Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 9. Quotas

9.1. Resource quotas per project
Copia collegamento

A resource quota, defined by a 

ResourceQuota
object, provides constraints that limit aggregate resource consumption per project. It can limit the quantity of objects that can be created in a project by type, as well as the total amount of compute resources and storage that might be consumed by resources in that project.

This guide describes how resource quotas work, how cluster administrators can set and manage resource quotas on a per project basis, and how developers and cluster administrators can view them.

9.1.1. Resources managed by quotas
Copia collegamento

The following describes the set of compute resources and object types that can be managed by a quota.

Note

A pod is in a terminal state if 

status.phase in (Failed, Succeeded)
is true.

Expand
Table 9.1. Compute resources managed by quota
Resource NameDescription

cpu

The sum of CPU requests across all pods in a non-terminal state cannot exceed this value. 

cpu
and 
requests.cpu
are the same value and can be used interchangeably. 

memory

The sum of memory requests across all pods in a non-terminal state cannot exceed this value. 

memory
and 
requests.memory
are the same value and can be used interchangeably. 

requests.cpu

The sum of CPU requests across all pods in a non-terminal state cannot exceed this value. 

cpu
and 
requests.cpu
are the same value and can be used interchangeably. 

requests.memory

The sum of memory requests across all pods in a non-terminal state cannot exceed this value. 

memory
and 
requests.memory
are the same value and can be used interchangeably. 

limits.cpu

The sum of CPU limits across all pods in a non-terminal state cannot exceed this value. 

limits.memory

The sum of memory limits across all pods in a non-terminal state cannot exceed this value.

Expand
Table 9.2. Storage resources managed by quota
Resource NameDescription

requests.storage

The sum of storage requests across all persistent volume claims in any state cannot exceed this value. 

persistentvolumeclaims

The total number of persistent volume claims that can exist in the project. 

<storage-class-name>.storageclass.storage.k8s.io/requests.storage

The sum of storage requests across all persistent volume claims in any state that have a matching storage class, cannot exceed this value. 

<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims

The total number of persistent volume claims with a matching storage class that can exist in the project. 

ephemeral-storage

The sum of local ephemeral storage requests across all pods in a non-terminal state cannot exceed this value. 

ephemeral-storage
and 
requests.ephemeral-storage
are the same value and can be used interchangeably. 

requests.ephemeral-storage

The sum of ephemeral storage requests across all pods in a non-terminal state cannot exceed this value. 

ephemeral-storage
and 
requests.ephemeral-storage
are the same value and can be used interchangeably. 

limits.ephemeral-storage

The sum of ephemeral storage limits across all pods in a non-terminal state cannot exceed this value.

Expand
Table 9.3. Object counts managed by quota
Resource NameDescription

pods

The total number of pods in a non-terminal state that can exist in the project. 

replicationcontrollers

The total number of ReplicationControllers that can exist in the project. 

resourcequotas

The total number of resource quotas that can exist in the project. 

services

The total number of services that can exist in the project. 

services.loadbalancers

The total number of services of type 

LoadBalancer
that can exist in the project. 

services.nodeports

The total number of services of type 

NodePort
that can exist in the project. 

secrets

The total number of secrets that can exist in the project. 

configmaps

The total number of 

ConfigMap
objects that can exist in the project. 

persistentvolumeclaims

The total number of persistent volume claims that can exist in the project. 

openshift.io/imagestreams

The total number of imagestreams that can exist in the project.

9.1.2. Quota scopes
Copia collegamento

Each quota can have an associated set of scopes. A quota only measures usage for a resource if it matches the intersection of enumerated scopes.

Adding a scope to a quota restricts the set of resources to which that quota can apply. Specifying a resource outside of the allowed set results in a validation error.

Expand

Scope

Description 

BestEffort

Match pods that have best effort quality of service for either 

cpu
or 
memory
. 

NotBestEffort

Match pods that do not have best effort quality of service for 

cpu
and 
memory
.

A 

BestEffort
scope restricts a quota to limiting the following resources: 

  • pods

A 

NotBestEffort
scope restricts a quota to tracking the following resources: 

  • pods
     
  • memory
     
  • requests.memory
     
  • limits.memory
     
  • cpu
     
  • requests.cpu
     
  • limits.cpu

9.1.3. Quota enforcement
Copia collegamento

After a resource quota for a project is first created, the project restricts the ability to create any new resources that may violate a quota constraint until it has calculated updated usage statistics.

After a quota is created and usage statistics are updated, the project accepts the creation of new content. When you create or modify resources, your quota usage is incremented immediately upon the request to create or modify the resource.

