forked from jetstack/jetstack-secure
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpods.json
58 lines (58 loc) · 4 KB
/
pods.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
{
"sections": [
{
"rules": [
{
"missing": false,
"success": false,
"links": [
"https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu",
"https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#how-pods-with-resource-limits-are-run"
],
"remediation": "All `containers` in a Pod should have a `resources.limits.cpu` value set, which is given in relative `CPU` units based on a single virtual CPU core or hyperthread. Choosing appropriate CPU limit values generally requires some experimentation and benchmarking. The chosen value should be just above the normal maximum CPU utilisation of the workload.",
"description": "The CPU limits of containers specify the maximum amount of CPU time that container should get, and are summed together to determine the total maximum CPU time that a Pod should get. It a Pod exceeds this it will experience CPU throttling.",
"name": "CPU limits set",
"id": "container_cpu_limit"
},
{
"missing": false,
"success": false,
"links": [
"https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory",
"https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#how-pods-with-resource-limits-are-run"
],
"remediation": "All `containers` in a Pod should have a `resources.limits.memory` value set, which is given in bytes with optional units such as `M` for multiples of 1,000,000 bytes, or `Ki` for multiples of 1,024 bytes. Choosing appropriate memory limit values generally requires some experimentation and benchmarking. The chosen value should be just above the normal maximum memory usage of the workload.",
"description": "The memory limits of containers specify the maximum amount of memory that container should get, and are summed together to determine the total maximum memory that a Pod should get. If a Pod exceeds this it will experience an ‘out of memory’ (OOM) termination.",
"name": "Memory limits set",
"id": "container_mem_limit"
}
],
"description": "Containers can specify resource requests and limits for CPU and memory. The limits define the maximum resources they can use and are used by Kubelet to determine if a Pod should be killed.",
"name": "Resources",
"id": "resources"
},
{
"rules": [
{
"missing": false,
"success": true,
"links": [
"https://kubernetes.io/docs/concepts/containers/images/"
],
"remediation": "Determine the version of images in use and set them explicitly in the `image` specification for all `containers`. When new versions become available change the tag explicitly to upgrade, and ensure the new image version still works as desired, rolling back to the previous one if required.",
"description": "By default images without a tag specified used the `latest` tag. This means if a new image is released it will be used on new Pods without any explicit upgrade. If the functionality of the image has changed, for example with new versions of software, then this can cause unexpected behaviour. Because the upgrade happens implicitly there is no opportunity to review changes. There is also no way to roll back, or run multiple Deployments to phase a new version in. As the image is fetched when a Pod starts Deployment can have multiple versions of an image in use, which can cause inconsistent behaviour between replicas.",
"name": "Image has explicit tag or SHA",
"id": "explicit_image_tag"
}
],
"name": "Images",
"id": "2.3"
}
],
"description": "This policy contains example rules to describe best-practice Pod configuration.",
"name": "Pods",
"package": "pods_basic",
"cluster": "",
"timestamp": "0001-01-01T00:00:00Z",
"id": ""
}