Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 8. Working with clusters

You can view events in Red Hat OpenShift Service on AWS, which are based on events that happen to API objects in an Red Hat OpenShift Service on AWS cluster.

8.1.1. Understanding events
Copy link

Review the following information to learn how Red Hat OpenShift Service on AWS uses events to record information about real-world events in a resource-agnostic manner. Events also allow developers and administrators to consume information about system components in a unified way.

8.1.2. Viewing events using the CLI
Copy link

You can get a list of events in a given project by using the CLI.

Procedure

  • View events in a project by using a command similar to the following: 

    $ oc get events [-n <project>]
    Copy to Clipboard Toggle word wrap

    where:

    project
    Specifies the name of the project.

    For example: 

    $ oc get events -n openshift-config
    Copy to Clipboard Toggle word wrap

    Example output

    LAST SEEN   TYPE      REASON                   OBJECT                      MESSAGE
97m         Normal    Scheduled                pod/dapi-env-test-pod       Successfully assigned openshift-config/dapi-env-test-pod to ip-10-0-171-202.ec2.internal
97m         Normal    Pulling                  pod/dapi-env-test-pod       pulling image "gcr.io/google_containers/busybox"
97m         Normal    Pulled                   pod/dapi-env-test-pod       Successfully pulled image "gcr.io/google_containers/busybox"
97m         Normal    Created                  pod/dapi-env-test-pod       Created container
9m5s        Warning   FailedCreatePodSandBox   pod/dapi-volume-test-pod    Failed create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_dapi-volume-test-pod_openshift-config_6bc60c1f-452e-11e9-9140-0eec59c23068_0(748c7a40db3d08c07fb4f9eba774bd5effe5f0d5090a242432a73eee66ba9e22): Multus: Err adding pod to network "ovn-kubernetes": cannot set "ovn-kubernetes" ifname to "eth0": no netns: failed to Statfs "/proc/33366/ns/net": no such file or directory
8m31s       Normal    Scheduled                pod/dapi-volume-test-pod    Successfully assigned openshift-config/dapi-volume-test-pod to ip-10-0-171-202.ec2.internal
#...
    Copy to Clipboard Toggle word wrap

  • View events in your project from the Red Hat OpenShift Service on AWS console:

    1. Launch the Red Hat OpenShift Service on AWS console.
    2. Click Home Events and select your project.

    3. Move to resource that you want to see events. For example: Home Projects <project-name> <resource-name>.

      Many objects, such as pods and deployments, also have an Events tab, which shows events related to that object.

8.1.3. List of events
Copy link

Review the information in this section to learn about Red Hat OpenShift Service on AWS events.

Expand
Table 8.1. Configuration events
NameDescription

FailedValidation

Failed pod configuration validation.

Expand
Table 8.2. Container events
NameDescription

BackOff

Back-off restarting failed the container.

Created

Container created.

Failed

Pull/Create/Start failed.

Killing

Killing the container.

Started

Container started.

Preempting

Preempting other pods.

ExceededGracePeriod

Container runtime did not stop the pod within specified grace period.

Expand
Table 8.3. Health events
NameDescription

Unhealthy

Container is unhealthy.

Expand
Table 8.4. Image events
NameDescription

BackOff

Back off Ctr Start, image pull.

ErrImageNeverPull

The image’s NeverPull Policy is violated.

Failed

Failed to pull the image.

InspectFailed

Failed to inspect the image.

Pulled

Successfully pulled the image or the container image is already present on the machine.

Pulling

Pulling the image.

Expand
Table 8.5. Image Manager events
NameDescription

FreeDiskSpaceFailed

Free disk space failed.

InvalidDiskCapacity

Invalid disk capacity.

Expand
Table 8.6. Node events
NameDescription

FailedMount

Volume mount failed.

HostNetworkNotSupported

Host network not supported.

HostPortConflict

Host/port conflict.

KubeletSetupFailed

Kubelet setup failed.

NilShaper

Undefined shaper.

NodeNotReady

Node is not ready.

NodeNotSchedulable

Node is not schedulable.

NodeReady

Node is ready.

NodeSchedulable

Node is schedulable.

NodeSelectorMismatching

Node selector mismatch.

OutOfDisk

Out of disk.

Rebooted

Node rebooted.

Starting

Starting kubelet.

FailedAttachVolume

Failed to attach volume.

FailedDetachVolume

Failed to detach volume.

VolumeResizeFailed

Failed to expand/reduce volume.

VolumeResizeSuccessful

Successfully expanded/reduced volume.

FileSystemResizeFailed

Failed to expand/reduce file system.

FileSystemResizeSuccessful

Successfully expanded/reduced file system.

FailedUnMount

Failed to unmount volume.

FailedMapVolume

Failed to map a volume.

FailedUnmapDevice

Failed unmaped device.

AlreadyMountedVolume

Volume is already mounted.

SuccessfulDetachVolume

Volume is successfully detached.

SuccessfulMountVolume

Volume is successfully mounted.

SuccessfulUnMountVolume

Volume is successfully unmounted.

ContainerGCFailed

Container garbage collection failed.

ImageGCFailed

Image garbage collection failed.

FailedNodeAllocatableEnforcement

Failed to enforce System Reserved Cgroup limit.

NodeAllocatableEnforced

Enforced System Reserved Cgroup limit.

UnsupportedMountOption

Unsupported mount option.

SandboxChanged

Pod sandbox changed.

FailedCreatePodSandBox

Failed to create pod sandbox.

FailedPodSandBoxStatus

Failed pod sandbox status.

Expand
Table 8.7. Pod worker events
NameDescription

FailedSync

Pod sync failed.

Expand
Table 8.8. System Events
NameDescription

SystemOOM

There is an OOM (out of memory) situation on the cluster.

Expand
Table 8.9. Pod events
NameDescription

FailedKillPod

Failed to stop a pod.

FailedCreatePodContainer

Failed to create a pod container.