When you delete a resource, your quota use is decremented during the next full recalculation of quota statistics for the project. A configurable amount of time determines how long it takes to reduce quota usage statistics to their current observed system value.

If project modifications exceed a quota usage limit, the server denies the action, and an appropriate error message is returned to the user explaining the quota constraint violated, and what their currently observed usage statistics are in the system.

9.1.4. Requests versus limits
Copia collegamento

When allocating compute resources, each container might specify a request and a limit value each for CPU, memory, and ephemeral storage. Quotas can restrict any of these values.

If the quota has a value specified for 

requests.cpu
or 
requests.memory
, then it requires that every incoming container make an explicit request for those resources. If the quota has a value specified for 
limits.cpu
or 
limits.memory
, then it requires that every incoming container specify an explicit limit for those resources.

9.1.5. Sample resource quota definitions
Copia collegamento

core-object-counts.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: core-object-counts
spec:
  hard:
    configmaps: "10"
1 

    persistentvolumeclaims: "4"
2 

    replicationcontrollers: "20"
3 

    secrets: "10"
4 

    services: "10"
5 

    services.loadbalancers: "2"
6

1
The total number of ConfigMap objects that can exist in the project.
2
The total number of persistent volume claims (PVCs) that can exist in the project.
3
The total number of replication controllers that can exist in the project.
4
The total number of secrets that can exist in the project.
5
The total number of services that can exist in the project.
6
The total number of services of type LoadBalancer that can exist in the project.

openshift-object-counts.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: openshift-object-counts
spec:
  hard:
    openshift.io/imagestreams: "10"
1

1
The total number of image streams that can exist in the project.

compute-resources.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
spec:
  hard:
    pods: "4"
1 

    requests.cpu: "1"
2 

    requests.memory: 1Gi
3 

    limits.cpu: "2"
4 

    limits.memory: 2Gi
5

1
The total number of pods in a non-terminal state that can exist in the project.
2
Across all pods in a non-terminal state, the sum of CPU requests cannot exceed 1 core.
3
Across all pods in a non-terminal state, the sum of memory requests cannot exceed 1Gi.
4
Across all pods in a non-terminal state, the sum of CPU limits cannot exceed 2 cores.
5
Across all pods in a non-terminal state, the sum of memory limits cannot exceed 2Gi.

besteffort.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: besteffort
spec:
  hard:
    pods: "1"
1 

  scopes:
  - BestEffort
2

1
The total number of pods in a non-terminal state with BestEffort quality of service that can exist in the project.
2
Restricts the quota to only matching pods that have BestEffort quality of service for either memory or CPU.

compute-resources-long-running.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources-long-running
spec:
  hard:
    pods: "4"
1 

    limits.cpu: "4"
2 

    limits.memory: "2Gi"
3 

  scopes:
  - NotTerminating
4

1
The total number of pods in a non-terminal state.
2
Across all pods in a non-terminal state, the sum of CPU limits cannot exceed this value.
3
Across all pods in a non-terminal state, the sum of memory limits cannot exceed this value.
4
Restricts the quota to only matching pods where spec.activeDeadlineSeconds is set to nil. Build pods fall under NotTerminating unless the RestartNever policy is applied.

compute-resources-time-bound.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources-time-bound
spec:
  hard:
    pods: "2"
1 

    limits.cpu: "1"
2 

    limits.memory: "1Gi"
3 

  scopes:
  - Terminating
4

1
The total number of pods in a terminating state.
2
Across all pods in a terminating state, the sum of CPU limits cannot exceed this value.
3
Across all pods in a terminating state, the sum of memory limits cannot exceed this value.
4
Restricts the quota to only matching pods where spec.activeDeadlineSeconds >=0. For example, this quota charges for build or deployer pods, but not long running pods like a web server or database.

storage-consumption.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: storage-consumption
spec:
  hard:
    persistentvolumeclaims: "10"
1 

    requests.storage: "50Gi"
2 

    gold.storageclass.storage.k8s.io/requests.storage: "10Gi"
3 

    silver.storageclass.storage.k8s.io/requests.storage: "20Gi"
4 

    silver.storageclass.storage.k8s.io/persistentvolumeclaims: "5"
5 

    bronze.storageclass.storage.k8s.io/requests.storage: "0"
6 

    bronze.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
7 

    requests.ephemeral-storage: 2Gi
8 

    limits.ephemeral-storage: 4Gi
9

1
The total number of persistent volume claims in a project
2
Across all persistent volume claims in a project, the sum of storage requested cannot exceed this value.
3
Across all persistent volume claims in a project, the sum of storage requested in the gold storage class cannot exceed this value.
4
Across all persistent volume claims in a project, the sum of storage requested in the silver storage class cannot exceed this value.
5
Across all persistent volume claims in a project, the total number of claims in the silver storage class cannot exceed this value.
6
Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this is set to 0, it means bronze storage class cannot request storage.
7
Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this is set to 0, it means bronze storage class cannot create claims.
8
Across all pods in a non-terminal state, the sum of ephemeral storage requests cannot exceed 2Gi.
9
Across all pods in a non-terminal state, the sum of ephemeral storage limits cannot exceed 4Gi.

