Resource quotas per project

A resource quota, defined by a ResourceQuota object, provides constraints that limit aggregate resource consumption per project. It can limit the quantity of objects that can be created in a project by type, as well as the total amount of compute resources and storage that might be consumed by resources in that project.

This guide describes how resource quotas work, how cluster administrators can set and manage resource quotas on a per project basis, and how developers and cluster administrators can view them.

Resources managed by quotas

The following describes the set of compute resources and object types that can be managed by a quota.

A pod is in a terminal state if status.phase in (Failed, Succeeded) is true.

Table 1. Compute resources managed by quota
Resource NameDescription

cpu

The sum of CPU requests across all pods in a non-terminal state cannot exceed this value. cpu and requests.cpu are the same value and can be used interchangeably.

memory

The sum of memory requests across all pods in a non-terminal state cannot exceed this value. memory and requests.memory are the same value and can be used interchangeably.

requests.cpu

The sum of CPU requests across all pods in a non-terminal state cannot exceed this value. cpu and requests.cpu are the same value and can be used interchangeably.

requests.memory

The sum of memory requests across all pods in a non-terminal state cannot exceed this value. memory and requests.memory are the same value and can be used interchangeably.

limits.cpu

The sum of CPU limits across all pods in a non-terminal state cannot exceed this value.

limits.memory

The sum of memory limits across all pods in a non-terminal state cannot exceed this value.

Table 2. Storage resources managed by quota
Resource NameDescription

requests.storage

The sum of storage requests across all persistent volume claims in any state cannot exceed this value.

persistentvolumeclaims

The total number of persistent volume claims that can exist in the project.

<storage-class-name>.storageclass.storage.k8s.io/requests.storage

The sum of storage requests across all persistent volume claims in any state that have a matching storage class, cannot exceed this value.

<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims

The total number of persistent volume claims with a matching storage class that can exist in the project.

ephemeral-storage

The sum of local ephemeral storage requests across all pods in a non-terminal state cannot exceed this value. ephemeral-storage and requests.ephemeral-storage are the same value and can be used interchangeably.

requests.ephemeral-storage

The sum of ephemeral storage requests across all pods in a non-terminal state cannot exceed this value. ephemeral-storage and requests.ephemeral-storage are the same value and can be used interchangeably.

limits.ephemeral-storage

The sum of ephemeral storage limits across all pods in a non-terminal state cannot exceed this value.

Table 3. Object counts managed by quota
Resource NameDescription

pods

The total number of pods in a non-terminal state that can exist in the project.

replicationcontrollers

The total number of ReplicationControllers that can exist in the project.

resourcequotas

The total number of resource quotas that can exist in the project.

services

The total number of services that can exist in the project.

services.loadbalancers

The total number of services of type LoadBalancer that can exist in the project.

services.nodeports

The total number of services of type NodePort that can exist in the project.

secrets

The total number of secrets that can exist in the project.

configmaps

The total number of ConfigMap objects that can exist in the project.

persistentvolumeclaims

The total number of persistent volume claims that can exist in the project.

openshift.io/imagestreams

The total number of imagestreams that can exist in the project.

Quota scopes

Each quota can have an associated set of scopes. A quota only measures usage for a resource if it matches the intersection of enumerated scopes.

Adding a scope to a quota restricts the set of resources to which that quota can apply. Specifying a resource outside of the allowed set results in a validation error.

Scope

Description

BestEffort

Match pods that have best effort quality of service for either cpu or memory.

NotBestEffort

Match pods that do not have best effort quality of service for cpu and memory.

A BestEffort scope restricts a quota to limiting the following resources:

  • pods

A NotBestEffort scope restricts a quota to tracking the following resources:

  • pods

  • memory

  • requests.memory

  • limits.memory

  • cpu

  • requests.cpu

  • limits.cpu

Quota enforcement

After a resource quota for a project is first created, the project restricts the ability to create any new resources that may violate a quota constraint until it has calculated updated usage statistics.

After a quota is created and usage statistics are updated, the project accepts the creation of new content. When you create or modify resources, your quota usage is incremented immediately upon the request to create or modify the resource.

