---
reviewers:
- derekwaynecarr
title: Resource Quotas
---
When several users or teams share a cluster with a fixed number of nodes,
there is a concern that one team could use more than its fair share of resources.
Resource quotas are a tool for administrators to address this concern.
A resource quota, defined by a `ResourceQuota` object, provides constraints that limit
aggregate resource consumption per namespace. It can limit the quantity of objects that can
be created in a namespace by type, as well as the total amount of compute resources that may
be consumed by resources in that project.
Resource quotas work like this:
- Different teams work in different namespaces. Currently this is voluntary, but
support for making this mandatory via ACLs is planned.
- The administrator creates one or more `ResourceQuotas` for each namespace.
- Users create resources (pods, services, etc.) in the namespace, and the quota system
tracks usage to ensure it does not exceed hard resource limits defined in a `ResourceQuota`.
- If creating or updating a resource violates a quota constraint, the request will fail with HTTP
status code `403 FORBIDDEN` with a message explaining the constraint that would have been violated.
- If quota is enabled in a namespace for compute resources like `cpu` and `memory`, users must specify
requests or limits for those values; otherwise, the quota system may reject pod creation. Hint: Use
the `LimitRanger` admission controller to force defaults for pods that make no compute resource requirements.
See the [walkthrough](/docs/tasks/administer-cluster/quota-memory-cpu-namespace/) for an example of how to avoid this problem.
Examples of policies that could be created using namespaces and quotas are:
- In a cluster with a capacity of 32 GiB RAM, and 16 cores, let team A use 20 GiB and 10 cores,
let B use 10 GiB and 4 cores, and hold 2 GiB and 2 cores in reserve for future allocation.
- Limit the "testing" namespace to using 1 core and 1 GiB RAM. Let the "production" namespace
use any amount.
In the case where the total capacity of the cluster is less than the sum of the quotas of the namespaces,
there may be contention for resources. This is handled on a first-come-first-served basis.
Neither contention nor changes to quota will affect already created resources.
## Enabling Resource Quota
Resource Quota support is enabled by default for many Kubernetes distributions. It is
enabled when the apiserver `--enable-admission-plugins=` flag has `ResourceQuota` as
one of its arguments.
A resource quota is enforced in a particular namespace when there is a
`ResourceQuota` in that namespace.
## Compute Resource Quota
You can limit the total sum of [compute resources](/docs/user-guide/compute-resources) that can be requested in a given namespace.
The following resource types are supported:
| Resource Name | Description |
| --------------------- | ----------------------------------------------------------- |
| `cpu` | Across all pods in a non-terminal state, the sum of CPU requests cannot exceed this value. |
| `limits.cpu` | Across all pods in a non-terminal state, the sum of CPU limits cannot exceed this value. |
| `limits.memory` | Across all pods in a non-terminal state, the sum of memory limits cannot exceed this value. |
| `memory` | Across all pods in a non-terminal state, the sum of memory requests cannot exceed this value. |
| `requests.cpu` | Across all pods in a non-terminal state, the sum of CPU requests cannot exceed this value. |
| `requests.memory` | Across all pods in a non-terminal state, the sum of memory requests cannot exceed this value. |
### Resource Quota For Extended Resources
In addition to the resources mentioned above, in release 1.10, quota support for
[extended resources](/docs/concepts/configuration/manage-compute-resources-container/#extended-resources) is added.
As overcommit is not allowed for extended resources, it makes no sense to specify both `requests`
and `limits` for the same extended resource in a quota. So for extended resources, only quota items
with the prefix `requests.` are allowed for now.
Take the GPU resource as an example: if the resource name is `nvidia.com/gpu`, and you want to
limit the total number of GPUs requested in a namespace to 4, you can define a quota as follows:
* `requests.nvidia.com/gpu: 4`
See [Viewing and Setting Quotas](#viewing-and-setting-quotas) for more detailed information.
## Storage Resource Quota
You can limit the total sum of [storage resources](/docs/concepts/storage/persistent-volumes/) that can be requested in a given namespace.
In addition, you can limit consumption of storage resources based on associated storage-class.
| Resource Name | Description |
| --------------------- | ----------------------------------------------------------- |
| `requests.storage` | Across all persistent volume claims, the sum of storage requests cannot exceed this value. |
| `persistentvolumeclaims` | The total number of [persistent volume claims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
| `<storage-class-name>.storageclass.storage.k8s.io/requests.storage` | Across all persistent volume claims associated with the storage-class-name, the sum of storage requests cannot exceed this value. |
| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` | Across all persistent volume claims associated with the storage-class-name, the total number of [persistent volume claims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
For example, if an operator wants to quota storage with `gold` storage class separate from `bronze` storage class, the operator can
define a quota as follows:
* `gold.storageclass.storage.k8s.io/requests.storage: 500Gi`
* `bronze.storageclass.storage.k8s.io/requests.storage: 100Gi`
In release 1.8, quota support for local ephemeral storage is added as an alpha feature:
| Resource Name | Description |
| ------------------------------- |----------------------------------------------------------- |
| `requests.ephemeral-storage` | Across all pods in the namespace, the sum of local ephemeral storage requests cannot exceed this value. |
| `limits.ephemeral-storage` | Across all pods in the namespace, the sum of local ephemeral storage limits cannot exceed this value. |
## Object Count Quota
The 1.9 release added support to quota all standard namespaced resource types using the following syntax:
* `count/<resource>.<group>`
Here is an example set of resources users may want to put under object count quota:
* `count/persistentvolumeclaims`
* `count/services`
* `count/secrets`
* `count/configmaps`
* `count/replicationcontrollers`
* `count/deployments.apps`
* `count/replicasets.apps`
* `count/statefulsets.apps`
* `count/jobs.batch`
* `count/cronjobs.batch`
* `count/deployments.extensions`
When using `count/*` resource quota, an object is charged against the quota if it exists in server storage.
These types of quotas are useful to protect against exhaustion of storage resources. For example, you may
want to quota the number of secrets in a server given their large size. Too many secrets in a cluster can
actually prevent servers and controllers from starting! You may choose to quota jobs to protect against
a poorly configured cronjob creating too many jobs in a namespace causing a denial of service.
Prior to the 1.9 release, it was possible to do generic object count quota on a limited set of resources.
In addition, it is possible to further constrain quota for particular resources by their type.
The following types are supported:
| Resource Name | Description |
| ------------------------------- | ------------------------------------------------- |
| `configmaps` | The total number of config maps that can exist in the namespace. |
| `persistentvolumeclaims` | The total number of [persistent volume claims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
| `pods` | The total number of pods in a non-terminal state that can exist in the namespace. A pod is in a terminal state if `status.phase in (Failed, Succeeded)` is true. |
| `replicationcontrollers` | The total number of replication controllers that can exist in the namespace. |
| `resourcequotas` | The total number of [resource quotas](/docs/admin/admission-controllers/#resourcequota) that can exist in the namespace. |
| `services` | The total number of services that can exist in the namespace. |
| `services.loadbalancers` | The total number of services of type load balancer that can exist in the namespace. |
| `services.nodeports` | The total number of services of type node port that can exist in the namespace. |
| `secrets` | The total number of secrets that can exist in the namespace. |
For example, `pods` quota counts and enforces a maximum on the number of `pods`
created in a single namespace that are not terminal. You might want to set a `pods`
quota on a namespace to avoid the case where a user creates many small pods and
exhausts the cluster's supply of Pod IPs.
## Quota Scopes
Each quota can have an associated set of scopes. A quota will only measure usage for a resource if it matches
the intersection of enumerated scopes.
When a scope is added to the quota, it limits the number of resources it supports to those that pertain to the scope.
Resources specified on the quota outside of the allowed set result in a validation error.
| Scope | Description |
| ----- | ----------- |
| `Terminating` | Match pods where `spec.activeDeadlineSeconds >= 0` |
| `NotTerminating` | Match pods where `spec.activeDeadlineSeconds is nil` |
| `BestEffort` | Match pods that have best effort quality of service. |
| `NotBestEffort` | Match pods that do not have best effort quality of service. |
The `BestEffort` scope restricts a quota to tracking the following resource: `pods`
The `Terminating`, `NotTerminating`, and `NotBestEffort` scopes restrict a quota to tracking the following resources:
* `cpu`
* `limits.cpu`
* `limits.memory`
* `memory`
* `pods`
* `requests.cpu`
* `requests.memory`
## Requests vs Limits
When allocating compute resources, each container may specify a request and a limit value for either CPU or memory.
The quota can be configured to quota either value.
If the quota has a value specified for `requests.cpu` or `requests.memory`, then it requires that every incoming
container makes an explicit request for those resources. If the quota has a value specified for `limits.cpu` or `limits.memory`,
then it requires that every incoming container specifies an explicit limit for those resources.
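The scope matching and the "must specify" rule from the two sections above, together with the hard-limit check, as an added example that is not Kubernetes' own admission code: a simplified model over plain dicts, with a constructed quota, constructed current usage and four constructed pods (the real quota plugin also handles defaulting and many more resource names).

```python
# Added example (not Kubernetes' own code): a simplified model of how a ResourceQuota
# admits a pod: scope matching, the "must specify" rule for requests/limits, and the
# hard-limit check. Quantity parsing covers only the suffixes used here.
import re
UNITS = {"": 1, "m": 1e-3, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def qty(s):  # parse '500m', '2' or '1Gi' into a plain number
    n, unit = re.fullmatch(r"([0-9.]+)([A-Za-z]*)", str(s)).groups()
    return float(n) * UNITS[unit]

def pod_scopes(pod):  # scopes a pod matches, per the Quota Scopes table
    term = pod.get("activeDeadlineSeconds") is not None
    best = not any(c.get("requests") or c.get("limits") for c in pod["containers"])
    return {"Terminating" if term else "NotTerminating",
            "BestEffort" if best else "NotBestEffort"}

def pod_usage(pod):  # charge the pod adds to pods, requests.* and limits.*
    use = {"pods": 1}
    for c in pod["containers"]:
        for kind in ("requests", "limits"):
            for res, val in c.get(kind, {}).items():
                use[f"{kind}.{res}"] = use.get(f"{kind}.{res}", 0) + qty(val)
    return use

def admit(pod, quota, used):  # -> (admitted, reason); `used` is current namespace usage
    if not set(quota.get("scopes", [])) <= pod_scopes(pod):
        return True, "quota does not match pod scopes; not charged"
    usage = pod_usage(pod)
    for res, hard in quota["hard"].items():
        kind, _, name = res.partition(".")  # quota on requests.X => every container sets X
        if kind in ("requests", "limits") and any(
                name not in c.get(kind, {}) for c in pod["containers"]):
            return False, f"must specify {res}"
        need = used.get(res, 0) + usage.get(res, 0)
        if need > qty(hard):
            return False, f"exceeded quota: {res} would be {need:g} > {hard}"
    return True, "admitted"

# Constructed sample: a NotBestEffort-scoped quota with existing usage, then pods that
# are admitted, lack a cpu request, exceed requests.cpu, or fall outside the scope.
QUOTA = {"scopes": ["NotBestEffort"],
         "hard": {"pods": "4", "requests.cpu": "1", "requests.memory": "1Gi",
                  "limits.cpu": "2", "limits.memory": "2Gi"}}
USED = {"pods": 3, "requests.cpu": qty("800m"), "requests.memory": qty("512Mi"),
        "limits.cpu": qty("1"), "limits.memory": qty("1Gi")}
OK_POD = {"containers": [{"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "200m", "memory": "256Mi"}}]}
NO_CPU_REQ = {"containers": [{"requests": {"memory": "128Mi"}, "limits": {"memory": "256Mi"}}]}
TOO_BIG = {"containers": [{"requests": {"cpu": "500m", "memory": "128Mi"},
                           "limits": {"cpu": "1", "memory": "256Mi"}}]}
BEST_EFFORT = {"containers": [{}]}
```

Calling `admit(pod, QUOTA, USED)` for each sample pod shows the four outcomes: admitted, rejected for a missing `requests.cpu`, rejected because `requests.cpu` would exceed its hard value, and not charged because a BestEffort pod does not match the `NotBestEffort` scope.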
## Viewing and Setting Quotas
Kubectl supports creating, updating, and viewing quotas:
```shell
kubectl create namespace myspace

cat <<EOF > compute-resources.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
spec:
  hard:
    pods: "4"
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
    requests.nvidia.com/gpu: 4
EOF

kubectl create -f ./compute-resources.yaml --namespace=myspace

cat <<EOF > object-counts.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: object-counts
spec:
  hard:
    configmaps: "10"
    persistentvolumeclaims: "4"
    replicationcontrollers: "20"
    secrets: "10"
    services: "10"
    services.loadbalancers: "2"
EOF

kubectl create -f ./object-counts.yaml --namespace=myspace

kubectl get quota --namespace=myspace
NAME                    AGE
compute-resources       30s
object-counts           32s

kubectl describe quota compute-resources --namespace=myspace
Name:                    compute-resources
Namespace:               myspace
Resource                 Used  Hard
--------                 ----  ----
limits.cpu               0     2
limits.memory            0     2Gi
pods                     0     4
requests.cpu             0     1
requests.memory          0     1Gi
requests.nvidia.com/gpu  0     4

kubectl describe quota object-counts --namespace=myspace
Name:                   object-counts
Namespace:              myspace
Resource                Used    Hard
--------                ----    ----
configmaps              0       10
persistentvolumeclaims  0       4
replicationcontrollers  0       20
secrets                 1       10
services                0       10
services.loadbalancers  0       2
```
Kubectl also supports object count quota for all standard namespaced resources
using the syntax `count/<resource>.<group>`:
```shell
kubectl create namespace myspace
kubectl create quota test --hard=count/deployments.extensions=2,count/replicasets.extensions=4,count/pods=3,count/secrets=4 --namespace=myspace
kubectl run nginx --image=nginx --replicas=2 --namespace=myspace
kubectl describe quota --namespace=myspace
Name:                         test
Namespace:                    myspace
Resource                      Used  Hard
--------                      ----  ----
count/deployments.extensions  1     2
count/pods                    2     3
count/replicasets.extensions  1     4
count/secrets                 1     4
```
## Quota and Cluster Capacity
`ResourceQuotas` are independent of the cluster capacity. They are
expressed in absolute units. So, if you add nodes to your cluster, this does *not*
automatically give each namespace the ability to consume more resources.
Sometimes more complex policies may be desired, such as:
- Proportionally divide total cluster resources among several teams.
- Allow each tenant to grow resource usage as needed, but have a generous
limit to prevent accidental resource exhaustion.
- Detect demand from one namespace, add nodes, and increase quota.
Such policies could be implemented using `ResourceQuotas` as building blocks, by
writing a "controller" that watches the quota usage and adjusts the quota
hard limits of each namespace according to other signals.
Note that resource quota divides up aggregate cluster resources, but it creates no
restrictions around nodes: pods from several namespaces may run on the same node.
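The proportional-share policy listed above, as the decision logic of such a controller (an added example, not code from Kubernetes or this page): it sums node allocatable capacity, splits it by team weight into per-namespace hard limits, and reports which quotas need updating. It works on plain dicts with constructed nodes and quotas; the 10% headroom and the `requests.*` resource names it manages are assumptions, and a real controller would read nodes and write `ResourceQuota` objects through the API.

```python
# Added example (not Kubernetes' own code): the "proportionally divide cluster
# resources among teams" policy as a controller's decision logic. Quotas are absolute,
# so when a node is added this is what recomputes each namespace's hard limits.
import re

UNITS = {"": 1, "m": 1e-3, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def qty(s):  # parse '500m', '2' or '1Gi' into a plain number
    n, unit = re.fullmatch(r"([0-9.]+)([A-Za-z]*)", str(s)).groups()
    return float(n) * UNITS[unit]

def fmt(res, value):  # render back as a quantity: cpu in millicores, memory in Mi
    return f"{round(value * 1000)}m" if res == "cpu" else f"{round(value / 2**20)}Mi"

def cluster_capacity(nodes):
    """Sum allocatable cpu/memory over node records (constructed shape)."""
    cap = {"cpu": 0.0, "memory": 0.0}
    for node in nodes:
        for res in cap:
            cap[res] += qty(node["allocatable"][res])
    return cap

def desired_quotas(capacity, weights, headroom=0.9):
    """Per-namespace hard limits: each team's weighted share of capacity, keeping
    headroom (an assumption) so pods outside any quota, e.g. system pods, still fit."""
    total = sum(weights.values())
    return {ns: {f"requests.{res}": fmt(res, capacity[res] * headroom * w / total)
                 for res in capacity}
            for ns, w in weights.items()}

def reconcile(current, desired):
    """Changes the controller would apply: (namespace, resource, old, new)."""
    changes = []
    for ns, hard in desired.items():
        for res, new in hard.items():
            old = current.get(ns, {}).get(res)
            if old is None or qty(old) != qty(new):
                changes.append((ns, res, old, new))
    return changes

# Constructed sample: three identical nodes, two teams weighted 2:1, and quotas that
# were computed when the cluster had only two nodes (they do not grow by themselves).
NODES = [{"allocatable": {"cpu": "4", "memory": "16Gi"}}] * 3
WEIGHTS = {"team-a": 2, "team-b": 1}
CURRENT = {"team-a": {"requests.cpu": "4800m", "requests.memory": "19661Mi"},
           "team-b": {"requests.cpu": "2400m", "requests.memory": "9830Mi"}}
```

`reconcile(CURRENT, desired_quotas(cluster_capacity(NODES), WEIGHTS))` lists the four hard values that must be raised after the third node joined, and running it again against the updated quotas returns no changes.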
## Example
See a [detailed example for how to use resource quota](/docs/tasks/administer-cluster/quota-api-object/).
## Read More
See [ResourceQuota design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_resource_quota.md) for more information.