Allow setting --max-fd argument to uwsgi to stop it from getting OOMKilled in Kubernetes #10384
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🔴 Risk threshold exceeded. Adding a reviewer if one is configured in notification list: @mtesauro @grendel513
Change Summary
The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.
Summary: The code changes in this pull request focus on improving the security and reliability of the DefectDojo application, a popular open-source application security management tool. The key changes include:
Overall, the changes in this pull request appear to be focused on improving the security and reliability of the DefectDojo application, which is a positive step from an application security perspective. However, it's important to ensure that the new configuration parameters, such as the
Files Changed:
Powered by DryRun Security
I can see that the tests are failing due to changes being made to files that I (or @hoeg) am not allowed to alter. How should I handle this?
This should be good to go after a quick typo fix
Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
Approved
Description
Reopening #9564
This PR fixes the issue described in issue #9562 regarding uWSGI, which under some circumstances takes up an unnecessary amount of resources on a Kubernetes node, leading to the pod getting OOMKilled.
We introduce the possibility to set the --max-fd argument when starting up uWSGI to mitigate this issue.
Test results
I have tested the fix on a Kubernetes cluster where it prevented the pod from getting OOMKilled. For more information see #9562.
Documentation
It is not clear to me where the documentation should be updated.
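The following is an added illustration of how a container entrypoint can expose uWSGI's --max-fd as an optional setting; it is not the code from this pull request or from DefectDojo. The environment variable name DD_UWSGI_MAX_FD, the base uWSGI flags, and the validation and clamping logic are assumptions made for this example. The value is validated as a positive integer and clamped to the shell's hard file-descriptor limit, so an operator typo cannot make uWSGI fail to start with an unattainable limit.

```shell
#!/bin/sh
# Added example, not DefectDojo's entrypoint: append --max-fd to the uwsgi
# command line only when DD_UWSGI_MAX_FD (hypothetical variable) is set.

# Base flags, constructed for the example; real deployments differ.
UWSGI_BASE_ARGS="--http :8081 --module wsgi:application"

# Accept only a positive decimal integer; anything else is rejected.
valid_max_fd() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    0) return 1 ;;
    *) return 0 ;;
  esac
}

# Clamp the requested value to the hard limit of the current process so the
# setrlimit call uwsgi performs for --max-fd cannot exceed what the kernel allows.
effective_max_fd() {
  requested="$1"
  hard="$(ulimit -Hn 2>/dev/null || echo unlimited)"
  if [ "$hard" != "unlimited" ] && [ "$requested" -gt "$hard" ]; then
    echo "$hard"
  else
    echo "$requested"
  fi
}

# Print the full uwsgi argument list; --max-fd is added only when the
# variable is set and valid, otherwise a warning goes to stderr and the
# base flags are used unchanged.
build_uwsgi_args() {
  args="$UWSGI_BASE_ARGS"
  if [ -n "${DD_UWSGI_MAX_FD:-}" ]; then
    if valid_max_fd "$DD_UWSGI_MAX_FD"; then
      args="$args --max-fd $(effective_max_fd "$DD_UWSGI_MAX_FD")"
    else
      echo "ignoring invalid DD_UWSGI_MAX_FD=$DD_UWSGI_MAX_FD" >&2
    fi
  fi
  echo "$args"
}

# Typical use at the end of an entrypoint (commented out so the file can be sourced):
# exec uwsgi $(build_uwsgi_args)
```

Because the clamp reads the hard limit of the entrypoint's own process, it reflects whatever limit the container runtime or a Kubernetes securityContext applied, so the resulting --max-fd value is one uWSGI can actually set.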