Failed

Failed to make pod data directories.

NetworkNotReady

Network is not ready.

FailedCreate

Error creating: <error-msg>.

SuccessfulCreate

Created pod: <pod-name>.

FailedDelete

Error deleting: <error-msg>.

SuccessfulDelete

Deleted pod: <pod-id>.

Expand
Table 8.10. Horizontal Pod AutoScaler events
NameDescription

SelectorRequired

Selector is required.

InvalidSelector

Could not convert selector into a corresponding internal selector object.

FailedGetObjectMetric

HPA was unable to compute the replica count.

InvalidMetricSourceType

Unknown metric source type.

ValidMetricFound

HPA was able to successfully calculate a replica count.

FailedConvertHPA

Failed to convert the given HPA.

FailedGetScale

HPA controller was unable to get the target’s current scale.

SucceededGetScale

HPA controller was able to get the target’s current scale.

FailedComputeMetricsReplicas

Failed to compute desired number of replicas based on listed metrics.

FailedRescale

New size: <size>; reason: <msg>; error: <error-msg>.

SuccessfulRescale

New size: <size>; reason: <msg>.

FailedUpdateStatus

Failed to update status.

Expand
Table 8.11. Volume events
NameDescription

FailedBinding

There are no persistent volumes available and no storage class is set.

VolumeMismatch

Volume size or class is different from what is requested in claim.

VolumeFailedRecycle

Error creating recycler pod.

VolumeRecycled

Occurs when volume is recycled.

RecyclerPod

Occurs when pod is recycled.

VolumeDelete

Occurs when volume is deleted.

VolumeFailedDelete

Error when deleting the volume.

ExternalProvisioning

Occurs when volume for the claim is provisioned either manually or via external software.

ProvisioningFailed

Failed to provision volume.

ProvisioningCleanupFailed

Error cleaning provisioned volume.

ProvisioningSucceeded

Occurs when the volume is provisioned successfully.

WaitForFirstConsumer

Delay binding until pod scheduling.

Expand
Table 8.12. Lifecycle hooks
NameDescription

FailedPostStartHook

Handler failed for pod start.

FailedPreStopHook

Handler failed for pre-stop.

UnfinishedPreStopHook

Pre-stop hook unfinished.

Expand
Table 8.13. Deployments
NameDescription

DeploymentCancellationFailed

Failed to cancel deployment.

DeploymentCancelled

Canceled deployment.

DeploymentCreated

Created new replication controller.

IngressIPRangeFull

No available Ingress IP to allocate to service.

Expand
Table 8.14. Scheduler events
NameDescription

FailedScheduling

Failed to schedule pod: <pod-namespace>/<pod-name>. This event is raised for multiple reasons, for example: AssumePodVolumes failed, Binding rejected etc.

Preempted

By <preemptor-namespace>/<preemptor-name> on node <node-name>.

Scheduled

Successfully assigned <pod-name> to <node-name>.

Expand
Table 8.15. Daemon set events
NameDescription

SelectingAll

This daemon set is selecting all pods. A non-empty selector is required.

FailedPlacement

Failed to place pod on <node-name>.

FailedDaemonPod

Found failed daemon pod <pod-name> on node <node-name>, will try to kill it.

Expand
Table 8.16. LoadBalancer service events
NameDescription

CreatingLoadBalancerFailed

Error creating load balancer.

DeletingLoadBalancer

Deleting load balancer.

EnsuringLoadBalancer

Ensuring load balancer.

EnsuredLoadBalancer

Ensured load balancer.

UnAvailableLoadBalancer

There are no available nodes for LoadBalancer service.

LoadBalancerSourceRanges

Lists the new LoadBalancerSourceRanges. For example, <old-source-range> <new-source-range>.

LoadbalancerIP

Lists the new IP address. For example, <old-ip> <new-ip>.

ExternalIP

Lists external IP address. For example, Added: <external-ip>.

UID

Lists the new UID. For example, <old-service-uid> <new-service-uid>.

ExternalTrafficPolicy

Lists the new ExternalTrafficPolicy. For example, <old-policy> <new-policy>.

HealthCheckNodePort

Lists the new HealthCheckNodePort. For example, <old-node-port> new-node-port>.

UpdatedLoadBalancer

Updated load balancer with new hosts.

LoadBalancerUpdateFailed

Error updating load balancer with new hosts.

DeletingLoadBalancer

Deleting load balancer.

DeletingLoadBalancerFailed

Error deleting load balancer.

DeletedLoadBalancer

Deleted load balancer.

As a cluster administrator, you can use the OpenShift Cluster Capacity Tool to view the number of pods that can be scheduled in your cluster. This allows you to increase the current resources before they become exhausted and to ensure any future pods can be scheduled. This capacity comes from an individual node host in a cluster, and includes CPU, memory, disk space, and others.

Review the following information to learn how to use the OpenShift Cluster Capacity Tool to simulate a sequence of scheduling decisions that determine how many instances of an input pod can be scheduled on the cluster before the cluster is exhausted of resources.

Note

The remaining allocatable capacity is a rough estimation, because it does not count all of the resources being distributed among nodes. It analyzes only the remaining resources and estimates the available capacity that is still consumable in terms of the number of instances of a pod with given requirements that can be scheduled in a cluster.

Also, pods might only have scheduling support on particular sets of nodes based on its selection and affinity criteria. As a result, the estimation of which remaining pods a cluster can schedule can be difficult.

You can run the OpenShift Cluster Capacity Tool as a stand-alone utility from the command line, or as a job in a pod inside an Red Hat OpenShift Service on AWS cluster. Running the tool as job inside of a pod enables you to run it multiple times without intervention.

You can run the OpenShift Cluster Capacity Tool from the command line to estimate the number of pods that can be scheduled onto your cluster.

You create a sample pod spec file, which the tool uses for estimating resource usage. The pod spec specifies its resource requirements as limits or requests. The cluster capacity tool takes the pod’s resource requirements into account for its estimation analysis.

