apiVersion: v1
kind: ResourceQuota
metadata:
name: core-object-counts
spec:
hard:
configmaps: "10" (1)
persistentvolumeclaims: "4" (2)
replicationcontrollers: "20" (3)
secrets: "10" (4)
services: "10" (5)
A resource quota, defined by a ResourceQuota
object, provides constraints
that limit aggregate resource consumption per project. It can limit the quantity
of objects that can be created in a project by type, as well as the total amount
of compute resources and storage that may be consumed by resources in that project.
See the Developer Guide for more on compute resources. |
The following describes the set of compute resources and object types that may be managed by a quota.
A pod is in a terminal state if |
Resource Name | Description |
---|---|
|
The sum of CPU requests across all pods in a non-terminal state cannot exceed
this value. |
|
The sum of memory requests across all pods in a non-terminal state cannot
exceed this value. |
|
The sum of CPU requests across all pods in a non-terminal state cannot exceed
this value. |
|
The sum of memory requests across all pods in a non-terminal state cannot
exceed this value. |
|
The sum of CPU limits across all pods in a non-terminal state cannot exceed this value. |
|
The sum of memory limits across all pods in a non-terminal state cannot exceed this value. |
Resource Name | Description |
---|---|
|
The sum of storage requests across all persistent volume claims in any state cannot exceed this value. |
|
The total number of persistent volume claims that can exist in the project. |
|
The sum of storage requests across all persistent volume claims in any state that have a matching storage class, cannot exceed this value. |
|
The total number of persistent volume claims with a matching storage class that can exist in the project. |
Resource Name | Description |
---|---|
|
The total number of pods in a non-terminal state that can exist in the project. |
|
The total number of replication controllers that can exist in the project. |
|
The total number of resource quotas that can exist in the project. |
|
The total number of services that can exist in the project. |
|
The total number of secrets that can exist in the project. |
|
The total number of |
|
The total number of persistent volume claims that can exist in the project. |
|
The total number of image streams that can exist in the project. |
Each quota can have an associated set of scopes. A quota will only measure usage for a resource if it matches the intersection of enumerated scopes.
Adding a scope to a quota restricts the set of resources to which that quota can apply. Specifying a resource outside of the allowed set results in a validation error.
Scope | Description |
---|---|
Terminating |
Match pods where |
NotTerminating |
Match pods where |
BestEffort |
Match pods that have best effort quality of service for either |
NotBestEffort |
Match pods that do not have best effort quality of service for |
A BestEffort scope restricts a quota to limiting the following resources:
pods
A Terminating, NotTerminating, and NotBestEffort scope restricts a quota to tracking the following resources:
pods
memory
requests.memory
limits.memory
cpu
requests.cpu
limits.cpu
After a resource quota for a project is first created, the project restricts the ability to create any new resources that may violate a quota constraint until it has calculated updated usage statistics.
After a quota is created and usage statistics are updated, the project accepts the creation of new content. When you create or modify resources, your quota usage is incremented immediately upon the request to create or modify the resource.
When you delete a resource, your quota use is decremented during the next full recalculation of quota statistics for the project. A configurable amount of time determines how long it takes to reduce quota usage statistics to their current observed system value.
If project modifications exceed a quota usage limit, the server denies the action, and an appropriate error message is returned to the user explaining the quota constraint violated, and what their currently observed usage stats are in the system.
When allocating compute resources, each container may specify a request and a limit value each for CPU and memory. Quotas can restrict any of these values.
If the quota has a value specified for requests.cpu
or requests.memory
,
then it requires that every incoming container make an explicit request for
those resources. If the quota has a value specified for limits.cpu
or
limits.memory
, then it requires that every incoming container specify an
explicit limit for those resources.
apiVersion: v1
kind: ResourceQuota
metadata:
name: core-object-counts
spec:
hard:
configmaps: "10" (1)
persistentvolumeclaims: "4" (2)
replicationcontrollers: "20" (3)
secrets: "10" (4)
services: "10" (5)
1 | The total number of ConfigMap objects that can exist in the project. |
2 | The total number of persistent volume claims (PVCs) that can exist in the project. |
3 | The total number of replication controllers that can exist in the project. |
4 | The total number of secrets that can exist in the project. |
5 | The total number of services that can exist in the project. |
apiVersion: v1
kind: ResourceQuota
metadata:
name: openshift-object-counts
spec:
hard:
openshift.io/imagestreams: "10" (1)
1 | The total number of image streams that can exist in the project. |
apiVersion: v1
kind: ResourceQuota
metadata:
name: compute-resources
spec:
hard:
pods: "4" (1)
requests.cpu: "1" (2)
requests.memory: 1Gi (3)
limits.cpu: "2" (4)
limits.memory: 2Gi (5)
1 | The total number of pods in a non-terminal state that can exist in the project. |
2 | Across all pods in a non-terminal state, the sum of CPU requests cannot exceed 1 core. |
3 | Across all pods in a non-terminal state, the sum of memory requests cannot exceed 1Gi. |
4 | Across all pods in a non-terminal state, the sum of CPU limits cannot exceed 2 cores. |
5 | Across all pods in a non-terminal state, the sum of memory limits cannot exceed 2Gi. |
apiVersion: v1
kind: ResourceQuota
metadata:
name: besteffort
spec:
hard:
pods: "1" (1)
scopes:
- BestEffort (2)
1 | The total number of pods in a non-terminal state with BestEffort quality of service that can exist in the project. |