9.1.6. Creating a quota
Copia collegamento

You can create a quota to constrain resource usage in a given project.

Procedure

  1. Define the quota in a file.

  2. Use the file to create the quota and apply it to a project: 

    $ oc create -f <file> [-n <project_name>]

    For example: 

    $ oc create -f core-object-counts.yaml -n demoproject

9.1.6.1. Creating object count quotas
Copia collegamento

You can create an object count quota for all standard namespaced resource types on OpenShift Container Platform, such as 

BuildConfig
and 
DeploymentConfig
objects. An object quota count places a defined quota on all standard namespaced resource types.

When using a resource quota, an object is charged against the quota upon creation. These types of quotas are useful to protect against exhaustion of resources. The quota can only be created if there are enough spare resources within the project.

Procedure

To configure an object count quota for a resource:

  1. Run the following command: 

    $ oc create quota <name> \
    --hard=count/<resource>.<group>=<quota>,count/<resource>.<group>=<quota>
    1
    1
    The <resource> variable is the name of the resource, and <group> is the API group, if applicable. Use the oc api-resources command for a list of resources and their associated API groups.

    For example: 

    $ oc create quota test \
    --hard=count/deployments.extensions=2,count/replicasets.extensions=4,count/pods=3,count/secrets=4

    Example output

    resourcequota "test" created

    This example limits the listed resources to the hard limit in each project in the cluster.

  2. Verify that the quota was created: 

    $ oc describe quota test

    Example output

    Name:                         test
Namespace:                    quota
Resource                      Used  Hard
--------                      ----  ----
count/deployments.extensions  0     2
count/pods                    0     3
count/replicasets.extensions  0     4
count/secrets                 0     4

9.1.6.2. Setting resource quota for extended resources
Copia collegamento

Overcommitment of resources is not allowed for extended resources, so you must specify 

requests
and 
limits
for the same extended resource in a quota. Currently, only quota items with the prefix 
requests.
is allowed for extended resources. The following is an example scenario of how to set resource quota for the GPU resource 
nvidia.com/gpu
.

Procedure

  1. Determine how many GPUs are available on a node in your cluster. For example: 

    # oc describe node ip-172-31-27-209.us-west-2.compute.internal | egrep 'Capacity|Allocatable|gpu'

    Example output

                        openshift.com/gpu-accelerator=true
Capacity:
 nvidia.com/gpu:  2
Allocatable:
 nvidia.com/gpu:  2
  nvidia.com/gpu  0           0

    In this example, 2 GPUs are available.

  2. Set a quota in the namespace 

    nvidia
    . In this example, the quota is 
    1
    : 

    # cat gpu-quota.yaml

    Example output

    apiVersion: v1
kind: ResourceQuota
metadata:
  name: gpu-quota
  namespace: nvidia
spec:
  hard:
    requests.nvidia.com/gpu: 1

  3. Create the quota: 

    # oc create -f gpu-quota.yaml

    Example output

    resourcequota/gpu-quota created

  4. Verify that the namespace has the correct quota set: 

    # oc describe quota gpu-quota -n nvidia

    Example output

    Name:                    gpu-quota
Namespace:               nvidia
Resource                 Used  Hard
--------                 ----  ----
requests.nvidia.com/gpu  0     1

  5. Define a pod that asks for a single GPU. The following example definition file is called 

    gpu-pod.yaml
    : 

    apiVersion: v1
kind: Pod
metadata:
  generateName: gpu-pod-
  namespace: nvidia
spec:
  restartPolicy: OnFailure
  containers:
  - name: rhel7-gpu-pod
    image: rhel7
    env:
      - name: NVIDIA_VISIBLE_DEVICES
        value: all
      - name: NVIDIA_DRIVER_CAPABILITIES
        value: "compute,utility"
      - name: NVIDIA_REQUIRE_CUDA
        value: "cuda>=5.0"
    command: ["sleep"]
    args: ["infinity"]
    resources:
      limits:
        nvidia.com/gpu: 1