When you delete a resource, your quota use is decremented during the next full recalculation of quota statistics for the project. A configurable amount of time determines how long it takes to reduce quota usage statistics to their current observed system value.

If project modifications exceed a quota usage limit, the server denies the action, and an appropriate error message is returned to the user explaining the quota constraint violated, and what their currently observed usage statistics are in the system.

Requests versus limits

When allocating compute resources, each container might specify a request and a limit value each for CPU, memory, and ephemeral storage. Quotas can restrict any of these values.

If the quota has a value specified for requests.cpu or requests.memory, then it requires that every incoming container make an explicit request for those resources. If the quota has a value specified for limits.cpu or limits.memory, then it requires that every incoming container specify an explicit limit for those resources.

Sample resource quota definitions

core-object-counts.yaml

  1. apiVersion: v1
  2. kind: ResourceQuota
  3. metadata:
  4. name: core-object-counts
  5. spec:
  6. hard:
  7. configmaps: "10" (1)
  8. persistentvolumeclaims: "4" (2)
  9. replicationcontrollers: "20" (3)
  10. secrets: "10" (4)
  11. services: "10" (5)
  12. services.loadbalancers: "2" (6)
1The total number of ConfigMap objects that can exist in the project.
2The total number of persistent volume claims (PVCs) that can exist in the project.
3The total number of replication controllers that can exist in the project.
4The total number of secrets that can exist in the project.
5The total number of services that can exist in the project.
6The total number of services of type LoadBalancer that can exist in the project.

openshift-object-counts.yaml

  1. apiVersion: v1
  2. kind: ResourceQuota
  3. metadata:
  4. name: openshift-object-counts
  5. spec:
  6. hard:
  7. openshift.io/imagestreams: "10" (1)
1The total number of image streams that can exist in the project.

compute-resources.yaml

  1. apiVersion: v1
  2. kind: ResourceQuota
  3. metadata:
  4. name: compute-resources
  5. spec:
  6. hard:
  7. pods: "4" (1)
  8. requests.cpu: "1" (2)
  9. requests.memory: 1Gi (3)
  10. limits.cpu: "2" (4)
  11. limits.memory: 2Gi (5)
1The total number of pods in a non-terminal state that can exist in the project.
2Across all pods in a non-terminal state, the sum of CPU requests cannot exceed 1 core.
3Across all pods in a non-terminal state, the sum of memory requests cannot exceed 1Gi.
4Across all pods in a non-terminal state, the sum of CPU limits cannot exceed 2 cores.
5Across all pods in a non-terminal state, the sum of memory limits cannot exceed 2Gi.

besteffort.yaml

  1. apiVersion: v1
  2. kind: ResourceQuota
  3. metadata:
  4. name: besteffort
  5. spec:
  6. hard:
  7. pods: "1" (1)
  8. scopes:
  9. - BestEffort (2)
1The total number of pods in a non-terminal state with BestEffort quality of service that can exist in the project.
2Restricts the quota to only matching pods that have BestEffort quality of service for either memory or CPU.

compute-resources-long-running.yaml

  1. apiVersion: v1
  2. kind: ResourceQuota
  3. metadata:
  4. name: compute-resources-long-running
  5. spec:
  6. hard:
  7. pods: "4" (1)
  8. limits.cpu: "4" (2)
  9. limits.memory: "2Gi" (3)
  10. scopes:
  11. - NotTerminating (4)
1The total number of pods in a non-terminal state.
2Across all pods in a non-terminal state, the sum of CPU limits cannot exceed this value.
3Across all pods in a non-terminal state, the sum of memory limits cannot exceed this value.
4Restricts the quota to only matching pods where spec.activeDeadlineSeconds is set to nil. Build pods fall under NotTerminating unless the RestartNever policy is applied.

