ksv011 - "Enforcing CPU limits prevents DoS via resource exhaustion" - Setting cpu limit is antipattern

[ktzsolt]

Description

https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0011/

Setting limits for CPU is considered antipattern by many sources and even the linked google best practice page doesn't tell explicitly to set cpu limit: https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits

It is better to set requests only to get guaranteed CPU for containers and let the containers use up any idle CPU time that is available. When a container uses more CPU than it's requested thus not leaving any free CPU and another container starts some work and needs CPU set by its cpu request than k8s will throttle the first container so the second container can have it's requested CPU.

It's better explained here: https://home.robusta.dev/blog/stop-using-cpu-limits

What do you think?

Target

Kubernetes

Scanner

Misconfiguration

[simar7]

hi @ktzsolt thanks for sharing this. If limits are set and requests are not, Kubernetes sets the requests to the limit. In this case you are right that any unused compute will be wasted as it won't be available to the resources that could use it.

It is an interesting conversation, while I mostly agree with what you shared that instead of setting CPU limits, we can instead set requests and we have a check for that as well https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0015/

Setting both guarantees the resource to get a CPU allocation between the limit and the request value.