Resource limit per Namespace

Source

Developer

Stimulus

Deploys new workload in a Namespace

Environment

Any APPUiO Zone

Artifact

kubectl

Response

Workloads are denied if they exceed the resource limit. Workloads can comprise the following Kubernetes resources:

  • Pods

  • PersistentVolumeClaims

  • ConfigMaps

  • Secrets

  • Services

  • ImageStreams

  • ImageStreamTags

Response measure

The workload is denied if they exceed any of the following resource quotas.

  • Count of

    • NotTerminating Pods

    • Terminating Pods

    • PersistentVolumeClaims

    • ConfigMaps

    • Secrets

    • Services

    • ImageStreams

    • ImageStreamTags

  • Cumulative CPU requests or limits across all containers in all NotTerminating Pods

  • Cumulative CPU limits across all containers in all Terminating Pods

  • Cumulative memory requests or limits across all containers in all NotTerminating Pods

  • Cumulative memory limits across all containers in all Terminating Pods

  • Cumulative storage requests (across all PVCs)

  • Cumulative ephemeral storage consumption (EmptyDirs and writable container layers)

As listed, pods are separated into NotTerminating and Terminating. A Terminating pod is a pod which has .spec.activeDeadlineSeconds >= 0. A NotTerminating pod is a pod which has .spec.activeDeadlineSecons = nil.

See the Kubernetes docs on Quota Scopes for the official documentation about NotTerminating and Terminating pods.

See the APPUiO Cloud Commodore component for the exact default quota values.

Rationale

  • The APPUiO Zone shall be protected from abusive resource usage.

  • A quota prevents a developer (or a system account) from creating potentially billable workload (accidental or purposefully) that could lead to surprises in the bill.

  • Quotas slow down resource consumption on a cluster level and that gives time for cluster admins to do capacity planning, for example to scale up a nearly-full APPUiO Zone.

See also