From 50c8c02bc5f456146e101ea6929cbee6a25cbf94 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 20 Dec 2023 12:07:04 +0100
Subject: [PATCH] Create rule S6869: CPU limits should be enforced (#3515)
---
 rules/S6869/kubernetes/metadata.json | 29 +++++++
 rules/S6869/kubernetes/rule.adoc | 111 +++++++++++++++++++++++++++
 rules/S6869/metadata.json | 2 +
 3 files changed, 142 insertions(+)
 create mode 100644 rules/S6869/kubernetes/metadata.json
 create mode 100644 rules/S6869/kubernetes/rule.adoc
 create mode 100644 rules/S6869/metadata.json
diff --git a/rules/S6869/kubernetes/metadata.json b/rules/S6869/kubernetes/metadata.json
new file mode 100644
index 00000000000..f99a1621e2b
--- /dev/null
+++ b/rules/S6869/kubernetes/metadata.json
@@ -0,0 +1,29 @@
+{
+ "title": "CPU limits should be enforced",
+ "type": "VULNERABILITY",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-6869",
+ "sqKey": "S6869",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 770
+ ]
+ },
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "unknown",
+ "code": {
+ "impacts": {
+ "MAINTAINABILITY": "MEDIUM",
+ "SECURITY": "MEDIUM"
+ },
+ "attribute": "COMPLETE"
+ }
+}
\ No newline at end of file
diff --git a/rules/S6869/kubernetes/rule.adoc b/rules/S6869/kubernetes/rule.adoc
new file mode 100644
index 00000000000..eb7b7216c2a
--- /dev/null
+++ b/rules/S6869/kubernetes/rule.adoc
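Review bot: The new metadata.json ends without a trailing newline (the hunk carries `\ No newline at end of file`); adding a final newline keeps the file consistent with version-control conventions and avoids a spurious diff on the next edit. The value `"func": "Constant\/Issue"` escapes the forward slash, which JSON does not require; `"func": "Constant/Issue"` is equivalent and more readable, unless the repository's metadata tooling emits the escaped form deliberately. The `"tags"` array is left empty; if sibling Kubernetes rules in this repository carry tags, it may be worth aligning this one before it ships as `"status": "ready"`.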
@@ -0,0 +1,111 @@
+== Why is this an issue?
+
+A CPU limitation for a container is a specified boundary or restriction that
+determines the maximum amount of CPU resources that a container can utilize. It
+is a part of resource management in a containerized environment, and it is set
+to ensure that a single container does not monopolize the CPU resources of the
+host machine.
+
+CPU limitations are important for maintaining a balanced and efficient system.
+They help in distributing resources fairly among different containers, ensuring
+that no single container can cause a system-wide slowdown by consuming more than
+its fair share of CPU resources.
+
+=== What is the potential impact?
+
+==== Performance degradation
+
+Without CPU limitations, a single container could monopolize all available CPU
+resources, leading to a system-wide slowdown. Other containers or processes on
+the same host might be deprived of the necessary CPU resources, causing them to
+function inefficiently.
+
+==== System instability
+
+In extreme cases, a container with no CPU limit could cause the host machine to
+become unresponsive. This can lead to system downtime and potential loss of
+data, disrupting critical operations and impacting system reliability.
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,yaml,diff-id=1,diff-type=noncompliant]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+spec:
+ containers: # Noncompliant
+ - name: web
+ image: nginx
+----
+
+==== Compliant solution
+
+[source,yaml,diff-id=1,diff-type=compliant]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+spec:
+ containers:
+ - name: web
+ image: nginx
+ resources:
+ limits:
+ cpu: 0.5
+----
+
+[source,yaml]
+----
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: cpu-limit-range
+ namespace: default-cpu-example
+spec:
+ limits:
+ - default:
+ cpu: 0.5
+ type: Container
+----
+
+=== How does this work?
+
+A limit can be set through the property `resources.limits.cpu` of a
+container. Alternatively, a default limit for a namespace can be set with
+`LimitRange`.
+
+== Resources
+
+=== Documentation
+
+* Kubernetes Documentation - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[Resource Management for Pods and Containers]
+
+=== Standards
+
+* CWE - https://cwe.mitre.org/data/definitions/770[CWE-770 - Allocation of Resources Without Limits or Throttling]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Specify a CPU limit for this container.
+
+
+=== Highlighting
+
+* Highlight the `containers` property.
+
+
+endif::env-github,rspecator-view[]
diff --git a/rules/S6869/metadata.json b/rules/S6869/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6869/metadata.json
@@ -0,0 +1,2 @@
+{
+}
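Review bot: The `LimitRange` snippet sits under "Compliant solution" next to the Pod example, but a LimitRange only supplies a default to containers created in its own namespace (`default-cpu-example` here) and only when the LimitRanger admission plugin is enabled, while the Pod examples set no namespace and a manifest-level check cannot observe cluster state; the text should make that relationship explicit so readers do not assume the LimitRange by itself makes the Pod manifest compliant. In "How does this work?" I would extend the second sentence to `Alternatively, a default limit for every container in a namespace can be set with a LimitRange object in that namespace; it is applied by the API server at admission time and is not visible in the Pod manifest itself.` The "System instability" paragraph states that a container with no CPU limit could make the host unresponsive; since CPU is a compressible resource that the scheduler keeps sharing, "severely degrade the host" may be the more defensible wording, unless the authors intend the stronger claim.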