Pod or container without LimitRange
Id: kubernetes-pod-or-container-without-limit-range
Platform: Kubernetes
Severity: Low
Category: Insecure Configurations
Description
Every namespace that runs workloads should carry a LimitRange so that the CPU, memory and storage consumed by Pods, containers and PersistentVolumeClaims stay within declared bounds. Without one, a single misconfigured or compromised workload can claim whatever it asks for and starve its neighbours on the node. The rule inspects resources of kind Pod, Deployment, DaemonSet, StatefulSet, ReplicaSet, ReplicationController, Job, CronJob and PersistentVolumeClaim and reports a finding when no LimitRange exists in the same namespace (or in 'default' when the resource sets no namespace). Per-container requests and limits on the workload itself do not satisfy the rule: it looks for the namespace-level LimitRange object, which is enforced on admission by the LimitRanger admission controller. A LimitRange bounds each individual object; use a ResourceQuota alongside it to cap the namespace total.
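The following script is an added example of the check the rule performs; it is not Datadog's own rule implementation. It operates on already-parsed manifests (the dicts that PyYAML's safe_load_all() yields), and the sample input is constructed inline to mirror the examples on this page, so it runs with no cluster and no YAML library. Namespace names, resource names and the optional PyYAML file loading in main() are assumptions for the demonstration.

```python
"""Static check for the rule described above: every Pod-like resource and
PersistentVolumeClaim must share a namespace with a LimitRange.

Added example, not Datadog's rule implementation. It works on already-parsed
manifests, so the sample input below is constructed inline. When run with file
arguments it loads them with PyYAML (an assumption: install it separately).
"""
import sys

# Resource kinds the rule inspects.
CHECKED_KINDS = {
    "Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
    "ReplicationController", "Job", "CronJob", "PersistentVolumeClaim",
}


def namespace_of(doc):
    """Namespace a manifest lands in. An unset namespace means 'default',
    which is also what the rule assumes."""
    return (doc.get("metadata") or {}).get("namespace") or "default"


def find_missing_limit_range(docs):
    """Return (kind, name, namespace) for every checked resource whose
    namespace contains no LimitRange among the given manifests, in input order."""
    docs = [d for d in docs if isinstance(d, dict)]  # skip empty YAML documents
    covered = {namespace_of(d) for d in docs if d.get("kind") == "LimitRange"}
    findings = []
    for d in docs:
        if d.get("kind") not in CHECKED_KINDS:
            continue
        ns = namespace_of(d)
        if ns not in covered:
            findings.append((d["kind"], (d.get("metadata") or {}).get("name"), ns))
    return findings


# Constructed sample input mirroring the page's examples. Specs are omitted
# because the rule only looks at kind and metadata.namespace.
SAMPLE_DOCS = [
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "frontend", "namespace": "mypod2"}},
    {"apiVersion": "v1", "kind": "LimitRange",
     "metadata": {"name": "cpu-min-max-demo-lr", "namespace": "mypod2"},
     "spec": {"limits": [{"type": "Container",
                          "min": {"cpu": "200m"}, "max": {"cpu": "800m"}}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "frontend1", "namespace": "mypod"}},  # no LimitRange
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "frontend2"}},  # no namespace: lands in 'default'
    {"apiVersion": "v1", "kind": "LimitRange",
     "metadata": {"name": "default-lr"}},  # also 'default', so frontend2 is covered
    {"apiVersion": "apps/v1", "kind": "DaemonSet",
     "metadata": {"name": "fluentd-elasticsearch", "namespace": "kube-system"}},
    {"apiVersion": "v1", "kind": "Service",  # not a checked kind, ignored
     "metadata": {"name": "web", "namespace": "kube-system"}},
]


def main(argv):
    if len(argv) > 1:
        import yaml  # PyYAML, only needed when reading manifest files
        docs = []
        for path in argv[1:]:
            with open(path) as fh:
                docs.extend(yaml.safe_load_all(fh))
    else:
        docs = SAMPLE_DOCS
    findings = find_missing_limit_range(docs)
    for kind, name, ns in findings:
        print(f"{kind}/{name}: no LimitRange in namespace '{ns}'")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports frontend1 (namespace mypod) and the kube-system DaemonSet, while frontend2 passes because a LimitRange with no namespace lands in 'default' too. Like the scanner, the check only knows about the manifests it is handed, so pass the file that creates the LimitRange together with the workload manifests. On a live cluster, `kubectl get limitrange -A` shows which namespaces actually have one, and `kubectl describe limitrange <name> -n <namespace>` shows the bounds it enforces.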
Compliant Code Examples

# A Pod and a LimitRange in the same namespace: the rule finds the LimitRange
# and raises no finding. Namespace names must be lowercase DNS-1123 labels.
apiVersion: v1
kind: Pod
metadata:
  name: frontend
  namespace: mypod2
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-min-max-demo-lr
  namespace: mypod2
spec:
  limits:
  - max:
      cpu: "800m"
    min:
      cpu: "200m"
    type: Container

# A DaemonSet and a LimitRange in the same namespace. The static rule is
# satisfied because the LimitRange exists. Note, however, that this LimitRange
# sets min cpu 200m while the container requests only 100m, so the LimitRanger
# admission controller would reject the Pods at creation time: a LimitRange
# must be sized to fit the workloads it guards.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-elasticsearch
  namespace: kube-system2
  labels:
    k8s-app: fluentd-logging
spec:
  selector:
    matchLabels:
      name: fluentd-elasticsearch
  template:
    metadata:
      labels:
        name: fluentd-elasticsearch
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      containers:
      - name: fluentd-elasticsearch
        image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
---
apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-min-max-demo-lr
  namespace: kube-system2
spec:
  limits:
  - max:
      cpu: "800m"
    min:
      cpu: "200m"
    type: Container
Non-Compliant Code Examples

# Pod in namespace mypod, which has no LimitRange: finding. The container's own
# requests and limits do not satisfy the rule; only a LimitRange object does.
apiVersion: v1
kind: Pod
metadata:
  name: frontend1
  namespace: mypod
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

# Pod with no namespace: the rule looks for a LimitRange in 'default' and
# finds none: finding.
apiVersion: v1
kind: Pod
metadata:
  name: frontend2
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

# DaemonSet in kube-system with no LimitRange in that namespace: finding.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-elasticsearch
  namespace: kube-system
  labels:
    k8s-app: fluentd-logging
spec:
  selector:
    matchLabels:
      name: fluentd-elasticsearch
  template:
    metadata:
      labels:
        name: fluentd-elasticsearch
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      containers:
      - name: fluentd-elasticsearch
        image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers