Skip to main content

Risks

Operational configuration

Top security risks

In Kubernetes, the default settings provide minimal restrictions on resources such as CPU and memory. This lack of constraints can lead to resource contention, where a pod consumes more resources than available, potentially causing system failures. To address this, Kubernetes offers mechanisms such as LimitRanges and ResourceQuotas to manage and control resource usage effectively.

Resource Reservation with Kubelet

To prevent pods from consuming all available resources, Kubernetes allows reserving resources for the system. This ensures that the system has enough resources to perform essential operations even when pods demand high resources.

  1. System Reserved Resources: Configure the kubelet to reserve resources for system processes. For example, if a VM has 3 CPUs, you can reserve 1 CPU for the system, allowing Kubernetes to use the remaining 2 CPUs.
  2. Apply Kubelet Configuration: After updating the configuration, restart the kubelet and daemon.

By default, the kubelet configuration is located in /var/lib/kubelet/config.yaml.

Limiting API Resources with ResourceQuotas

ResourceQuotas allow you to define limits and requests for CPU, memory, and other Kubernetes objects within a namespace. This helps in managing resource usage and ensuring that no single namespace can exhaust cluster resources.

  1. Creating a ResourceQuota: Define resource quotas in a YAML file and apply them to the desired namespace.
  1. Example ResourceQuota for the Default Namespace: To secure the default namespace, apply minimal resource quotas to prevent unauthorized resource usage.

Managing Container Resources

To further control resource usage, specify resource limits and requests for individual containers within pods, deployments, daemon sets, etc.

  1. Defining Resource Limits and Requests: Add resource specifications to your container definitions in the YAML configuration.

Conclusion

Implementing LimitRanges and ResourceQuotas in Kubernetes is essential for managing and controlling resource usage within your cluster. By reserving system resources with kubelet, defining resource quotas, and setting resource limits for containers, you can prevent resource contention and ensure the stability and security of your Kubernetes environment. These measures help maintain a balanced and efficient use of resources, protecting your cluster from potential failures and performance issues.

follow these measures