98 lines
2.4 KiB
Plaintext
98 lines
2.4 KiB
Plaintext
== Why is this an issue?
|
|
|
|
A CPU limitation for a container is a specified boundary or restriction that
|
|
determines the maximum amount of CPU resources that a container can utilize. It
|
|
is a part of resource management in a containerized environment, and it is set
|
|
to ensure that a single container does not monopolize the CPU resources of the
|
|
host machine.
|
|
|
|
CPU limitations are important for maintaining a balanced and efficient system.
|
|
They help in distributing resources fairly among different containers, ensuring
|
|
that no single container can cause a system-wide slowdown by consuming more than
|
|
its fair share of CPU resources.
|
|
|
|
=== What is the potential impact?
|
|
|
|
==== Performance degradation
|
|
|
|
Without CPU limitations, a single container could monopolize all available CPU
|
|
resources, leading to a system-wide slowdown. Other containers or processes on
|
|
the same host might be deprived of the necessary CPU resources, causing them to
|
|
function inefficiently.
|
|
|
|
==== System instability
|
|
|
|
In extreme cases, a container with no CPU limit could cause the host machine to
|
|
become unresponsive. This can lead to system downtime and potential loss of
|
|
data, disrupting critical operations and impacting system reliability.
|
|
|
|
== How to fix it
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,yaml,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: example
|
|
spec:
|
|
containers:
|
|
- name: web # Noncompliant
|
|
image: nginx
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,yaml,diff-id=1,diff-type=compliant]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: example
|
|
spec:
|
|
containers:
|
|
- name: web
|
|
image: nginx
|
|
resources:
|
|
limits:
|
|
cpu: 0.5
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
A limit can be set through the property `resources.limits.cpu` of a
|
|
container. Alternatively, a default limit for a namespace can be set with
|
|
`LimitRange`.
|
|
|
|
== Resources
|
|
|
|
=== Documentation
|
|
|
|
* Kubernetes Documentation - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[Resource Management for Pods and Containers]
|
|
|
|
=== Standards
|
|
|
|
* CWE - https://cwe.mitre.org/data/definitions/770[CWE-770 - Allocation of Resources Without Limits or Throttling]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Specify a CPU limit for this container.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
* Highlight the key of the first child of the container that does not specify a CPU limit.
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|