  6. Create the pod: 

    # oc create -f gpu-pod.yaml

  7. Verify that the pod is running: 

    # oc get pods

    Example output

    NAME              READY     STATUS      RESTARTS   AGE
gpu-pod-s46h7     1/1       Running     0          1m

  8. Verify that the quota 

    Used
    counter is correct: 

    # oc describe quota gpu-quota -n nvidia

    Example output

    Name:                    gpu-quota
Namespace:               nvidia
Resource                 Used  Hard
--------                 ----  ----
requests.nvidia.com/gpu  1     1

  9. Attempt to create a second GPU pod in the 

    nvidia
    namespace. This is technically available on the node because it has 2 GPUs: 

    # oc create -f gpu-pod.yaml

    Example output

    Error from server (Forbidden): error when creating "gpu-pod.yaml": pods "gpu-pod-f7z2w" is forbidden: exceeded quota: gpu-quota, requested: requests.nvidia.com/gpu=1, used: requests.nvidia.com/gpu=1, limited: requests.nvidia.com/gpu=1

    This Forbidden error message is expected because you have a quota of 1 GPU and this pod tried to allocate a second GPU, which exceeds its quota.

9.1.7. Viewing a quota
Copia collegamento

You can view usage statistics related to any hard limits defined in a project’s quota by navigating in the web console to the project’s Quota page.

You can also use the CLI to view quota details.

Procedure

  1. Get the list of quotas defined in the project. For example, for a project called 

    demoproject
    : 

    $ oc get quota -n demoproject

    Example output

    NAME                AGE
besteffort          11m
compute-resources   2m
core-object-counts  29m

  2. Describe the quota you are interested in, for example the 

    core-object-counts
    quota: 

    $ oc describe quota core-object-counts -n demoproject

    Example output

    Name:			core-object-counts
Namespace:		demoproject
Resource		Used	Hard
--------		----	----
configmaps		3	10
persistentvolumeclaims	0	4
replicationcontrollers	3	20
secrets			9	10
services		2	10

9.1.8. Configuring explicit resource quotas
Copia collegamento

Configure explicit resource quotas in a project request template to apply specific resource quotas in new projects.

Prerequisites

  • Access to the cluster as a user with the cluster-admin role.
  • Install the OpenShift CLI (
    oc
    ).

Procedure

  1. Add a resource quota definition to a project request template:

    • If a project request template does not exist in a cluster:

      1. Create a bootstrap project template and output it to a file called 

        template.yaml
        : 

        $ oc adm create-bootstrap-project-template -o yaml > template.yaml

      2. Add a resource quota definition to 

        template.yaml
        . The following example defines a resource quota named 'storage-consumption'. The definition must be added before the 
        parameters:
        section in the template: 

        - apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: storage-consumption
    namespace: ${PROJECT_NAME}
  spec:
    hard:
      persistentvolumeclaims: "10"
        1 
        
      requests.storage: "50Gi"
        2 
        
      gold.storageclass.storage.k8s.io/requests.storage: "10Gi"
        3 
        
      silver.storageclass.storage.k8s.io/requests.storage: "20Gi"
        4 
        
      silver.storageclass.storage.k8s.io/persistentvolumeclaims: "5"
        5 
        
      bronze.storageclass.storage.k8s.io/requests.storage: "0"
        6 
        
      bronze.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
        7
        1
        The total number of persistent volume claims in a project.
        2
        Across all persistent volume claims in a project, the sum of storage requested cannot exceed this value.
        3
        Across all persistent volume claims in a project, the sum of storage requested in the gold storage class cannot exceed this value.
        4
        Across all persistent volume claims in a project, the sum of storage requested in the silver storage class cannot exceed this value.
        5
        Across all persistent volume claims in a project, the total number of claims in the silver storage class cannot exceed this value.
        6
        Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this value is set to 0, the bronze storage class cannot request storage.
        7
        Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this value is set to 0, the bronze storage class cannot create claims.

      3. Create a project request template from the modified 

        template.yaml
        file in the 
        openshift-config
        namespace: 

        $ oc create -f template.yaml -n openshift-config
        Note

        To include the configuration as a 

        kubectl.kubernetes.io/last-applied-configuration
        annotation, add the 
        --save-config
        option to the 
        oc create
        command.

        By default, the template is called 

        project-request
        .

    • If a project request template already exists within a cluster:

      Note

      If you declaratively or imperatively manage objects within your cluster by using configuration files, edit the existing project request template through those files instead.

      1. List templates in the 

        openshift-config
        namespace: 

        $ oc get templates -n openshift-config

      2. Edit an existing project request template: 

        $ oc edit template <project_request_template> -n openshift-config
      3. Add a resource quota definition, such as the preceding 
        storage-consumption
        example, into the existing template. The definition must be added before the 
        parameters:
        section in the template.

