Do not encourage adding CPU limits #3723

Open
nemobis opened this issue Dec 2, 2024 · 4 comments
Labels
bug Something isn't working

Comments


nemobis commented Dec 2, 2024

What steps did you take and what happened:

OPA Gatekeeper appeared on my cluster with AKS defaults. Now I get a bunch of logs of the kind:

container has no resource limits

What did you expect to happen:

No encouragement to add CPU limits should be in the default policies.

Anything else you would like to add:

CPU limits are often harmful and should only be added after careful consideration. Kyverno also has stopped encouraging them: kyverno/kyverno#799

Environment:

  • Gatekeeper version: mcr.microsoft.com/oss/open-policy-agent/gatekeeper:v3.17.1, sha256:8b4c5d52f6fba917ef23bc3c41613ffd336f8473c444081196030fe08f7f2b64
  • Kubernetes version: 1.29

nemobis added the bug label on Dec 2, 2024
Author

nemobis commented Dec 2, 2024

The example policy was added a while ago: d733e7d

Member

sozercan commented Dec 3, 2024

Agreed on this, we recently removed cpu limits from Gatekeeper deployment too #2326.

However, Azure policies are not directly related to Gatekeeper open-source project. Do you mind creating an issue in https://github.com/azure/aks for tracking Azure policy updates for this?

We can use this issue to track removal in agilebank demo https://github.com/open-policy-agent/gatekeeper/blob/master/demo/agilebank/templates/k8scontainterlimits_template.yaml

@charleswool

@nemobis Are you using deployment safeguard?

Author

nemobis commented Dec 4, 2024

> Agreed on this, we recently removed cpu limits from Gatekeeper deployment too

Good. Speaking of which, CPU requests are too high. 10m would probably be enough; on the busiest nodes I get CPU usage between 10m and 40m.

> Do you mind creating an issue in https://github.com/azure/aks for tracking Azure policy updates for this?

I'll think about it but they have dozens of dubious policies and I'm not so interested in contributing to a proprietary Microsoft project. I'm just disabling the "feature" entirely for now.

> Are you using deployment safeguard?

Not that I know...
