漏洞描述
Checks for missing CPU requests in Kubernetes Deployments, which can lead to inadequate scheduling and resource allocation.
k8s-cpu-requests-not-set: CPU Requests not set in Deployments
PoC代码[已公开]
id: k8s-cpu-requests-not-set
info:
name: CPU Requests not set in Deployments
author: princechaddha
severity: medium
description: Checks for missing CPU requests in Kubernetes Deployments, which can lead to inadequate scheduling and resource allocation.
impact: |
Missing CPU requests in Kubernetes Deployments can cause poor scheduling decisions and suboptimal resource allocation, potentially leading to degraded application performance.
remediation: |
Set CPU requests for all containers in Kubernetes Deplayments to ensure efficient scheduling and resource allocation.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
flow: |
code(1);
for (let deployment of template.items) {
set("deployment",deployment)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get deployments --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[]'
javascript:
- code: |
deployment = JSON.parse(template.deployment);
if (!deployment.spec.template.spec.containers.some(container => container.resources && container.resources.requests && container.resources.requests.cpu)) {
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks CPU requests.`);
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022001ebebc6619f3db3dc9ca5e25aacadd7327988e4b095b3d6fb58ac3cddad85be022100cd14263e3f4420db97d978a0920b6281ffe9c203b3bf46a0aec23801cbe860a6:922c64590222798bb761d5b6d8e72950