ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6870/kubernetes/rule.adoc
Hendrik Buchwald 3dd031e4f9
Modify rule S6870: Improve description (#4443)
2024-10-28 15:09:05 +00:00

148 lines
3.7 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Ephemeral storage in Kubernetes refers to temporary storage that is non-persistent,
meaning it does not retain data once the container or pod is terminated. This
type of storage is typically used for storing temporary files that a running
container can write and read. Examples of ephemeral storage include the container's
writable layer, emptyDir volumes, and log files.
The issue arises when a container is created without any defined limits for its
ephemeral storage usage. Without these limits, the container can potentially
consume all available ephemeral storage on the node where it is running.
=== What is the potential impact?
==== Resource exhaustion
Without a defined limit, a container can consume all available ephemeral storage
on a node. This can lead to resource exhaustion, where no more storage is
available for other containers or processes running on the same node. This could
cause these other containers or processes to fail or perform poorly.
==== Unpredictable application behavior
If a container exhausts the available ephemeral storage, it can lead to
unpredictable application behavior. For instance, if an application attempts to
write to the ephemeral storage and there is no space left, it may crash or
exhibit other unexpected behaviors.
== How to fix it
To prevent these issues, it is important to set limits on the amount of ephemeral
storage a container can use. This can be done through the
`resources.limits.ephemeral-storage` property of a container. Additionally, a
default limit for a namespace can be set using a `LimitRange` object through
`spec.limits[].default.ephemeral-storage`.
=== Code examples
==== Noncompliant code example
[source,yaml,diff-id=1,diff-type=noncompliant]
----
apiVersion: v1
kind: Pod
metadata:
name: example
spec:
containers:
- name: web # Noncompliant
image: nginx
volumeMounts:
- name: ephemeral
mountPath: "/tmp"
----
[source,yaml,diff-id=2,diff-type=noncompliant]
----
apiVersion: v1
kind: Pod
metadata:
name: example
spec:
containers:
- name: web # Noncompliant
image: nginx
volumeMounts:
- name: ephemeral
mountPath: "/tmp"
----
==== Compliant solution
[source,yaml,diff-id=1,diff-type=compliant]
----
apiVersion: v1
kind: Pod
metadata:
name: example
spec:
containers:
- name: web
image: nginx
resources:
limits:
ephemeral-storage: "2Gi"
volumeMounts:
- name: ephemeral
mountPath: "/tmp"
----
[source,yaml,diff-id=2,diff-type=compliant]
----
apiVersion: v1
kind: LimitRange
metadata:
name: storage-limit-range
namespace: namespace-with-limit-range
spec:
limits:
- default:
ephemeral-storage: "10Mi"
type: Container
---
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: namespace-with-limit-range
spec:
containers:
- name: web
image: nginx
volumeMounts:
- name: ephemeral
mountPath: "/tmp"
----
=== How does this work?
By setting a limit on ephemeral storage, you ensure that a container cannot
consume more than the specified amount of temporary storage. This helps prevent
resource exhaustion and ensures more predictable application behavior.
== Resources
=== Documentation
* Kubernetes Documentation - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[Resource Management for Pods and Containers]
=== Standards
* CWE - https://cwe.mitre.org/data/definitions/770[CWE-770 - Allocation of Resources Without Limits or Throttling]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Specify a storage limit for this container.
=== Highlighting
* Highlight the `containers` property.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink