Profile applicability: Level 1
A LimitRange policy constrains individual resources per Pod or container within a
particular namespace by enforcing maximum compute and storage resources. Only one
LimitRange constraint can be created per namespace.
Audit
Run the following command and review limit range policies:
kubectl get limitranges --all-namespaces
Add LimitRange policies to constrain container resources.
Remediation
Create a limit range policy with a default request and limit, as well as min and max
requests, for each container.
LimitRange support is enabled by default in Kubernetes 1.10 and newer. The following
YAML file specifies a LimitRange with a default request and limit, as well as a min
and max request, for each container.
apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-min-max-demo-lr
spec:
  limits:
  - default:
      cpu: 1
    defaultRequest:
      cpu: 0.5
    max:
      cpu: 2
    min:
      cpu: 0.5
    type: Container
A LimitRange can be applied to a namespace with:
kubectl apply -f <example-LimitRange>.yaml --namespace=<Enter-Namespace>
After the LimitRange configuration is applied, all containers created in the namespace
are assigned the default CPU request and limit, if not specified. All containers in
the namespace must have a CPU request greater than or equal to the minimum value and
less than or equal to the maximum CPU value or the container will not be instantiated.
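The following script is an added example, not part of the benchmark text. It shows the two checks a reviewer would make after running the audit command: which namespaces have no Container-type LimitRange at all, and what happens to a container's CPU request and limit once the LimitRange above is applied (defaults filled in, then min/max enforced). The `kubectl ... -o json` output and the namespace list are constructed inline so the script runs offline; the defaulting order it models (API-server sets request = limit when only a limit is given, then the LimitRanger admission plugin fills the rest from `defaultRequest`/`default`) is stated as an assumption in the comments. It handles CPU quantities only, which is all the page's LimitRange constrains.

```python
import json
from typing import Optional, Tuple, List

# Constructed sample of `kubectl get limitranges --all-namespaces -o json`:
# one LimitRange in "team-a" (the page's YAML, with 0.5 written as "500m"),
# nothing in "team-b".
SAMPLE_LIMITRANGES_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "v1",
            "kind": "LimitRange",
            "metadata": {"name": "cpu-min-max-demo-lr", "namespace": "team-a"},
            "spec": {"limits": [
                {"type": "Container",
                 "default": {"cpu": "1"},
                 "defaultRequest": {"cpu": "500m"},
                 "max": {"cpu": "2"},
                 "min": {"cpu": "500m"}},
            ]},
        }
    ],
})

# Constructed namespace list; in practice taken from `kubectl get namespaces -o json`.
SAMPLE_NAMESPACES = ["team-a", "team-b"]


def parse_cpu(quantity) -> float:
    """Convert a Kubernetes CPU quantity ("500m", "0.5", "2") to cores."""
    q = str(quantity).strip()
    if q.endswith("m"):
        return int(q[:-1]) / 1000.0
    return float(q)


def container_limits(limitrange: dict) -> list:
    """Entries of spec.limits whose type is Container."""
    return [e for e in limitrange.get("spec", {}).get("limits", [])
            if e.get("type") == "Container"]


def namespaces_without_limitrange(limitranges_json: str, namespaces: list) -> List[str]:
    """Audit helper: namespaces with no Container-type LimitRange."""
    items = json.loads(limitranges_json)["items"]
    covered = {i["metadata"]["namespace"] for i in items if container_limits(i)}
    return sorted(ns for ns in namespaces if ns not in covered)


def check_cpu(limitrange: dict, request: Optional[str] = None,
              limit: Optional[str] = None) -> Tuple[float, float, List[str]]:
    """Model admission of one container's CPU values under a LimitRange.

    Returns (effective_request, effective_limit, violations). An empty
    violations list means the container would be admitted.
    """
    entries = container_limits(limitrange)
    if not entries:
        raise ValueError("LimitRange has no Container entry")
    entry = entries[0]  # assumption: a single Container entry, as in the page's YAML

    # Assumed order: API-server defaulting first (a limit with no request
    # makes request = limit), then LimitRanger fills what is still absent.
    if request is None and limit is not None:
        request = limit
    if request is None:
        request = entry.get("defaultRequest", {}).get("cpu")
    if limit is None:
        limit = entry.get("default", {}).get("cpu")

    req = parse_cpu(request)
    lim = parse_cpu(limit)
    violations = []

    # Simplified LimitRanger checks: min applies to the request, max to the
    # limit; request <= limit is enforced by Pod validation.
    if "cpu" in entry.get("min", {}) and req < parse_cpu(entry["min"]["cpu"]):
        violations.append(f"cpu request {req} is below min {parse_cpu(entry['min']['cpu'])}")
    if "cpu" in entry.get("max", {}) and lim > parse_cpu(entry["max"]["cpu"]):
        violations.append(f"cpu limit {lim} exceeds max {parse_cpu(entry['max']['cpu'])}")
    if req > lim:
        violations.append(f"cpu request {req} exceeds limit {lim}")
    return req, lim, violations


if __name__ == "__main__":
    print("namespaces without a LimitRange:",
          namespaces_without_limitrange(SAMPLE_LIMITRANGES_JSON, SAMPLE_NAMESPACES))
    lr = json.loads(SAMPLE_LIMITRANGES_JSON)["items"][0]
    for req, lim in [(None, None), ("250m", None), (None, "3"), ("1", "500m")]:
        print(f"request={req!r} limit={lim!r} ->", check_cpu(lr, req, lim))
```

Run it as-is to see the defaulted values and the rejections; to audit a live cluster, replace the two constructed samples with the output of the `kubectl` commands named in the comments.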