
Ensure that all deployments have resource limits

An XCCDF Rule

Description

When deploying an application, it is important to tune based on memory and CPU consumption, allocating enough resources for the application to function properly. Images provided by OpenShift Dedicated behave properly within the confines of the memory they are allocated. However, any application images must pay attention to the specific resources required to ensure they are available. If the node where a Pod is running has enough of a resource available, it's possible (and allowed) for a container to use more resource than its request for that resource specifies. However, a container is not allowed to use more than its resource limit.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • /apis/apps/v1/deployments?limit=500 API endpoint, filter it with the jq utility using the following filter [ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ] and persist it to the local /apis/apps/v1/deployments?limit=500#fd79d18d262885d436c6b8177af467dcb6dcf7ab53ab9e26deee622ce777a98f file.
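The same check expressed in Python, as an added example rather than code from the rule's content: it applies the filter's namespace exclusion and its four null tests to a constructed deployment list, and also names the container and field that fail. The sample deployments, namespaces and helper names are assumptions made for illustration.

```python
import json

# The four fields the rule's jq filter tests for null on each container.
REQUIRED = [("requests", "cpu"), ("requests", "memory"),
            ("limits", "cpu"), ("limits", "memory")]
EXCLUDED_PREFIXES = ("kube-", "openshift-")  # namespaces the filter skips

def missing_fields(container):
    """Return the unset fields of one container, e.g. ['limits.memory']."""
    resources = container.get("resources") or {}
    return [f"{kind}.{res}" for kind, res in REQUIRED
            if (resources.get(kind) or {}).get(res) is None]

def noncompliant_deployments(deployment_list):
    """Map 'namespace/name' to {container: [missing fields]} for each failure."""
    findings = {}
    for item in deployment_list.get("items", []):
        meta = item["metadata"]
        if meta["namespace"].startswith(EXCLUDED_PREFIXES):
            continue
        containers = item["spec"]["template"]["spec"].get("containers") or []
        gaps = {c["name"]: missing_fields(c) for c in containers}
        gaps = {name: fields for name, fields in gaps.items() if fields}
        if gaps:
            findings[f"{meta['namespace']}/{meta['name']}"] = gaps
    return findings

def _deploy(namespace, name, *containers):
    """Build a minimal Deployment object for the constructed sample below."""
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"template": {"spec": {"containers": list(containers)}}}}

FULL = {"requests": {"cpu": "100m", "memory": "128Mi"},
        "limits": {"cpu": "500m", "memory": "256Mi"}}

# Constructed stand-in for a /apis/apps/v1/deployments response (not real data).
SAMPLE = {"items": [
    _deploy("shop", "web", {"name": "app", "resources": FULL}),
    _deploy("shop", "worker", {"name": "app", "resources": FULL},
            {"name": "sidecar", "resources": {"requests": {"cpu": "50m", "memory": "64Mi"}}}),
    _deploy("default", "legacy", {"name": "main"}),                 # no resources at all
    _deploy("openshift-monitoring", "exporter", {"name": "main"}),  # excluded prefix
    _deploy("openshift", "shared-tool", {"name": "main", "resources": {}}),  # not excluded
]}

if __name__ == "__main__":
    print(json.dumps(noncompliant_deployments(SAMPLE), indent=2))
```

The constructed `openshift` namespace is reported because it does not begin with `openshift-`; the filter excludes only the two hyphenated prefixes.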

Rationale

Resource requests/limits provide constraints that limit aggregate resource consumption per container. This helps prevent resource starvation. When deploying your application, it is important to tune based on memory and CPU consumption, allocating enough resources for the application to function properly.

ID
xccdf_org.ssgproject.content_rule_resource_requests_limits_in_deployment
Severity
Medium