K8s Manifest Missing Resource Limits — Pod Can Consume Unbounded CPU/Memory - IssueFinder - SN 23 #1447
Description
Description
The K8s manifest defines resources.requests (8Gi memory, 2 CPU) but no resources.limits for either the DinD or workspace containers. Without limits, containers can consume unbounded CPU and memory, enabling DoS against the Kubernetes node and OOM kills of other pods.
Impact
Unbounded resource consumption can crash the node or affect other workloads.
Affected Area
- File(s): k8s/nemoclaw-k8s.yaml (lines 33-35, 85-87)
Reproduction Steps
- Read the K8s manifest:
grep -A 5 'resources:' k8s/nemoclaw-k8s.yaml - Observe: no
resources:section exists — no CPU/memory limits or requests - Deploy in a shared cluster:
kubectl apply -f k8s/nemoclaw-k8s.yaml kubectl describe pod nemoclaw -n nemoclaw | grep -A 10 'Resources'
- The DinD container can consume all available node resources
Environment
- OS: Any (Kubernetes node)
- NemoClaw Version: v0.1.0
- Branch: main
- Runtime: Kubernetes
- Container / Orchestration Info: K8s Pod (no resource limits)
- Network Setup: Default K8s networking
Debug Output
# Check current resource usage:
kubectl top pod nemoclaw -n nemoclaw
# No limits set — container can consume unlimited CPU/memory
# Verify no resource specs in manifest:
grep -c 'resources:\|limits:\|requests:' k8s/nemoclaw-k8s.yaml
# Expected: 0 — no resource specifications foundLogs
# kubectl describe output showing no resource limits:
$ kubectl describe pod nemoclaw -n nemoclaw | grep -A 5 Limits
Limits: <none>
Requests: <none>
# ↑ Unbounded resource consumption — OOM kills or CPU starvation possibleChecklist
- I confirmed this bug is reproducible
- I searched existing issues and this is not a duplicate