It is recommended to limit the CPU and memory usage of Kubernetes pods to ensure the stability and efficiency of the overall system. However, in some cases, pods may be exposed to the internet via a Network Load Balancer (NLB) without any CPU or memory limits, which can potentially cause issues such as resource starvation or even system crashes. Therefore, it is important to ensure that all internet-facing pods have CPU and memory limits configured.
To remediate the issue of a Pod being internet-facing (via NLB) and not having CPU/MEM limits, follow the below steps:
- Set resource limits for the container in the Pod's YAML configuration file.
- Add the appropriate values for the CPU and memory limits under the resources section.
- Update the Pod using the kubectl apply -f <pod-configuration-file.yaml> command.
- Verify that the changes are applied by running the kubectl describe pod <pod-name> command and looking for the Limits section under Conditions.
- If the Pod is still internet-facing, check the Network Load Balancer (NLB) configuration to ensure that it is configured correctly.
- Verify that the Pod is no longer internet-facing by testing the connection to the Pod using curl or a similar tool.
- If the Pod is still internet-facing, consider implementing additional network security measures, such as implementing a firewall or using Kubernetes Network Policies.
- Ensure that all future Pods are created with CPU/MEM limits and are not internet-facing unless required.
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.