OpenShift- limit/Quota/LimitRange

Khemnath chauhan
5 min readJan 20, 2024

The goal in this topic is to study how to limit the resources consumed by OpenShift objects — containers, pods, and projects.

Defining Resource Requests and Limits for Pods:

Resource requests:
Used for scheduling and to indicate that a pod cannot run with less than the specified amount of compute resources. The scheduler tries to find a node with sufficient compute resources to satisfy the pod requests.
Resource limits:
Used to prevent a pod from using up all compute resources from a node. The node that runs a pod configures the Linux kernel cgroups feature to enforce the pod’s resource limits.

Sample Code:

spec:
containers:
- image: your-image:latest
name: apache-web
resources:
requests:
cpu: "10m"
memory: 20Mi
limits:
cpu: "80m"
memory: 100Mi

We can use command sets the same requests and limits as the above example:

$ oc set resources deployment apache-web --requests cpu=10m,memory=20Mi \
--limits cpu=80m,memory=100Mi

The oc describe node command displays detailed information about a node, including information about the pods running on the node. For each pod, it shows CPU requests and limits, as well as memory requests and limits. If a request or limit has not been specified, then the pod will show a 0 for that column.

Applying Quotas:

OpenShift Container Platform can enforce quotas that track and limit the use of two kinds of resources:
Object counts: The number of Kubernetes resources, such as pods, services, and routes.
Compute resources: The number of physical or virtual hardware resources, such as CPU, memory, and storage capacity.

** ResourceQuota constraints are applied for the project as a whole.

The following table describes some resources that a quota can restrict by their count or number:

The following table describes some compute resources that can be restricted by a quota:

The following listing show a ResourceQuota resource defined using YAML syntax. This example specifies quotas for both the number of resources and the use of compute resources:

apiVersion: v1 
kind: ResourceQuota
metadata:
name: poc-quota
spec:
hard:
services: “15”
cpu: “1100m”
memory: “2.5Gi”

Command line to create same Resource Quota:

$ oc create quota poc-quota --hard services=15,cpu=1100,memory=2.5Gi

An active quota can be deleted by name using the oc delete command:

Applying Limit Ranges:

A LimitRange resource, also called a limit, defines the default, minimum, and maximum values for compute resource requests, and the limits for a single pod or container defined inside the project. A resource request or limit for a pod is the sum of its containers.

The difference between a limit range and a resource quota is that- a limit range defines valid ranges and default values for a single pod, and a resource quota defines only top values for the sum of all pods in a project.

apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "poc-limits"
spec:
limits:
- type: "Pod"
max:
cpu: "500m"
memory: "750Mi"
min:
cpu: "10m"
memory: "5Mi"
- type: "Container"
max:
cpu: "500m"
memory: "750Mi"
min:
cpu: "10m"
memory: "5Mi"
default:
cpu: "100m"
memory: "100Mi"
defaultRequest:
cpu: "20m"
memory: "20Mi"
- type: openshift.io/Image
max:
storage: 1Gi
- type: openshift.io/ImageStream
max:
openshift.io/image-tags: 10
openshift.io/images: 20
- type: "PersistentVolumeClaim"
min:
storage: "1Gi"
max:
storage: "50Gi

The above means code means-

POD:
The maximum amount of CPU and memory that all containers within a pod can consume. A new pod that exceeds the maximum limits is not created. An existing pod that exceeds the maximum limits is restarted.

The minimum amount of CPU and memory consumed across all containers within a pod. A pod that does not satisfy the minimum requirements is not created. Because many pods only have one container, you might set the minimum pod values to the same values as the minimum container values.

CONTAINER:
The maximum amount of CPU and memory that an individual container within a pod can consume. A new container that exceeds the maximum limits does not create the associated pod. An existing container that exceeds the maximum limits restarts the entire pod.

The minimum amount of CPU and memory that an individual container within a pod can consume. A container that does not satisfy the minimum requirements prevents the associated pod from being created.

The default maximum amount of CPU and memory that an individual container can consume. This is used when a CPU resource limit or a memory limit is not defined for the container.

The default CPU and memory an individual container requests. This default is used when a CPU resource request or a memory request is not defined for the container. If CPU and memory quotas are enabled for a namespace, then configuring the defaultRequest section allows pods to start, even if the containers do not specify resource requests.

IMAGE:
The maximum image size that can be pushed to the internal registry

The maximum number of image tags and versions that an image stream resource can reference.

PVC:
The minimum and maximum sizes allowed for a persistent volume claim.

--

--