Restrict resource consumption with limit ranges
By default, containers run with unbounded compute resources on an OKD cluster. With limit ranges, you can restrict resource consumption for specific objects in a project:
pods and containers: You can set minimum and maximum requirements for CPU and memory for pods and their containers.
Image streams: You can set limits on the number of images and tags in an
ImageStream
object.Images: You can limit the size of images that can be pushed to an internal registry.
Persistent volume claims (PVC): You can restrict the size of the PVCs that can be requested.
If a pod does not meet the constraints imposed by the limit range, the pod cannot be created in the namespace.
About limit ranges
A limit range, defined by a LimitRange
object, restricts resource consumption in a project. In the project you can set specific resource limits for a pod, container, image, image stream, or persistent volume claim (PVC).
All requests to create and modify resources are evaluated against each LimitRange
object in the project. If the resource violates any of the enumerated constraints, the resource is rejected.
The following shows a limit range object for all components: pod, container, image, image stream, or PVC. You can configure limits for any or all of these components in the same object. You create a different limit range object for each project where you want to control resources.
Sample limit range object for a container
apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "resource-limits"
spec:
limits:
- type: "Container"
max:
cpu: "2"
memory: "1Gi"
min:
cpu: "100m"
memory: "4Mi"
default:
cpu: "300m"
memory: "200Mi"
defaultRequest:
cpu: "200m"
memory: "100Mi"
maxLimitRequestRatio:
cpu: "10"
About component limits
The following examples show limit range parameters for each component. The examples are broken out for clarity. You can create a single LimitRange
object for any or all components as necessary.
Container limits
A limit range allows you to specify the minimum and maximum CPU and memory that each container in a pod can request for a specific project. If a container is created in the project, the container CPU and memory requests in the Pod
spec must comply with the values set in the LimitRange
object. If not, the pod does not get created.
The container CPU or memory request and limit must be greater than or equal to the
min
resource constraint for containers that are specified in theLimitRange
object.The container CPU or memory request and limit must be less than or equal to the
max
resource constraint for containers that are specified in theLimitRange
object.If the
LimitRange
object defines amax
CPU, you do not need to define a CPUrequest
value in thePod
spec. But you must specify a CPUlimit
value that satisfies the maximum CPU constraint specified in the limit range.The ratio of the container limits to requests must be less than or equal to the
maxLimitRequestRatio
value for containers that is specified in theLimitRange
object.If the
LimitRange
object defines amaxLimitRequestRatio
constraint, any new containers must have both arequest
and alimit
value. OKD calculates the limit-to-request ratio by dividing thelimit
by therequest
. This value should be a non-negative integer greater than 1.For example, if a container has
cpu: 500
in thelimit
value, andcpu: 100
in therequest
value, the limit-to-request ratio forcpu
is5
. This ratio must be less than or equal to themaxLimitRequestRatio
.
If the Pod
spec does not specify a container resource memory or limit, the default
or defaultRequest
CPU and memory values for containers specified in the limit range object are assigned to the container.
Container LimitRange
object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "resource-limits" (1)
spec:
limits:
- type: "Container"
max:
cpu: "2" (2)
memory: "1Gi" (3)
min:
cpu: "100m" (4)
memory: "4Mi" (5)
default:
cpu: "300m" (6)
memory: "200Mi" (7)
defaultRequest:
cpu: "200m" (8)
memory: "100Mi" (9)
maxLimitRequestRatio:
cpu: "10" (10)
1 | The name of the LimitRange object. |
2 | The maximum amount of CPU that a single container in a pod can request. |
3 | The maximum amount of memory that a single container in a pod can request. |
4 | The minimum amount of CPU that a single container in a pod can request. |
5 | The minimum amount of memory that a single container in a pod can request. |
6 | The default amount of CPU that a container can use if not specified in the Pod spec. |
7 | The default amount of memory that a container can use if not specified in the Pod spec. |
8 | The default amount of CPU that a container can request if not specified in the Pod spec. |
9 | The default amount of memory that a container can request if not specified in the Pod spec. |
10 | The maximum limit-to-request ratio for a container. |
Pod limits
A limit range allows you to specify the minimum and maximum CPU and memory limits for all containers across a pod in a given project. To create a container in the project, the container CPU and memory requests in the Pod
spec must comply with the values set in the LimitRange
object. If not, the pod does not get created.
