This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I am running a deployment in AKS cluster and below is my YAML where I have clearly defined cpu/memory request and limit. Question is why I am getting AKS security recommendation : Container CPU and memory limits should be enforced ?
apiVersion: apps/v1
kind: Deployment
metadata:
name: azure-vote-back
namespace: my-dev
spec:
replicas: 1
selector:
matchLabels:
app: azure-vote-back
template:
metadata:
labels:
app: azure-vote-back
spec:
containers:
- name: azure-vote-back
image: redis
resources:
requests:
cpu: 125m
memory: 256Mi
limits:
cpu: 100m
memory: 128Mi
ports:
- containerPort: 6379
name: redis
@Mohammad Ajmal Yazdani , Thank you for your question.
I can see that spec.template.spec.containers[0].resources.requests values are greater than those of spec.template.spec.containers[0].resources.requests. The requests must be less or equal to the limits. Can you please reset the values accordingly and check if it helps?
Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack).
We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
(Related policy: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster)
Severity: Medium
Thanks @SRIJIT-BOSE-MSFT for pointing out that request must be less or equal to limits. I tried that, but still security recommendation persists. Is there anything else I need to do?
One more question, till what time I need to wait to check whether recommendation applied or not? 15 minutes? Can I change this?
My updated YAML,
apiVersion: apps/v1
kind: Deployment
metadata:
name: azure-vote-back
namespace: my-dev
spec:
replicas: 1
selector:
matchLabels:
app: azure-vote-back
template:
metadata:
labels:
app: azure-vote-back
annotations:
container.apparmor.security.beta.kubernetes.io/azure-vote-back: runtime/default
spec:
containers:
- name: azure-vote-back
image: redis
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 100m
memory: 128Mi
ports:
- containerPort: 6379
name: redis
securityContext:
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
@ IamCoder-6455 , Thank you for your response.
On the Azure Portal please navigate to Azure Policy Assignments and then to the assignment for the Policy Container CPU and memory limits should be enforced. Check the Parameter value for Max allowed CPU units and Max allowed memory bytes in the Parameters section. If the values are lower than the spec.template.spec.containers[0].resources.requests mentioned in the Deployment/Pod manifest you can either Edit Assignment on the Azure Portal to update the Parameter values or set the spec.template.spec.containers[0].resources.requests values in the Deployment/Pod manifest to lower than the Policy Assignment Parameters values and check again.
Please do let us know if the issue still persists.
Do I need to configure like this?
My YAML definition is,
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
And I have configured like below (greater than Limits),
Memory = 256
CPU = 100
]1
@SRIJIT-BOSE-MSFT . With my above settings, still I can see issue persists.
@Mohammad Ajmal Yazdani , Thank you for your response.
Based on the information available the best course of action would be to open a Microsoft Technical Support request on this issue.
Also, once you get the issue fixed, request you to reply back here on the thread with the resolution steps for the benefit of the community
@Mohammad Ajmal Yazdani . Thanks for the help. I was missing unit while updating Policy Assignment Parameters values . This is the correct way to do it and we need to pass unit as well (Mi or Gi for memory & m for cpu) and it's should be greater than or equal to YAML definition.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 21%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENR%3C/text%3E%3C/svg%3E)
Can you please share the steps what you did yo fix the issue if i don’t have azure policy setup