☑️ Ensure each container fully utilizes CPU with no limitations
A container's CPU request typically defines a priority. If several different containers (CGroups) want to run on a contended system, workloads with larger CPU requests are allocated more CPU time than workloads with small requests.
Kubernetes configures CPU shares for a CGroup. At times of congestion, the CFS will allocate more CPU time to the higher priority processes.
In the absence of a CPU limit, the request acts as a priority for how much relative CPU time containers get. This allows your workloads to use the CPU without an artificial limit or starvation.
Targeted objects by this rule (types of kind
): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Complexity: easy (What does this mean?)
Policy as code identifier: EKS_INVALID_CPU_LIMIT
This rule will fail
If a container has a CPU limit configured:
resources:
requests:
cpu: "128Mi"
limits:
cpu: "128Mi"
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Ensure each container fully utilizes CPU with no limitations [1 occurrence]
💡 Invalid key `limits.cpu` - refrain from setting a CPU limit to better utilize the CPU and prevent starvation
How to fix this failure
Do not configure a CPU limit:
resources:
requests:
cpu: "128Mi"