Resource policies
漏洞解析
漏洞扫描样例
[control: Resource policies] failed 😥
Description: CPU and memory resources should have a limit set for every container to prevent resource exhaustion.
Namespace security
Deployment - nginx
Summary - Passed:0 Warning:0 Failed:1 Total:1
Remediation: Define LimitRange and ResourceQuota policies to limit resource usage for namespaces or nodes.
描述: 应该为每个容器设置
CPU和内存资源的限制,以防止资源耗尽。
加固方案
1.为namespace配置LimitRange
原理描述:
基于命名空间创建全局缺省配额,保证容器存在默认配额,避免异常资源占用(如:死循环导致的高CPU占用)容器影响同一worker节点上其他容器正常运行,进而提升系统整理稳定性。
配置样例:
- 创建一个
namespace:
$ kubectl create ns security
- 为
namespace下容器创建缺省配额:
$ cat <<EOF | kubectl apply -n security -f -
apiVersion: v1
kind: LimitRange
metadata:
name: default-limit-range
spec:
limits:
- default:
memory: 512Mi
cpu: 0.5
defaultRequest:
memory: 256Mi
cpu: 0.2
type: Container
EOF
- 创建样例应用:
$ cat <<EOF | kubectl apply -n security -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
EOF
- 查看
pod:
$ kubectl describe pod -n security -l app=nginx |grep -C 3 Requests
Limits:
cpu: 500m
memory: 512Mi
Requests:
cpu: 200m
memory: 256Mi
Environment: <none>
证明缺省配额生效。
此时kubescape重新扫描后发现,security依然存在漏洞
[control: Resource policies] failed 😥
Description: CPU and memory resources should have a limit set for every container to prevent resource exhaustion.
Namespace security
LimitRange - default-limit-range
Summary - Passed:1 Warning:0 Failed:1 Total:2
Remediation: Define LimitRange and ResourceQuota policies to limit resource usage for namespaces or nodes.
2.为namespace配置ResourceQuota
原理描述:
基于命名空间创建配额总额,利用ResourceQuota限制命名空间中所有容器的内存请求总量,同样也可以限制内存限制总量、CPU请求总量、CPU限制总量。
配置样例:
- 为
security命名空间创建配额:
$ cat <<EOF | kubectl apply -n security -f -
apiVersion: v1
kind: ResourceQuota
metadata:
name: ns-resource-quota
spec:
hard:
requests.cpu: "1"
requests.memory: 1Gi
limits.cpu: "2"
limits.memory: 2Gi
EOF
ResourceQuota在security命名空间中设置了如下要求:
- 每个容器必须有内存请求和限制,以及
CPU请求和限制。 - 所有容器的内存请求总和不能超过
1 GiB - 所有容器的内存限制总和不能超过
2 GiB - 所有容器的
CPU请求总和不能超过1 cpu - 所有容器的
CPU限制总和不能超过2 cpu
3.为容器添加配额
原理描述:
为不同容器显示配置合适的配额,而不使用缺省值,可以更合理的管理资源
配置样例:
- 删除前面步骤中创建的
Deployment对象
$ kubectl delete -n security Deployment/nginx
deployment.apps "nginx" deleted
- 创建样例应用:
$ cat <<EOF | kubectl apply -n security -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 500m
memory: 512Mi
EOF
此时kubescape重新扫描后发现,security依然存在漏洞
[control: Resource policies] failed 😥
Description: CPU and memory resources should have a limit set for every container to prevent resource exhaustion.
Namespace security
LimitRange - default-limit-range
Summary - Passed:2 Warning:0 Failed:1 Total:3
Remediation: Define LimitRange and ResourceQuota policies to limit resource usage for namespaces or nodes.
怀疑为kubescape的bug
总结
通过三种方式对资源配额进行加固:
LimitRangeResourceQuota- 容器的
resources字段
其中,LimitRange为必需方案,保证命名空间下的容器有一个缺省配额。ResourceQuota为推荐方案,非必须。
而为每个容器显示设置配额为强烈推荐方案。