Resource Quotas
Namespace-level ResourceQuota that enforces CPU, memory, and pod count limits to prevent resource exhaustion and DoS attacks.
Overview
This template creates a ResourceQuota that limits total CPU, memory, and pod count within a namespace. Without quotas, a single runaway or malicious pod can consume all node resources, causing denial-of-service for other critical workloads.
Security threat addressed: Resource exhaustion attacks (noisy neighbor, cryptojacking) can crash co-located applications and increase cloud costs dramatically.
When to use: Apply to every production namespace. Adjust the hard limits based on your cluster capacity and team allocation.
Threat Model
- Cryptojacking prevention: Resource quotas cap the CPU/memory a compromised pod can consume for crypto mining, limiting both the impact and cloud cost.
- DoS containment: Prevents a single namespace from exhausting cluster-wide resources, protecting other teams’ workloads.
- Pod proliferation blocking: The pod count limit prevents an attacker from spawning unlimited replica pods to amplify resource consumption.
MITRE ATT&CK:
- T1496 — Resource Hijacking: Without quotas, compromised containers can monopolize node resources for cryptomining, consuming all available CPU and inflating cloud bills.
Real-world scenario: An attacker compromises a pod and deploys a crypto miner. The miner tries to use all available CPU, but the ResourceQuota limits consumption to the namespace’s allocation, preventing impact on other services.
YAML Source
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: default
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  # PREVENT RESOURCE EXHAUSTION (DoS)
  # Without quotas, a single buggy or malicious pod can consume all CPU/Memory
  # on a node, crashing other critical workloads (Noisy Neighbor problem).
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    # ... truncated -- get full template at k8s-security.pro/pricing
Get the complete template with all resource configurations, production-ready values, and environment-specific tuning in the Starter tier.
Installation
kubectl:
kubectl apply -f 06_resource_quotas.yaml
Helm:
helm install k8s-security ./charts/k8s-security -f values-prod.yaml
Kustomize:
kubectl apply -k kustomize/overlays/prod
Verification
# Check quota status and usage
kubectl get resourcequota compute-resources -n <namespace>
# Detailed quota view with used vs hard limits
kubectl describe resourcequota compute-resources -n <namespace>
# Test quota enforcement (create a pod exceeding limits)
kubectl run test-quota --image=nginx --restart=Never -n <namespace> --overrides='{"spec":{"containers":[{"name":"test","image":"nginx","resources":{"requests":{"cpu":"10"}}}]}}'
# Expected: Error from server (Forbidden): exceeded quota
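The admission rule that the verification step above exercises, modelled offline so it can be reasoned about without a cluster. This is an added example, not part of the template or of kubectl: the `requests.*` and `pods` hard limits follow the YAML above, while the current-usage figures and the test pod specs are constructed. It also shows the second way a quota rejects a pod, which the page's CIS note relies on: a pod that omits a request for a resource the quota tracks is refused before any arithmetic is done.

```python
from decimal import Decimal

# Kubernetes quantity suffixes: decimal SI (m, k, M, G, T) and binary (Ki ... Ti)
_SUFFIX = {"m": Decimal("0.001"), "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}

def parse_quantity(q):
    """'500m' -> 0.5 cores, '8Gi' -> bytes, '4' -> 4 (Decimal, base units)."""
    q = str(q).strip()
    for suffix in sorted(_SUFFIX, key=len, reverse=True):  # try 'Gi' before 'G'
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * _SUFFIX[suffix]
    return Decimal(q)

def pod_usage(pod):
    """Sum container requests into quota resource names; every pod counts as 1."""
    usage = {"pods": Decimal(1)}
    for c in pod["spec"]["containers"]:
        for res, val in c.get("resources", {}).get("requests", {}).items():
            key = "requests." + res
            usage[key] = usage.get(key, Decimal(0)) + parse_quantity(val)
    return usage

def admit(hard, used, pod):
    """Quota admission rule: a pod must declare a request for every
    requests.* resource the quota tracks, and used + requested <= hard."""
    hard = {k: parse_quantity(v) for k, v in hard.items()}
    used = {k: parse_quantity(v) for k, v in used.items()}
    want = pod_usage(pod)
    for res in hard:
        if res.startswith("requests.") and res not in want:
            return False, f"must specify {res}"
    for res, limit in hard.items():
        total = used.get(res, Decimal(0)) + want.get(res, Decimal(0))
        if total > limit:
            return False, (f"exceeded quota: requested {res}={want.get(res, 0)}, "
                           f"used={used.get(res, 0)}, limited={limit}")
    return True, "admitted"

# Constructed sample: the page's hard limits plus a pod cap, and current namespace usage
HARD = {"requests.cpu": "4", "requests.memory": "8Gi", "pods": "10"}
USED = {"requests.cpu": "3500m", "requests.memory": "6Gi", "pods": "7"}

def make_pod(requests):
    """Pod in the shape of the page's kubectl --overrides test pod (constructed)."""
    return {"spec": {"containers": [{"name": "test", "image": "nginx",
                                     "resources": {"requests": requests}}]}}

if __name__ == "__main__":
    for reqs in ({"cpu": "10"}, {"cpu": "10", "memory": "1Gi"},
                 {"cpu": "500m", "memory": "2Gi"}, {"cpu": "250m", "memory": "3Gi"}):
        print(reqs, "->", admit(HARD, USED, make_pod(reqs)))
```

The first case mirrors the page's `kubectl run` test: because the quota also tracks `requests.memory`, a pod that only sets a CPU request is rejected for the missing request before its oversized CPU figure is ever compared against the limit.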
CIS Benchmark References
- 5.2.6 — Minimize the admission of containers lacking resource limits. ResourceQuotas force all pods to declare resource requests.
- 5.2.11 — Ensure that containers define resource limits. Quotas enforce aggregate limits at the namespace level.
MITRE ATT&CK References
- T1496 — Resource Hijacking: Unrestricted resource consumption enables cryptojacking attacks. Quotas cap the maximum CPU and memory a namespace can use, limiting attacker impact.
Further Reading
- Kubernetes CIS Benchmark and SOC2 Compliance: A Practical Guide — Understand how resource management maps to CIS Benchmark and SOC2 availability controls.
Get Full Access to This Template
This template is included in the Starter tier and above.