docs/doc/source/security/kubernetes/resource-management.rst
Juanita Balaraj 8a8059a1e4 PSP Removal in support of transition to k8s 1.25/1.26
Updated Patchset 1 comments
Removed topic from an archived folder
Commented out related links to these topics
Removed all PSP topics
Story: 2010590
Task: 50961

Change-Id: If129ebfc9f4622f69114c5dac0163a5e84caa27f
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2024-10-09 19:12:30 +00:00


Resource Management

Kubernetes supports two types of resource policies, LimitRange and ResourceQuota.

LimitRange

By default, containers run with unbounded resources on a Kubernetes cluster, so a single Pod could monopolize all available resources on a worker node. A LimitRange is a policy that constrains resource allocations (for Pods or Containers) in a particular namespace.

Specifically, a LimitRange policy provides constraints that can:

  • Enforce minimum and maximum compute resources usage per Pod or Container in a namespace.
  • Enforce minimum and maximum storage request per PersistentVolumeClaim in a namespace.
  • Enforce a ratio between request and limit for a resource in a namespace.
  • Set default request/limit for compute resources in a namespace and automatically inject them into Containers at runtime.

See https://kubernetes.io/docs/concepts/policy/limit-range/ for more details.

An example of LimitRange policies for the billing-dept-ns namespace used in the example in Private Namespace and Restricted RBAC <private-namespace-and-restricted-rbac> is shown below:

apiVersion: v1
kind: LimitRange
metadata:
  name: mem-cpu-per-container-limit
  namespace: billing-dept-ns
spec:
  limits:
  - max:
      cpu: "800m"
      memory: "1Gi"
    min:
      cpu: "100m"
      memory: "99Mi"
    default:
      cpu: "700m"
      memory: "700Mi"
    defaultRequest:
      cpu: "110m"
      memory: "111Mi"
    type: Container
---
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-cpu-per-pod-limit
  namespace: billing-dept-ns
spec:
  limits:
  - max:
      cpu: "2"
      memory: "2Gi"
    type: Pod
---
apiVersion: v1
kind: LimitRange
metadata:
  name: pvc-limit
  namespace: billing-dept-ns
spec:
  limits:
  - type: PersistentVolumeClaim
    max:
      storage: 3Gi
    min:
      storage: 1Gi
---
apiVersion: v1
kind: LimitRange
metadata:
  name: memory-ratio-pod-limit
  namespace: billing-dept-ns
spec:
  limits:
  - maxLimitRequestRatio:
      memory: 10
    type: Pod
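To see what the four LimitRange objects above do to a Pod submitted to billing-dept-ns, the following is an added example (not StarlingX or Kubernetes code) that simulates the admission checks offline: it copies a missing request from its limit, injects the default/defaultRequest values, checks each container against the per-container min/max, then checks the summed limits against the Pod max and the memory limit/request ratio. The container specs passed to admit() are constructed for the example.

```python
# Added example, not StarlingX code: offline simulation of the LimitRange
# checks imposed by the four policies above. Quantities are the page's values;
# the defaulting order (request copied from limit, then LimitRange
# default/defaultRequest) follows the upstream LimitRange documentation.
SUFFIX = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}
CONTAINER_LR = {  # mem-cpu-per-container-limit (type: Container)
    "max": {"cpu": "800m", "memory": "1Gi"}, "min": {"cpu": "100m", "memory": "99Mi"},
    "default": {"cpu": "700m", "memory": "700Mi"},
    "defaultRequest": {"cpu": "110m", "memory": "111Mi"}}
POD_MAX = {"cpu": "2", "memory": "2Gi"}   # mem-cpu-per-pod-limit (type: Pod)
POD_MAX_RATIO = {"memory": 10}            # memory-ratio-pod-limit (type: Pod)


def qty(resource, value):
    """Parse a Kubernetes quantity string: cpu -> millicores, memory -> bytes."""
    s = str(value)
    if resource == "cpu":
        return int(s[:-1]) if s.endswith("m") else int(float(s) * 1000)
    for suf, mult in SUFFIX.items():
        if s.endswith(suf):
            return int(s[:-2]) * mult
    return int(s)


def admit(containers):
    """Apply defaults to each container dict in place; return violations ([] = admitted)."""
    errs = []
    tot = {"requests": {"cpu": 0, "memory": 0}, "limits": {"cpu": 0, "memory": 0}}
    for c in containers:
        res = c.setdefault("resources", {})
        lim, req = res.setdefault("limits", {}), res.setdefault("requests", {})
        for r in ("cpu", "memory"):
            if r in lim and r not in req:      # API defaulting: request := limit
                req[r] = lim[r]
            lim.setdefault(r, CONTAINER_LR["default"][r])          # LimitRange default
            req.setdefault(r, CONTAINER_LR["defaultRequest"][r])   # LimitRange defaultRequest
            for kind, v in (("requests", req[r]), ("limits", lim[r])):
                if qty(r, v) > qty(r, CONTAINER_LR["max"][r]):
                    errs.append(f"{c['name']}: {kind} {r}={v} exceeds max")
                if qty(r, v) < qty(r, CONTAINER_LR["min"][r]):
                    errs.append(f"{c['name']}: {kind} {r}={v} below min")
                tot[kind][r] += qty(r, v)
    # Pod-type policies apply to the sums over all containers; limits are the
    # binding side of the max check since a request can never exceed its limit.
    for r in ("cpu", "memory"):
        if tot["limits"][r] > qty(r, POD_MAX[r]):
            errs.append(f"pod: total {r} limit exceeds {POD_MAX[r]}")
    for r, ratio in POD_MAX_RATIO.items():
        if tot["limits"][r] > ratio * tot["requests"][r]:
            errs.append(f"pod: {r} limit/request ratio exceeds {ratio}")
    return errs
```

A Pod whose containers each stay within the per-container limits can still be rejected by the Pod-type policy once their limits are summed, which is the case the three-container check in the test exercises.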

ResourceQuota

A ResourceQuota policy object provides constraints that limit aggregate resource consumption per namespace. It can limit the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that namespace. ResourceQuota limits can be created for cpu, memory, storage and resource counts for all standard namespaced resource types such as secrets, configmaps, etc.

See https://kubernetes.io/docs/concepts/policy/resource-quotas/ for more details.

An example of ResourceQuota policies for the billing-dept-ns namespace used in Private Namespace and Restricted RBAC <private-namespace-and-restricted-rbac> is shown below:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: resource-quotas
  namespace: billing-dept-ns
spec:
  hard:
    persistentvolumeclaims: "1"
    services.loadbalancers: "2"
    services.nodeports: "0"