Prerequisites

  1. Run the OpenShift Cluster Capacity Tool, which is available as a container image from the Red Hat Ecosystem Catalog. See the link in the "Additional resources" section.

  2. Create a sample pod spec file:

    1. Create a YAML file similar to the following: 

      apiVersion: v1
kind: Pod
metadata:
  name: small-pod
  labels:
    app: guestbook
    tier: frontend
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: php-redis
    image: gcr.io/google-samples/gb-frontend:v4
    imagePullPolicy: Always
    resources:
      limits:
        cpu: 150m
        memory: 100Mi
      requests:
        cpu: 150m
        memory: 100Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: [ALL]
      Copy to Clipboard Toggle word wrap

    2. Create the cluster role: 

      $ oc create -f <file_name>.yaml
      Copy to Clipboard Toggle word wrap

      For example: 

      $ oc create -f pod-spec.yaml
      Copy to Clipboard Toggle word wrap

Procedure

  1. From the terminal, log in to the Red Hat Registry: 

    $ podman login registry.redhat.io
    Copy to Clipboard Toggle word wrap

  2. Pull the cluster capacity tool image: 

    $ podman pull registry.redhat.io/openshift4/ose-cluster-capacity
    Copy to Clipboard Toggle word wrap

  3. Run the cluster capacity tool: 

    $ podman run -v $HOME/.kube:/kube:Z -v $(pwd):/cc:Z  ose-cluster-capacity \
/bin/cluster-capacity --kubeconfig /kube/config --<pod_spec>.yaml /cc/<pod_spec>.yaml \
--verbose
    Copy to Clipboard Toggle word wrap

    where:

    <pod_spec>.yaml
    Specifies the pod spec to use.
    verbose
    Outputs a detailed description of how many pods can be scheduled on each node in the cluster.

    Example output

    small-pod pod requirements:
	- CPU: 150m
	- Memory: 100Mi

The cluster can schedule 88 instance(s) of the pod small-pod.

Termination reason: Unschedulable: 0/5 nodes are available: 2 Insufficient cpu,
3 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't
tolerate.

Pod distribution among nodes:
small-pod
	- 192.168.124.214: 45 instance(s)
	- 192.168.124.120: 43 instance(s)
    Copy to Clipboard Toggle word wrap

    In the above example, the number of estimated pods that can be scheduled onto the cluster is 88.

You can run the OpenShift Cluster Capacity Tool as a job inside of a pod by using a ConfigMap object. This allows you to run the tool multiple times without needing user intervention.

Prerequisites

  • Download and install the OpenShift Cluster Capacity Tool from the cluster-capacity repository. See the link in the "Additional resources" section.

Procedure

  1. Create the cluster role:

    1. Create a YAML file similar to the following: 

      kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-capacity-role
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "persistentvolumeclaims", "persistentvolumes", "services", "replicationcontrollers"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["replicasets", "statefulsets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list"]
      Copy to Clipboard Toggle word wrap

    2. Create the cluster role by running the following command: 

      $ oc create -f <file_name>.yaml
      Copy to Clipboard Toggle word wrap

      For example: 

      $ oc create sa cluster-capacity-sa
      Copy to Clipboard Toggle word wrap

  2. Create the service account: 

    $ oc create sa cluster-capacity-sa -n default
    Copy to Clipboard Toggle word wrap

  3. Add the role to the service account: 

    $ oc adm policy add-cluster-role-to-user cluster-capacity-role \
    system:serviceaccount:<namespace>:cluster-capacity-sa
    Copy to Clipboard Toggle word wrap

    where:

    <namespace>
    Specifies the namespace where the pod is located.

  4. Define and create the pod spec:

    1. Create a YAML file similar to the following: 

      apiVersion: v1
kind: Pod
metadata:
  name: small-pod
  labels:
    app: guestbook
    tier: frontend
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: php-redis
    image: gcr.io/google-samples/gb-frontend:v4
    imagePullPolicy: Always
    resources:
      limits:
        cpu: 150m
        memory: 100Mi
      requests:
        cpu: 150m
        memory: 100Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: [ALL]
      Copy to Clipboard Toggle word wrap

    2. Create the pod by running the following command: 

      $ oc create -f <file_name>.yaml
      Copy to Clipboard Toggle word wrap

      For example: 

      $ oc create -f pod.yaml
      Copy to Clipboard Toggle word wrap

  5. Created a config map object by running the following command: 

    $ oc create configmap cluster-capacity-configmap \
    --from-file=pod.yaml=pod.yaml
    Copy to Clipboard Toggle word wrap

    The cluster capacity analysis is mounted in a volume using a config map object named cluster-capacity-configmap to mount the input pod spec file pod.yaml into a volume test-volume at the path /test-pod.

  6. Create the job using the below example of a job specification file:

    1. Create a YAML file similar to the following: 

      apiVersion: batch/v1
kind: Job
metadata:
  name: cluster-capacity-job
spec:
  parallelism: 1
  completions: 1
  template:
    metadata:
      name: cluster-capacity-pod
    spec:
        containers:
        - name: cluster-capacity
          image: openshift/origin-cluster-capacity
          imagePullPolicy: "Always"
          volumeMounts:
          - mountPath: /test-pod
            name: test-volume
          env:
          - name: CC_INCLUSTER
            value: "true"
          command:
          - "/bin/sh"
          - "-ec"
          - |
            /bin/cluster-capacity --podspec=/test-pod/pod.yaml --verbose
        restartPolicy: "Never"
        serviceAccountName: cluster-capacity-sa
        volumes:
        - name: test-volume
          configMap:
            name: cluster-capacity-configmap
      Copy to Clipboard Toggle word wrap

      where:

      spec.template.spec.containers.env
      Specifies a required environment variable that indicates the Cluster Capacity Tool is running inside a cluster as a pod.
      The pod.yaml key of the ConfigMap object is the same as the Pod spec file name, though it is not required. By doing this, the input pod spec file can be accessed inside the pod as /test-pod/pod.yaml.

