Memory requests not defined

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Memory requests not defined

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 229588ef-8fde-40c8-8756-f4f2b5825ded

Cloud Provider: k8s

Framework: Kubernetes

Severity: Medium

Category: Resource Management

Learn More

Provider Reference

Description

Memory requests should be defined for each container to allow the kubelet to reserve the requested system resources and prevent over-provisioning on individual nodes.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: memory-demo
  namespace: mem-example
spec:
  containers:
  - name: memory-demo-ctr
    image: polinux/stress
    resources:
      limits:
        memory: "200Mi"
      requests:
        memory: "100Mi"
    command: ["stress"]
    args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment-ctr-neg
  labels:
    app: test-neg
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test-ctr-neg
  template:
    metadata:
      labels:
        app: test-ctr-neg
    spec:
      containers:
        - name:  pause
          image: k8s.gcr.io/pause
          resources:
            limits:
              cpu: 0.5
              memory: 512Mi
            requests:
              cpu: 0.5
              memory: 512Mi

Non-Compliant Code Examples

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment2
  labels:
    app: test2
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test2
  template:
    metadata:
      labels:
        app: test2
    spec:
      containers:
        - name:  pause
          image: k8s.gcr.io/pause
          resources:
            limits:
              cpu: 0.5
              memory: 512Mi

apiVersion: v1
kind: Pod
metadata:
  name: memory-demo
  namespace: mem-example
spec:
  containers:
  - name: memory-demo-ctr-1
    image: polinux/stress
    resources:
      limits:
        memory: "200Mi"
      requests:
        cpu: "0.5"
    command: ["stress"]
    args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
---
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo-1
  namespace: mem-example
spec:
  containers:
  - name: memory-demo-ctr-2
    image: polinux/stress
    resources:
      limits:
        memory: "200Mi"
    command: ["stress"]
    args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
---
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo-2
  namespace: mem-example
spec:
  containers:
  - name: memory-demo-ctr-3
    image: polinux/stress
    command: ["stress"]
    args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
---
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo-3
  namespace: mem-example
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
    - name: sec-ctx-vol
      emptyDir: { }
  containers:
  - name: memory-demo-ctr-4
    image: polinux/stress
    command: ["stress"]