compute-resources-time-bound.yaml

  1. apiVersion: v1
  2. kind: ResourceQuota
  3. metadata:
  4. name: compute-resources-time-bound
  5. spec:
  6. hard:
  7. pods: "2" (1)
  8. limits.cpu: "1" (2)
  9. limits.memory: "1Gi" (3)
  10. scopes:
  11. - Terminating (4)
1The total number of pods in a terminating state.
2Across all pods in a terminating state, the sum of CPU limits cannot exceed this value.
3Across all pods in a terminating state, the sum of memory limits cannot exceed this value.
4Restricts the quota to only matching pods where spec.activeDeadlineSeconds >=0. For example, this quota charges for build or deployer pods, but not long running pods like a web server or database.

storage-consumption.yaml

  1. apiVersion: v1
  2. kind: ResourceQuota
  3. metadata:
  4. name: storage-consumption
  5. spec:
  6. hard:
  7. persistentvolumeclaims: "10" (1)
  8. requests.storage: "50Gi" (2)
  9. gold.storageclass.storage.k8s.io/requests.storage: "10Gi" (3)
  10. silver.storageclass.storage.k8s.io/requests.storage: "20Gi" (4)
  11. silver.storageclass.storage.k8s.io/persistentvolumeclaims: "5" (5)
  12. bronze.storageclass.storage.k8s.io/requests.storage: "0" (6)
  13. bronze.storageclass.storage.k8s.io/persistentvolumeclaims: "0" (7)
  14. requests.ephemeral-storage: 2Gi (8)
  15. limits.ephemeral-storage: 4Gi (9)
1The total number of persistent volume claims in a project
2Across all persistent volume claims in a project, the sum of storage requested cannot exceed this value.
3Across all persistent volume claims in a project, the sum of storage requested in the gold storage class cannot exceed this value.
4Across all persistent volume claims in a project, the sum of storage requested in the silver storage class cannot exceed this value.
5Across all persistent volume claims in a project, the total number of claims in the silver storage class cannot exceed this value.
6Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this is set to 0, it means bronze storage class cannot request storage.
7Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this is set to 0, it means bronze storage class cannot create claims.
8Across all pods in a non-terminal state, the sum of ephemeral storage requests cannot exceed 2Gi.
9Across all pods in a non-terminal state, the sum of ephemeral storage limits cannot exceed 4Gi.

Creating a quota

You can create a quota to constrain resource usage in a given project.

Procedure

  1. Define the quota in a file.

  2. Use the file to create the quota and apply it to a project:

    1. $ oc create -f <file> [-n <project_name>]

    For example:

    1. $ oc create -f core-object-counts.yaml -n demoproject

Creating object count quotas

You can create an object count quota for all standard namespaced resource types on OKD, such as BuildConfig and DeploymentConfig objects. An object quota count places a defined quota on all standard namespaced resource types.

When using a resource quota, an object is charged against the quota upon creation. These types of quotas are useful to protect against exhaustion of resources. The quota can only be created if there are enough spare resources within the project.

Procedure

To configure an object count quota for a resource:

  1. Run the following command:

    1. $ oc create quota <name> \
    2. --hard=count/<resource>.<group>=<quota>,count/<resource>.<group>=<quota> (1)
    1The <resource> variable is the name of the resource, and <group> is the API group, if applicable. Use the oc api-resources command for a list of resources and their associated API groups.

    For example:

    1. $ oc create quota test \
    2. --hard=count/deployments.extensions=2,count/replicasets.extensions=4,count/pods=3,count/secrets=4

    Example output

    1. resourcequota "test" created

    This example limits the listed resources to the hard limit in each project in the cluster.

  2. Verify that the quota was created:

    1. $ oc describe quota test

    Example output

    1. Name: test
    2. Namespace: quota
    3. Resource Used Hard
    4. -------- ---- ----
    5. count/deployments.extensions 0 2
    6. count/pods 0 3
    7. count/replicasets.extensions 0 4
    8. count/secrets 0 4

Setting resource quota for extended resources

Overcommitment of resources is not allowed for extended resources, so you must specify requests and limits for the same extended resource in a quota. Currently, only quota items with the prefix requests. is allowed for extended resources. The following is an example scenario of how to set resource quota for the GPU resource nvidia.com/gpu.

