Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
An XCCDF Rule
Description
Two types of garbage collection are performed on an OpenShift Container Platform node:
- Container garbage collection: Removes terminated containers.
- Image garbage collection: Removes images not referenced by any running pods.
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node.
The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
- soft eviction for containers
- hard eviction for containers
- eviction for images
To configure, follow the directions in the documentation
This rule pertains to the nodefs.available
setting of the evictionHard
section.
Rationale
Garbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection.
- ID
- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available_worker
- Severity
- Medium
- Updated