2 | Restricts the quota to only matching pods that have BestEffort quality of service for either memory or CPU. |
apiVersion: v1
kind: ResourceQuota
metadata:
name: compute-resources-long-running
spec:
hard:
pods: "4" (1)
limits.cpu: "4" (2)
limits.memory: "2Gi" (3)
scopes:
- NotTerminating (4)
1 | The total number of pods in a non-terminal state. |
2 | Across all pods in a non-terminal state, the sum of CPU limits cannot exceed this value. |
3 | Across all pods in a non-terminal state, the sum of memory limits cannot exceed this value. |
4 | Restricts the quota to only matching pods where spec.activeDeadlineSeconds is
set to nil . Build pods will fall under NotTerminating unless the
RestartNever policy is applied. |
apiVersion: v1
kind: ResourceQuota
metadata:
name: compute-resources-time-bound
spec:
hard:
pods: "2" (1)
limits.cpu: "1" (2)
limits.memory: "1Gi" (3)
scopes:
- Terminating (4)
1 | The total number of pods in a non-terminal state. |
2 | Across all pods in a non-terminal state, the sum of CPU limits cannot exceed this value. |
3 | Across all pods in a non-terminal state, the sum of memory limits cannot exceed this value. |
4 | Restricts the quota to only matching pods where spec.activeDeadlineSeconds >=0 . For example,
this quota would charge for build or deployer pods, but not long running pods like a web server or database. |
apiVersion: v1
kind: ResourceQuota
metadata:
name: storage-consumption
spec:
hard:
persistentvolumeclaims: "10" (1)
requests.storage: "50Gi" (2)
gold.storageclass.storage.k8s.io/requests.storage: "10Gi" (3)
silver.storageclass.storage.k8s.io/requests.storage: "20Gi" (4)
silver.storageclass.storage.k8s.io/persistentvolumeclaims: "5" (5)
bronze.storageclass.storage.k8s.io/requests.storage: "0" (6)
bronze.storageclass.storage.k8s.io/persistentvolumeclaims: "0" (7)
1 | The total number of persistent volume claims in a project |
2 | Across all persistent volume claims in a project, the sum of storage requested cannot exceed this value. |
3 | Across all persistent volume claims in a project, the sum of storage requested in the gold storage class cannot exceed this value. |
4 | Across all persistent volume claims in a project, the sum of storage requested in the silver storage class cannot exceed this value. |
5 | Across all persistent volume claims in a project, the total number of claims in the silver storage class cannot exceed this value. |
6 | Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this is set to 0 , it means bronze storage class cannot request storage. |
7 | Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this is set to 0 , it means bronze storage class cannot create claims. |
To create a quota, first define the quota to your specifications in a file, for example as seen in Sample Resource Quota Definitions. Then, create using that file to apply it to a project:
$ oc create -f <resource_quota_definition> [-n <project_name>]
For example:
$ oc create -f resource-quota.json -n demoproject
You can view usage statistics related to any hard limits defined in a project’s quota by navigating in the web console to the project’s Quota page.
You can also use the CLI to view quota details:
First, get the list of quotas defined in the project. For example, for a project called demoproject:
$ oc get quota -n demoproject NAME AGE besteffort 11m compute-resources 2m core-object-counts 29m
Then, describe the quota you are interested in, for example the core-object-counts quota:
$ oc describe quota core-object-counts -n demoproject Name: core-object-counts Namespace: demoproject Resource Used Hard -------- ---- ---- configmaps 3 10 persistentvolumeclaims 0 4 replicationcontrollers 3 20 secrets 9 10 services 2 10
When a set of resources are deleted, the synchronization time frame of resources
is determined by the resource-quota-sync-period
setting in the
/etc/origin/master/master-config.yaml file.
Before quota usage is restored, a user may encounter problems when attempting to
reuse the resources. You can change the resource-quota-sync-period
setting
to have the set of resources regenerate at the desired amount of time (in
seconds) and for the resources to be available again:
kubernetesMasterConfig:
apiLevels:
- v1beta3
- v1
apiServerArguments: null
controllerArguments:
resource-quota-sync-period:
- "10s"
After making any changes, restart the master services to apply them.
# systemctl restart origin-master-api origin-master-controllers
Adjusting the regeneration time can be helpful for creating resources and determining resource usage when automation is used.
The |
If a quota has been defined for your project, see Deployment Resources for considerations on any deployment configurations.
This feature is tech preview and subject to change in future releases. |
If a resource is not managed by quota, a user has no restriction on the amount of resource that can be consumed. For example, if there is no quota on storage related to the gold storage class, the amount of gold storage a project can create is unbounded.
For high-cost compute or storage resources, administrators may want to require an explicit quota be granted in order to consume a resource. For example, if a project was not explicitly given quota for storage related to the gold storage class, users of that project would not be able to create any storage of that type.
In order to require explicit quota to consume a particular resource, the following stanza should be added to the master-config.yaml.
admissionConfig:
pluginConfig:
ResourceQuota:
configuration:
apiVersion: resourcequota.admission.k8s.io/v1alpha1
kind: Configuration
limitedResources:
- resource: persistentvolumeclaims (1)
matchContains:
- gold.storageclass.storage.k8s.io/requests.storage (2)
1 | The group/resource to whose consumption is limited by default. |
2 | The name of the resource tracked by quota associated with the group/resource to limit by default. |
In the above example, the quota system will intercept every operation that
creates or updates a PersistentVolumeClaim
. It checks what resources understood
by quota would be consumed, and if there is no covering quota for those resources
in the project, the request is denied. In this example, if a user creates a
PersistentVolumeClaim
that uses storage associated with the gold storage class,
and there is no matching quota in the project, the request is denied.