Procedure

  1. Determine how many GPUs are available on a node in your cluster. For example:

    1. # oc describe node ip-172-31-27-209.us-west-2.compute.internal | egrep 'Capacity|Allocatable|gpu'

    Example output

    1. openshift.com/gpu-accelerator=true
    2. Capacity:
    3. nvidia.com/gpu: 2
    4. Allocatable:
    5. nvidia.com/gpu: 2
    6. nvidia.com/gpu 0 0

    In this example, 2 GPUs are available.

  2. Set a quota in the namespace nvidia. In this example, the quota is 1:

    1. # cat gpu-quota.yaml

    Example output

    1. apiVersion: v1
    2. kind: ResourceQuota
    3. metadata:
    4. name: gpu-quota
    5. namespace: nvidia
    6. spec:
    7. hard:
    8. requests.nvidia.com/gpu: 1
  3. Create the quota:

    1. # oc create -f gpu-quota.yaml

    Example output

    1. resourcequota/gpu-quota created
  4. Verify that the namespace has the correct quota set:

    1. # oc describe quota gpu-quota -n nvidia

    Example output

    1. Name: gpu-quota
    2. Namespace: nvidia
    3. Resource Used Hard
    4. -------- ---- ----
    5. requests.nvidia.com/gpu 0 1
  5. Define a pod that asks for a single GPU. The following example definition file is called gpu-pod.yaml:

    1. apiVersion: v1
    2. kind: Pod
    3. metadata:
    4. generateName: gpu-pod-
    5. namespace: nvidia
    6. spec:
    7. restartPolicy: OnFailure
    8. containers:
    9. - name: rhel7-gpu-pod
    10. image: rhel7
    11. env:
    12. - name: NVIDIA_VISIBLE_DEVICES
    13. value: all
    14. - name: NVIDIA_DRIVER_CAPABILITIES
    15. value: "compute,utility"
    16. - name: NVIDIA_REQUIRE_CUDA
    17. value: "cuda>=5.0"
    18. command: ["sleep"]
    19. args: ["infinity"]
    20. resources:
    21. limits:
    22. nvidia.com/gpu: 1
  6. Create the pod:

    1. # oc create -f gpu-pod.yaml
  7. Verify that the pod is running:

    1. # oc get pods

    Example output

    1. NAME READY STATUS RESTARTS AGE
    2. gpu-pod-s46h7 1/1 Running 0 1m
  8. Verify that the quota Used counter is correct:

    1. # oc describe quota gpu-quota -n nvidia

    Example output

    1. Name: gpu-quota
    2. Namespace: nvidia
    3. Resource Used Hard
    4. -------- ---- ----
    5. requests.nvidia.com/gpu 1 1
  9. Attempt to create a second GPU pod in the nvidia namespace. This is technically available on the node because it has 2 GPUs:

    1. # oc create -f gpu-pod.yaml

    Example output

    1. Error from server (Forbidden): error when creating "gpu-pod.yaml": pods "gpu-pod-f7z2w" is forbidden: exceeded quota: gpu-quota, requested: requests.nvidia.com/gpu=1, used: requests.nvidia.com/gpu=1, limited: requests.nvidia.com/gpu=1

    This Forbidden error message is expected because you have a quota of 1 GPU and this pod tried to allocate a second GPU, which exceeds its quota.

Viewing a quota

You can view usage statistics related to any hard limits defined in a project’s quota by navigating in the web console to the project’s Quota page.

You can also use the CLI to view quota details.

Procedure

  1. Get the list of quotas defined in the project. For example, for a project called demoproject:

    1. $ oc get quota -n demoproject

    Example output

    1. NAME AGE
    2. besteffort 11m
    3. compute-resources 2m
    4. core-object-counts 29m
  2. Describe the quota you are interested in, for example the core-object-counts quota:

    1. $ oc describe quota core-object-counts -n demoproject

    Example output

    1. Name: core-object-counts
    2. Namespace: demoproject
    3. Resource Used Hard
    4. -------- ---- ----
    5. configmaps 3 10
    6. persistentvolumeclaims 0 4
    7. replicationcontrollers 3 20
    8. secrets 9 10
    9. services 2 10

Configuring explicit resource quotas

Configure explicit resource quotas in a project request template to apply specific resource quotas in new projects.

