第17章 制限範囲の設定
17.1. 概要
A limit range, defined by a LimitRange
object, enumerates compute resource constraints in a project at the pod, container, image, image stream, and persistent volume claim level, and specifies the amount of resources that a pod, container, image, image stream, or persistent volume claim can consume.
All resource create and modification requests are evaluated against each LimitRange
object in the project. If the resource violates any of the enumerated constraints, then the resource is rejected. If the resource does not set an explicit value, and if the constraint supports a default value, then the default value is applied to the resource.
コア Limit Range オブジェクトの定義
apiVersion: "v1" kind: "LimitRange" metadata: name: "core-resource-limits" 1 spec: limits: - type: "Pod" max: cpu: "2" 2 memory: "1Gi" 3 min: cpu: "200m" 4 memory: "6Mi" 5 - type: "Container" max: cpu: "2" 6 memory: "1Gi" 7 min: cpu: "100m" 8 memory: "4Mi" 9 default: cpu: "300m" 10 memory: "200Mi" 11 defaultRequest: cpu: "200m" 12 memory: "100Mi" 13 maxLimitRequestRatio: cpu: "10" 14
- 1
- 制限範囲オブジェクトの名前です。
- 2
- すべてのコンテナーにおいて Pod がノードで要求できる CPU の最大量です。
- 3
- すべてのコンテナーにおいて Pod がノードで要求できるメモリーの最大量です。
- 4
- The minimum amount of CPU that a pod can request on a node across all containers.
- 5
- The minimum amount of memory that a pod can request on a node across all containers.
- 6
- Pod の単一コンテナーが要求できる CPU の最大量です。
- 7
- Pod の単一コンテナーが要求できるメモリーの最大量です。
- 8
- The minimum amount of CPU that a single container in a pod can request.
- 9
- The minimum amount of memory that a single container in a pod can request.
- 10
- The default amount of CPU that a container will be limited to use if not specified.
- 11
- The default amount of memory that a container will be limited to use if not specified.
- 12
- The default amount of CPU that a container will request to use if not specified.
- 13
- The default amount of memory that a container will request to use if not specified.
- 14
- The maximum amount of CPU burst that a container can make as a ratio of its limit over request.
For more information on how CPU and memory are measured, see Compute Resources.
OpenShift Container Platform の Limit Range オブジェクトの定義
apiVersion: "v1" kind: "LimitRange" metadata: name: "openshift-resource-limits" spec: limits: - type: openshift.io/Image max: storage: 1Gi 1 - type: openshift.io/ImageStream max: openshift.io/image-tags: 20 2 openshift.io/images: 30 3
Both core and OpenShift Container Platform resources can be specified in just one limit range object. They are separated here into two examples for clarity.
17.1.1. コンテナーの制限
サポートされるリソース:
- CPU
- メモリー
サポートされる制約:
コンテナーごとに設定されます。指定される場合、以下を満たしている必要があります。
制約 | 動作 |
---|---|
|
If the configuration defines a |
|
If the configuration defines a |
|
If a configuration defines a
For example, if a container has |
サポートされるデフォルト:
Default[resource]
-
指定がない場合は
container.resources.limit[resource]
を所定の値にデフォルト設定します。 Default Requests[resource]
-
指定がない場合は、
container.resources.requests[resource]
を所定の値にデフォルト設定します。
17.1.2. Pod の制限
サポートされるリソース:
- CPU
- メモリー
サポートされる制約:
Pod のすべてのコンテナーにおいて、以下を満たしている必要があります。
制約 | 実施される動作 |
---|---|
|
|
|
|
|
|
17.1.3. イメージの制限
サポートされるリソース:
- ストレージ
リソースタイプ名:
-
openshift.io/Image
イメージごとに設定されます。指定される場合、以下が一致している必要があります。
制約 | 動作 |
---|---|
|
|
To prevent blobs exceeding the limit from being uploaded to the registry, the registry must be configured to enforce quota. An environment variable REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA
must be set to true
which is done by default for new deployments. To update older deployment configuration, refer to Enforcing quota in the Registry.
The image size is not always available in the manifest of an uploaded image. This is especially the case for images built with Docker 1.10 or higher and pushed to a v2 registry. If such an image is pulled with an older Docker daemon, the image manifest will be converted by the registry to schema v1 lacking all the size information. No storage limit set on images will prevent it from being uploaded.
現在、この問題への対応が行われています。
17.1.4. イメージストリームの制限
サポートされるリソース:
-
openshift.io/image-tags
-
openshift.io/images
リソースタイプ名:
-
openshift.io/ImageStream
イメージストリームごとに設定されます。指定される場合、以下が一致している必要があります。
制約 | 動作 |
---|---|
|
|
|
|
17.1.4.1. イメージ参照の数
Resource openshift.io/image-tags
represents unique image references. Possible references are an ImageStreamTag
, an ImageStreamImage
and a DockerImage
. They may be created using commands oc tag
and oc import-image
or by using tag tracking. No distinction is made between internal and external references. However, each unique reference tagged in the image stream’s specification is counted just once. It does not restrict pushes to an internal container registry in any way, but is useful for tag restriction.
Resource openshift.io/images
represents unique image names recorded in image stream status. It allows for restriction of a number of images that can be pushed to the internal registry. Internal and external references are not distinguished.
17.1.5. PersistentVolumeClaim の制限
サポートされるリソース:
- ストレージ
サポートされる制約:
プロジェクトのすべての Persistent Volume Claim (永続ボリューム要求、PVC) において、以下が一致している必要があります。
制約 | 実施される動作 |
---|---|
|
Min[resource] ⇐ claim.spec.resources.requests[resource] (required) |
|
claim.spec.resources.requests[resource] (required) ⇐ Max[resource] |
Limit Range オブジェクトの定義
{ "apiVersion": "v1", "kind": "LimitRange", "metadata": { "name": "pvcs" 1 }, "spec": { "limits": [{ "type": "PersistentVolumeClaim", "min": { "storage": "2Gi" 2 }, "max": { "storage": "50Gi" 3 } } ] } }
17.2. 制限範囲の作成
To apply a limit range to a project, create a limit range object definition on your file system to your desired specifications, then run:
$ oc create -f <limit_range_file> -n <project>
17.3. Viewing Limits
You can view any limit ranges defined in a project by navigating in the web console to the project’s Quota page.
You can also use the CLI to view limit range details:
First, get the list of limit ranges defined in the project. For example, for a project called demoproject:
$ oc get limits -n demoproject NAME AGE resource-limits 6d
Then, describe the limit range you are interested in, for example the resource-limits limit range:
$ oc describe limits resource-limits -n demoproject Name: resource-limits Namespace: demoproject Type Resource Min Max Default Request Default Limit Max Limit/Request Ratio ---- -------- --- --- --------------- ------------- ----------------------- Pod cpu 200m 2 - - - Pod memory 6Mi 1Gi - - - Container cpu 100m 2 200m 300m 10 Container memory 4Mi 1Gi 100Mi 200Mi - openshift.io/Image storage - 1Gi - - - openshift.io/ImageStream openshift.io/image - 12 - - - openshift.io/ImageStream openshift.io/image-tags - 10 - - -
17.4. Deleting Limits
Remove any active limit range to no longer enforce the limits of a project:
$ oc delete limits <limit_name>