Back to Security Rules

Rule Metadata

Last updated: 2024-01-15
🟡
Severity
MEDIUM
⚙️
Category
Configuration & Resource Hygiene
Version
v1.0.0
Downloads
1.2K
Author: Spotter Security Team
Created: 2024-01-10
Compliance:
CIS NIST

CPU Requests Not Set

Containers should define CPU requests to ensure proper scheduling and resource allocation.

YAML Configuration

rule.yaml YAML 
apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-config-004
  labels:
    severity: "medium" 
    category: "config"
  annotations:
    rules.spotter.dev/title: "CPU Requests Not Set"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-770"
    rules.spotter.dev/description: "Containers should define CPU requests to ensure proper scheduling and resource allocation."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
          - "batch"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
          - Job
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
  cel: |
    (object.kind == 'Pod' && has(object.spec.containers) && object.spec.containers.exists(c, !has(c.resources) || !has(c.resources.requests) || !has(c.resources.requests.cpu))) ||
    (object.kind != 'Pod' && has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c, !has(c.resources) || !has(c.resources.requests) || !has(c.resources.requests.cpu)))
  remediation:
    manual: "Set CPU requests for all containers in the pod spec."
  references:
    - title: "Managing Resources for Containers"
      url: "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"