Update memory resource validation in C-0004 control

slashben · slashben · commit c5bd9ca47974 · 2025-03-12T11:24:12.000+02:00
- Modify memory resource validation to use `quantity().asInteger()` for correct parsing
- Update test cases to use Kubernetes memory unit suffixes (Mi, Gi, Ki)
- Expand memory resource configuration range in default and basic control configurations
- Ensure consistent memory resource validation across Pod, Workload, and CronJob resources

Signed-off-by: Ben &lt;ben@armosec.io&gt;
diff --git a/configuration/basic-control-configuration.yaml b/configuration/basic-control-configuration.yaml
@@ -45,10 +45,10 @@ settings:
   - 5
   maxHighVulnerabilities:
   - 10
-  memoryLimitMax: 256
-  memoryLimitMin: 32
-  memoryRequestMax: 256
-  memoryRequestMin: 32
+  memoryLimitMax: 4294967296
+  memoryLimitMin: 0
+  memoryRequestMax: 4294967296
+  memoryRequestMin: 0
   publicRegistries:
   - docker.io
   - gcr.io
diff --git a/controls/C-0004/policy.yaml b/controls/C-0004/policy.yaml
@@ -28,27 +28,27 @@ spec:
   validations:
     - expression: >
         object.kind != 'Pod' || object.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
-        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
-        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
+        params.settings.memoryRequestMin <= quantity(container.resources.requests.memory).asInteger() &&
+        params.settings.memoryRequestMax >= quantity(container.resources.requests.memory).asInteger()) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
-        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
+        params.settings.memoryLimitMin <= quantity(container.resources.limits.memory).asInteger()&&
+        params.settings.memoryLimitMax >= quantity(container.resources.limits.memory).asInteger()))
       message: "Pods contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
 
     - expression: >
         ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
-        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
-        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
+        params.settings.memoryRequestMin <= quantity(container.resources.requests.memory).asInteger() &&
+        params.settings.memoryRequestMax >= quantity(container.resources.requests.memory).asInteger()) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
-        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
+        params.settings.memoryLimitMin <= quantity(container.resources.limits.memory).asInteger() &&
+        params.settings.memoryLimitMax >= quantity(container.resources.limits.memory).asInteger()))
       message: "Workloads contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
 
     - expression: >
         object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
-        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
-        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
+        params.settings.memoryRequestMin <= quantity(container.resources.requests.memory).asInteger() &&
+        params.settings.memoryRequestMax >= quantity(container.resources.requests.memory).asInteger()) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
-        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
+        params.settings.memoryLimitMin <= quantity(container.resources.limits.memory).asInteger() &&
+        params.settings.memoryLimitMax >= quantity(container.resources.limits.memory).asInteger()))
       message: "CronJob contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
diff --git a/controls/C-0004/tests.json b/controls/C-0004/tests.json
@@ -11,25 +11,25 @@
         "template": "pod.yaml",
         "expected": "fail",
         "field_change_list": [
-            "spec.containers.[0].resources.requests.memory=128"
+            "spec.containers.[0].resources.requests.memory=128Mi"
         ]
     },
     {
         "name": "Pod with container having memory request and limits set and both values in the limit is allowed",
         "template": "pod.yaml",
         "expected": "pass",
         "field_change_list": [
-            "spec.containers.[0].resources.requests.memory=128",
-            "spec.containers.[0].resources.limits.memory=128"
+            "spec.containers.[0].resources.requests.memory=128Mi",
+            "spec.containers.[0].resources.limits.memory=128Mi"
         ]
     },
     {
-        "name": "Pod with container having memory request and limits set and values not in the limit is blocked",
+        "name": "Pod with container having memory request and limits set and values out of the range is blocked",
         "template": "pod.yaml",
         "expected": "fail",
         "field_change_list": [
-            "spec.containers.[0].resources.requests.memory=16",
-            "spec.containers.[0].resources.limits.memory=512"
+            "spec.containers.[0].resources.requests.memory=16Mi",
+            "spec.containers.[0].resources.limits.memory=512Gi"
         ]
     },
     {
@@ -44,15 +44,17 @@
         "template": "deployment.yaml",
         "expected": "pass",
         "field_change_list": [
-            "spec.template.spec.containers.[0].resources.requests.memory=128",
-            "spec.template.spec.containers.[0].resources.limits.memory=128"
+            "spec.template.spec.containers.[0].resources.requests.memory=128Mi",
+            "spec.template.spec.containers.[0].resources.limits.memory=128Mi"
         ]
     },
     {
         "name": "CronJob with container having memory request and limits set and both values in the limit is allowed",
         "template": "cronjob.yaml",
         "expected": "pass",
         "field_change_list": [
+            "spec.jobTemplate.spec.template.spec.containers.[0].resources.requests.memory=128Ki",
+            "spec.jobTemplate.spec.template.spec.containers.[0].resources.limits.memory=128Ki"
         ]
     }
 ]
diff --git a/test-resources/default-control-configuration.yaml b/test-resources/default-control-configuration.yaml
@@ -46,10 +46,10 @@ settings:
   - 5
   maxHighVulnerabilities:
   - 10
-  memoryLimitMax: 256
-  memoryLimitMin: 32
-  memoryRequestMax: 256
-  memoryRequestMin: 32
+  memoryLimitMax: 4294967296
+  memoryLimitMin: 0
+  memoryRequestMax: 4294967296
+  memoryRequestMin: 0
   publicRegistries:
   - docker.io
   - gcr.io

