Kubernetes environments can be dynamic, and Runtime Security's performance impact depends on both the workload being run in a given environment and the cluster’s applied rulesets. This topic documents the recommended resource configuration for different node sizes.
Runtime Security’s performance depends directly on the overall number of syscalls and on how many of those syscalls trigger active runtime rules for the cluster. Applications differ in syscall volume, so their resource usage impact on Runtime Security also differs. The table below is a recommended configuration based on Trend Micro's test environment, which you may need to adjust based on your actual environment. All values in the following table are for a single node of the stated size.
| Node Environment | Resource Type | Falco Requests | Falco Limits | Scout Requests | Scout Limits |
|---|---|---|---|---|---|
| CPU: 1 vCPU, Memory: 4.0 GiB | CPU | 100m | 200m | 100m | 200m |
| | Memory | 256Mi | 512Mi | 256Mi | 512Mi |
| CPU: 4 vCPU, Memory: 16.0 GiB | CPU | 500m | 700m | 100m | 200m |
| | Memory | 1Gi | 2Gi | 256Mi | 512Mi |
| CPU: 8 vCPU, Memory: 32.0 GiB | CPU | 500m | 1000m | 100m | 512m |
| | Memory | 2Gi | 4Gi | 512Mi | 700Mi |
General Sizing Guidance
We recommend that you keep the default size settings for the majority of components and adjust only the Falco and Scout resources, using the recommendations in the table above and applying them to the Helm chart through an overrides file. If you encounter persistent Out Of Memory (OOM) kill issues, consider allocating additional resources to your cluster to ensure it meets the requirements listed in Kubernetes system requirements for Container Security.
If your instance differs from the sizes listed above, we recommend that you set the following resource limits for Falco and Scout:
  • Allocate 12.5% of your instance's total vCPU and memory to Falco.
  • If Falco is restarting often because of Out of Memory (OOM) issues, incrementally raise the memory allocation up to a maximum of 25% of the instance's total memory. Exceeding this threshold could negatively impact the performance of other applications on the instance.
  • Set Scout's CPU and memory limits to half of the limit set for Falco.
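
The sizing rule above, worked through for a node size the table does not cover. This is an added example, not Trend Micro code: the function names are hypothetical, the node sizes are constructed, and because the chart's override key names are not shown on this page, the result is returned as a plain `limits` mapping to copy into the overrides file.

```python
import re

# Suffixes used by Kubernetes memory quantities (binary and decimal).
_MEM_UNITS = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
              "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "": 1}

FALCO_SHARE = 0.125    # page: 12.5% of the instance's vCPU and memory
FALCO_MEM_CAP = 0.25   # page: raise memory up to a maximum of 25%


def cpu_to_millicores(q: str) -> int:
    """Parse a Kubernetes CPU quantity such as '4', '0.5' or '3920m'."""
    q = q.strip()
    return int(q[:-1]) if q.endswith("m") else round(float(q) * 1000)


def mem_to_bytes(q: str) -> int:
    """Parse a Kubernetes memory quantity such as '16Gi' or '16384Mi'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|K|M|G|T)?", q.strip())
    if not m:
        raise ValueError(f"unsupported memory quantity: {q!r}")
    return int(float(m.group(1)) * _MEM_UNITS[m.group(2) or ""])


def size_limits(node_cpu: str, node_mem: str,
                falco_mem_share: float = FALCO_SHARE) -> dict:
    """Return Falco and Scout limits for one node.

    falco_mem_share is the value to step up after repeated Falco OOM kills;
    it is clamped to the 12.5%..25% range the page gives.
    """
    share = min(max(falco_mem_share, FALCO_SHARE), FALCO_MEM_CAP)
    falco_cpu = int(cpu_to_millicores(node_cpu) * FALCO_SHARE)
    falco_mem = int(mem_to_bytes(node_mem) * share) // 2**20  # whole MiB, rounded down
    return {
        "falco": {"limits": {"cpu": f"{falco_cpu}m", "memory": f"{falco_mem}Mi"}},
        # page: Scout's limits are half of the limit set for Falco
        "scout": {"limits": {"cpu": f"{falco_cpu // 2}m",
                             "memory": f"{falco_mem // 2}Mi"}},
    }


if __name__ == "__main__":
    # Constructed input: a 16 vCPU / 64 GiB node.
    print(size_limits("16", "64Gi"))
    # After repeated OOM kills the share is raised; 0.40 is clamped to 0.25.
    print(size_limits("16", "64Gi", falco_mem_share=0.40))
```

Passing the node's allocatable values instead of its nominal size (for example `3920m` and `15.5Gi`) keeps the limits within what the kubelet can actually schedule.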