CloudWiki
Rules
Critical

Pod is internet facing (via ALB) and does not have CPU/MEM limits

Description

When a pod is internet-facing via an Application Load Balancer (ALB) and has no CPU/memory limits, it is exposed to resource contention, instability and denial of service. Without limits, a container can consume CPU and memory without bound, which can cause the pod to fail or become unresponsive and starve other workloads on the same node. Because the pod is internet-facing, it is also reachable by attackers, who can exploit the missing limits to launch denial of service (DoS) attacks that overload the system with traffic and bring it down. Pods running in a public subnet should therefore always be configured with CPU/memory limits and with other security measures, such as Network ACLs, Security Groups and WAF rules, to prevent attacks and keep the system stable.

Remediation

When a Pod is internet-facing, it is important to limit its CPU and memory usage to prevent resource exhaustion and potential denial of service (DoS) attacks. The following remediation steps ensure that internet-facing Pods have CPU/MEM limits:

  1. Add resource limits to the Pod's container spec: Open the YAML file for the Pod and add the following lines to the container spec:

     resources:
       limits:
         cpu: 1
         memory: 512Mi

     This will limit the container to using 1 CPU and 512 MB of memory.

  2. Verify that the Pod is exposed via an Application Load Balancer (ALB): Check the Pod's service spec to see if it is exposed via an ALB. If not, create an ALB and update the service spec to use it.
  3. Use security groups to control traffic: Create a security group for the ALB and restrict inbound traffic to only allow the required protocols and ports.
  4. Monitor resource usage: Use monitoring tools like Amazon CloudWatch to monitor resource usage of the Pod and scale up or down if necessary.
  5. Regularly review and update configurations: Regularly review and update the Pod's configuration to ensure that it is up-to-date and secure.
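The rule's check together with the fix from step 1, as an added Python example (not Lightlytics' code): it assumes the manifests are available as parsed dicts (the three constructed manifests inline stand in for `kubectl get ... -o json` output), treats an Ingress as internet-facing when it uses the `alb` ingress class and carries the `alb.ingress.kubernetes.io/scheme: internet-facing` annotation (the AWS Load Balancer Controller's default scheme is internal), follows the Ingress backends to the Services and their selectors to the Pods, and flags every container behind such an Ingress that lacks a cpu or memory limit. All names in the block (`find_violations`, `with_limits`, the sample objects) are hypothetical.

```python
import copy
from typing import Dict, List, Set

# Constructed sample manifests (not from the page): a Pod with requests but no
# limits, a Service selecting it, and an Ingress handled by the AWS Load
# Balancer Controller with an internet-facing scheme.
POD_NO_LIMITS: Dict = {
    "kind": "Pod",
    "metadata": {"name": "web", "labels": {"app": "web"}},
    "spec": {"containers": [{
        "name": "web",
        "image": "example.invalid/web:1.0",
        "resources": {"requests": {"cpu": "250m", "memory": "128Mi"}},
    }]},
}
SERVICE: Dict = {
    "kind": "Service",
    "metadata": {"name": "web-svc"},
    "spec": {"selector": {"app": "web"}, "ports": [{"port": 80}]},
}
INGRESS_ALB: Dict = {
    "kind": "Ingress",
    "metadata": {"name": "web-ing", "annotations": {
        "kubernetes.io/ingress.class": "alb",
        "alb.ingress.kubernetes.io/scheme": "internet-facing",
    }},
    "spec": {"rules": [{"http": {"paths": [{
        "path": "/", "pathType": "Prefix",
        "backend": {"service": {"name": "web-svc", "port": {"number": 80}}},
    }]}}]},
}


def containers_missing_limits(pod: Dict) -> List[str]:
    """Names of containers that lack a cpu or a memory limit."""
    missing = []
    for c in pod.get("spec", {}).get("containers", []):
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            missing.append(c["name"])
    return missing


def is_internet_facing_alb(ingress: Dict) -> bool:
    """ALB ingress class plus an explicit internet-facing scheme. The
    controller's default scheme is internal, so a missing annotation counts
    as not internet-facing."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    spec = ingress.get("spec", {})
    is_alb = ann.get("kubernetes.io/ingress.class") == "alb" or spec.get("ingressClassName") == "alb"
    return is_alb and ann.get("alb.ingress.kubernetes.io/scheme") == "internet-facing"


def backend_service_names(ingress: Dict) -> Set[str]:
    """Every Service an Ingress routes to (default backend and rule paths)."""
    spec = ingress.get("spec", {})
    names: Set[str] = set()
    default = spec.get("defaultBackend", {}).get("service", {}).get("name")
    if default:
        names.add(default)
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            name = path.get("backend", {}).get("service", {}).get("name")
            if name:
                names.add(name)
    return names


def service_selects(service: Dict, pod: Dict) -> bool:
    """True when every selector label of the Service matches the Pod's labels."""
    selector = service.get("spec", {}).get("selector", {})
    labels = pod.get("metadata", {}).get("labels", {})
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def find_violations(pods: List[Dict], services: List[Dict], ingresses: List[Dict]) -> List[Dict]:
    """Pods reachable through an internet-facing ALB whose containers lack limits."""
    exposed: Set[str] = set()
    for ing in ingresses:
        if is_internet_facing_alb(ing):
            exposed |= backend_service_names(ing)
    by_name = {s["metadata"]["name"]: s for s in services}
    findings = []
    for pod in pods:
        via = sorted(n for n in exposed if n in by_name and service_selects(by_name[n], pod))
        missing = containers_missing_limits(pod) if via else []
        if missing:
            findings.append({"pod": pod["metadata"]["name"], "via": via, "containers": missing})
    return findings


def with_limits(pod: Dict, cpu: str = "1", memory: str = "512Mi") -> Dict:
    """Remediation from step 1: a copy of the Pod with limits on every container
    that lacks them; limits already present are left untouched."""
    fixed = copy.deepcopy(pod)
    for c in fixed["spec"]["containers"]:
        limits = c.setdefault("resources", {}).setdefault("limits", {})
        limits.setdefault("cpu", cpu)
        limits.setdefault("memory", memory)
    return fixed


if __name__ == "__main__":
    print(find_violations([POD_NO_LIMITS], [SERVICE], [INGRESS_ALB]))
    print(find_violations([with_limits(POD_NO_LIMITS)], [SERVICE], [INGRESS_ALB]))
```

Running the block reports the `web` container of the `web` Pod as exposed via `web-svc` without limits, and an empty list once `with_limits` has applied the values from step 1. Removing the scheme annotation from the Ingress makes the check pass as well, since an internal ALB does not meet the rule's "internet facing" condition.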

By following these remediation steps, you can ensure that your internet-facing Pods have CPU/MEM limits, which helps prevent resource exhaustion and potential DoS attacks.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.