2015-07-12 04:04:52 +00:00
|
|
|
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
|
|
|
|
|
|
|
|
|
|
<!-- BEGIN STRIP_FOR_RELEASE -->
|
|
|
|
|
|
2015-07-16 17:02:26 +00:00
|
|
|
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
|
|
|
|
|
width="25" height="25">
|
|
|
|
|
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
|
|
|
|
|
width="25" height="25">
|
|
|
|
|
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
|
|
|
|
|
width="25" height="25">
|
|
|
|
|
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
|
|
|
|
|
width="25" height="25">
|
|
|
|
|
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
|
|
|
|
|
width="25" height="25">
|
|
|
|
|
|
|
|
|
|
<h2>PLEASE NOTE: This document applies to the HEAD of the source tree</h2>
|
|
|
|
|
|
|
|
|
|
If you are using a released version of Kubernetes, you should
|
|
|
|
|
refer to the docs that go with that version.
|
|
|
|
|
|
|
|
|
|
<strong>
|
|
|
|
|
The latest 1.0.x release of this document can be found
|
|
|
|
|
[here](http://releases.k8s.io/release-1.0/docs/admin/resource-quota.md).
|
|
|
|
|
|
|
|
|
|
Documentation for other releases can be found at
|
|
|
|
|
[releases.k8s.io](http://releases.k8s.io).
|
|
|
|
|
</strong>
|
|
|
|
|
--
|
2015-07-13 22:15:35 +00:00
|
|
|
|
2015-07-12 04:04:52 +00:00
|
|
|
<!-- END STRIP_FOR_RELEASE -->
|
|
|
|
|
|
|
|
|
|
<!-- END MUNGE: UNVERSIONED_WARNING -->
|
2015-07-17 22:35:41 +00:00
|
|
|
|
2015-07-17 23:29:29 +00:00
|
|
|
# Resource Quotas
|
|
|
|
|
|
|
|
|
|
When several users or teams share a cluster with a fixed number of nodes,
|
|
|
|
|
there is a concern that one team could use more than its fair share of resources.
|
|
|
|
|
|
|
|
|
|
Resource quotas are a tool for administrators to address this concern. Resource quotas
|
|
|
|
|
work like this:
|
|
|
|
|
- Different teams work in different namespaces. Currently this is voluntary, but
|
|
|
|
|
support for making this mandatory via ACLs is planned.
|
|
|
|
|
- Users put [compute resource limits](../user-guide/compute-resources.md) on their pods.
|
|
|
|
|
- The administrator creates a Resource Quota for each namespace.
|
2015-07-20 20:44:06 +00:00
|
|
|
- If creating a pod would cause the namespace to exceed any of the limits specified in the
|
|
|
|
|
the Resource Quota for that namespace, then the request will fail with HTTP status
|
2015-07-17 23:29:29 +00:00
|
|
|
code `403 FORBIDDEN`.
|
|
|
|
|
- If quota is enabled in a namespace and the user does not specify limits on the pod for each
|
|
|
|
|
of the resources for which quota is enabled, then the POST of the pod will fail with HTTP
|
|
|
|
|
status code `403 FORBIDDEN`. Hint: Use the LimitRange admission controller to force default
|
|
|
|
|
values of limits before the quota is checked to avoid this problem.
|
|
|
|
|
|
|
|
|
|
Examples of policies that could be created using namespaces and quotas are:
|
|
|
|
|
- In a cluster with a capacity of 32 GiB RAM, and 16 cores, let team A use 20 Gib and 10 cores,
|
|
|
|
|
let B use 10GiB and 4 cores, and hold 2GiB and 2 cores in reserve for future allocation.
|
|
|
|
|
- Limit the "testing" namespace to using 1 core and 1GiB RAM. Let the "production" namespace
|
|
|
|
|
use any amount.
|
|
|
|
|
|
2015-07-20 20:44:06 +00:00
|
|
|
In the case where the total capacity of the cluster is less than the sum of the quotas of the namespaces,
|
2015-07-17 23:29:29 +00:00
|
|
|
there may be contention for resources. This is handled on a first-come-first-served basis.
