CPU Limits Not Set

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-config-003
  labels:
    severity: "medium"
    category: "config"
  annotations:
    rules.spotter.dev/title: "CPU Limits Not Set"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-770"
    rules.spotter.dev/description: "Containers should have CPU limits defined to prevent excessive CPU consumption."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
          - "serving.knative.dev"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
          - Job
          - Configuration
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
  cel: |
    (object.kind == 'Pod' && has(object.spec.containers) && object.spec.containers.exists(c, !has(c.resources) || !has(c.resources.limits) || !has(c.resources.limits.cpu))) ||
    (object.kind == 'Configuration' && has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c, !has(c.resources) || !has(c.resources.limits) || !has(c.resources.limits.cpu))) ||
    (object.kind in ['Deployment', 'StatefulSet', 'DaemonSet', 'Job'] && has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c, !has(c.resources) || !has(c.resources.limits) || !has(c.resources.limits.cpu)))
  remediation:
    manual: "Set CPU limits for all containers in the pod spec."
  references:
    - title: "Managing Resources for Containers"
      url: "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: frontend
    spec:
      containers:
        - name: app
          image: images.my-company.example/app:v4
          resources:
            limits:
              memory: "64Mi"
        - name: log-aggregator
          image: images.my-company.example/log-aggregator:v6
          resources:
            requests:
              memory: "64Mi"
              cpu: "250m"

- name: insecure sample 2 should fail
  pass: false
  input: |
    apiVersion: serving.knative.dev/v1
    kind: Configuration
    metadata:
      name: dummy-config
      namespace: knative-sequence
    spec:
      template:
        spec:
          containers:
            - name: app
              image: images.my-company.example/app:v4
              resources:
                limits:
                  memory: "64Mi"
            - name: log-aggregator
              image: images.my-company.example/log-aggregator:v6
              resources:
                requests:
                  memory: "64Mi"
                  cpu: "250m"

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: frontend
    spec:
      containers:
      - name: app
        image: images.my-company.example/app:v4
        resources:
          limits:
            cpu: "500m"

      - name: log-aggregator
        image: images.my-company.example/log-aggregator:v6
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-config-003
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-config-003
spec:
  # Add your VAP configuration here

Rule Metadata

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub