Applying Quotas

OKD can enforce quotas that track and limit the use of two kinds of resources:

  • Object counts: The number of Kubernetes resources, such as pods, services, and routes.

  • Compute resources: The number of physical or virtual hardware resources, such as CPU, memory, and storage capacity.

Imposing a quota on the number of Kubernetes resources improves the stability of the OKD control plane, by avoiding unbounded growth of the Etcd database. Quotas on Kubernetes resources also avoids exhausting other limited software resources, such as IP addresses for services.

In a similar way, imposing a quota on the amount of compute resources avoids exhausting the compute capacity of a single node in an OKD cluster. It also avoids having one application starve other applications in a shared cluster by using all the cluster capacity.

OKD manages quotas for the number of resources and the use of compute resources in a cluster by using a ResourceQuota resource, or a quota. A quota specifies hard resource usage limits for a project. All attributes of a quota are optional, meaning that any resource that is not restricted by a quota can be consumed without bounds.

Although a single quota resource can define all of the quotas for a project, a project can contain multiple quotas. For example, one quota resource might limit compute resources, such as total CPU allowed or total memory allowed.

Another quota resource might limit object counts, such as the number of pods allowed or the number of services allowed. The effect of multiple quotas is cumulative, but it is expected that two different ResourceQuota resources for the same project do not limit the use of the same type of Kubernetes or compute resource. For example, two different quotas in a project should not both attempt to limit the maximum number of pods allowed.

The following table describes some resources that a quota can restrict by their count or number.

Resource Name Quota Description
pods Total number of pods
replicationcontrollers Total number of replication controllers
services Total number of services
secrets Total number of secrets
persistentvolumeclaims Total number of persistent volume claims

The following table describes some compute resources that can be restricted by a quota.

Compute Resource Name Quota Description
cpu (requests.cpu) Total CPU use across all containers
memory (requests.memory) Total memory use across all containers
storage ( Total storage requests by containers across all persistent volume claims

Quota attributes can track either resource requests or resource limits for all pods in the project.

By default, quota attributes track resource requests. To track resource limits instead, prefix the compute resource name with limits, for example, limits.cpu.

The following listing show a ResourceQuota resource defined using YAML syntax. This example specifies quotas for both the number of resources and the use of compute resources:

apiVersion: v1
kind: ResourceQuota
    name: dev-quota
        services: "10"
        cpu: "1300m"
        memory: "1.5Gi"

Resource units are the same for pod resource requests and resource limits, for example: Gi means GiB, and m means millicores. One millicore is the equivalent to 1/1000 of a single CPU core.

Resource quotas can be created in the same way as any other OKD resource; that is, by passing a YAML or JSON resource definition file to the oc create command:

[user@demo ~]$ oc create --save-config -f dev-quota.yml

Another way to create a resource quota is by using the oc create quota command, for example:

oc create quota dev-quota --hard services=10,cpu=1300,memory=1.5Gi

Use the oc get resourcequota command to list available quotas, and use the oc describe resourcequota command to view usage statistics related to any hard limits defined in the quota, for example:

oc get resourcequota

Without arguments, the oc describe quota command displays the cumulative limits set for all ResourceQuota resources in the project.

oc describe quota

An active quota can be deleted by name using the oc delete command:

oc delete resourcequota QUOTA

When a quota is first created in a project, the project restricts the ability to create any new resources that might violate a quota constraint until it has calculated updated usage statistics.

After a quota is created and usage statistics are up-to-date, the project accepts the creation of new content. When a new resource is created, the quota usage is incremented immediately. When a resource is deleted, the quota use is decremented during the next full recalculation of quota statistics for the project.

Quotas are applied to new resources, but they do not affect existing resources. For example, if you create a quota to limit a project to 15 pods, but there are already 20 pods running, then the quota will not remove the additional 5 pods that exceed the quota.

If a modification to a project exceeds the quota for a resource count, then the action is denied by the server and an appropriate error message is returned to the user. However, if the modification exceeds the quota for a compute resource, then the operation does not fail immediately;

OKD retries the operation several times, giving the administrator an opportunity to increase the quota or to perform another corrective action, such as bringing a new node online.