Dostainer - Kubernetes Resource Exhaustion PoC Container
This container contains three scripts to demonstrate resource exhaustion from within a Kubernetes cluster:
- Allocate all remaining RAM
- Allocate all remaining disk space
- Fork bomb all the things! (courtesy of Chris, who also demonstrated it in one of our last presentations)
These exhaustion attacks work in many K8s environments because the default settings do not include proper resource limits. Each of them can (and does) render a node useless, and as pods fail over to other nodes the effect will eventually spread through the cluster.
Hardening measures are added to dosploy.yaml and listed below:
- Memory Restrictions
- Ephemeral Storage Limits
  - Keep in mind that storage limits may not apply to other volumes attached to a pod.
- Pod PID Limit
  - The PID limit is configured on the kubelet level and applies to all pods, i.e. you cannot configure individual PID limits per pod.
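The three limits listed above, written out as configuration. This is an added example and not the contents of the project's dosploy.yaml; the pod name, image, mount path and all sizes are placeholders chosen for illustration.

```yaml
# Constructed example. Without a `resources` section a container has no
# memory or ephemeral-storage ceiling and can consume whatever the node has left.
apiVersion: v1
kind: Pod
metadata:
  name: limited-workload                 # hypothetical name
spec:
  containers:
    - name: app
      image: registry.example/app:1.0    # placeholder image
      resources:
        requests:
          memory: "128Mi"
          ephemeral-storage: "256Mi"
        limits:
          memory: "256Mi"                # container is OOM-killed when it exceeds this
          ephemeral-storage: "512Mi"     # kubelet evicts the pod when usage exceeds this
      volumeMounts:
        - name: scratch
          mountPath: /scratch
  volumes:
    - name: scratch
      emptyDir:
        sizeLimit: "256Mi"               # disk-backed emptyDir counts as ephemeral storage
    # A persistentVolumeClaim or hostPath volume mounted here would not be
    # bounded by the ephemeral-storage limit; size those volumes separately.
---
# Kubelet configuration file on each node (not an object applied with kubectl).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
podPidsLimit: 1024                       # max PIDs per pod; one value for every pod on the node
```

The kubelet has to be restarted on each node for a changed `podPidsLimit` to take effect.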