  2. If you created a project request template, reference it in the cluster’s project configuration resource:

    1. Access the project configuration resource for editing:

      • By using the web console:

        1. Navigate to the Administration Cluster Settings page.
        2. Click Configuration to view all configuration resources.
        3. Find the entry for Project and click Edit YAML.

      • By using the CLI:

        1. Edit the 

          project.config.openshift.io/cluster
          resource: 

          $ oc edit project.config.openshift.io/cluster

    2. Update the 

      spec
      section of the project configuration resource to include the 
      projectRequestTemplate
      and 
      name
      parameters. The following example references the default project request template name 
      project-request
      : 

      apiVersion: config.openshift.io/v1
kind: Project
metadata:
  ...
spec:
  projectRequestTemplate:
    name: project-request

  3. Verify that the resource quota is applied when projects are created:

    1. Create a project: 

      $ oc new-project <project_name>

    2. List the project’s resource quotas: 

      $ oc get resourcequotas

    3. Describe the resource quota in detail: 

      $ oc describe resourcequotas <resource_quota_name>

9.2. Resource quotas across multiple projects
Copia collegamento

A multi-project quota, defined by a 

ClusterResourceQuota
object, allows quotas to be shared across multiple projects. Resources used in each selected project are aggregated and that aggregate is used to limit resources across all the selected projects.

This guide describes how cluster administrators can set and manage resource quotas across multiple projects.

9.2.1. Selecting multiple projects during quota creation
Copia collegamento

When creating quotas, you can select multiple projects based on annotation selection, label selection, or both.

Procedure

  1. To select projects based on annotations, run the following command: 

    $ oc create clusterquota for-user \
     --project-annotation-selector openshift.io/requester=<user_name> \
     --hard pods=10 \
     --hard secrets=20

    This creates the following 

    ClusterResourceQuota
    object: 

    apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
  name: for-user
spec:
  quota:
    1 
    
    hard:
      pods: "10"
      secrets: "20"
  selector:
    annotations:
    2 
    
      openshift.io/requester: <user_name>
    labels: null
    3 
    
status:
  namespaces:
    4 
    
  - namespace: ns-one
    status:
      hard:
        pods: "10"
        secrets: "20"
      used:
        pods: "1"
        secrets: "9"
  total:
    5 
    
    hard:
      pods: "10"
      secrets: "20"
    used:
      pods: "1"
      secrets: "9"
    1
    The ResourceQuotaSpec object that will be enforced over the selected projects.
    2
    A simple key-value selector for annotations.
    3
    A label selector that can be used to select projects.
    4
    A per-namespace map that describes current quota usage in each selected project.
    5
    The aggregate usage across all selected projects.

    This multi-project quota document controls all projects requested by 

    <user_name>
    using the default project request endpoint. You are limited to 10 pods and 20 secrets.

  2. Similarly, to select projects based on labels, run this command: 

    $  oc create clusterresourcequota for-name \
    1 
    
    --project-label-selector=name=frontend \
    2 
    
    --hard=pods=10 --hard=secrets=20
    1
    Both clusterresourcequota and clusterquota are aliases of the same command. for-name is the name of the ClusterResourceQuota object.
    2
    To select projects by label, provide a key-value pair by using the format --project-label-selector=key=value.

    This creates the following 

    ClusterResourceQuota
    object definition: 

    apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
  creationTimestamp: null
  name: for-name
spec:
  quota:
    hard:
      pods: "10"
      secrets: "20"
  selector:
    annotations: null
    labels:
      matchLabels:
        name: frontend

9.2.2. Viewing applicable cluster resource quotas
Copia collegamento

A project administrator is not allowed to create or modify the multi-project quota that limits his or her project, but the administrator is allowed to view the multi-project quota documents that are applied to his or her project. The project administrator can do this via the 

AppliedClusterResourceQuota
resource.

Procedure

  1. To view quotas applied to a project, run: 

    $ oc describe AppliedClusterResourceQuota

    Example output

    Name:   for-user
Namespace:  <none>
Created:  19 hours ago
Labels:   <none>
Annotations:  <none>
Label Selector: <null>
AnnotationSelector: map[openshift.io/requester:<user-name>]
Resource  Used  Hard
--------  ----  ----
pods        1     10
secrets     9     20

9.2.3. Selection granularity
Copia collegamento

Because of the locking consideration when claiming quota allocations, the number of active projects selected by a multi-project quota is an important consideration. Selecting more than 100 projects under a single multi-project quota can have detrimental effects on API server responsiveness in those projects.

Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima