k8s-resources-defined
CPU and memory requests and limits should be set
It is highly recommended to specify resource requests and limits for both CPU and memory. You can do this by adding a resources section to your Pod spec.
By default, Kubernetes will allocate CPU and memory resources automatically, but more likely than not this will result in an uneven, unfair split among your Pods.
The security risk is that under attack (or even legitimate heavy traffic) one component of your cluster may run out of resources, which can affect the stability of the other Pods. Clearly specifying the resources allows a given Pod to be killed and replaced by a new one, and lets the workload scale out horizontally as demand grows.
Examples
Insecure Example
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web-container
        image: gcr.io/akiho-playground/gke-grpc-sample-web:v1.2.34
        command:
        - nginx
        - -g
        - "daemon off;"
        ports:
        - containerPort: 80
        readinessProbe:
          httpGet:
            path: /status
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
        # `resources` is missing!
Secure Example
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web-container
        image: gcr.io/akiho-playground/gke-grpc-sample-web:v1.2.34
        command:
        - nginx
        - -g
        - "daemon off;"
        ports:
        - containerPort: 80
        readinessProbe:
          httpGet:
            path: /status
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
        resources:
          requests:
            cpu: 50m
            memory: 1Gi
          limits:
            cpu: 1000m
            memory: 2Gi
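
The rule above can be checked mechanically before a manifest is applied. The following Python check is an added example, not code from the original page or from any scanner: it lists, per container, which of the four settings are absent, and goes beyond the Deployment shown here by also handling Pod, Job-style and CronJob layouts. It assumes the manifest is already parsed into a dict (for instance the JSON form from `kubectl get -o json`); the function names and the `log-sidecar` and `metrics` containers are constructed for illustration.

```python
import json

REQUIRED = (("requests", "cpu"), ("requests", "memory"),
            ("limits", "cpu"), ("limits", "memory"))


def pod_spec(manifest):
    """Return the Pod spec embedded in a manifest, or None if it has none."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    # Deployment, StatefulSet, DaemonSet, ReplicaSet and Job share this layout.
    return (spec.get("template") or {}).get("spec")


def missing_resources(manifest):
    """Map each container name to the resource settings it does not define."""
    findings = {}
    spec = pod_spec(manifest) or {}
    for group in ("initContainers", "containers"):
        for c in spec.get(group) or []:
            res = c.get("resources") or {}
            # Kubernetes defaults a missing request to the limit; the check
            # still reports it so that all four values are explicit.
            gaps = [f"{section}.{key}" for section, key in REQUIRED
                    if not (res.get(section) or {}).get(key)]
            if gaps:
                findings[c.get("name", "<unnamed>")] = gaps
    return findings


# Constructed sample: the page's Deployment reduced to the fields the check
# reads, plus two hypothetical sidecars (limits only, and fully specified).
SAMPLE = json.loads("""
{"kind": "Deployment",
 "spec": {"template": {"spec": {"containers": [
   {"name": "web-container"},
   {"name": "log-sidecar",
    "resources": {"limits": {"cpu": "1000m", "memory": "2Gi"}}},
   {"name": "metrics",
    "resources": {"requests": {"cpu": "50m", "memory": "1Gi"},
                  "limits": {"cpu": "1000m", "memory": "2Gi"}}}
 ]}}}}
""")

if __name__ == "__main__":
    for name, gaps in missing_resources(SAMPLE).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

A non-empty result can be used to fail a CI step before the manifest reaches the cluster.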