    2. Run the cluster capacity image as a job in a pod by running the following command: 

      $ oc create -f cluster-capacity-job.yaml
      Copy to Clipboard Toggle word wrap

Verification

  1. Check the job logs to find the number of pods that can be scheduled in the cluster: 

    $ oc logs jobs/cluster-capacity-job
    Copy to Clipboard Toggle word wrap

    Example output

    small-pod pod requirements:
        - CPU: 150m
        - Memory: 100Mi

The cluster can schedule 52 instance(s) of the pod small-pod.

Termination reason: Unschedulable: No nodes are available that match all of the
following predicates:: Insufficient cpu (2).

Pod distribution among nodes:
small-pod
        - 192.168.124.214: 26 instance(s)
        - 192.168.124.120: 26 instance(s)
    Copy to Clipboard Toggle word wrap

You can use limit ranges to restrict resource consumption for specific objects in a project.

By default, containers run with unbounded compute resources on an Red Hat OpenShift Service on AWS cluster.

You can configure resource consumption for the following objects:

  • pods and containers: You can set minimum and maximum requirements for CPU and memory for pods and their containers.
  • Image streams: You can set limits on the number of images and tags in an ImageStream object.
  • Images: You can limit the size of images that can be pushed to an internal registry.
  • Persistent volume claims (PVC): You can restrict the size of the PVCs that can be requested.

If a pod does not meet the constraints imposed by the limit range, the pod cannot be created in the namespace.

8.3.1. About limit ranges
Copy link

You can set specific resource limits for a pod, container, image, image stream, or persistent volume claim (PVC) in a specific project by defining a LimitRange object. A limit range allows you to restrict resource consumption in that project.

All requests to create and modify resources are evaluated against each LimitRange object in the project. If the resource violates any of the enumerated constraints, the resource is rejected.

The following shows a limit range object for all components: pod, container, image, image stream, or PVC. You can configure limits for any or all of these components in the same object. You create a different limit range object for each project where you want to control resources.

Sample limit range object for a container

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "Container"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "100m"
        memory: "4Mi"
      default:
        cpu: "300m"
        memory: "200Mi"
      defaultRequest:
        cpu: "200m"
        memory: "100Mi"
      maxLimitRequestRatio:
        cpu: "10"
Copy to Clipboard Toggle word wrap

8.3.2. About component limits
Copy link

Review the following examples to learn the limit range parameters for each component for when you create or edit a LimitRange object.

The examples are broken out for clarity. You can create a single LimitRange object for any or all components as necessary.

Container limits

A limit range allows you to specify the minimum and maximum CPU and memory that each container in a pod can request for a specific project. If a container is created in the project, the container CPU and memory requests in the Pod spec must comply with the values set in the LimitRange object. If not, the pod does not get created. The following requirements must hold true:

  • The container CPU or memory request and limit must be greater than or equal to the min resource constraint for containers that are specified in the LimitRange object.
  • The container CPU or memory request and limit must be less than or equal to the max resource constraint for containers that are specified in the LimitRange object.

If the LimitRange object defines a max CPU, you do not need to define a CPU request value in the Pod spec. But you must specify a CPU limit value that satisfies the maximum CPU constraint specified in the limit range. The following requirements must hold true:

  • The ratio of the container limits to requests must be less than or equal to the maxLimitRequestRatio value for containers that is specified in the LimitRange object.

    If the LimitRange object defines a maxLimitRequestRatio constraint, any new containers must have both a request and a limit value. Red Hat OpenShift Service on AWS calculates the limit-to-request ratio by dividing the limit by the request. This value should be a non-negative integer greater than 1.

    For example, if a container has cpu: 500 in the limit value, and cpu: 100 in the request value, the limit-to-request ratio for cpu is 5. This ratio must be less than or equal to the maxLimitRequestRatio.

If the Pod spec does not specify a container resource memory or limit, the default or defaultRequest CPU and memory values for containers specified in the limit range object are assigned to the container.

Container LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "Container"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "100m"
        memory: "4Mi"
      default:
        cpu: "300m"
        memory: "200Mi"
      defaultRequest:
        cpu: "200m"
        memory: "100Mi"
      maxLimitRequestRatio:
        cpu: "10"
Copy to Clipboard Toggle word wrap

where:

metadata.name
Specifies the name of the limit range object.
spec.limit.max.cpu
Specifies the maximum amount of CPU that a single container in a pod can request.
spec.limit.max.memory
Specifies the maximum amount of memory that a single container in a pod can request.
spec.limit.min.cpu
Specifies the minimum amount of CPU that a single container in a pod can request.
spec.limit.min.memory
Specifies the minimum amount of memory that a single container in a pod can request.
spec.limit.default.cpu
Specifies the default amount of CPU that a container can use if not specified in the Pod spec.
spec.limit.default.memory
Specifies the default amount of memory that a container can use if not specified in the Pod spec.
spec.limit.defaultRequest.cpu
Specifies the default amount of CPU that a container can request if not specified in the Pod spec.
spec.limit.defaultRequest.memory
Specifies the default amount of memory that a container can request if not specified in the Pod spec.
spec.limit.maxLimitRequestRatio.cpu
Specifies the maximum limit-to-request ratio for a container.
Pod limits

A limit range allows you to specify the minimum and maximum CPU and memory limits for all containers across a pod in a given project. To create a container in the project, the container CPU and memory requests in the Pod spec must comply with the values set in the LimitRange object. If not, the pod does not get created.

If the Pod spec does not specify a container resource memory or limit, the default or defaultRequest CPU and memory values for containers specified in the limit range object are assigned to the container.

Across all containers in a pod, the following requirements must hold true:

  • The container CPU or memory request and limit must be greater than or equal to the min resource constraints for pods that are specified in the LimitRange object.
  • The container CPU or memory request and limit must be less than or equal to the max resource constraints for pods that are specified in the LimitRange object.
  • The ratio of the container limits to requests must be less than or equal to the maxLimitRequestRatio constraint specified in the LimitRange object.

Pod LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "Pod"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "200m"
        memory: "6Mi"
      maxLimitRequestRatio:
        cpu: "10"
Copy to Clipboard Toggle word wrap

where:

metadata.name
Specifies the name of the limit range object.
spec.limit.max.cpu
Specifies the maximum amount of CPU that a pod can request across all containers.
spec.limit.max.memory
Specifies the maximum amount of memory that a pod can request across all containers.
spec.limit.min.cpu
Specifies the minimum amount of CPU that a pod can request across all containers.
spec.limit.min.memory
Specifies the minimum amount of memory that a pod can request across all containers.
spec.limit.maxLimitRequestRatio.cpu
Specifies the maximum limit-to-request ratio for a container.
Image limits

A limit range allows you to specify the maximum size of an image that can be pushed to an OpenShift image registry.

When pushing images to an OpenShift image registry, the following requirement must hold true:

  • The size of the image must be less than or equal to the max size for images that is specified in the LimitRange object.

Image LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: openshift.io/Image
      max:
        storage: 1Gi
Copy to Clipboard Toggle word wrap

where:

metadata.name
Specifies the name of the limit range object.
spec.limit.max.storage
Specifies the maximum size of an image that can be pushed to an OpenShift image registry.
Warning

The image size is not always available in the manifest of an uploaded image. This is especially the case for images built with Docker 1.10 or higher and pushed to a v2 registry. If such an image is pulled with an older Docker daemon, the image manifest is converted by the registry to schema v1 lacking all the size information. No storage limit set on images prevent it from being uploaded.

The issue is being addressed.

Image stream limits

A limit range allows you to specify limits for image streams.

For each image stream, the following requirements must hold true:

  • The number of image tags in an ImageStream specification must be less than or equal to the openshift.io/image-tags constraint in the LimitRange object.
  • The number of unique references to images in an ImageStream specification must be less than or equal to the openshift.io/images constraint in the limit range object.

Imagestream LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: openshift.io/ImageStream
      max:
        openshift.io/image-tags: 20
        openshift.io/images: 30
Copy to Clipboard Toggle word wrap

where

metadata.name
Specifies the name of the LimitRange object.
spec.limit.max.openshift.io/image-tags
Specifies the maximum number of unique image tags in the imagestream.spec.tags parameter in imagestream spec.
spec.limit.max.openshift.io/images
Specifies the maximum number of unique image references in the imagestream.status.tags parameter in the imagestream spec.

The openshift.io/image-tags resource represents unique image references. Possible references are an ImageStreamTag, an ImageStreamImage and a DockerImage. Tags can be created using the oc tag and oc import-image commands. No distinction is made between internal and external references. However, each unique reference tagged in an ImageStream specification is counted just once. It does not restrict pushes to an internal container image registry in any way, but is useful for tag restriction.

The openshift.io/images resource represents unique image names recorded in image stream status. It allows for restriction of a specific number of images that can be pushed to the OpenShift image registry. Internal and external references are not distinguished.

Persistent volume claim limits

A limit range allows you to restrict the storage requested in a persistent volume claim (PVC).

Across all persistent volume claims in a project, the following requirements must hold true:

  • The resource request in a persistent volume claim (PVC) must be greater than or equal the min constraint for PVCs that is specified in the LimitRange object.
  • The resource request in a persistent volume claim (PVC) must be less than or equal the max constraint for PVCs that is specified in the LimitRange object.

PVC LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "PersistentVolumeClaim"
      min:
        storage: "2Gi"
      max:
        storage: "50Gi"
Copy to Clipboard Toggle word wrap

where:

metadata.name
Specifies the name of the LimitRange object.
spec.limit.min.storage
Specifies the minimum amount of storage that can be requested in a persistent volume claim.
spec.limit.max.storage
Specifies the maximum amount of storage that can be requested in a persistent volume claim.

8.3.3. Creating a Limit Range
Copy link

You can define LimitRange objects to set specific resource limits for a pod, container, image, image stream, or persistent volume claim (PVC) in a specific project. A limit range allows you to restrict resource consumption in that project.

Procedure

  1. Create a LimitRange object with your required specifications: 

    apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "Pod"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "200m"
        memory: "6Mi"
    - type: "Container"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "100m"
        memory: "4Mi"
      default:
        cpu: "300m"
        memory: "200Mi"
      defaultRequest:
        cpu: "200m"
        memory: "100Mi"
      maxLimitRequestRatio:
        cpu: "10"
    - type: openshift.io/Image
      max:
        storage: 1Gi
    - type: openshift.io/ImageStream
      max:
        openshift.io/image-tags: 20
        openshift.io/images: 30
    - type: "PersistentVolumeClaim"
      min:
        storage: "2Gi"
      max:
        storage: "50Gi"
    Copy to Clipboard Toggle word wrap

    where:

    metadata.name
    Specifies a name for the LimitRange object.
    spec.limit.type.Pod
    Specifies limits for a pod, specify the minimum and maximum CPU and memory requests as needed.
    spec.limit.type.Container
    Specifies limits for a container, specify the minimum and maximum CPU and memory requests as needed.
    spec.limit.type.default
    For a container, specifies the default amount of CPU or memory that a container can use, if not specified in the Pod spec. This parameter is optional.
    spec.limit.type.defaultRequest
    For a container, specifies the default amount of CPU or memory that a container can request, if not specified in the Pod spec. This parameter is optional.
    spec.limit.type.maxLimitRequestRatio
    For a container, specifies the maximum limit-to-request ratio that can be specified in the Pod spec. This parameter is optional.
    spec.limit.type.openshift.io/Image
    Specifies limits for an image object. Set the maximum size of an image that can be pushed to an OpenShift image registry.
    spec.limit.type.openshift.io/ImageStream
    Specifies limits for an image stream. Set the maximum number of image tags and references that can be in the ImageStream object file, as needed.
    spec.limit.type.openshift.io/PersistentVolueClaim
    Specifies limits for a persistent volume claim. Set the minimum and maximum amount of storage that can be requested.

  2. Create the object: 

    $ oc create -f <limit_range_file> -n <project>
    Copy to Clipboard Toggle word wrap

    where:

    <limit_range_file>
    Specifies the name of the YAML file you created.
    <project>
    Specifies the project where you want the limits to apply.

8.3.4. Viewing a limit
Copy link

You can view the limits defined in a project by navigating in the web console to the project’s Quota page. This allows you to see details about each of the limit ranges in a project.

You can also use the CLI to view limit range details:

Procedure

  1. Get the list of LimitRange objects defined in the project. For example, for a project called demoproject: 

    $ oc get limits -n demoproject
    Copy to Clipboard Toggle word wrap 
    NAME              CREATED AT
resource-limits   2020-07-15T17:14:23Z
    Copy to Clipboard Toggle word wrap

  2. Describe the LimitRange object you are interested in, for example the resource-limits limit range: 

    $ oc describe limits resource-limits -n demoproject
    Copy to Clipboard Toggle word wrap 
    Name:                           resource-limits
Namespace:                      demoproject
Type                            Resource                Min     Max     Default Request Default Limit   Max Limit/Request Ratio
----                            --------                ---     ---     --------------- -------------   -----------------------
Pod                             cpu                     200m    2       -               -               -
Pod                             memory                  6Mi     1Gi     -               -               -
Container                       cpu                     100m    2       200m            300m            10
Container                       memory                  4Mi     1Gi     100Mi           200Mi           -
openshift.io/Image              storage                 -       1Gi     -               -               -
openshift.io/ImageStream        openshift.io/image      -       12      -               -               -
openshift.io/ImageStream        openshift.io/image-tags -       10      -               -               -
PersistentVolumeClaim           storage                 -       50Gi    -               -               -
    Copy to Clipboard Toggle word wrap

8.3.5. Deleting a Limit Range
Copy link

You can remove any active LimitRange object so that it no longer enforces the limits in a project.

Procedure

  • Run the following command: 

    $ oc delete limits <limit_name>
    Copy to Clipboard Toggle word wrap

As a cluster administrator, you can manage application memory usage to help your clusters operate more efficiently.

You can perform any of the following tasks to manage application memory:

  • Determine the memory and risk requirements of a containerized application component and configuring the container memory parameters to suit those requirements.
  • Configure containerized application runtimes (for example, OpenJDK) to adhere optimally to the configured container memory parameters.
  • Diagnose and resolve memory-related error conditions associated with running in a container.

You can review the following concepts to learn how Red Hat OpenShift Service on AWS manages compute resources so that you can lean how to keep your cluster running efficiently.

For each kind of resource (memory, CPU, storage), Red Hat OpenShift Service on AWS allows optional request and limit values to be placed on each container in a pod.

Note the following information about memory requests and memory limits:

  • Memory request

    • The memory request value, if specified, influences the Red Hat OpenShift Service on AWS scheduler. The scheduler considers the memory request when scheduling a container to a node, then fences off the requested memory on the chosen node for the use of the container.
    • If a node’s memory is exhausted, Red Hat OpenShift Service on AWS prioritizes evicting its containers whose memory usage most exceeds their memory request. In serious cases of memory exhaustion, the node OOM killer might select and kill a process in a container based on a similar metric.
    • The cluster administrator can assign quota or assign default values for the memory request value.
    • The cluster administrator can override the memory request values that a developer specifies, to manage cluster overcommit.

  • Memory limit

    • The memory limit value, if specified, provides a hard limit on the memory that can be allocated across all the processes in a container.
    • If the memory allocated by all of the processes in a container exceeds the memory limit, the node Out of Memory (OOM) killer immediately selects and kills a process in the container.
    • If both memory request and limit are specified, the memory limit value must be greater than or equal to the memory request.
    • The cluster administrator can assign quota or assign default values for the memory limit value.
    • The minimum memory limit is 12 MB. If a container fails to start due to a Cannot allocate memory pod event, the memory limit is too low. Either increase or remove the memory limit. Removing the limit allows pods to consume unbounded node resources.

The steps for sizing application memory on Red Hat OpenShift Service on AWS are as follows:

  1. Determine expected container memory usage

    Determine expected mean and peak container memory usage. For example, you could perform separate load testing. Remember to consider all the processes that could potentially run in parallel in the container, such as any ancillary scripts that might be spawned by the main application.

  2. Determine risk appetite

    Determine risk appetite for eviction. If the risk appetite is low, the container should request memory according to the expected peak usage plus a percentage safety margin. If the risk appetite is higher, it might be more appropriate to request memory according to the expected mean usage.

  3. Set container memory request

    Set the container memory request based on the above. The request should represent the application memory usage as accurately as possible. If the request is too high, cluster and quota usage will be inefficient. If the request is too low, the chances of application eviction increase.

  4. Set container memory limit, if required

    Set the container memory limit, if required. Setting a limit has the effect of immediately killing a container process if the combined memory usage of all processes in the container exceeds the limit. Setting a limit might make unanticipated excess memory usage obvious early (fail fast). However, setting a limit also terminates processes abruptly.

    Note that some Red Hat OpenShift Service on AWS clusters might require a limit value to be set; some might override the request based on the limit; and some application images rely on a limit value being set as this is easier to detect than a request value.

    If the memory limit is set, it should not be set to less than the expected peak container memory usage plus a percentage safety margin.

  5. Ensure applications are tuned

    Ensure your applications are tuned with respect to configured request and limit values, if appropriate. This step is particularly relevant to applications which pool memory, such as the JVM. The rest of this page discusses this.

You can review the following concepts to learn about how to deploy OpenJDK applications in your cluster effectively.

The default OpenJDK settings do not work well with containerized environments. As a result, some additional Java memory settings must always be provided whenever running the OpenJDK in a container.

The JVM memory layout is complex, version dependent, and describing it in detail is beyond the scope of this documentation. However, as a starting point for running OpenJDK in a container, at least the following three memory-related tasks are key:

Overriding the JVM maximum heap size

OpenJDK defaults to using a maximum of 25% of available memory (recognizing any container memory limits in place) for heap memory. This default value is conservative, and, in a properly-configured container environment, would result in 75% of the memory assigned to a container being mostly unused. A much higher percentage for the JVM to use for heap memory, such as 80%, is more suitable in a container context where memory limits are imposed on the container level.

Most of the Red Hat containers include a startup script that replaces the OpenJDK default by setting updated values when the JVM launches.

For example, the Red Hat build of OpenJDK containers have a default value of 80%. This value can be set to a different percentage by defining the JAVA_MAX_RAM_RATIO environment variable.

For other OpenJDK deployements, the default value of 25% can be changed using the following command:

Example

$ java -XX:MaxRAMPercentage=80.0
Copy to Clipboard Toggle word wrap

Encouraging the JVM to release unused memory to the operating system, if appropriate

By default, the OpenJDK does not aggressively return unused memory to the operating system. This could be appropriate for many containerized Java workloads, but notable exceptions include workloads where additional active processes co-exist with a JVM within a container, whether those additional processes are native, additional JVMs, or a combination of the two.

Java-based agents can use the following JVM arguments to encourage the JVM to release unused memory to the operating system: 

-XX:+UseParallelGC
-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10 -XX:GCTimeRatio=4
-XX:AdaptiveSizePolicyWeight=90
Copy to Clipboard Toggle word wrap

These arguments are intended to return heap memory to the operating system whenever allocated memory exceeds 110% of in-use memory (-XX:MaxHeapFreeRatio), spending up to 20% of CPU time in the garbage collector (-XX:GCTimeRatio). At no time will the application heap allocation be less than the initial heap allocation (overridden by -XX:InitialHeapSize / -Xms). Detailed additional information is available Tuning Java’s footprint in OpenShift (Part 1), Tuning Java’s footprint in OpenShift (Part 2), and at OpenJDK and Containers.

Ensuring all JVM processes within a container are appropriately configured

In the case that multiple JVMs run in the same container, it is essential to ensure that they are all configured appropriately. For many workloads it will be necessary to grant each JVM a percentage memory budget, leaving a perhaps substantial additional safety margin.

Many Java tools use different environment variables (JAVA_OPTS, GRADLE_OPTS, and so on) to configure their JVMs and it can be challenging to ensure that the right settings are being passed to the right JVM.

The JAVA_TOOL_OPTIONS environment variable is always respected by the OpenJDK, and values specified in JAVA_TOOL_OPTIONS will be overridden by other options specified on the JVM command line. By default, to ensure that these options are used by default for all JVM workloads run in the Java-based agent image, the Red Hat OpenShift Service on AWS Jenkins Maven agent image sets the following variable: 

JAVA_TOOL_OPTIONS="-Dsun.zip.disableMemoryMapping=true"
Copy to Clipboard Toggle word wrap

This does not guarantee that additional options are not required, but is intended to be a helpful starting point. Optimally tuning JVM workloads for running in a container is beyond the scope of this documentation, and may involve setting multiple additional JVM options.

You can configure your container to use the Downward API to dynamically discover its memory request and limit from within a pod. This allows your applications to better manage these resources without needing to use the API server.

Procedure

  • Configure the pod to add the MEMORY_REQUEST and MEMORY_LIMIT stanzas:

    1. Create a YAML file similar to the following: 

      apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  securityContext:
    runAsNonRoot: false
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: test
    image: fedora:latest
    command:
    - sleep
    - "3600"
    env:
    - name: MEMORY_REQUEST
      valueFrom:
        resourceFieldRef:
          containerName: test
          resource: requests.memory
    - name: MEMORY_LIMIT
      valueFrom:
        resourceFieldRef:
          containerName: test
          resource: limits.memory
    resources:
      requests:
        memory: 384Mi
      limits:
        memory: 512Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: [ALL]
      Copy to Clipboard Toggle word wrap

      where:

      spec.consinters.env.name.MEMORY_REQUEST
      This stanza discovers the application memory request value.
      spec.consinters.env.name.MEMORY_LIMIT
      This stanza discovers the application memory limit value.

    2. Create the pod by running the following command: 

      $ oc create -f <file_name>.yaml
      Copy to Clipboard Toggle word wrap

Verification

  1. Access the pod using a remote shell: 

    $ oc rsh test
    Copy to Clipboard Toggle word wrap

  2. Check that the requested values were applied: 

    $ env | grep MEMORY | sort
    Copy to Clipboard Toggle word wrap

    Example output

    MEMORY_LIMIT=536870912
MEMORY_REQUEST=402653184
    Copy to Clipboard Toggle word wrap

Note

The memory limit value can also be read from inside the container by the /sys/fs/cgroup/memory/memory.limit_in_bytes file.

8.4.4. Understanding OOM kill policy
Copy link

Red Hat OpenShift Service on AWS can kill a process in a container if the total memory usage of all the processes in the container exceeds the memory limit, or in serious cases of node memory exhaustion.

If a process is Out of Memory (OOM) killed, the container could exit immediately. If the container PID 1 process receives the SIGKILL, the container does exit immediately. Otherwise, the container behavior is dependent on the behavior of the other processes.

For example, a container process exited with code 137, indicating it received a SIGKILL signal.

If the container does not exit immediately, use the following stepts to detect if an OOM kill occurred.