If the Pod
spec does not specify a container resource memory or limit, the default
or defaultRequest
CPU and memory values for containers specified in the limit range object are assigned to the container.
Across all containers in a pod, the following must hold true:
The container CPU or memory request and limit must be greater than or equal to the
min
resource constraints for pods that are specified in theLimitRange
object.The container CPU or memory request and limit must be less than or equal to the
max
resource constraints for pods that are specified in theLimitRange
object.The ratio of the container limits to requests must be less than or equal to the
maxLimitRequestRatio
constraint specified in theLimitRange
object.
Pod LimitRange
object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "resource-limits" (1)
spec:
limits:
- type: "Pod"
max:
cpu: "2" (2)
memory: "1Gi" (3)
min:
cpu: "200m" (4)
memory: "6Mi" (5)
maxLimitRequestRatio:
cpu: "10" (6)
1 | The name of the limit range object. |
2 | The maximum amount of CPU that a pod can request across all containers. |
3 | The maximum amount of memory that a pod can request across all containers. |
4 | The minimum amount of CPU that a pod can request across all containers. |
5 | The minimum amount of memory that a pod can request across all containers. |
6 | The maximum limit-to-request ratio for a container. |
Image limits
A LimitRange
object allows you to specify the maximum size of an image that can be pushed to an OpenShift image registry.
When pushing images to an OpenShift image registry, the following must hold true:
- The size of the image must be less than or equal to the
max
size for images that is specified in theLimitRange
object.
Image LimitRange
object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "resource-limits" (1)
spec:
limits:
- type: openshift.io/Image
max:
storage: 1Gi (2)
1 | The name of the LimitRange object. |
2 | The maximum size of an image that can be pushed to an OpenShift image registry. |
To prevent blobs that exceed the limit from being uploaded to the registry, the registry must be configured to enforce quotas. |
The image size is not always available in the manifest of an uploaded image. This is especially the case for images built with Docker 1.10 or higher and pushed to a v2 registry. If such an image is pulled with an older Docker daemon, the image manifest is converted by the registry to schema v1 lacking all the size information. No storage limit set on images prevent it from being uploaded. The issue is being addressed. |
Image stream limits
A LimitRange
object allows you to specify limits for image streams.
For each image stream, the following must hold true:
The number of image tags in an
ImageStream
specification must be less than or equal to theopenshift.io/image-tags
constraint in theLimitRange
object.The number of unique references to images in an
ImageStream
specification must be less than or equal to theopenshift.io/images
constraint in the limit range object.
Imagestream LimitRange
object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "resource-limits" (1)
spec:
limits:
- type: openshift.io/ImageStream
max:
openshift.io/image-tags: 20 (2)
openshift.io/images: 30 (3)
1 | The name of the LimitRange object. |
2 | The maximum number of unique image tags in the imagestream.spec.tags parameter in imagestream spec. |
3 | The maximum number of unique image references in the imagestream.status.tags parameter in the imagestream spec. |
The openshift.io/image-tags
resource represents unique image references. Possible references are an **ImageStreamTag**
, an **ImageStreamImage**
and a **DockerImage**
. Tags can be created using the oc tag
and oc import-image
commands. No distinction is made between internal and external references. However, each unique reference tagged in an ImageStream
specification is counted just once. It does not restrict pushes to an internal container image registry in any way, but is useful for tag restriction.
The openshift.io/images
resource represents unique image names recorded in image stream status. It allows for restriction of a number of images that can be pushed to the OpenShift image registry. Internal and external references are not distinguished.
