Merge pull request #38 from secureCodeBox/resource-limits

Add Resource Limits to Scans

Author: Weltraumschaf

operator/controllers/execution/scan_controller.go

@@ -31,6 +31,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	resource "k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -440,6 +441,16 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 								findingsUploadURL,
 							},
 							ImagePullPolicy: "Always",
+							Resources: corev1.ResourceRequirements{
+								Requests: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("200m"),
+									corev1.ResourceMemory: resource.MustParse("100Mi"),
+								},
+								Limits: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("400m"),
+									corev1.ResourceMemory: resource.MustParse("200Mi"),
+								},
+							},
 						},
 					},
 					AutomountServiceAccountToken: &automountServiceAccountToken,
@@ -599,19 +610,16 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 				},
 			},
 		},
-		// TODO Assign sane default limits for lurcher
-		// Resources: corev1.ResourceRequirements{
-		// 	Limits: map[corev1.ResourceName]resource.Quantity{
-		// 		"": {
-		// 			Format: "",
-		// 		},
-		// 	},
-		// 	Requests: map[corev1.ResourceName]resource.Quantity{
-		// 		"": {
-		// 			Format: "",
-		// 		},
-		// 	},
-		// },
+		Resources: corev1.ResourceRequirements{
+			Requests: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("20m"),
+				corev1.ResourceMemory: resource.MustParse("20Mi"),
+			},
+			Limits: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("100m"),
+				corev1.ResourceMemory: resource.MustParse("100Mi"),
+			},
+		},
 		VolumeMounts: []corev1.VolumeMount{
 			{
 				Name:      "scan-results",
@@ -1031,6 +1039,16 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 							Args:            cliArgs,
 							Env:             append(hook.Spec.Env, standardEnvVars...),
 							ImagePullPolicy: "IfNotPresent",
+							Resources: corev1.ResourceRequirements{
+								Requests: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("200m"),
+									corev1.ResourceMemory: resource.MustParse("100Mi"),
+								},
+								Limits: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("400m"),
+									corev1.ResourceMemory: resource.MustParse("200Mi"),
+								},
+							},
 						},
 					},
 				},

scanners/amass/templates/amass-scan-type.yaml

@@ -26,6 +26,8 @@ spec:
                 - name: "amass-config"
                   mountPath: "/amass/output/config.ini"
                   subPath: "config.ini"
+              resources:
+                {{- toYaml .Values.scannerJob.resources | nindent 16 }}
           volumes:
             - name: "amass-config"
               configMap:

scanners/amass/values.yaml

@@ -2,3 +2,6 @@ parserImage:
   registry: docker.io
   repository: scbexperimental/parser-amass
   tag: latest
+
+scannerJob:
+  resources: {}

scanners/kube-hunter/templates/kubehunter-scan-type.yaml

@@ -20,3 +20,5 @@ spec:
                 - '/wrapper.sh'
                 - '--report'
                 - 'json'
+              resources:
+                {{- toYaml .Values.scannerJob.resources | nindent 16 }}

scanners/kube-hunter/values.yaml

@@ -2,3 +2,6 @@ parserImage:
   registry: docker.io
   repository: scbexperimental/parser-kube-hunter
   tag: latest
+
+scannerJob:
+  resources: {}

scanners/nikto/templates/nikto-scan-type.yaml

@@ -22,3 +22,5 @@ spec:
                 - '/wrapper.sh'
                 - '-o'
                 - '/home/securecodebox/nikto-results.json'
+              resources:
+                {{- toYaml .Values.scannerJob.resources | nindent 16 }}

scanners/nikto/values.yaml

@@ -2,3 +2,6 @@ parserImage:
   registry: docker.io
   repository: scbexperimental/parser-nikto
   tag: latest
+
+scannerJob:
+  resources: {}

scanners/nmap/templates/nmap-scan-type.yaml

@@ -17,3 +17,5 @@ spec:
             - name: nmap
               image: scbexperimental/nmap:7.80
               command: ["nmap", "-oX", "/home/securecodebox/nmap-results.xml"]
+              resources:
+                {{- toYaml .Values.scannerJob.resources | nindent 16 }}

scanners/nmap/values.yaml

@@ -2,3 +2,6 @@ parserImage:
   registry: docker.io
   repository: scbexperimental/parser-nmap
   tag: latest
+
+scannerJob:
+  resources: {}

scanners/ssh_scan/templates/ssh-scan-scan-type.yaml

@@ -20,3 +20,5 @@ spec:
                 - "/app/bin/ssh_scan"
                 - "--output"
                 - "/home/securecodebox/ssh-scan-results.json"
+              resources:
+                {{- toYaml .Values.scannerJob.resources | nindent 16 }}