id: k8s-cpu-requests-not-set

info:
  name: CPU Requests not set in Deployments
  author: princechaddha
  severity: medium
  description: Checks for missing CPU requests in Kubernetes Deployments, which can lead to inadequate scheduling and resource allocation.
  impact: |
    Missing CPU requests in Kubernetes Deployments can cause poor scheduling decisions and suboptimal resource allocation, potentially leading to degraded application performance.
  remediation: |
    Set CPU requests for all containers in Kubernetes Deplayments to ensure efficient scheduling and resource allocation.
  reference:
    - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/
  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
  code(1);
  for (let deployment of template.items) {
    set("deployment",deployment)
    javascript(1);
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: kubectl get deployments --all-namespaces --output=json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'

javascript:
  - code: |
        deployment = JSON.parse(template.deployment);
        if (!deployment.spec.template.spec.containers.some(container => container.resources && container.resources.requests && container.resources.requests.cpu)) {
          let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks CPU requests.`);
          Export(result);
        }

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a00473045022100ce064fde6c02b2150739c4c898294016cbeabcf9da5ae8b4fce69862fb4c0b380220263897bc6d527e5e9ce91b2211864cbb8c373c2e1b168087d5b7b846704a067b:922c64590222798bb761d5b6d8e72950