Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately

Error: The --terminated-pod-gc-threshold argument for controller managers is not set appropriately

Bridgecrew Policy ID: BC_K8S_80
Checkov Check ID: CKV_K8S_106
Severity: MEDIUM

Description

Activate the garbage collector for terminated pods with a threshold appropriate to your cluster. Garbage collection is important to ensure sufficient resource availability and to avoid degraded performance and availability; in the worst case, the system might crash or be unusable for a long period of time. The current setting for garbage collection (the kube-controller-manager default) is 12,500 terminated pods, which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value at which garbage collection is triggered.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
+   - --terminated-pod-gc-threshold=555
    image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-controller-manager-should-pass
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
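The following is an added example, not Checkov's own implementation of CKV_K8S_106: a small Python check that applies the rule this page describes to a kube-controller-manager Pod manifest. It assumes the manifest has already been loaded into a dict (as a YAML loader would produce), that the flag may appear in either `command` or `args`, and that "set appropriately" means the flag is present with a positive value below the 12,500 default; the `make_pod` helper and the sample Pods it builds are constructed for the example.

```python
# Added example (not Checkov's own code): re-implements the rule on this page.
# Assumption: the manifest is a dict such as yaml.safe_load() would return.

DEFAULT_THRESHOLD = 12500  # kube-controller-manager default, as stated on this page
FLAG = "--terminated-pod-gc-threshold"


def gc_threshold_from_args(argv):
    """Return the configured threshold as an int, or None when the flag is
    absent or its value is not a number. Accepts '--flag=N' and '--flag N'."""
    for i, arg in enumerate(argv):
        value = None
        if arg == FLAG and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
        if value is not None:
            return int(value) if value.isdigit() else None
    return None


def check_pod(pod):
    """Evaluate every container in the Pod that runs kube-controller-manager.
    Returns a list of (container name, threshold, passed) tuples.
    A threshold of 0 fails: it does not limit retained terminated pods."""
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        argv = list(container.get("command", [])) + list(container.get("args", []))
        if not any(a.endswith("kube-controller-manager") for a in argv):
            continue  # some other component; this rule does not apply
        threshold = gc_threshold_from_args(argv)
        passed = threshold is not None and 0 < threshold < DEFAULT_THRESHOLD
        findings.append((container.get("name"), threshold, passed))
    return findings


def make_pod(name, command):
    """Constructed sample control-plane Pod in dict form (not a real manifest)."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "kube-system"},
            "spec": {"containers": [{"name": name, "command": command,
                                      "image": "gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0"}]}}


if __name__ == "__main__":
    fixed = make_pod("kcm-fixed", ["kube-controller-manager", FLAG + "=555"])
    missing = make_pod("kcm-missing", ["kube-controller-manager", "--v=2"])
    for pod in (fixed, missing):
        for name, threshold, ok in check_pod(pod):
            print(f"{name}: threshold={threshold} -> {'PASSED' if ok else 'FAILED'}")
```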
