Allow Operational Container Scanning maximum memory setting to be configured via Agent configuration to avoid OOMKilled errors
Proposal
Operational Container Scanning is no longer dependent on having the Starboard Operator installed and can be scheduled via the Agent configuration.
However, there is currently no way to configure the maximum amount of memory available to the scanner pods.
That setting is essential to avoid pods failing with OOMKilled errors when the images are large (at present the memory limit is hard-coded to 500MB).
Updates
Note that the implementation plan has been updated based on feedback from this thread in the MR.
Implementation Plan
- Add resource_requirements to the container_scanning config of the agent config file
  - Example config:

        container_scanning:
          cadence: '10 * * * *'
          vulnerability_report:
            namespaces:
              - default
          resource_requirements:
            limits:
              cpu: 100m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 500Mi

- Update module logic to parse resource_requirements and scan config^
  - If only agent_config is configured with scan config
    - Scanner should use agent_config's scan config with default resource_requirements
  - If only agent_config is configured with scan config and resource_requirements
    - Scanner should use agent_config's scan config as well as configured resource_requirements
  - If only scan_execution_policy is configured
    - Scanner should use scan_execution_policy's scan config with default resource_requirements
  - If scan_execution_policy is configured and agent_config has both scan config and resource_requirements
    - Scanner should use scan_execution_policy's scan config as well as configured resource_requirements
  - If only scan_execution_policy is configured and agent_config has resource_requirements
    - Scanner should use scan_execution_policy's scan config with configured resource_requirements
  - ^ scan config refers to cadence and vulnerability_report
- Update operational container scanning docs to:
  - Specify that scan_execution_policy takes precedence over agent_config if both are configured
  - Include instructions on configuring resource requirements
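The precedence rules above, written out as one resolver so each case in the list can be checked. This is an added illustration, not code from the agent or the MR; the struct names, the ErrNoScanConfig sentinel and the exact quantity string used for the default memory limit are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// ResourceRequirements mirrors the proposed resource_requirements block:
// Kubernetes quantity strings keyed by resource name ("cpu", "memory").
type ResourceRequirements struct {
	Limits, Requests map[string]string
}

// ScanConfig is what the plan calls "scan config": cadence and vulnerability_report.
type ScanConfig struct {
	Cadence    string
	Namespaces []string // vulnerability_report.namespaces
}

// AgentConfig is the container_scanning section of the agent config file
// (struct and field names are assumptions, not the agent's real types).
type AgentConfig struct {
	Scan      *ScanConfig
	Resources *ResourceRequirements
}

// DefaultResources stands in for the hard-coded default the issue describes
// (a 500MB memory limit); the exact quantity string is an assumption.
var DefaultResources = ResourceRequirements{Limits: map[string]string{"memory": "500Mi"}}

// ErrNoScanConfig is returned when neither source schedules a scan.
var ErrNoScanConfig = errors.New("no scan config in scan_execution_policy or agent_config")

// ResolveScan applies the plan's precedence rules: a scan_execution_policy's scan
// config always wins over agent_config's; resource_requirements come from
// agent_config whenever present and otherwise fall back to DefaultResources.
func ResolveScan(agent *AgentConfig, policy *ScanConfig) (ScanConfig, ResourceRequirements, error) {
	res := DefaultResources
	if agent != nil && agent.Resources != nil {
		res = *agent.Resources
	}
	switch {
	case policy != nil:
		return *policy, res, nil
	case agent != nil && agent.Scan != nil:
		return *agent.Scan, res, nil
	}
	return ScanConfig{}, res, ErrNoScanConfig
}

func main() {
	// Constructed input: agent config carries only resource_requirements, the policy schedules the scan.
	agent := &AgentConfig{Resources: &ResourceRequirements{Limits: map[string]string{"cpu": "100m", "memory": "2Gi"}}}
	policy := &ScanConfig{Cadence: "10 * * * *", Namespaces: []string{"default"}}
	scan, res, err := ResolveScan(agent, policy)
	fmt.Println(scan.Cadence, res.Limits["memory"], err)
}
```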
Implementation Plan
- In starboard_config.go, check if the trivy.resources config values have one of the following environment variables set. If they do, override the default with the set values.
  - TRIVY_CPU_RESOURCE_REQUEST
  - TRIVY_CPU_RESOURCE_LIMIT
  - TRIVY_MEMORY_RESOURCE_REQUEST
  - TRIVY_MEMORY_RESOURCE_LIMIT
- Add new values to the helm chart values.yml:

        container_scanning:
          trivy:
            resources: {}
            # limits:
            #   cpu: 100m
            #   memory: 128Mi
            # requests:
            #   cpu: 100m
            #   memory: 128Mi

- Use the deployment template to add these values to the pod's environment variables.