Part 02: How to force quotas limit to Kubernetes resources

This blog is a continuation of previous blog series https://goglides.io/2020/03/03/limit-range-kubernetes/

Limiting Pod Compute Resources

I am going to use limitrange-demo2 namespace. It will be easier to test features without affecting the previous deployment. Create a file limitrange-pod.yaml with the following content.

apiVersion: v1
kind: Namespace
metadata:
  name: limitrange-demo2
---
apiVersion: v1
kind: LimitRange
metadata:
  name: limit-mem-cpu-per-pod
  namespace: limitrange-demo2
spec:
  limits:
  - max:
      cpu: "2"
      memory: "2Gi"
    type: Pod

kubectl apply -f limitrange-pod.yaml

namespace/limitrange-demo2 created
limitrange/limit-mem-cpu-per-pod created

Now create the busybox2.yaml file with the following content.

apiVersion: v1
kind: Pod
metadata:
  name: busybox2
  namespace: limitrange-demo2
spec:
  containers:
  - name: busybox-cnt01
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo hello from cnt01; sleep 10;done"]
    resources:
      requests:
        memory: "100Mi"
        cpu: "100m"
      limits:
        memory: "200Mi"
        cpu: "500m"
  - name: busybox-cnt02
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo hello from cnt02; sleep 10;done"]
    resources:
      requests:
        memory: "100Mi"
        cpu: "100m"
  - name: busybox-cnt03
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo hello from cnt03; sleep 10;done"]
    resources:
      limits:
        memory: "200Mi"
        cpu: "500m"
  - name: busybox-cnt04
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo hello from cnt04; sleep 10;done"]

Apply it,

kubectl apply -f busybox2.yaml

You will see the following Output:
Error from server (Forbidden): error when creating "limitrange-pod.yaml": pods "busybox2" is forbidden: [maximum cpu usage per Pod is 2.  No limit is specified, maximum memory usage per Pod is 2Gi.  No limit is specified]

Here I am hitting a different issue, only the first container busybox-cnt01 has “request” and “limit” configured. But since I am deploying this pod in new namespace limitrange-demo2 so there is no default value assigned to a container if limit/request not assigned explicitly from manifests. Lets me create a default LimitRange using the following,

apiVersion: v1
kind: LimitRange
metadata:
  name: limit-mem-cpu-per-container
  namespace: limitrange-demo2
spec:
  limits:
  - default:
      cpu: "700m"
      memory: "900Mi"
    defaultRequest:
      cpu: "110m"
      memory: "111Mi"
    type: Container

Once you apply this try to redeploy busybox2 again.

kubectl apply -f busybox2.yaml

You will see the following Output:
Error from server (Forbidden): error when creating "limitrange-pod.yaml": pods "busybox2" is forbidden: [maximum cpu usage per Pod is 2, but limit is 2400m, maximum memory usage per Pod is 2Gi, but limit is 2306867200]

The reason for this is, any container which is missing limits and request will be assigned a default cpu: 700m and default memory: 900Mi. So for busybox2 example.

busybox-cnt01 -> cpu -> 500m
busybox-cnt02 -> cpu -> 700m (missing limits)
busybox-cnt03 -> cpu -> 500m
busybox-cnt04 -> cpu -> 700m (missing limits)

And sum total is 2400m which is violating pods limitRange criteria of 2 CPU. Same thing is valid for memory limits.