ResourceQuota / LimitRange

Definition

ResourceQuota and LimitRange are Kubernetes objects used to manage resource allocation within a namespace. ResourceQuota sets constraints on the total amount of resources (like CPU and memory) that can be consumed by all the pods in a namespace, ensuring fair distribution and preventing resource exhaustion. LimitRange, on the other hand, defines minimum and maximum resource limits for individual pods or containers, helping to enforce resource usage policies and prevent any single pod from monopolizing resources.

Secure Settings Example

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: my-namespace
spec:
  hard:
    pods: "10"
    requests.cpu: "4"
    requests.memory: "16Gi"
    limits.cpu: "8"
    limits.memory: "32Gi"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: resource-limits
  namespace: my-namespace
spec:
  limits:
  - max:
      cpu: "2"
      memory: "4Gi"
    min:
      cpu: "200m"
      memory: "256Mi"
    type: Container

Insecure Settings Example

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: my-namespace
spec:
  hard:
    pods: "1000"  # Excessive number of pods allowed
    requests.cpu: "1000"  # Unreasonably high CPU request
    requests.memory: "1Ti"  # Unreasonably high memory request
---
apiVersion: v1
kind: LimitRange
metadata:
  name: resource-limits
  namespace: my-namespace
spec:
  limits:
  - max:
      cpu: "100"
      memory: "1Ti"  # Excessive memory limit
    min:
      cpu: "10m"  # Too low, may lead to resource starvation
      memory: "16Mi"  # Too low, may lead to resource starvation
    type: Container
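
A consistency check over the two examples above, added here as an illustration and not part of the original page: it parses Kubernetes quantities and flags quota entries that are missing or that exceed the capacity the namespace is meant to share. The function names and the CAPACITY figure (16 CPU, 64Gi) are assumptions for illustration; exponent-form quantities are not handled.

```python
from fractions import Fraction

# Kubernetes quantity suffixes: milli, decimal SI and binary SI.
SUFFIXES = {"m": Fraction(1, 1000), "k": 10**3, "M": 10**6, "G": 10**9,
            "T": 10**12, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}

def parse_quantity(text):
    """Convert a quantity such as '200m', '16Gi' or '4' to cores or bytes."""
    text = str(text).strip()
    for suffix, factor in SUFFIXES.items():
        if text.endswith(suffix):
            return Fraction(text[:-len(suffix)]) * factor
    return Fraction(text)

def audit(quota_hard, container_item, capacity):
    """List findings for a quota 'hard' map and a Container-type limit item."""
    findings = []
    for res in ("cpu", "memory"):
        cap = parse_quantity(capacity[res])
        for key in (f"requests.{res}", f"limits.{res}"):
            if key not in quota_hard:
                # A missing key leaves that aggregate uncapped in the namespace.
                findings.append(f"ResourceQuota: {key} is not set")
            elif parse_quantity(quota_hard[key]) > cap:
                findings.append(f"ResourceQuota: {key} exceeds capacity")
        cmax = container_item.get("max", {}).get(res)
        if cmax is None:
            findings.append(f"LimitRange: no max for {res}")
        elif parse_quantity(cmax) > cap:
            findings.append(f"LimitRange: max {res} exceeds capacity")
    return findings

# Values copied from the two examples on this page, written as Python dicts.
SECURE_QUOTA = {"pods": "10", "requests.cpu": "4", "requests.memory": "16Gi",
                "limits.cpu": "8", "limits.memory": "32Gi"}
SECURE_ITEM = {"type": "Container", "max": {"cpu": "2", "memory": "4Gi"},
               "min": {"cpu": "200m", "memory": "256Mi"}}
INSECURE_QUOTA = {"pods": "1000", "requests.cpu": "1000",
                  "requests.memory": "1Ti"}
INSECURE_ITEM = {"type": "Container", "max": {"cpu": "100", "memory": "1Ti"},
                 "min": {"cpu": "10m", "memory": "16Mi"}}
CAPACITY = {"cpu": "16", "memory": "64Gi"}  # assumed capacity, not from the page

if __name__ == "__main__":
    for name, quota, item in (("secure", SECURE_QUOTA, SECURE_ITEM),
                              ("insecure", INSECURE_QUOTA, INSECURE_ITEM)):
        print(name, audit(quota, item, CAPACITY) or "no findings")
```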