?limit=500 API endpoint, filtered with the jq utility using the following filter [ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ] with the result persisted to the local /apis/apps/v1/daemonsets?limit=500#4d731297befcc53bdd195fca183d6192f0a5baf04a2a1086f5958978da5a03cb file.
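The selection logic of the jq filter above, written out in Python as an added example (not part of the rule content or the ComplianceAsCode project). It goes slightly beyond the filter by reporting namespace/name and the missing fields per container; the helper names and the sample DaemonSetList are constructed for illustration.

```python
# Fields the rule's jq filter requires on every container.
REQUIRED = [("requests", "cpu"), ("requests", "memory"),
            ("limits", "cpu"), ("limits", "memory")]
# Namespaces the filter skips (prefix match, as in the jq startswith calls).
EXEMPT_PREFIXES = ("kube-", "openshift-")

def missing_fields(container):
    """Return the required resource fields that are absent or null."""
    res = container.get("resources") or {}
    return [f"{kind}.{name}" for kind, name in REQUIRED
            if (res.get(kind) or {}).get(name) is None]

def noncompliant_daemonsets(ds_list):
    """Map 'namespace/name' -> {container: [missing fields]} for a DaemonSetList."""
    findings = {}
    for item in ds_list.get("items", []):
        meta = item["metadata"]
        if meta["namespace"].startswith(EXEMPT_PREFIXES):
            continue  # kube-* and openshift-* namespaces are excluded by the rule
        containers = item["spec"]["template"]["spec"]["containers"]
        gaps = {c["name"]: missing_fields(c) for c in containers}
        gaps = {name: miss for name, miss in gaps.items() if miss}
        if gaps:
            findings[f'{meta["namespace"]}/{meta["name"]}'] = gaps
    return findings

def _ds(ns, name, containers):
    """Build one constructed DaemonSet item with only the fields the check reads."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": {"containers": containers}}}}

# Constructed sample shaped like the /apis/apps/v1/daemonsets response.
FULL = {"requests": {"cpu": "100m", "memory": "128Mi"},
        "limits": {"cpu": "200m", "memory": "256Mi"}}
SAMPLE = {"items": [
    _ds("openshift-monitoring", "node-exporter", [{"name": "exporter"}]),
    _ds("logging", "fluentd", [
        {"name": "fluentd", "resources": FULL},
        {"name": "sidecar", "resources": {"requests": FULL["requests"],
                                          "limits": {"cpu": "50m"}}}]),
    _ds("app", "agent", [{"name": "agent", "resources": FULL}]),
]}

if __name__ == "__main__":
    for ds, gaps in noncompliant_daemonsets(SAMPLE).items():
        print(ds, gaps)
```

To run it against a real dump, load the saved API response with json.load and pass it to noncompliant_daemonsets in place of SAMPLE.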

Rationale

Resource requests/limits provide constraints that limit aggregate resource consumption per container. This helps prevent resource starvation. When deploying your application, it is important to tune based on memory and CPU consumption, allocating enough resources for the application to function properly.

ID
xccdf_org.ssgproject.content_rule_resource_requests_limits_in_daemonset
Severity
Medium