Location: deployment/k8s/helm-chart/templates/seq-proxy/deployment.yaml (line 37, block containers)
Description:
In the Deployment manifest for the seq-proxy component, the resources.requests section is not defined (neither for CPU nor for memory).
In Kubernetes, resource requests specify the minimum guaranteed amount of compute resources that the scheduler reserves for a container when placing it on a node. Without these values, Kubernetes cannot guarantee that the Pod will receive sufficient resources to operate normally under resource contention on the node, resulting in either a BestEffort QoS class or an incorrectly classified Burstable QoS.
Impact:
- Reduced Availability (Availability/DoS risk): seq-db-proxy is a critical infrastructure component (handling log/request routing). Under high node load, a container without requests becomes the prime candidate for CPU throttling or forcible eviction. This leads to loss of logs and metrics, directly affecting incident detection and investigation capabilities.
- Non-compliance: The absence of resource requests violates industry-standard secure configuration requirements, specifically the CIS Kubernetes Benchmark (section 5.4.x – "Ensure CPU and memory resource requests are defined for all containers").
- Noisy Neighbor effect: A malicious or misconfigured Pod running on the same node can consume all available resources, effectively crippling the proxy server.
Remediation:
Add a resources.requests block to the container specification.
Example fix (template):
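```yaml
containers:
  - name: {{ .Chart.Name }}
    # ... other settings ...
    resources:
      # Minimum the scheduler reserves for this container.
      # The defaults cover an unset cpu/memory key; the parent map
      # .Values.resources.requests must exist in values.yaml.
      requests:
        cpu: {{ .Values.resources.requests.cpu | default "100m" }}
        memory: {{ .Values.resources.requests.memory | default "128Mi" }}
```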
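A check that could gate this finding in CI, given as an added example that is not part of the project's code: it takes a rendered Deployment as JSON, lists containers with no explicit CPU or memory request, and derives the QoS class the Pod would receive. The sample manifest, image names and container names are constructed, and quantities are compared as plain strings.

```python
import json

# Constructed sample of a rendered Deployment (for instance, helm template
# output converted to JSON). Not the project's real manifest.
RENDERED = json.loads("""
{"kind": "Deployment", "metadata": {"name": "seq-proxy"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "proxy", "image": "example/proxy:1"},
   {"name": "sidecar", "image": "example/sidecar:1",
    "resources": {"limits": {"cpu": "200m", "memory": "256Mi"}}}
 ]}}}}
""")

RESOURCES = ("cpu", "memory")  # the only resources that affect QoS class

def pod_containers(workload):
    spec = workload["spec"]["template"]["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])

def missing_requests(workload):
    """Map container name -> resources with no explicit request in the manifest."""
    findings = {}
    for c in pod_containers(workload):
        requests = (c.get("resources") or {}).get("requests") or {}
        absent = [r for r in RESOURCES if r not in requests]
        if absent:
            findings[c["name"]] = absent
    return findings

def qos_class(workload):
    """QoS class Kubernetes would assign to the Pod."""
    any_set, guaranteed = False, True
    for c in pod_containers(workload):
        res = c.get("resources") or {}
        limits = res.get("limits") or {}
        # An unset request is defaulted to the limit when a limit is present.
        requests = {**limits, **(res.get("requests") or {})}
        any_set = any_set or any(r in limits or r in requests for r in RESOURCES)
        for r in RESOURCES:
            if r not in limits or requests.get(r) != limits[r]:
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"

if __name__ == "__main__":
    print(missing_requests(RENDERED), qos_class(RENDERED))
```

A pipeline step can fail the build whenever `missing_requests` returns a non-empty map for any rendered workload.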