commit a0936b7d68
@ -34,7 +34,7 @@ Resource quotas are a tool for administrators to address this concern.

<!--
A resource quota, defined by a `ResourceQuota` object, provides constraints that limit
aggregate resource consumption per namespace. It can limit the quantity of objects that can
aggregate resource consumption per namespace. It can limit the quantity of objects that can
be created in a namespace by type, as well as the total amount of compute resources that may
be consumed by resources in that namespace.
-->
@ -47,14 +47,15 @@ Resource quotas work like this:
资源配额的工作方式如下:

<!--
- Different teams work in different namespaces. This can be enforced with [RBAC](/docs/reference/access-authn-authz/rbac/).
- Different teams work in different namespaces. This can be enforced with
[RBAC](/docs/reference/access-authn-authz/rbac/).
- The administrator creates one ResourceQuota for each namespace.
- Users create resources (pods, services, etc.) in the namespace, and the quota system
tracks usage to ensure it does not exceed hard resource limits defined in a ResourceQuota.
- If creating or updating a resource violates a quota constraint, the request will fail with HTTP
status code `403 FORBIDDEN` with a message explaining the constraint that would have been violated.
- If quota is enabled in a namespace for compute resources like `cpu` and `memory`, users must specify
requests or limits for those values; otherwise, the quota system may reject pod creation. Hint: Use
requests or limits for those values; otherwise, the quota system may reject pod creation. Hint: Use
the `LimitRanger` admission controller to force defaults for pods that make no compute resource requirements.

See the [walkthrough](/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
@ -77,12 +78,16 @@ Resource quotas work like this:
{{< note >}}
<!--
- For `cpu` and `memory` resources, ResourceQuotas enforce that **every**
(new) pod in that namespace sets a limit for that resource.
If you enforce a resource quota in a namespace for either `cpu` or `memory`,
you, and other clients, **must** specify either `requests` or `limits` for that resource,
for every new Pod you submit. If you don't, the control plane may reject admission
for that Pod.
- For other resources: ResourceQuota works and will ignore pods in the namespace without setting a limit or request for that resource. It means that you can create a new pod without limit/request ephemeral storage if the resource quota limits the ephemeral storage of this namespace.
(new) pod in that namespace sets a limit for that resource.
If you enforce a resource quota in a namespace for either `cpu` or `memory`,
you, and other clients, **must** specify either `requests` or `limits` for that resource,
for every new Pod you submit. If you don't, the control plane may reject admission
for that Pod.
- For other resources: ResourceQuota works and will ignore pods in the namespace without
setting a limit or request for that resource. It means that you can create a new pod
without limit/request ephemeral storage if the resource quota limits the ephemeral
storage of this namespace.

You can use a [LimitRange](/docs/concepts/policy/limit-range/) to automatically set
a default request for these resources.
-->
@ -93,6 +98,7 @@ a default request for these resources.
- 对于其他资源:ResourceQuota 可以工作,并且会忽略命名空间中的 Pod,而无需为该资源设置限制或请求。
这意味着,如果资源配额限制了此命名空间的临时存储,则可以创建没有限制/请求临时存储的新 Pod。
你可以使用[限制范围](/zh-cn/docs/concepts/policy/limit-range/)自动设置对这些资源的默认请求。

{{< /note >}}

<!--
@ -110,7 +116,7 @@ Examples of policies that could be created using namespaces and quotas are:
<!--
- In a cluster with a capacity of 32 GiB RAM, and 16 cores, let team A use 20 GiB and 10 cores,
let B use 10GiB and 4 cores, and hold 2GiB and 2 cores in reserve for future allocation.
- Limit the "testing" namespace to using 1 core and 1GiB RAM. Let the "production" namespace
- Limit the "testing" namespace to using 1 core and 1GiB RAM. Let the "production" namespace
use any amount.
-->
- 在具有 32 GiB 内存和 16 核 CPU 资源的集群中,允许 A 团队使用 20 GiB 内存 和 10 核的 CPU 资源,
@ -119,7 +125,7 @@ Examples of policies that could be created using namespaces and quotas are:

<!--
In the case where the total capacity of the cluster is less than the sum of the quotas of the namespaces,
there may be contention for resources. This is handled on a first-come-first-served basis.
there may be contention for resources. This is handled on a first-come-first-served basis.

Neither contention nor changes to quota will affect already created resources.
-->
@ -130,14 +136,14 @@ Neither contention nor changes to quota will affect already created resources.
<!--
## Enabling Resource Quota

Resource Quota support is enabled by default for many Kubernetes distributions. It is
ResourceQuota support is enabled by default for many Kubernetes distributions. It is
enabled when the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
`--enable-admission-plugins=` flag has `ResourceQuota` as
one of its arguments.
-->
## 启用资源配额 {#enabling-resource-quota}

资源配额的支持在很多 Kubernetes 版本中是默认启用的。
ResourceQuota 的支持在很多 Kubernetes 版本中是默认启用的。
当 {{< glossary_tooltip text="API 服务器" term_id="kube-apiserver" >}}
的命令行标志 `--enable-admission-plugins=` 中包含 `ResourceQuota` 时,
资源配额会被启用。
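Review bot: the updated Chinese line "ResourceQuota 的支持在很多 Kubernetes 版本中是默认启用的" still renders "distributions" as 版本 (versions), while the English source says "many Kubernetes distributions"; 发行版 is the closer term, and since this hunk already rewrites that sentence it is a cheap fix to fold in. The switch from 资源配额 to ResourceQuota in the first sentence does match the English change.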
@ -168,7 +174,7 @@ The following resource types are supported:

<!--
| Resource Name | Description |
| --------------------- | --------------------------------------------------------- |
| ------------- | ----------- |
| `limits.cpu` | Across all pods in a non-terminal state, the sum of CPU limits cannot exceed this value. |
| `limits.memory` | Across all pods in a non-terminal state, the sum of memory limits cannot exceed this value. |
| `requests.cpu` | Across all pods in a non-terminal state, the sum of CPU requests cannot exceed this value. |
@ -178,7 +184,7 @@ The following resource types are supported:
| `memory` | Same as `requests.memory` |
-->
| 资源名称 | 描述 |
| --------------------- | --------------------------------------------- |
| ------------- | ----------- |
| `limits.cpu` | 所有非终止状态的 Pod,其 CPU 限额总量不能超过该值。 |
| `limits.memory` | 所有非终止状态的 Pod,其内存限额总量不能超过该值。 |
| `requests.cpu` | 所有非终止状态的 Pod,其 CPU 需求总量不能超过该值。 |
@ -202,10 +208,10 @@ In addition to the resources mentioned above, in release 1.10, quota support for
<!--
As overcommit is not allowed for extended resources, it makes no sense to specify both `requests`
and `limits` for the same extended resource in a quota. So for extended resources, only quota items
with prefix `requests.` is allowed for now.
with prefix `requests.` are allowed.
-->
由于扩展资源不可超量分配,因此没有必要在配额中为同一扩展资源同时指定 `requests` 和 `limits`。
对于扩展资源而言,目前仅允许使用前缀为 `requests.` 的配额项。
对于扩展资源而言,仅允许使用前缀为 `requests.` 的配额项。

<!--
Take the GPU resource as an example, if the resource name is `nvidia.com/gpu`, and you want to
@ -217,14 +223,15 @@ limit the total number of GPUs requested in a namespace to 4, you can define a q
* `requests.nvidia.com/gpu: 4`

<!--
See [Viewing and Setting Quotas](#viewing-and-setting-quotas) for more detail information.
See [Viewing and Setting Quotas](#viewing-and-setting-quotas) for more details.
-->
有关更多详细信息,请参阅[查看和设置配额](#viewing-and-setting-quotas)。

<!--
## Storage Resource Quota

You can limit the total sum of [storage resources](/docs/concepts/storage/persistent-volumes/) that can be requested in a given namespace.
You can limit the total sum of [storage resources](/docs/concepts/storage/persistent-volumes/)
that can be requested in a given namespace.

In addition, you can limit consumption of storage resources based on associated storage-class.
-->
@ -237,25 +244,25 @@ In addition, you can limit consumption of storage resources based on associated

<!--
| Resource Name | Description |
| --------------------- | --------------------------------------------------------- |
| ------------- | ----------- |
| `requests.storage` | Across all persistent volume claims, the sum of storage requests cannot exceed this value. |
| `persistentvolumeclaims` | The total number of [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
| `<storage-class-name>.storageclass.storage.k8s.io/requests.storage` | Across all persistent volume claims associated with the `<storage-class-name>`, the sum of storage requests cannot exceed this value. |
| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` | Across all persistent volume claims associated with the `<storage-class-name>`, the total number of [persistent volume claims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
-->
| 资源名称 | 描述 |
| --------------------- | ----------------------------------------------------------- |
| ------------- | ----------- |
| `requests.storage` | 所有 PVC,存储资源的需求总量不能超过该值。 |
| `persistentvolumeclaims` | 在该命名空间中所允许的 [PVC](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) 总量。 |
| `<storage-class-name>.storageclass.storage.k8s.io/requests.storage` | 在所有与 `<storage-class-name>` 相关的持久卷申领中,存储请求的总和不能超过该值。 |
| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` | 在与 storage-class-name 相关的所有持久卷申领中,命名空间中可以存在的[持久卷申领](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)总数。 |

<!--
For example, if an operator wants to quota storage with `gold` storage class separate from `bronze` storage class, the operator can
define a quota as follows:
For example, if you want to quota storage with `gold` StorageClass separate from
a `bronze` StorageClass, you can define a quota as follows:
-->
例如,如果一个操作人员针对 `gold` 存储类型与 `bronze` 存储类型设置配额,
操作人员可以定义如下配额:
例如,如果你想要将 `gold` StorageClass 与 `bronze` StorageClass 分开进行存储配额配置,
则可以按如下方式定义配额:

* `gold.storageclass.storage.k8s.io/requests.storage: 500Gi`
* `bronze.storageclass.storage.k8s.io/requests.storage: 100Gi`
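Review bot: in the Chinese storage table, the context row for `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` writes the placeholder as bare storage-class-name ("在与 storage-class-name 相关的所有持久卷申领中"), while the row directly above it and the English source use `<storage-class-name>` in backticks; since this hunk already edits the table's separator row, it is a natural place to make the two rows consistent. The rewording of the example to second person ("如果你想要 … 则可以按如下方式定义配额") correctly mirrors the updated English.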
@ -267,13 +274,13 @@ In release 1.8, quota support for local ephemeral storage is added as an alpha f

<!--
| Resource Name | Description |
| ------------------------------- |----------------------------------------------------------- |
| ------------- | ----------- |
| `requests.ephemeral-storage` | Across all pods in the namespace, the sum of local ephemeral storage requests cannot exceed this value. |
| `limits.ephemeral-storage` | Across all pods in the namespace, the sum of local ephemeral storage limits cannot exceed this value. |
| `ephemeral-storage` | Same as `requests.ephemeral-storage`. |
-->
| 资源名称 | 描述 |
| ------------------------------- |----------------------------------------------------------- |
| ------------- | ----------- |
| `requests.ephemeral-storage` | 在命名空间的所有 Pod 中,本地临时存储请求的总和不能超过此值。 |
| `limits.ephemeral-storage` | 在命名空间的所有 Pod 中,本地临时存储限制值的总和不能超过此值。 |
| `ephemeral-storage` | 与 `requests.ephemeral-storage` 相同。 |
@ -323,9 +330,10 @@ Here is an example set of resources users may want to put under object count quo

<!--
If you define a quota this way, it applies to Kubernetes' APIs that are part of the API server, and
to any custom resources backed by a CustomResourceDefinition. If you use [API aggregation](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) to
to any custom resources backed by a CustomResourceDefinition. If you use
[API aggregation](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) to
add additional, custom APIs that are not defined as CustomResourceDefinitions, the core Kubernetes
control plane does not enforce quota for the aggregated API. The extension API server is expected to
control plane does not enforce quota for the aggregated API. The extension API server is expected to
provide quota enforcement if that's appropriate for the custom API.
For example, to create a quota on a `widgets` custom resource in the `example.com` API group, use `count/widgets.example.com`.
-->
@ -340,7 +348,7 @@ For example, to create a quota on a `widgets` custom resource in the `example.co
<!--
When using such a resource quota (nearly for all object kinds), an object is charged
against the quota if the object kind exists (is defined) in the control plane.
These types of quotas are useful to protect against exhaustion of storage resources. For example, you may
These types of quotas are useful to protect against exhaustion of storage resources. For example, you may
want to limit the number of Secrets in a server given their large size. Too many Secrets in a cluster can
actually prevent servers and controllers from starting. You can set a quota for Jobs to protect against
a poorly configured CronJob. CronJobs that create too many Jobs in a namespace can lead to a denial of service.
@ -363,7 +371,7 @@ The following types are supported:

<!--
| Resource Name | Description |
| ----------------------------|--------------------------------------------- |
| ------------- | ----------- |
| `configmaps` | The total number of ConfigMaps that can exist in the namespace. |
| `persistentvolumeclaims` | The total number of [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
| `pods` | The total number of Pods in a non-terminal state that can exist in the namespace. A pod is in a terminal state if `.status.phase in (Failed, Succeeded)` is true. |
@ -795,7 +803,7 @@ spec:
<!--
If operators want to disallow using `namespaces` and `namespaceSelector` by default, and
only allow it for specific namespaces, they could configure `CrossNamespacePodAffinity`
as a limited resource by setting the kube-apiserver flag --admission-control-config-file
as a limited resource by setting the kube-apiserver flag `--admission-control-config-file`
to the path of the following configuration file:
-->
如果集群运维人员希望默认禁止使用 `namespaces` 和 `namespaceSelector`,
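Review bot: the English source now formats `--admission-control-config-file` as code, but the hunk shows only the first line of the Chinese paragraph ("如果集群运维人员希望默认禁止使用 …"), so the Chinese sentence that names the flag is not visible here; check that it carries the same backtick formatting for the flag so the two language versions render alike.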
@ -841,7 +849,7 @@ The quota can be configured to quota either value.

<!--
If the quota has a value specified for `requests.cpu` or `requests.memory`, then it requires that every incoming
container makes an explicit request for those resources. If the quota has a value specified for `limits.cpu` or `limits.memory`,
container makes an explicit request for those resources. If the quota has a value specified for `limits.cpu` or `limits.memory`,
then it requires that every incoming container specifies an explicit limit for those resources.
-->
如果配额中指定了 `requests.cpu` 或 `requests.memory` 的值,则它要求每个容器都显式给出对这些资源的请求。
@ -850,7 +858,7 @@ then it requires that every incoming container specifies an explicit limit for t
<!--
## Viewing and Setting Quotas

Kubectl supports creating, updating, and viewing quotas:
kubectl supports creating, updating, and viewing quotas:
-->
## 查看和设置配额 {#viewing-and-setting-quotas}

@ -947,7 +955,7 @@ services.loadbalancers 0 2
```

<!--
Kubectl also supports object count quota for all standard namespaced resources
kubectl also supports object count quota for all standard namespaced resources
using the syntax `count/<resource>.<group>`:
-->
kubectl 还使用语法 `count/<resource>.<group>` 支持所有标准的、命名空间域的资源的对象计数配额:
@ -983,7 +991,7 @@ count/secrets 1 4
## Quota and Cluster Capacity

ResourceQuotas are independent of the cluster capacity. They are
expressed in absolute units. So, if you add nodes to your cluster, this does *not*
expressed in absolute units. So, if you add nodes to your cluster, this does *not*
automatically give each namespace the ability to consume more resources.
-->
## 配额和集群容量 {#quota-and-cluster-capacity}
@ -1022,7 +1030,7 @@ restrictions around nodes: pods from several namespaces may run on the same node
<!--
## Limit Priority Class consumption by default

It may be desired that pods at a particular priority, eg. "cluster-services",
It may be desired that pods at a particular priority, such as "cluster-services",
should be allowed in a namespace, if and only if, a matching quota object exists.
-->
## 默认情况下限制特定优先级的资源消耗 {#limit-priority-class-consumption-by-default}
@ -1079,9 +1087,9 @@ resourcequota/pods-cluster-services created
<!--
In this case, a pod creation will be allowed if:

1. the Pod's `priorityClassName` is not specified.
1. the Pod's `priorityClassName` is specified to a value other than `cluster-services`.
1. the Pod's `priorityClassName` is set to `cluster-services`, it is to be created
1. the Pod's `priorityClassName` is not specified.
1. the Pod's `priorityClassName` is specified to a value other than `cluster-services`.
1. the Pod's `priorityClassName` is set to `cluster-services`, it is to be created
in the `kube-system` namespace, and it has passed the resource quota check.
-->
在这里,当以下条件满足时可以创建 Pod:
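Review bot: the three numbered items are shown removed and re-added with no visible textual difference, so the change here is presumably whitespace only (trailing spaces or indentation); that is fine, but confirm the continuation line "in the `kube-system` namespace, and it has passed the resource quota check." ends up indented under the third item so Markdown renders it as part of that item rather than as a separate paragraph.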
@ -1101,10 +1109,11 @@ and it is to be created in a namespace other than `kube-system`.
## {{% heading "whatsnext" %}}

<!--
- See [ResourceQuota design doc](https://git.k8s.io/design-proposals-archive/resource-management/admission_control_resource_quota.md) for more information.
- See [ResourceQuota design document](https://git.k8s.io/design-proposals-archive/resource-management/admission_control_resource_quota.md)
for more information.
- See a [detailed example for how to use resource quota](/docs/tasks/administer-cluster/quota-api-object/).
- Read [Quota support for priority class design doc](https://git.k8s.io/design-proposals-archive/scheduling/pod-priority-resourcequota.md).
- See [LimitedResources](https://github.com/kubernetes/kubernetes/pull/36765)
- Read [Quota support for priority class design document](https://git.k8s.io/design-proposals-archive/scheduling/pod-priority-resourcequota.md).
- See [LimitedResources](https://github.com/kubernetes/kubernetes/pull/36765).
-->
- 参阅[资源配额设计文档](https://git.k8s.io/design-proposals-archive/resource-management/admission_control_resource_quota.md)。
- 参阅[如何使用资源配额的详细示例](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)。