yaml.kubernetes.best-practice.no-fractional-cpu-limits.no-fractional-cpu-limits
semgrepAuthor
161
Download Count*
License
When you set a fractional CPU limit on a container, the CPU cycles available will be throttled, even though most nodes can handle processes alternating between using 100% of the CPU.
Run Locally
Run in CI
Defintion
rules:
- id: no-fractional-cpu-limits
patterns:
- pattern-inside: |
limits:
...
- pattern: |
cpu: $CPU_LIMIT
- metavariable-regex:
metavariable: $CPU_LIMIT
regex: \d{0,3}m
fix: "cpu: 1000m"
message: When you set a fractional CPU limit on a container, the CPU cycles
available will be throttled, even though most nodes can handle processes
alternating between using 100% of the CPU.
severity: WARNING
languages:
- yaml
metadata:
category: best-practice
technology:
- kubernetes
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
no-fractional-cpu-limits.test.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
name: mumbledj
namespace: mumble
labels:
app: mumbledj
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: mumbledj
template:
metadata:
labels:
app: mumbledj
spec:
containers:
- name: app
command: [/bin/mumbledj, --config, /etc/mumbledj/mumbledj.yaml]
image: underyx/mumbledj
volumeMounts:
- name: mumbledj-cache
mountPath: /root/.cache
- name: mumbledj-config
mountPath: /etc/mumbledj
readOnly: true
resources:
limits:
# ruleid: no-fractional-cpu-limits
cpu: 100m
memory: 64Mi
requests:
# ok: no-fractional-cpu-limits
cpu: 20m
memory: 32Mi
- name: app
image: panubo/sshd:1.1.0
env:
- name: SSH_USERS
value: monosnap:667:667,sharex:749:749
- name: SFTP_MODE
value: "true"
ports:
- containerPort: 22
volumeMounts:
- name: images
mountPath: /data/i.underyx.me
- name: config
mountPath: /etc/ssh
- name: authorized-keys
mountPath: /etc/authorized_keys
lifecycle:
postStart:
exec:
command: [chmod, "0777", /data/i.underyx.me]
livenessProbe:
tcpSocket:
port: 22
initialDelaySeconds: 30
periodSeconds: 30
resources:
limits:
# ok: no-fractional-cpu-limits
cpu: 1000m
memory: 512Mi
requests:
cpu: 10m
memory: 8Mi
- name: app
image: plexinc/pms-docker:public
ports:
- containerPort: 3005
hostPort: 3005
- containerPort: 8324
hostPort: 8324
- containerPort: 32400
hostPort: 32400
- containerPort: 32469
hostPort: 32469
- containerPort: 1900
hostPort: 1900
protocol: UDP
- containerPort: 32410
hostPort: 32410
protocol: UDP
- containerPort: 32412
hostPort: 32412
protocol: UDP
- containerPort: 32413
hostPort: 32413
protocol: UDP
- containerPort: 32414
hostPort: 32414
protocol: UDP
env:
- name: TZ
value: Europe/Prague
- name: PLEX_UID
value: "797"
- name: PLEX_GID
value: "797"
- name: PLEX_CLAIM
valueFrom:
secretKeyRef:
name: plex-env
key: PLEX_CLAIM
- name: ADVERTISE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
volumeMounts:
- name: plex-config
mountPath: /config
- name: plex-media
mountPath: /media
- name: plex-transcode
mountPath: /transcode
livenessProbe:
tcpSocket:
port: 32400
initialDelaySeconds: 30
periodSeconds: 30
resources:
limits:
# ok: no-fractional-cpu-limits
cpu: 4000m
memory: 2Gi
requests:
cpu: 1000m
memory: 1Gi
volumes:
- name: mumbledj-cache
emptyDir: {}
- name: mumbledj-config
secret:
secretName: mumbledj-config
Short Link: https://sg.run/WgWZ