Persistent volume claim limits
A LimitRange
object allows you to restrict the storage requested in a persistent volume claim (PVC).
Across all persistent volume claims in a project, the following must hold true:
The resource request in a persistent volume claim (PVC) must be greater than or equal the
min
constraint for PVCs that is specified in theLimitRange
object.The resource request in a persistent volume claim (PVC) must be less than or equal the
max
constraint for PVCs that is specified in theLimitRange
object.
PVC LimitRange
object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "resource-limits" (1)
spec:
limits:
- type: "PersistentVolumeClaim"
min:
storage: "2Gi" (2)
max:
storage: "50Gi" (3)
1 | The name of the LimitRange object. |
2 | The minimum amount of storage that can be requested in a persistent volume claim. |
3 | The maximum amount of storage that can be requested in a persistent volume claim. |
Creating a Limit Range
To apply a limit range to a project:
Create a
LimitRange
object with your required specifications:apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "resource-limits" (1)
spec:
limits:
- type: "Pod" (2)
max:
cpu: "2"
memory: "1Gi"
min:
cpu: "200m"
memory: "6Mi"
- type: "Container" (3)
max:
cpu: "2"
memory: "1Gi"
min:
cpu: "100m"
memory: "4Mi"
default: (4)
cpu: "300m"
memory: "200Mi"
defaultRequest: (5)
cpu: "200m"
memory: "100Mi"
maxLimitRequestRatio: (6)
cpu: "10"
- type: openshift.io/Image (7)
max:
storage: 1Gi
- type: openshift.io/ImageStream (8)
max:
openshift.io/image-tags: 20
openshift.io/images: 30
- type: "PersistentVolumeClaim" (9)
min:
storage: "2Gi"
max:
storage: "50Gi"
1 Specify a name for the LimitRange
object.2 To set limits for a pod, specify the minimum and maximum CPU and memory requests as needed. 3 To set limits for a container, specify the minimum and maximum CPU and memory requests as needed. 4 Optional. For a container, specify the default amount of CPU or memory that a container can use, if not specified in the Pod
spec.5 Optional. For a container, specify the default amount of CPU or memory that a container can request, if not specified in the Pod
spec.6 Optional. For a container, specify the maximum limit-to-request ratio that can be specified in the Pod
spec.7 To set limits for an Image object, set the maximum size of an image that can be pushed to an OpenShift image registry. 8 To set limits for an image stream, set the maximum number of image tags and references that can be in the ImageStream
object file, as needed.9 To set limits for a persistent volume claim, set the minimum and maximum amount of storage that can be requested. Create the object:
$ oc create -f <limit_range_file> -n <project> (1)
1 Specify the name of the YAML file you created and the project where you want the limits to apply.
Viewing a limit
You can view any limits defined in a project by navigating in the web console to the project’s Quota page.
You can also use the CLI to view limit range details:
Get the list of
LimitRange
object defined in the project. For example, for a project called demoproject:$ oc get limits -n demoproject
NAME CREATED AT
resource-limits 2020-07-15T17:14:23Z
Describe the
LimitRange
object you are interested in, for example theresource-limits
limit range:$ oc describe limits resource-limits -n demoproject
Name: resource-limits
Namespace: demoproject
Type Resource Min Max Default Request Default Limit Max Limit/Request Ratio
---- -------- --- --- --------------- ------------- -----------------------
Pod cpu 200m 2 - - -
Pod memory 6Mi 1Gi - - -
Container cpu 100m 2 200m 300m 10
Container memory 4Mi 1Gi 100Mi 200Mi -
openshift.io/Image storage - 1Gi - - -
openshift.io/ImageStream openshift.io/image - 12 - - -
openshift.io/ImageStream openshift.io/image-tags - 10 - - -
PersistentVolumeClaim storage - 50Gi - - -
Deleting a Limit Range
To remove any active LimitRange
object to no longer enforce the limits in a project:
Run the following command:
$ oc delete limits <limit_name>