Pod or container without ResourceQuota
Id: kubernetes-pod-or-container-without-resource-quota
Platform: Kubernetes
Severity: Low
Category: Insecure Configurations
Description

Each namespace must have a ResourceQuota that limits the total resources consumed by Pods, containers, and PersistentVolumeClaims. The rule checks common workload kinds (Pod, Deployment, DaemonSet, StatefulSet, ReplicaSet, ReplicationController, Job, CronJob) and PersistentVolumeClaims and flags resources whose namespace does not have an associated ResourceQuota. If a resource omits a namespace, it is treated as belonging to the “default” namespace.
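The check the description outlines can be reproduced offline over a set of manifests: collect the namespaces that contain a ResourceQuota, then flag every inspected kind whose namespace (defaulting to "default" when none is set) is not in that set. The script below is an added example, not Datadog's rule implementation; the function names, the WORKLOAD_KINDS set and the constructed sample documents are assumptions, and the sample documents carry only the fields the check reads (kind, metadata). It mirrors the rule as described, which tests only for the presence of a ResourceQuota in the namespace; whether a scoped quota (such as one selecting a PriorityClass) actually constrains a particular pod is outside that test.

```python
"""Flag Kubernetes manifests whose namespace has no ResourceQuota (added example)."""
import sys
from typing import Any, Dict, Iterable, List, Set, Tuple

# Kinds the rule inspects, taken from the rule description above.
WORKLOAD_KINDS = {
    "Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
    "ReplicationController", "Job", "CronJob", "PersistentVolumeClaim",
}

Finding = Tuple[str, str, str]  # (kind, name, namespace)


def namespace_of(doc: Dict[str, Any]) -> str:
    """Namespace of a manifest; a missing namespace means 'default', as the rule assumes."""
    return (doc.get("metadata") or {}).get("namespace") or "default"


def quota_namespaces(docs: Iterable[Dict[str, Any]]) -> Set[str]:
    """Namespaces that have at least one ResourceQuota defined in the input."""
    return {namespace_of(d) for d in docs if d and d.get("kind") == "ResourceQuota"}


def find_missing_quota(docs: List[Dict[str, Any]]) -> List[Finding]:
    """Return (kind, name, namespace) for every inspected resource without a quota."""
    covered = quota_namespaces(docs)
    findings: List[Finding] = []
    for doc in docs:
        if not doc or doc.get("kind") not in WORKLOAD_KINDS:
            continue
        ns = namespace_of(doc)
        if ns not in covered:
            name = (doc.get("metadata") or {}).get("name", "<unnamed>")
            findings.append((doc["kind"], name, ns))
    return findings


def load_manifests(path: str) -> List[Dict[str, Any]]:
    """Load every YAML document in a file (needs PyYAML; imported lazily so the
    rest of the module works without it)."""
    import yaml  # type: ignore
    with open(path) as fh:
        return [d for d in yaml.safe_load_all(fh) if d]


# Constructed sample input mirroring the page's examples (metadata only).
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"kind": "Pod", "metadata": {"name": "pod2", "namespace": "myNewPod2"}},
    {"kind": "ResourceQuota", "metadata": {"name": "pods-high", "namespace": "myNewPod2"}},
    {"kind": "Pod", "metadata": {"name": "pod1", "namespace": "myNewPod"}},
    {"kind": "Pod", "metadata": {"name": "pod2"}},  # no namespace -> default
    {"kind": "DaemonSet", "metadata": {"name": "fluentd-elasticsearch",
                                       "namespace": "my-kube-system"}},
]


if __name__ == "__main__":
    docs = load_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DOCS
    for kind, name, ns in find_missing_quota(docs):
        print(f"{kind}/{name}: namespace '{ns}' has no ResourceQuota")
```

Run it with a manifest path to scan a real file, or with no arguments to scan the constructed sample, which reports pod1, the namespace-less pod2 (as "default") and the DaemonSet, while the pod in myNewPod2 passes because a ResourceQuota shares its namespace.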
Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: pod2
  namespace: myNewPod2
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: pods-high
  namespace: myNewPod2
spec:
  hard:
    cpu: "1000"
    memory: 200Gi
    pods: "10"
  scopeSelector:
    matchExpressions:
    - operator: In
      scopeName: PriorityClass
      values: ["high"]

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-elasticsearch
  namespace: my-kube-system2
  labels:
    k8s-app: fluentd-logging
spec:
  selector:
    matchLabels:
      name: fluentd-elasticsearch
  template:
    metadata:
      labels:
        name: fluentd-elasticsearch
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      containers:
      - name: fluentd-elasticsearch
        image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: pods-high
  namespace: my-kube-system2
spec:
  hard:
    cpu: "1000"
    memory: 200Gi
    pods: "10"
  scopeSelector:
    matchExpressions:
    - operator: In
      scopeName: PriorityClass
      values: ["high"]
Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: pod1
  namespace: myNewPod
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-elasticsearch
  namespace: my-kube-system
  labels:
    k8s-app: fluentd-logging
spec:
  selector:
    matchLabels:
      name: fluentd-elasticsearch
  template:
    metadata:
      labels:
        name: fluentd-elasticsearch
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      containers:
      - name: fluentd-elasticsearch
        image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers