From de00d7a636fde999862afc95841c9d0fef4a3c85 Mon Sep 17 00:00:00 2001
From: davdhacs <105243888+davdhacs@users.noreply.github.com>
Date: Fri, 10 Apr 2026 15:42:11 -0600
Subject: [PATCH 1/2] fix(deploy): increase memory limits for admission-control and config-controller
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The busybox-style binary consolidation (ROX-33958) increased init-time memory usage for all components because Go eagerly runs init() for all transitively imported packages. Profiling shows the consolidated binary uses ~15 MB heap at startup vs ~5-8 MB for standalone binaries, which under the race detector multiplier (~5-10x) causes OOMKills for components with tight memory limits.
- config-controller: 128Mi → 256Mi (was OOMKilled in race-detector nightlies)
- admission-control: 500Mi → 1Gi for both enforcement modes (was OOMKilled in race-detector nightlies with 6-7 restarts across all replicas)
The admission-control enforcement-enabled default was already 1Gi; this aligns the enforcement-disabled default to match, since the busybox binary overhead is independent of enforcement status.
Generated with assistance from AI
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../helm/stackrox-central/internal/defaults.yaml.htpl | 2 +-
 .../internal/defaults/40-resources.yaml | 2 +-
 .../securedcluster/defaults/admission_controller.go | 8 ++++----
 .../extensions/reconcile_defaulting_test.go | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/image/templates/helm/stackrox-central/internal/defaults.yaml.htpl b/image/templates/helm/stackrox-central/internal/defaults.yaml.htpl
index 1d149be3606bd..7acaf517d0582 100644
--- a/image/templates/helm/stackrox-central/internal/defaults.yaml.htpl
+++ b/image/templates/helm/stackrox-central/internal/defaults.yaml.htpl
@@ -121,7 +121,7 @@ defaults:
 memory: "64Mi"
 cpu: "10m"
 limits:
- memory: "128Mi"
+ memory: "256Mi"
 cpu: "500m"
 scanner:
 disable: false
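Review bot: The config-controller limit is raised to 256Mi while the request on the first context line (presumably under `requests:`, which is outside the hunk) stays at 64Mi, and nothing in the template records why the 4:1 gap is needed; the commit message mixes a permanent cost (consolidated-binary init overhead, ~15 MB heap) with a CI-only one (the race-detector multiplier), so a later reader cannot tell whether the value can be lowered again for release builds. A short comment above the limit would settle that, e.g. `# Raised from 128Mi for consolidated-binary init overhead (ROX-33958); race-detector builds multiply this further`. For the admission-control limit in the 40-resources.yaml hunk the same applies, with a 100Mi request against a 1Gi limit, and there the sizing is also a security decision: if that webhook is OOMKilled and its failure policy is Ignore (not visible here), policy enforcement lapses silently, so the rationale is worth recording next to the number. Both hunks sit inside YAML maps that begin and end outside the hunk.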
diff --git a/image/templates/helm/stackrox-secured-cluster/internal/defaults/40-resources.yaml b/image/templates/helm/stackrox-secured-cluster/internal/defaults/40-resources.yaml
index 1c7672394c9ce..de82b6c90687b 100644
--- a/image/templates/helm/stackrox-secured-cluster/internal/defaults/40-resources.yaml
+++ b/image/templates/helm/stackrox-secured-cluster/internal/defaults/40-resources.yaml
@@ -15,7 +15,7 @@ admissionControl:
 memory: "100Mi"
 cpu: "50m"
 limits:
- memory: "500Mi"
+ memory: "1Gi"
 cpu: "500m"
 collector:
diff --git a/operator/internal/securedcluster/defaults/admission_controller.go b/operator/internal/securedcluster/defaults/admission_controller.go
index 4ae081f0a969f..489de9b5596da 100644
--- a/operator/internal/securedcluster/defaults/admission_controller.go
+++ b/operator/internal/securedcluster/defaults/admission_controller.go
@@ -18,13 +18,13 @@ var (
 },
 Limits: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("500m"),
- corev1.ResourceMemory: resource.MustParse("500Mi"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
 },
 }
- // defaultResourcesEnforcementEnabled has a higher memory limit to accommodate the
- // in-process image cache used by the policy-evaluation webhook during enforcement.
- // Only the memory limit differs; requests stay the same so scheduling is unaffected.
+ // defaultResourcesEnforcementEnabled defines resource requirements when enforcement is enabled.
+ // The memory limit matches the enforcement-disabled default since the busybox-style
+ // consolidated binary requires sufficient headroom for all components' init overhead.
 defaultResourcesEnforcementEnabled = corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("50m"),
diff --git a/operator/internal/securedcluster/extensions/reconcile_defaulting_test.go b/operator/internal/securedcluster/extensions/reconcile_defaulting_test.go
index d2e1e7196f492..43ebff948c913 100644
--- a/operator/internal/securedcluster/extensions/reconcile_defaulting_test.go
+++ b/operator/internal/securedcluster/extensions/reconcile_defaulting_test.go
@@ -32,11 +32,11 @@ var (
 },
 Limits: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("500m"),
- corev1.ResourceMemory: resource.MustParse("500Mi"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"),
 },
 }
- // Expected resources when enforcement is enabled (only memory limit differs).
+ // Expected resources when enforcement is enabled.
 expectedResourcesEnforcementEnabled = &corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("50m"),
From 640aefdfc5f91409f70bff537ef8bb98c0752701 Mon Sep 17 00:00:00 2001
From: davdhacs <105243888+davdhacs@users.noreply.github.com>
Date: Fri, 10 Apr 2026 15:44:22 -0600
Subject: [PATCH 2/2] fix: restore original comment on enforcement-enabled resource defaults
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../securedcluster/defaults/admission_controller.go | 6 +++---
 .../securedcluster/extensions/reconcile_defaulting_test.go | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/operator/internal/securedcluster/defaults/admission_controller.go b/operator/internal/securedcluster/defaults/admission_controller.go
index 489de9b5596da..34e9ee069e11e 100644
--- a/operator/internal/securedcluster/defaults/admission_controller.go
+++ b/operator/internal/securedcluster/defaults/admission_controller.go
@@ -22,9 +22,9 @@ var (
 },
 }
- // defaultResourcesEnforcementEnabled defines resource requirements when enforcement is enabled.
- // The memory limit matches the enforcement-disabled default since the busybox-style
- // consolidated binary requires sufficient headroom for all components' init overhead.
+ // defaultResourcesEnforcementEnabled has a higher memory limit to accommodate the
+ // in-process image cache used by the policy-evaluation webhook during enforcement.
+ // Only the memory limit differs; requests stay the same so scheduling is unaffected.
 defaultResourcesEnforcementEnabled = corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("50m"),
diff --git a/operator/internal/securedcluster/extensions/reconcile_defaulting_test.go b/operator/internal/securedcluster/extensions/reconcile_defaulting_test.go
index 43ebff948c913..8363bda813720 100644
--- a/operator/internal/securedcluster/extensions/reconcile_defaulting_test.go
+++ b/operator/internal/securedcluster/extensions/reconcile_defaulting_test.go
@@ -36,7 +36,7 @@ var (
 },
 }
- // Expected resources when enforcement is enabled.
+ // Expected resources when enforcement is enabled (only memory limit differs).
 expectedResourcesEnforcementEnabled = &corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("50m"),
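Review bot: The restored comment on `defaultResourcesEnforcementEnabled` no longer matches the code it documents: it says this variant "has a higher memory limit" and that "Only the memory limit differs", yet patch 1 set the enforcement-disabled limit to 1Gi as well and its message states the enabled default was already 1Gi, so on the new side the two ResourceRequirements values appear to be identical (the enabled variant's Limits block is outside this hunk, so confirm). Either keep a real difference between the two or reword the comment to explain why two variables exist, e.g. `// defaultResourcesEnforcementEnabled currently equals the enforcement-disabled default (both 1Gi); kept as a separate value so the enforcement path can be tuned independently.` The same stale "(only memory limit differs)" wording is restored in the reconcile_defaulting_test.go hunk below. The `var (` block holding both declarations begins before this hunk.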