Resource quotas across multiple projects

A multi-project quota, defined by a ClusterResourceQuota object, allows quotas to be shared across multiple projects. Resources used in each selected project are aggregated and that aggregate is used to limit resources across all the selected projects.

This guide describes how cluster administrators can set and manage resource quotas across multiple projects.

Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components.

The following default projects are considered highly privileged: default, kube-public, kube-system, openshift, openshift-infra, openshift-node, and other system-created projects that have the openshift.io/run-level label set to 0 or 1. Functionality that relies on admission plugins, such as pod security admission, security context constraints, cluster resource quotas, and image reference resolution, does not work in highly privileged projects.

Selecting multiple projects during quota creation

When creating quotas, you can select multiple projects based on annotation selection, label selection, or both.

Procedure

  1. To select projects based on annotations, run the following command:

    $ oc create clusterquota for-user \
        --project-annotation-selector openshift.io/requester=<user_name> \
        --hard pods=10 \
        --hard secrets=20

    This creates the following ClusterResourceQuota object:

    apiVersion: quota.openshift.io/v1
    kind: ClusterResourceQuota
    metadata:
      name: for-user
    spec:
      quota: # (1)
        hard:
          pods: "10"
          secrets: "20"
      selector:
        annotations: # (2)
          openshift.io/requester: <user_name>
        labels: null # (3)
    status:
      namespaces: # (4)
      - namespace: ns-one
        status:
          hard:
            pods: "10"
            secrets: "20"
          used:
            pods: "1"
            secrets: "9"
      total: # (5)
        hard:
          pods: "10"
          secrets: "20"
        used:
          pods: "1"
          secrets: "9"

    (1) The ResourceQuotaSpec object that will be enforced over the selected projects.
    (2) A simple key-value selector for annotations.
    (3) A label selector that can be used to select projects.
    (4) A per-namespace map that describes current quota usage in each selected project.
    (5) The aggregate usage across all selected projects.

    This multi-project quota document controls all projects requested by <user_name> using the default project request endpoint. Across those projects combined, the user is limited to 10 pods and 20 secrets.

  2. Similarly, to select projects based on labels, run this command:

    $ oc create clusterresourcequota for-name \
        --project-label-selector=name=frontend \
        --hard=pods=10 --hard=secrets=20

    Both clusterresourcequota and clusterquota are aliases of the same command. for-name is the name of the ClusterResourceQuota object.
    To select projects by label, provide a key-value pair by using the format --project-label-selector=key=value.

    This creates the following ClusterResourceQuota object definition:

    apiVersion: quota.openshift.io/v1
    kind: ClusterResourceQuota
    metadata:
      creationTimestamp: null
      name: for-name
    spec:
      quota:
        hard:
          pods: "10"
          secrets: "20"
      selector:
        annotations: null
        labels:
          matchLabels:
            name: frontend

Viewing applicable cluster resource quotas

A project administrator is not allowed to create or modify the multi-project quota that limits his or her project, but the administrator is allowed to view the multi-project quota documents that are applied to his or her project. The project administrator can do this via the AppliedClusterResourceQuota resource.

Procedure

  1. To view quotas applied to a project, run:

    $ oc describe AppliedClusterResourceQuota

    Example output

    Name:               for-user
    Namespace:          <none>
    Created:            19 hours ago
    Labels:             <none>
    Annotations:        <none>
    Label Selector:     <null>
    AnnotationSelector: map[openshift.io/requester:<user-name>]
    Resource            Used    Hard
    --------            ----    ----
    pods                1       10
    secrets             9       20

Selection granularity

Because of the locking involved in claiming quota allocations, the number of active projects selected by a multi-project quota is an important consideration. Selecting more than 100 projects under a single multi-project quota can have detrimental effects on API server responsiveness in those projects.
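The following audit sketch is an added example, not part of the original guide or of OpenShift. It evaluates a ClusterResourceQuota selector against project metadata, separates out highly privileged projects (where the quota does not work), and flags quotas that select more than 100 projects. The function names, the user "alice" and the sample projects are constructed; it assumes all supplied projects are active and handles only matchLabels.

```python
PRIVILEGED_NAMES = {"default", "kube-public", "kube-system", "openshift",
                    "openshift-infra", "openshift-node"}
MAX_SELECTED = 100  # the guide warns about selecting more than 100 projects

def selects(selector, project):
    """True if the project's metadata satisfies the quota selector.
    A null selector part is skipped; when both parts are set, both must
    match. Only matchLabels is handled (assumption of this sketch)."""
    meta = project["metadata"]
    want_ann = selector.get("annotations") or {}
    want_lab = (selector.get("labels") or {}).get("matchLabels") or {}
    if not want_ann and not want_lab:
        return False  # no criteria at all: treated as invalid here
    have_ann = meta.get("annotations") or {}
    have_lab = meta.get("labels") or {}
    return (all(have_ann.get(k) == v for k, v in want_ann.items())
            and all(have_lab.get(k) == v for k, v in want_lab.items()))

def is_highly_privileged(project):
    """Default projects and run-level 0/1 projects, as listed in the guide."""
    meta = project["metadata"]
    run_level = (meta.get("labels") or {}).get("openshift.io/run-level")
    return meta["name"] in PRIVILEGED_NAMES or run_level in ("0", "1")

def audit(quota, projects):
    """Return (enforced, unenforced, too_many) for one quota object."""
    picked = [p for p in projects if selects(quota["spec"]["selector"], p)]
    unenforced = sorted(p["metadata"]["name"] for p in picked
                        if is_highly_privileged(p))
    enforced = sorted(p["metadata"]["name"] for p in picked
                      if not is_highly_privileged(p))
    return enforced, unenforced, len(picked) > MAX_SELECTED

# Constructed sample data, shaped like the objects shown in this guide.
def project(name, requester=None, labels=None):
    ann = {"openshift.io/requester": requester} if requester else {}
    return {"metadata": {"name": name, "annotations": ann,
                         "labels": labels or {}}}

QUOTA = {"spec": {"quota": {"hard": {"pods": "10", "secrets": "20"}},
                  "selector": {"annotations":
                               {"openshift.io/requester": "alice"},
                               "labels": None}}}
PROJECTS = [project("ns-one", "alice"), project("ns-two", "bob"),
            project("infra-x", "alice", {"openshift.io/run-level": "1"})]

if __name__ == "__main__":
    print(audit(QUOTA, PROJECTS))
```

A project that appears in the second list matches the selector but sits outside quota enforcement, so its usage should be reviewed separately.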