Why is this an issue?

A memory limit is a configuration that sets the maximum amount of memory that a container can use. It is part of the resource management functionality of Kubernetes, which allows for the control and allocation of computational resources to containers.

When a memory limit is set for a container, Kubernetes ensures that the container does not exceed the specified limit. If a container tries to use more memory than its limit, the system will reclaim the excess memory, which could lead to termination of processes within the container.

Without a memory limit, a container can potentially consume all available memory on a node, which can lead to unpredictable behavior of the container or the node itself. Therefore, defining a memory limit for each container is a best practice in Kubernetes configurations. It helps in managing resources effectively and ensures that a single container does not monopolize the memory resources of a node.

What is the potential impact?

Denial of Service

Without a memory limit, a container can consume all available memory on a node. This could lead to a Denial of Service (DoS) condition where other containers on the same node are starved of memory. These containers may slow down, become unresponsive, or even crash, affecting the overall functionality and availability of applications running on them.

Inefficient Resource Allocation

When containers lack specified resource requests, the Kubernetes scheduler may not make optimal decisions about pod placement and resource contention management. This could result in the scheduler placing a resource-intensive pod on a node with insufficient resources, leading to performance issues or even node failure.

How to fix it

Code examples

To avoid potential issues specify a memory limit for each container.

Noncompliant code example

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web # Noncompliant
      image: nginx

Compliant solution

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      resources:
        limits:
          memory: 100Mi

How does this work?

A limit can be set through the property resources.limits.memory of a container. Alternatively, a default limit for a namespace can be set with LimitRange.

Resources

Documentation

• Kubernetes Documentation - Configure Default Memory Requests and Limits for a Namespace

Standards

• CWE - CWE-770 - Allocation of Resources Without Limits or Throttling