Merge pull request #55 from nigeldouglas-itcarlow/patch-1

K01-insecure-workload-config [Add CPU Resource Constraints]

2022/en/src/K01-insecure-workload-configurations.md

@@ -60,7 +60,7 @@ metadata:
   name: read-only-fs
 spec:  
   containers:  
-
+  ...
   securityContext:  
     #read-only fs explicitly defined
     readOnlyRootFilesystem: true
@@ -89,6 +89,32 @@ spec:
     privileged: false
 ```
 
+**Resource constraints should be enforced**: By default, containers run with
+unbounded compute resources on a Kubernetes cluster. CPU requests and limits
+can be attributed to individual containers within a pod. If you don't specify
+a CPU limit for a container, it means there's no upper bound on the CPU
+resources it can consume. While this flexibility can be advantageous, it also
+poses a risk for potential resource abuse, such as crypto-mining, as the
+container could potentially utilize all available CPU resources on the
+hosting node.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: resource-limit-pod
+spec:
+  containers:
+  ...
+    resources:
+      limits:
+        cpu: "0.5" # 0.5 CPU cores
+        memory: "512Mi" # 512 Megabytes of memory
+      requests:
+        cpu: "0.2" # 0.2 CPU cores
+        memory: "256Mi" # 256 Megabytes of memory
+```
+
 ## How to Prevent
 
 Maintaining secure configurations throughout a large, distributed Kubernetes
@@ -100,8 +126,10 @@ can enforce that applications:
 
 1. Run as non-root user
 2. Run as non-privileged mode
-3. Set AllowPrivilegeEscalation: False to disallow child process from getting
-   more privileges than its parents
+3. Set AllowPrivilegeEscalation: False to disallow child process from
+getting more privileges than its parents.
+4. Set a LimitRange to constrain the resource allocations for each applicable
+object kind in a namespace.
 
 Tools such as Open Policy Agent can be used as a policy engine to detect these
 common misconfigurations. The CIS Benchmark for Kubernetes can also be used as a