IamCoder-6455 asked IamCoder-6455 answered

Why am I getting an AKS security recommendation even though I have defined it in the deployment YAML: Container CPU and memory limits should be enforced

I am running a deployment in an AKS cluster, and below is my YAML, where I have clearly defined CPU/memory requests and limits. The question is: why am I getting the AKS security recommendation "Container CPU and memory limits should be enforced"?



apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-back
  namespace: my-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-back
  template:
    metadata:
      labels:
        app: azure-vote-back
    spec:
      containers:
      - name: azure-vote-back
        image: redis
        resources:
          requests:
            cpu: 125m
            memory: 256Mi
          limits:
            cpu: 100m
            memory: 128Mi
        ports:
        - containerPort: 6379
          name: redis



@IamCoder-6455 , Thank you for your question.

I can see that the spec.template.spec.containers[0].resources.requests values are greater than those of spec.template.spec.containers[0].resources.limits. The requests must be less than or equal to the limits. Can you please reset the values accordingly and check if it helps?

Container CPU and memory limits should be enforced:

Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).
We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.

(Related policy: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster)

Severity: Medium


Thanks @srbose-msft for pointing out that requests must be less than or equal to limits. I tried that, but the security recommendation still persists. Is there anything else I need to do?

One more question: how long do I need to wait to check whether the recommendation has been applied or not? 15 minutes? Can I change this?

My updated YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-back
  namespace: my-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-back
  template:
    metadata:
      labels:
        app: azure-vote-back
      annotations:
        container.apparmor.security.beta.kubernetes.io/azure-vote-back: runtime/default
    spec:
      containers:
      - name: azure-vote-back
        image: redis
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 100m
            memory: 128Mi
        ports:
        - containerPort: 6379
          name: redis
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000


@IamCoder-6455, Thank you for your response.

On the Azure Portal, please navigate to Azure Policy Assignments and then to the assignment for the policy Container CPU and memory limits should be enforced. Check the parameter values for Max allowed CPU units and Max allowed memory bytes in the Parameters section. If the values are lower than the spec.template.spec.containers[0].resources.requests values in the Deployment/Pod manifest, you can either Edit Assignment on the Azure Portal to update the parameter values, or set the spec.template.spec.containers[0].resources.requests values in the Deployment/Pod manifest lower than the Policy Assignment parameter values and check again.

Please do let us know if the issue still persists.


1 Answer

IamCoder-6455 answered

@IamCoder-6455. Thanks for the help. I was missing the unit while updating the Policy Assignment parameter values. This is the correct way to do it: we need to pass the unit as well (Mi or Gi for memory and m for CPU), and it should be greater than or equal to the YAML definition.

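Putting the thread's two fixes together (requests must not exceed limits, and the policy parameters need Kubernetes units such as 200m or 1Gi), here is an added example of a pre-deployment check; it is my own code, not part of the thread and not Microsoft's policy add-on. It reads the JSON that kubectl get deployment -o json produces, parses every resource quantity with Kubernetes suffix rules, and compares each container's limits against the assignment's Max allowed CPU units / Max allowed memory bytes values, because the policy text quoted above says it evaluates limits. The sample manifest is a constructed copy of the updated deployment, the policy maxima 200m and 1Gi are assumed values for illustration, the script name check_limits.py is hypothetical, and the finding strings are my own wording.

```python
"""Check a Deployment against the AKS policy "Container CPU and memory limits
should be enforced" before it reaches the cluster (added example, not from the
thread). Reports, per container: a missing cpu/memory limit, a request larger
than its limit, and a limit larger than the policy assignment's maximum. A bare
"128" parses to 128 bytes, which is exactly the "missing unit" mistake above."""
import json
import re
import sys
from fractions import Fraction

# Kubernetes quantity: digits with optional fraction, then an optional suffix.
# Binary suffixes (Ki..Ei), decimal ones (m, k, M, G, ...) or an exponent (1e3).
# Kilo is lowercase "k" and kibi is "Ki"; "K" or "MB" are rejected as malformed.
_QUANTITY_RE = re.compile(
    r"^([0-9]+(?:\.[0-9]+)?)(Ki|Mi|Gi|Ti|Pi|Ei|[mkMGTPE]|[eE][+-]?[0-9]+)?$"
)
_SCALE = {
    None: Fraction(1), "m": Fraction(1, 1000),
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "P": 10**15, "E": 10**18,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60,
}


def parse_quantity(q):
    """Return the quantity as an exact Fraction in base units (cores or bytes)."""
    m = _QUANTITY_RE.match(str(q).strip())
    if not m:
        raise ValueError(f"malformed Kubernetes quantity: {q!r}")
    number, suffix = m.groups()
    if suffix and suffix[0] in "eE":
        scale = Fraction(10) ** int(suffix[1:])
    else:
        scale = _SCALE[suffix]
    return Fraction(number) * scale


def check_container(container, max_cpu, max_memory):
    """Findings for one container spec as strings; an empty list means compliant."""
    name = container.get("name", "<unnamed>")
    resources = container.get("resources") or {}
    requests = resources.get("requests") or {}
    limits = resources.get("limits") or {}
    findings = []
    for resource, policy_max in (("cpu", max_cpu), ("memory", max_memory)):
        if resource not in limits:
            findings.append(f"{name}: no {resource} limit set")
            continue
        limit = parse_quantity(limits[resource])
        # The API server rejects request > limit at admission, so the pod never
        # starts; catching it here avoids a confusing rollout failure.
        if resource in requests and parse_quantity(requests[resource]) > limit:
            findings.append(
                f"{name}: {resource} request {requests[resource]} exceeds limit {limits[resource]}"
            )
        if limit > parse_quantity(policy_max):
            findings.append(
                f"{name}: {resource} limit {limits[resource]} exceeds policy maximum {policy_max}"
            )
    return findings


def check_deployment(deployment, max_cpu, max_memory):
    """Run check_container over every container and initContainer of the pod template."""
    pod_spec = deployment["spec"]["template"]["spec"]
    containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    findings = []
    for c in containers:
        findings.extend(check_container(c, max_cpu, max_memory))
    return findings


# Constructed sample: the thread's updated manifest in kubectl -o json shape (trimmed).
UPDATED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "azure-vote-back", "namespace": "my-dev"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "azure-vote-back",
        "image": "redis",
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"cpu": "100m", "memory": "128Mi"}},
    }]}}},
}

if __name__ == "__main__":
    # Usage: kubectl get deploy azure-vote-back -n my-dev -o json | python check_limits.py 200m 1Gi
    # The two arguments are the assignment's parameter values (200m / 1Gi are assumed
    # defaults here; read yours from the portal or `az policy assignment show`).
    if len(sys.argv) >= 3:
        deploy, max_cpu_arg, max_mem_arg = json.load(sys.stdin), sys.argv[1], sys.argv[2]
    else:
        deploy, max_cpu_arg, max_mem_arg = UPDATED_DEPLOYMENT, "200m", "1Gi"
    for finding in check_deployment(deploy, max_cpu_arg, max_mem_arg):
        print(finding)
```

Running the check with the policy memory parameter typed as "128" instead of "128Mi" reproduces the thread's problem: the 128Mi limit is reported as exceeding a 128-byte maximum, while "1Gi" yields no findings. Feeding it the first manifest from the question produces two request-exceeds-limit findings, which is the same condition the API server itself rejects.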