Procedure

  1. Access the pod using a remote shell: 

    # oc rsh <pod name>
    Copy to Clipboard Toggle word wrap

  2. Run the following command to see the current OOM kill count in /sys/fs/cgroup/memory/memory.oom_control: 

    $ grep '^oom_kill ' /sys/fs/cgroup/memory/memory.oom_control
    Copy to Clipboard Toggle word wrap

    Example output

    oom_kill 0
    Copy to Clipboard Toggle word wrap

  3. Run the following command to provoke an OOM kill: 

    $ sed -e '' </dev/zero
    Copy to Clipboard Toggle word wrap

    Example output

    Killed
    Copy to Clipboard Toggle word wrap

  4. Run the following command to see that the OOM kill counter in /sys/fs/cgroup/memory/memory.oom_control incremented: 

    $ grep '^oom_kill ' /sys/fs/cgroup/memory/memory.oom_control
    Copy to Clipboard Toggle word wrap

    Example output

    oom_kill 1
    Copy to Clipboard Toggle word wrap

    If one or more processes in a pod are OOM killed, when the pod subsequently exits, whether immediately or not, it will have phase Failed and reason OOMKilled. An OOM-killed pod might be restarted depending on the value of restartPolicy. If not restarted, controllers such as the replication controller will notice the pod’s failed status and create a new pod to replace the old one.

    Use the following command to get the pod status: 

    $ oc get pod test
    Copy to Clipboard Toggle word wrap

    Example output

    NAME      READY     STATUS      RESTARTS   AGE
test      0/1       OOMKilled   0          1m
    Copy to Clipboard Toggle word wrap

    • If the pod has not restarted, run the following command to view the pod: 

      $ oc get pod test -o yaml
      Copy to Clipboard Toggle word wrap

      Example output

      apiVersion: v1
kind: Pod
metadata:
  name: test
# ...
status:
  containerStatuses:
  - name: test
    ready: false
    restartCount: 0
    state:
      terminated:
        exitCode: 137
        reason: OOMKilled
  phase: Failed
      Copy to Clipboard Toggle word wrap

    • If restarted, run the following command to view the pod: 

      $ oc get pod test -o yaml
      Copy to Clipboard Toggle word wrap

      Example output

      apiVersion: v1
kind: Pod
metadata:
  name: test
# ...
status:
  containerStatuses:
  - name: test
    ready: true
    restartCount: 1
    lastState:
      terminated:
        exitCode: 137
        reason: OOMKilled
    state:
      running:
  phase: Running
      Copy to Clipboard Toggle word wrap

8.4.5. Understanding pod eviction
Copy link

You can review the following concepts to learn the Red Hat OpenShift Service on AWS pod eviction policy.

Red Hat OpenShift Service on AWS can evict a pod from its node when the node’s memory is exhausted. Depending on the extent of memory exhaustion, the eviction might or might not be graceful. Graceful eviction implies the main process (PID 1) of each container receiving a SIGTERM signal, then some time later a SIGKILL signal if the process has not exited already. Non-graceful eviction implies the main process of each container immediately receiving a SIGKILL signal.

An evicted pod has phase Failed and reason Evicted. It is not restarted, regardless of the value of restartPolicy. However, controllers such as the replication controller will notice the pod’s failed status and create a new pod to replace the old one. 

$ oc get pod test
Copy to Clipboard Toggle word wrap

Example output

NAME      READY     STATUS    RESTARTS   AGE
test      0/1       Evicted   0          1m
Copy to Clipboard Toggle word wrap 

$ oc get pod test -o yaml
Copy to Clipboard Toggle word wrap

Example output

apiVersion: v1
kind: Pod
metadata:
  name: test
...
status:
  message: 'Pod The node was low on resource: [MemoryPressure].'
  phase: Failed
  reason: Evicted
Copy to Clipboard Toggle word wrap

Red Hat OpenShift Service on AWS administrators can manage container density on nodes by configuring pod placement behavior and per-project resource limits that overcommit cannot exceed.

Alternatively, administrators can disable project-level resource overcommitment on customer-created namespaces that are not managed by Red Hat.

For more information about container resource management, see Additional resources.

In an overcommitted state, the sum of the container compute resource requestsand limits exceeds the resources available on the system. For example, you might want to use overcommitment in development environments where a trade-off of guaranteed performance for capacity is acceptable.

Containers can specify compute resource requests and limits. Requests are used for scheduling your container and provide a minimum service guarantee. Limits constrain the amount of compute resource that can be consumed on your node.

The scheduler attempts to optimize the compute resource use across all nodes in your cluster. It places pods onto specific nodes, taking the pods' compute resource requests and nodes' available capacity into consideration.

8.5.1. Project-level limits
Copy link

In Red Hat OpenShift Service on AWS, because overcommitment of project-level resources is enabled by default, if required by your use case, you can disable overcommitment on projects that are not managed by Red Hat.

For the list of projects that are managed by Red Hat and cannot be modified, see "Red Hat Managed resources" in Support.

8.5.1.1. Disabling overcommitment for a project
Copy link

If required by your use case, you can disable overcommitment on any project that is not managed by Red Hat. For a list of projects that cannot be modified, see "Red Hat Managed resources" in Support.

Prerequisites

  • You are logged in to the cluster using an account with cluster administrator or cluster editor permissions.

Procedure

  1. Edit the namespace object file:

    1. If you are using the web console:

      1. Click Administration Namespaces and click the namespace for the project.
      2. In the Annotations section, click the Edit button.
      3. Click Add more and enter a new annotation that uses a Key of quota.openshift.io/cluster-resource-override-enabled and a Value of false.
      4. Click Save.

    2. If you are using the ROSA CLI (rosa):

      1. Edit the namespace: 

        $ rosa edit namespace/<project_name>
        Copy to Clipboard Toggle word wrap

      2. Add the following annotation: 

        apiVersion: v1
kind: Namespace
metadata:
  annotations:
    quota.openshift.io/cluster-resource-override-enabled: "false"
# ...
        Copy to Clipboard Toggle word wrap

        where:

        metadata.annotations.quota.openshift.io/cluster-resource-override-enabled.false
        Specifies that overcommit is disabled for this namespace.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red Hat