K8s Security Pro
#07 Resource Management starter

Limit Range

A LimitRange that sets default CPU and memory requests/limits for containers that do not specify them, preventing over-provisioning.

CIS Benchmark
5.2.65.2.11
MITRE ATT&CK
T1496

Overview

This template creates a LimitRange that automatically assigns default CPU and memory requests and limits to any container that does not specify them. While ResourceQuotas enforce aggregate limits, LimitRanges ensure every individual container has a baseline resource configuration.

Security threat addressed: Developers often forget to set resource specifications. Without defaults, the scheduler cannot make informed placement decisions, leading to over-provisioned nodes and potential resource starvation.

When to use: Apply alongside ResourceQuotas in every production namespace. LimitRanges serve as a safety net for containers without explicit resource specifications.

Threat Model

  • Resource starvation prevention: Containers without limits can consume unbounded resources, starving other workloads on the same node.
  • Scheduler efficiency: Default requests allow the scheduler to bin-pack pods correctly, preventing node overcommitment.
  • Cost control: Guaranteed baseline resource allocation prevents unpredictable cloud costs from runaway pods.

MITRE ATT&CK:

  • T1496 — Resource Hijacking: Without per-container limits, a compromised container can consume all node resources for crypto mining.

Real-world scenario: A developer deploys a new service without resource limits. A bug causes a memory leak, consuming all node memory and triggering OOM kills on other pods. LimitRange prevents this by enforcing a maximum memory limit.

YAML Source

apiVersion: v1
kind: LimitRange
metadata:
  name: mem-limit-range
  namespace: default
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  limits:
  - default:
      memory: 512Mi
      cpu: 500m
    defaultRequest:
      memory: 256Mi
      cpu: 250m
    type: Container
# ... truncated -- get full template at k8s-security.pro/pricing

Get the complete template with min/max constraints, ratio limits, and storage defaults in the Starter tier.

Installation

kubectl:

kubectl apply -f 07_limit_range.yaml

Helm:

helm install k8s-security ./charts/k8s-security -f values-prod.yaml

Kustomize:

kubectl apply -k kustomize/overlays/prod

Verification

# Check LimitRange configuration
kubectl get limitrange mem-limit-range -n <namespace>

# View detailed defaults
kubectl describe limitrange mem-limit-range -n <namespace>

# Test that a pod without resources gets defaults applied
kubectl run test-defaults --image=nginx --restart=Never -n <namespace>
kubectl get pod test-defaults -n <namespace> -o jsonpath='{.spec.containers[0].resources}'

CIS Benchmark References

  • 5.2.6 — Minimize the admission of containers lacking resource limits. LimitRanges ensure containers always have limits, even if not explicitly configured.
  • 5.2.11 — Ensure that containers define resource limits. Default limits act as a safety net.

MITRE ATT&CK References

  • T1496 — Resource Hijacking: Unbounded containers can be exploited for cryptojacking. LimitRanges enforce per-container maximums as a defense-in-depth measure.

Further Reading

Get Full Access to This Template

This template is included in the Starter tier and above.

View Pricing Plans
← All Templates Get All Templates →