Resource policies

Vulnerability analysis

Sample scan output

[control: Resource policies] failed 😥
Description: CPU and memory resources should have a limit set for every container to prevent resource exhaustion.
   Namespace security
      Deployment - nginx
Summary - Passed:0   Warning:0   Failed:1   Total:1
Remediation: Define LimitRange and ResourceQuota policies to limit resource usage for namespaces or nodes.

Description: CPU and memory resource limits should be set for every container to prevent resource exhaustion.

Hardening options

1. Configure a LimitRange for the namespace

Rationale:

Creating a namespace-wide default quota guarantees that every container has a default quota, so a container with abnormal resource usage (for example, high CPU consumption caused by an infinite loop) cannot disrupt the other containers on the same worker node, which improves overall system stability.

Sample configuration:

  1. Create a namespace:
$ kubectl create ns security
  2. Create default quotas for containers in the namespace:
$ cat <<EOF | kubectl apply -n security -f -
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limit-range
spec:
  limits:
  - default:
      memory: 512Mi
      cpu: 0.5
    defaultRequest:
      memory: 256Mi
      cpu: 0.2
    type: Container
EOF
  3. Create the sample application:
$ cat <<EOF | kubectl apply -n security -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
EOF
  4. Inspect the pod:
$ kubectl describe pod -n security -l app=nginx |grep -C 3 Requests
    Limits:
      cpu:     500m
      memory:  512Mi
    Requests:
      cpu:        200m
      memory:     256Mi
    Environment:  <none>

This confirms that the default quota has taken effect.

Rescanning with kubescape at this point shows that the security namespace still fails the control:

[control: Resource policies] failed 😥
Description: CPU and memory resources should have a limit set for every container to prevent resource exhaustion.
   Namespace security
      LimitRange - default-limit-range
Summary - Passed:1   Warning:0   Failed:1   Total:2
Remediation: Define LimitRange and ResourceQuota policies to limit resource usage for namespaces or nodes.

2. Configure a ResourceQuota for the namespace

Rationale:

Create an aggregate quota for the namespace: a ResourceQuota limits the total memory requests of all containers in the namespace, and can likewise cap the total memory limits, total CPU requests, and total CPU limits.

Sample configuration:

  1. Create the quota in the security namespace:
$ cat <<EOF | kubectl apply -n security -f -
apiVersion: v1
kind: ResourceQuota
metadata:
  name: ns-resource-quota
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
EOF

This ResourceQuota imposes the following requirements on the security namespace:

  • Every container must have a memory request and limit, and a CPU request and limit.
  • The sum of all containers' memory requests must not exceed 1 GiB.
  • The sum of all containers' memory limits must not exceed 2 GiB.
  • The sum of all containers' CPU requests must not exceed 1 CPU.
  • The sum of all containers' CPU limits must not exceed 2 CPUs.
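The effect of steps 1 and 2 can be checked offline. The Python script below is an added example and is not code from this page or from kubescape: it applies the page's LimitRange defaults to container specs the way the API server does (a missing request falls back to the container's limit, then to defaultRequest; a missing limit falls back to default), flags containers that still lack CPU or memory requests or limits (the condition the control above tests), and sums the namespace totals against the page's ResourceQuota hard caps. The pod dictionaries, `parse_quantity`, `effective_resources`, `audit_namespace` and `nginx_pod` are constructed for this example.

```python
import re

# Kubernetes quantity suffixes: binary (Ki/Mi/Gi), decimal (k/M/G), milli (m).
_SUFFIX = {
    "": 1.0, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
    "Ki": 2 ** 10, "Mi": 2 ** 20, "Gi": 2 ** 30,
}

# Resources that the control and the quota on this page care about.
_RESOURCES = ("cpu", "memory")


def parse_quantity(q):
    """Convert a Kubernetes quantity ('500m', '512Mi', '1', 0.5) to a float
    in base units (cores for cpu, bytes for memory)."""
    m = re.fullmatch(r"([0-9]*\.?[0-9]+)([A-Za-z]*)", str(q).strip())
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity: {q!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


def effective_resources(container, limit_range=None):
    """Resources the API server would store for a container: the values in the
    spec, then request defaulted from limit, then LimitRange defaults for
    type Container (what the LimitRanger admission plugin fills in)."""
    given = container.get("resources", {})
    res = {"requests": dict(given.get("requests", {})),
           "limits": dict(given.get("limits", {}))}
    for key, val in res["limits"].items():
        res["requests"].setdefault(key, val)
    if limit_range:
        for item in limit_range["spec"]["limits"]:
            if item.get("type") != "Container":
                continue
            for key, val in item.get("default", {}).items():
                res["limits"].setdefault(key, val)
            for key, val in item.get("defaultRequest", {}).items():
                res["requests"].setdefault(key, val)
    return res


def audit_namespace(pods, limit_range=None, quota=None):
    """Return (findings, totals). Findings name containers with no CPU/memory
    request or limit, plus namespace totals that exceed the quota's hard caps."""
    findings = []
    totals = {f"{kind}.{r}": 0.0 for kind in ("requests", "limits") for r in _RESOURCES}
    for pod in pods:
        for c in pod["spec"]["containers"]:
            res = effective_resources(c, limit_range)
            name = f"{pod['metadata']['name']}/{c['name']}"
            for kind in ("requests", "limits"):
                for r in _RESOURCES:
                    val = res[kind].get(r)
                    if val is None:
                        findings.append(f"{name}: missing {kind}.{r}")
                    else:
                        totals[f"{kind}.{r}"] += parse_quantity(val)
    if quota:
        for key, cap in quota["spec"]["hard"].items():
            if key in totals and totals[key] > parse_quantity(cap):
                findings.append(f"namespace {key} total {totals[key]:g} exceeds quota {cap}")
    return findings, totals


# The LimitRange and ResourceQuota from the steps above, reduced to their spec.
LIMIT_RANGE = {"spec": {"limits": [{"type": "Container",
               "default": {"memory": "512Mi", "cpu": "0.5"},
               "defaultRequest": {"memory": "256Mi", "cpu": "0.2"}}]}}
QUOTA = {"spec": {"hard": {"requests.cpu": "1", "requests.memory": "1Gi",
                           "limits.cpu": "2", "limits.memory": "2Gi"}}}

# Explicit per-container resources as used in step 3 of this page.
EXPLICIT = {"limits": {"cpu": "500m", "memory": "512Mi"},
            "requests": {"cpu": "500m", "memory": "512Mi"}}


def nginx_pod(name, resources=None):
    """Constructed pod in the (trimmed) shape of `kubectl get pod -o json`."""
    c = {"name": "nginx", "image": "nginx:latest"}
    if resources:
        c["resources"] = resources
    return {"metadata": {"name": name}, "spec": {"containers": [c]}}


if __name__ == "__main__":
    # Step 1 pod without resources: four findings bare, none once the LimitRange applies.
    print(audit_namespace([nginx_pod("nginx-a")]))
    print(audit_namespace([nginx_pod("nginx-a")], LIMIT_RANGE))
    # Three replicas with explicit 500m/512Mi requests exceed requests.cpu=1 and requests.memory=1Gi.
    print(audit_namespace([nginx_pod(f"nginx-{i}", EXPLICIT) for i in range(3)],
                          LIMIT_RANGE, QUOTA))
```

Run against real cluster data by feeding the `items` of `kubectl get pods -n security -o json` into `audit_namespace`; the totals it reports are the same sums the quota controller uses to admit or reject new pods.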

3. Add quotas to the container

Rationale:

Explicitly configuring an appropriate quota for each container instead of relying on the default values allows more precise resource management.

Sample configuration:

  1. Delete the Deployment created in the earlier step:
$ kubectl delete -n security Deployment/nginx
deployment.apps "nginx" deleted
  2. Create the sample application:
$ cat <<EOF | kubectl apply -n security -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
            cpu: 500m
            memory: 512Mi
EOF

Rescanning with kubescape at this point shows that the security namespace still fails the control:

[control: Resource policies] failed 😥
Description: CPU and memory resources should have a limit set for every container to prevent resource exhaustion.
   Namespace security
      LimitRange - default-limit-range
Summary - Passed:2   Warning:0   Failed:1   Total:3
Remediation: Define LimitRange and ResourceQuota policies to limit resource usage for namespaces or nodes.

This is suspected to be a kubescape bug.

Summary

Resource quotas can be hardened in three ways:

  1. LimitRange
  2. ResourceQuota
  3. The container's resources field

Of these, the LimitRange is the required measure: it guarantees that the containers in a namespace have a default quota. The ResourceQuota is recommended but not required.

Explicitly setting a quota on every container is strongly recommended.

Copyright © weiliang 2021 all right reserved, powered by Gitbook. Published: 2024-04-22 16:03:41
