github.com/enmand/kubernetes@v1.2.0-alpha.0/docs/admin/resourcequota/README.md (about) 1 <!-- BEGIN MUNGE: UNVERSIONED_WARNING --> 2 3 <!-- BEGIN STRIP_FOR_RELEASE --> 4 5 <img src="http://kubernetes.io/img/warning.png" alt="WARNING" 6 width="25" height="25"> 7 <img src="http://kubernetes.io/img/warning.png" alt="WARNING" 8 width="25" height="25"> 9 <img src="http://kubernetes.io/img/warning.png" alt="WARNING" 10 width="25" height="25"> 11 <img src="http://kubernetes.io/img/warning.png" alt="WARNING" 12 width="25" height="25"> 13 <img src="http://kubernetes.io/img/warning.png" alt="WARNING" 14 width="25" height="25"> 15 16 <h2>PLEASE NOTE: This document applies to the HEAD of the source tree</h2> 17 18 If you are using a released version of Kubernetes, you should 19 refer to the docs that go with that version. 20 21 <strong> 22 The latest 1.0.x release of this document can be found 23 [here](http://releases.k8s.io/release-1.0/docs/admin/resourcequota/README.md). 24 25 Documentation for other releases can be found at 26 [releases.k8s.io](http://releases.k8s.io). 27 </strong> 28 -- 29 30 <!-- END STRIP_FOR_RELEASE --> 31 32 <!-- END MUNGE: UNVERSIONED_WARNING --> 33 Resource Quota 34 ======================================== 35 This example demonstrates how [resource quota](../../admin/admission-controllers.md#resourcequota) and 36 [limitsranger](../../admin/admission-controllers.md#limitranger) can be applied to a Kubernetes namespace. 37 See [ResourceQuota design doc](../../design/admission_control_resource_quota.md) for more information. 38 39 This example assumes you have a functional Kubernetes setup. 40 41 Step 1: Create a namespace 42 ----------------------------------------- 43 This example will work in a custom namespace to demonstrate the concepts involved. 44 45 Let's create a new namespace called quota-example: 46 47 ```console 48 $ kubectl create -f docs/admin/resourcequota/namespace.yaml 49 namespace "quota-example" created 50 $ kubectl get namespaces 51 NAME LABELS STATUS AGE 52 default <none> Active 2m 53 quota-example <none> Active 39s 54 ``` 55 56 Step 2: Apply a quota to the namespace 57 ----------------------------------------- 58 By default, a pod will run with unbounded CPU and memory requests/limits. This means that any pod in the 59 system will be able to consume as much CPU and memory on the node that executes the pod. 60 61 Users may want to restrict how much of the cluster resources a given namespace may consume 62 across all of its pods in order to manage cluster usage. To do this, a user applies a quota to 63 a namespace. A quota lets the user set hard limits on the total amount of node resources (cpu, memory) 64 and API resources (pods, services, etc.) that a namespace may consume. In term of resources, Kubernetes 65 checks the total resource *requests*, not resource *limits* of all containers/pods in the namespace. 66 67 Let's create a simple quota in our namespace: 68 69 ```console 70 $ kubectl create -f docs/admin/resourcequota/quota.yaml --namespace=quota-example 71 resourcequota "quota" created 72 ``` 73 74 Once your quota is applied to a namespace, the system will restrict any creation of content 75 in the namespace until the quota usage has been calculated. This should happen quickly. 76 77 You can describe your current quota usage to see what resources are being consumed in your 78 namespace. 79 80 ```console 81 $ kubectl describe quota quota --namespace=quota-example 82 Name: quota 83 Namespace: quota-example 84 Resource Used Hard 85 -------- ---- ---- 86 cpu 0 20 87 memory 0 1Gi 88 persistentvolumeclaims 0 10 89 pods 0 10 90 replicationcontrollers 0 20 91 resourcequotas 1 1 92 secrets 1 10 93 services 0 5 94 ``` 95 96 Step 3: Applying default resource requests and limits 97 ----------------------------------------- 98 Pod authors rarely specify resource requests and limits for their pods. 99 100 Since we applied a quota to our project, let's see what happens when an end-user creates a pod that has unbounded 101 cpu and memory by creating an nginx container. 102 103 To demonstrate, lets create a replication controller that runs nginx: 104 105 ```console 106 $ kubectl run nginx --image=nginx --replicas=1 --namespace=quota-example 107 replicationcontroller "nginx" created 108 ``` 109 110 Now let's look at the pods that were created. 111 112 ```console 113 $ kubectl get pods --namespace=quota-example 114 NAME READY STATUS RESTARTS AGE 115 ``` 116 117 What happened? I have no pods! Let's describe the replication controller to get a view of what is happening. 118 119 ```console 120 kubectl describe rc nginx --namespace=quota-example 121 Name: nginx 122 Namespace: quota-example 123 Image(s): nginx 124 Selector: run=nginx 125 Labels: run=nginx 126 Replicas: 0 current / 1 desired 127 Pods Status: 0 Running / 0 Waiting / 0 Succeeded / 0 Failed 128 No volumes. 129 Events: 130 FirstSeen LastSeen Count From SubobjectPath Reason Message 131 42s 11s 3 {replication-controller } FailedCreate Error creating: Pod "nginx-" is forbidden: Must make a non-zero request for memory since it is tracked by quota. 132 ``` 133 134 The Kubernetes API server is rejecting the replication controllers requests to create a pod because our pods 135 do not specify any memory usage *request*. 136 137 So let's set some default values for the amount of cpu and memory a pod can consume: 138 139 ```console 140 $ kubectl create -f docs/admin/resourcequota/limits.yaml --namespace=quota-example 141 limitrange "limits" created 142 $ kubectl describe limits limits --namespace=quota-example 143 Name: limits 144 Namespace: quota-example 145 Type Resource Min Max Request Limit Limit/Request 146 ---- -------- --- --- ------- ----- ------------- 147 Container memory - - 256Mi 512Mi - 148 Container cpu - - 100m 200m - 149 ``` 150 151 Now any time a pod is created in this namespace, if it has not specified any resource request/limit, the default 152 amount of cpu and memory per container will be applied, and the request will be used as part of admission control. 153 154 Now that we have applied default resource *request* for our namespace, our replication controller should be able to 155 create its pods. 156 157 ```console 158 $ kubectl get pods --namespace=quota-example 159 NAME READY STATUS RESTARTS AGE 160 nginx-fca65 1/1 Running 0 1m 161 ``` 162 163 And if we print out our quota usage in the namespace: 164 165 ```console 166 $ kubectl describe quota quota --namespace=quota-example 167 Name: quota 168 Namespace: quota-example 169 Resource Used Hard 170 -------- ---- ---- 171 cpu 100m 20 172 memory 256Mi 1Gi 173 persistentvolumeclaims 0 10 174 pods 1 10 175 replicationcontrollers 1 20 176 resourcequotas 1 1 177 secrets 1 10 178 services 0 5 179 ``` 180 181 You can now see the pod that was created is consuming explicit amounts of resources (specified by resource *request*), 182 and the usage is being tracked by the Kubernetes system properly. 183 184 Summary 185 ---------------------------- 186 Actions that consume node resources for cpu and memory can be subject to hard quota limits defined 187 by the namespace quota. The resource consumption is measured by resource *request* in pod specification. 188 189 Any action that consumes those resources can be tweaked, or can pick up namespace level defaults to 190 meet your end goal. 191 192 193 <!-- BEGIN MUNGE: GENERATED_ANALYTICS --> 194 []() 195 <!-- END MUNGE: GENERATED_ANALYTICS -->