Ensure that all statefulsets has resource limits

An XCCDF Rule

Description

When deploying an application, it is important to tune based on memory and CPU consumption, allocating enough resources for the application to function properly. Images provided by OpenShift Dedicated behave properly within the confines of the memory they are allocated. However, any application images must pay attention to the specific resources required to ensure they are available. If the node where a Pod is running has enough of a resource available, it's possible (and allowed) for a container to use more resource than its request for that resource specifies. However, a container is not allowed to use more than its resource limit.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

/apis/apps/v1/statefulsets?limit=500 API endpoint, filter with with the jq utility using the following filter [ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ] and persist it to the local /apis/apps/v1/statefulsets?limit=500#8d6153e1d390bfded0691b6d802abc0c434bec03b48011eb1a059b227346a8ce file.

Rationale

Resource requests/limits provide constraints that limit aggregate resource consumption per container. This helps prevent resource starvation. When deploying your application, it is important to tune based on memory and CPU consumption, allocating enough resources for the application to function properly.

ID: xccdf_org.ssgproject.content_rule_resource_requests_limits_in_statefulset
Severity: Medium
References: SC-6
Updated: about 1 year ago