From 828ee5659ad8cbdd1ecd06e32c4717863e921972 Mon Sep 17 00:00:00 2001
From: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
Date: Fri, 3 Apr 2026 17:49:42 +0000
Subject: [PATCH 1/3] fix(k8s): add resource limits to prevent unbounded CPU/memory consumption
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without limits, the DinD and workspace containers could consume all available node resources, causing OOM kills of other pods or DoS against the Kubernetes node.

Added limits at 2x the requested values to allow reasonable burst while preventing runaway consumption:
- dind: requests 8Gi/2CPU → limits 16Gi/4CPU
- workspace: requests 4Gi/2CPU → limits 8Gi/4CPU

Fixes #1447

Signed-off-by: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
---
 k8s/nemoclaw-k8s.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/k8s/nemoclaw-k8s.yaml b/k8s/nemoclaw-k8s.yaml
index edc8748cf..413f5f909 100644
--- a/k8s/nemoclaw-k8s.yaml
+++ b/k8s/nemoclaw-k8s.yaml
@@ -30,8 +30,9 @@ spec:
         requests:
           memory: "8Gi"
           cpu: "2"
-
-    # Workspace - runs official NemoClaw installer
+        limits:
+          memory: "16Gi"
+          cpu: "4"
     - name: workspace
       image: node:22
       command:
@@ -98,6 +99,9 @@ spec:
         requests:
           memory: "4Gi"
           cpu: "2"
+        limits:
+          memory: "8Gi"
+          cpu: "4"
 
   initContainers:
     # Configure Docker daemon for cgroup v2

From 78a402f589684d4fdf2105a6963223f7ee18a1aa Mon Sep 17 00:00:00 2001
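Review bot: The first hunk removes the `# Workspace - runs official NemoClaw installer` comment (and the blank line above it) together with the unrelated limits change, which drops the only description of the workspace container; restore it directly above `- name: workspace` so the fix stays minimal. Separately, the memory limits are what turn a runaway build into an OOM kill scoped to this pod instead of node-wide pressure, but the `cpu: "4"` limits also subject dind builds to CFS throttling once the cap is hit, which many operators avoid by setting only memory limits — worth a one-line comment stating the trade-off either way, e.g. `# CPU limit throttles builds above 4 cores; memory limit OOM-kills the container at 16Gi`. Both containers' definitions (and the enclosing `resources:` key) start outside the hunk.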
From: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
Date: Fri, 3 Apr 2026 17:56:49 +0000
Subject: [PATCH 2/3] fix(k8s): add ephemeral-storage limits and docker-storage sizeLimit

Per CodeRabbit: CPU/memory limits were set but disk remained unbounded. The dind container writes Docker layers to an emptyDir volume; without ephemeral-storage limits, heavy image builds can exhaust node disk and trigger pod eviction.

- dind: ephemeral-storage 20Gi request / 40Gi limit
- workspace: ephemeral-storage 4Gi request / 8Gi limit
- docker-storage emptyDir: sizeLimit 40Gi

Signed-off-by: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
---
 k8s/nemoclaw-k8s.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/k8s/nemoclaw-k8s.yaml b/k8s/nemoclaw-k8s.yaml
index 413f5f909..9beca39e1 100644
--- a/k8s/nemoclaw-k8s.yaml
+++ b/k8s/nemoclaw-k8s.yaml
@@ -30,9 +30,11 @@ spec:
         requests:
           memory: "8Gi"
           cpu: "2"
+          ephemeral-storage: "20Gi"
         limits:
           memory: "16Gi"
           cpu: "4"
+          ephemeral-storage: "40Gi"
     - name: workspace
       image: node:22
       command:
@@ -99,9 +101,11 @@ spec:
         requests:
           memory: "4Gi"
           cpu: "2"
+          ephemeral-storage: "4Gi"
         limits:
           memory: "8Gi"
           cpu: "4"
+          ephemeral-storage: "8Gi"
 
   initContainers:
     # Configure Docker daemon for cgroup v2
@@ -114,7 +118,8 @@ spec:
 
   volumes:
     - name: docker-storage
-      emptyDir: {}
+      emptyDir:
+        sizeLimit: "40Gi"
     - name: docker-socket
       emptyDir: {}
     - name: docker-config

From fa33969dd21c5e7775e757fb778e8a2ec1cca861 Mon Sep 17 00:00:00 2001
From: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
Date: Fri, 3 Apr 2026 18:02:33 +0000
Subject: [PATCH 3/3] fix(k8s): add minimal resource limits to init-docker-config container

The init container performs a trivial write (single JSON file) but had no resource constraints. Added minimal bounds following defense-in-depth principles:

- requests: 32Mi memory / 100m CPU
- limits: 64Mi memory / 200m CPU
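Review bot: The `sizeLimit: "40Gi"` on `docker-storage` and the `ephemeral-storage` limits in the earlier hunks are enforced by kubelet eviction on its housekeeping interval rather than by a filesystem quota, so a fast layer write can overshoot the bound before the whole pod is evicted, and it is the pod — not just the dind container — that goes away; that is a reasonable bound against the node-disk exhaustion the commit describes, but it should be stated. As I understand Kubernetes local-ephemeral-storage accounting, emptyDir usage is charged to the pod total (sum of container limits, here 48Gi), so with 40Gi allowed in the volume only about 8Gi remains for both containers' writable layers and logs before pod-level eviction triggers; please confirm that headroom is intended. I would add above `sizeLimit`: `# Enforced by kubelet eviction, not a quota; counts toward the pod's 48Gi ephemeral-storage total (dind 40Gi + workspace 8Gi)`. A hard cap with an immediate ENOSPC would need a sized PVC or project quotas instead of emptyDir.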
Signed-off-by: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
---
 k8s/nemoclaw-k8s.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/k8s/nemoclaw-k8s.yaml b/k8s/nemoclaw-k8s.yaml
index 9beca39e1..20a25c917 100644
--- a/k8s/nemoclaw-k8s.yaml
+++ b/k8s/nemoclaw-k8s.yaml
@@ -115,6 +115,13 @@ spec:
       volumeMounts:
         - name: docker-config
           mountPath: /etc/docker
+      resources:
+        requests:
+          memory: "32Mi"
+          cpu: "100m"
+        limits:
+          memory: "64Mi"
+          cpu: "200m"
 
   volumes:
     - name: docker-storage
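Review bot: The `memory: "64Mi"` limit on the init container is a hard ceiling whose failure mode is worse than the risk it removes: if the image's baseline footprint ever exceeds it, the init container is OOM-killed and the pod never starts, which is a self-inflicted outage rather than defense-in-depth. The init container's `image` and `command` sit above the hunk, so the actual footprint cannot be confirmed here; please verify it on a real run (container `memory.peak` or `kubectl top`) and record the assumption next to the limits, e.g. `# Writes one daemon.json; 64Mi assumes a minimal shell image — raise if the image changes`. Note too that, as I understand scheduling, init-container requests do not add to the pod's effective request (it is the larger of the init and app-container sums), so these values affect only the cgroup caps, not placement.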