Prerequisites

  • Access to the cluster as a user with the cluster-admin role.

  • Install the OpenShift CLI (oc).

Procedure

  1. Add a resource quota definition to a project request template:

    • If a project request template does not exist in a cluster:

      1. Create a bootstrap project template and output it to a file called template.yaml:

        1. $ oc adm create-bootstrap-project-template -o yaml > template.yaml
      2. Add a resource quota definition to template.yaml. The following example defines a resource quota named ‘storage-consumption’. The definition must be added before the parameters: section in the template:

        1. - apiVersion: v1
        2. kind: ResourceQuota
        3. metadata:
        4. name: storage-consumption
        5. namespace: ${PROJECT_NAME}
        6. spec:
        7. hard:
        8. persistentvolumeclaims: "10" (1)
        9. requests.storage: "50Gi" (2)
        10. gold.storageclass.storage.k8s.io/requests.storage: "10Gi" (3)
        11. silver.storageclass.storage.k8s.io/requests.storage: "20Gi" (4)
        12. silver.storageclass.storage.k8s.io/persistentvolumeclaims: "5" (5)
        13. bronze.storageclass.storage.k8s.io/requests.storage: "0" (6)
        14. bronze.storageclass.storage.k8s.io/persistentvolumeclaims: "0" (7)
        1The total number of persistent volume claims in a project.
        2Across all persistent volume claims in a project, the sum of storage requested cannot exceed this value.
        3Across all persistent volume claims in a project, the sum of storage requested in the gold storage class cannot exceed this value.
        4Across all persistent volume claims in a project, the sum of storage requested in the silver storage class cannot exceed this value.
        5Across all persistent volume claims in a project, the total number of claims in the silver storage class cannot exceed this value.
        6Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this value is set to 0, the bronze storage class cannot request storage.
        7Across all persistent volume claims in a project, the sum of storage requested in the bronze storage class cannot exceed this value. When this value is set to 0, the bronze storage class cannot create claims.
      3. Create a project request template from the modified template.yaml file in the openshift-config namespace:

        1. $ oc create -f template.yaml -n openshift-config

        To include the configuration as a kubectl.kubernetes.io/last-applied-configuration annotation, add the —save-config option to the oc create command.

        By default, the template is called project-request.

    • If a project request template already exists within a cluster:

      If you declaratively or imperatively manage objects within your cluster by using configuration files, edit the existing project request template through those files instead.

      1. List templates in the openshift-config namespace:

        1. $ oc get templates -n openshift-config
      2. Edit an existing project request template:

        1. $ oc edit template <project_request_template> -n openshift-config
      3. Add a resource quota definition, such as the preceding storage-consumption example, into the existing template. The definition must be added before the parameters: section in the template.

  1. If you created a project request template, reference it in the cluster’s project configuration resource:

    1. Access the project configuration resource for editing:

      • By using the web console:

        1. Navigate to the AdministrationCluster Settings page.

        2. Click Configuration to view all configuration resources.

        3. Find the entry for Project and click Edit YAML.

      • By using the CLI:

        1. Edit the project.config.openshift.io/cluster resource:

          1. $ oc edit project.config.openshift.io/cluster
  1. 2. Update the `spec` section of the project configuration resource to include the `projectRequestTemplate` and `name` parameters. The following example references the default project request template name `project-request`:
  2. ```
  3. apiVersion: config.openshift.io/v1
  4. kind: Project
  5. metadata:
  6. ...
  7. spec:
  8. projectRequestTemplate:
  9. name: project-request
  10. ```
  1. Verify that the resource quota is applied when projects are created:

    1. Create a project:

      1. $ oc new-project <project_name>
    2. List the project’s resource quotas:

      1. $ oc get resourcequotas
    3. Describe the resource quota in detail:

      1. $ oc describe resourcequotas <resource_quota_name>