|
|
|
|
|
|
|
|
|
|
Neither contention nor changes to quota will affect already-running pods.
|
2015-03-16 22:14:30 +00:00
|
|
|
|
|
|
|
|
## Enabling Resource Quota
|
|
|
|
|
|
2015-07-20 20:45:36 +00:00
|
|
|
Resource Quota support is enabled by default for many Kubernetes distributions. It is
|
2015-07-29 20:09:04 +00:00
|
|
|
enabled when the apiserver `--admission-control=` flag has `ResourceQuota` as
|
2015-05-26 01:53:32 +00:00
|
|
|
one of its arguments.
|
2015-03-16 22:14:30 +00:00
|
|
|
|
|
|
|
|
Resource Quota is enforced in a particular namespace when there is a
|
|
|
|
|
`ResourceQuota` object in that namespace. There should be at most one
|
|
|
|
|
`ResourceQuota` object in a namespace.
|
|
|
|
|
|
2015-07-17 23:29:29 +00:00
|
|
|
## Compute Resource Quota
|
|
|
|
|
|
|
|
|
|
The total sum of [compute resources](../user-guide/compute-resources.md) requested by pods
|
|
|
|
|
in a namespace can be limited. The following compute resource types are supported:
|
|
|
|
|
|
|
|
|
|
| ResourceName | Description |
|
|
|
|
|
| ------------ | ----------- |
|
|
|
|
|
| cpu | Total cpu limits of containers |
|
|
|
|
|
| memory | Total memory limits of containers
|
|
|
|
|
|
|
|
|
|
For example, `cpu` quota sums up the `resources.limits.cpu` fields of every
|
|
|
|
|
container of every pod in the namespace, and enforces a maximum on that sum.
|
|
|
|
|
|
2015-07-17 22:35:41 +00:00
|
|
|
## Object Count Quota
|
|
|
|
|
|
2015-03-16 22:14:30 +00:00
|
|
|
The number of objects of a given type can be restricted. The following types
|
|
|
|
|
are supported:
|
2015-04-05 09:56:03 +00:00
|
|
|
|
2015-03-16 22:14:30 +00:00
|
|
|
| ResourceName | Description |
|
|
|
|
|
| ------------ | ----------- |
|
|
|
|
|
| pods | Total number of pods |
|
|
|
|
|
| services | Total number of services |
|
|
|
|
|
| replicationcontrollers | Total number of replication controllers |
|
2015-07-16 00:28:59 +00:00
|
|
|
| resourcequotas | Total number of [resource quotas](admission-controllers.md#resourcequota) |
|
2015-04-08 21:03:56 +00:00
|
|
|
| secrets | Total number of secrets |
|
2015-07-16 00:28:59 +00:00
|
|
|
| persistentvolumeclaims | Total number of [persistent volume claims](../user-guide/persistent-volumes.md#persistentvolumeclaims) |
|
2015-03-16 22:14:30 +00:00
|
|
|
|
|
|
|
|
For example, `pods` quota counts and enforces a maximum on the number of `pods`
|
|
|
|
|
created in a single namespace.
|
|
|
|
|
|
2015-07-17 23:29:29 +00:00
|
|
|
You might want to set a pods quota on a namespace
|
|
|
|
|
to avoid the case where a user creates many small pods and exhausts the cluster's
|
|
|
|
|
supply of Pod IPs.
|
2015-03-16 22:14:30 +00:00
|
|
|
|
|
|
|
|
## Viewing and Setting Quotas
|
2015-07-17 22:35:41 +00:00
|
|
|
|
2015-03-16 22:14:30 +00:00
|
|
|
Kubectl supports creating, updating, and viewing quotas
|
2015-07-17 02:01:02 +00:00
|
|
|
|
2015-07-19 05:43:48 +00:00
|
|
|
```console
|
2015-03-16 22:14:30 +00:00
|
|
|
$ kubectl namespace myspace
|
|
|
|
|
$ cat <<EOF > quota.json
|
|
|
|
|
{
|
2015-06-05 19:47:15 +00:00
|
|
|
"apiVersion": "v1",
|
2015-03-16 22:14:30 +00:00
|
|
|
"kind": "ResourceQuota",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "quota",
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"hard": {
|
|
|
|
|
"memory": "1Gi",
|
|
|
|
|
"cpu": "20",
|
|
|
|
|
"pods": "10",
|
|
|
|
|
"services": "5",
|
|
|
|
|
"replicationcontrollers":"20",
|
|
|
|
|
"resourcequotas":"1",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
EOF
|
2015-07-16 00:20:39 +00:00
|
|
|
$ kubectl create -f ./quota.json
|
2015-03-16 22:14:30 +00:00
|
|
|
$ kubectl get quota
|
|
|
|
|
NAME
|
|
|
|
|
quota
|
|
|
|
|
$ kubectl describe quota quota
|
|
|
|
|
Name: quota
|
|
|
|
|
Resource Used Hard
|
|
|
|
|
-------- ---- ----
|
|
|
|
|
cpu 0m 20
|
|
|
|
|
memory 0 1Gi
|
|
|
|
|
pods 5 10
|
|
|
|
|
replicationcontrollers 5 20
|
|
|
|
|
resourcequotas 1 1
|
|
|
|
|
services 3 5
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Quota and Cluster Capacity
|
2015-07-17 22:35:41 +00:00
|
|
|
|
2015-07-17 23:29:29 +00:00
|
|
|
Resource Quota objects are independent of the Cluster Capacity. They are
|
|
|
|
|
expressed in absolute units. So, if you add nodes to your cluster, this does *not*
|
|
|
|
|
automatically give each namespace the ability to consume more resources.
|
2015-03-16 22:14:30 +00:00
|
|
|
|
|
|
|
|
Sometimes more complex policies may be desired, such as:
|
|
|
|
|
- proportionally divide total cluster resources among several teams.
|
|
|
|
|
- allow each tenant to grow resource usage as needed, but have a generous
|
|
|
|
|
limit to prevent accidental resource exhaustion.
|
2015-07-17 23:29:29 +00:00
|
|
|
- detect demand from one namespace, add nodes, and increase quota.
|
2015-03-16 22:14:30 +00:00
|
|
|
|
|
|
|
|
Such policies could be implemented using ResourceQuota as a building-block, by
|
2015-06-16 21:48:51 +00:00
|
|
|
writing a 'controller' which watches the quota usage and adjusts the quota
|
2015-07-24 21:52:18 +00:00
|
|
|
hard limits of each namespace according to other signals.
|
2015-07-17 23:29:29 +00:00
|
|
|
|
|
|
|
|
Note that resource quota divides up aggregate cluster resources, but it creates no
|
|
|
|
|
restrictions around nodes: pods from several namespaces may run on the same node.
|
2015-05-14 22:12:45 +00:00
|
|
|
|
2015-07-16 00:28:59 +00:00
|
|
|
## Example
|
2015-07-17 22:35:41 +00:00
|
|
|
|
2015-07-24 21:52:18 +00:00
|
|
|
See a [detailed example for how to use resource quota](../user-guide/resourcequota/).
|
2015-07-16 00:28:59 +00:00
|
|
|
|
2015-07-17 23:29:29 +00:00
|
|
|
## Read More
|
|
|
|
|
|
|
|
|
|
See [ResourceQuota design doc](../design/admission_control_resource_quota.md) for more information.
|
|
|
|
|
|
2015-05-14 22:12:45 +00:00
|
|
|
|
2015-07-14 00:13:09 +00:00
|
|
|
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
|
2015-07-10 19:39:25 +00:00
|
|
|
[]()
|
2015-07-14 00:13:09 +00:00
|
|
|
<!-- END MUNGE: GENERATED_ANALYTICS -->
|