Original file line number	Diff line number	Diff line change
`@@ -11,25 +11,25 @@`
`11`	`11`	`"template": "pod.yaml",`
`12`	`12`	`"expected": "fail",`
`13`	`13`	`"field_change_list": [`
`14`		`- "spec.containers.[0].resources.requests.memory=128"`
	`14`	`+ "spec.containers.[0].resources.requests.memory=128Mi"`
`15`	`15`	`]`
`16`	`16`	`},`
`17`	`17`	`{`
`18`	`18`	`"name": "Pod with container having memory request and limits set and both values in the limit is allowed",`
`19`	`19`	`"template": "pod.yaml",`
`20`	`20`	`"expected": "pass",`
`21`	`21`	`"field_change_list": [`
`22`		`- "spec.containers.[0].resources.requests.memory=128",`
`23`		`- "spec.containers.[0].resources.limits.memory=128"`
	`22`	`+ "spec.containers.[0].resources.requests.memory=128Mi",`
	`23`	`+ "spec.containers.[0].resources.limits.memory=128Mi"`
`24`	`24`	`]`
`25`	`25`	`},`
`26`	`26`	`{`
`27`		`- "name": "Pod with container having memory request and limits set and values not in the limit is blocked",`
	`27`	`+ "name": "Pod with container having memory request and limits set and values out of the range is blocked",`
`28`	`28`	`"template": "pod.yaml",`
`29`	`29`	`"expected": "fail",`
`30`	`30`	`"field_change_list": [`
`31`		`- "spec.containers.[0].resources.requests.memory=16",`
`32`		`- "spec.containers.[0].resources.limits.memory=512"`
	`31`	`+ "spec.containers.[0].resources.requests.memory=16Mi",`
	`32`	`+ "spec.containers.[0].resources.limits.memory=512Gi"`
`33`	`33`	`]`
`34`	`34`	`},`
`35`	`35`	`{`
`@@ -44,15 +44,17 @@`
`44`	`44`	`"template": "deployment.yaml",`
`45`	`45`	`"expected": "pass",`
`46`	`46`	`"field_change_list": [`
`47`		`- "spec.template.spec.containers.[0].resources.requests.memory=128",`
`48`		`- "spec.template.spec.containers.[0].resources.limits.memory=128"`
	`47`	`+ "spec.template.spec.containers.[0].resources.requests.memory=128Mi",`
	`48`	`+ "spec.template.spec.containers.[0].resources.limits.memory=128Mi"`
`49`	`49`	`]`
`50`	`50`	`},`
`51`	`51`	`{`
`52`	`52`	`"name": "CronJob with container having memory request and limits set and both values in the limit is allowed",`
`53`	`53`	`"template": "cronjob.yaml",`
`54`	`54`	`"expected": "pass",`
`55`	`55`	`"field_change_list": [`
	`56`	`+ "spec.jobTemplate.spec.template.spec.containers.[0].resources.requests.memory=128Ki",`
	`57`	`+ "spec.jobTemplate.spec.template.spec.containers.[0].resources.limits.memory=128Ki"`
`56`	`58`	`]`
`57`	`59`	`}`
`58`	`60`	`]`