Restrict resource consumption with limit ranges

By default, containers run with unbounded compute resources on an OKD cluster. With limit ranges, you can restrict resource consumption for specific objects in a project:

  • pods and containers: You can set minimum and maximum requirements for CPU and memory for pods and their containers.

  • Image streams: You can set limits on the number of images and tags in an ImageStream object.

  • Images: You can limit the size of images that can be pushed to an internal registry.

  • Persistent volume claims (PVC): You can restrict the size of the PVCs that can be requested.

If a pod does not meet the constraints imposed by the limit range, the pod cannot be created in the namespace.

About limit ranges

A limit range, defined by a LimitRange object, restricts resource consumption in a project. In the project you can set specific resource limits for a pod, container, image, image stream, or persistent volume claim (PVC).

All requests to create and modify resources are evaluated against each LimitRange object in the project. If the resource violates any of the enumerated constraints, the resource is rejected.

The following shows a limit range object for all components: pod, container, image, image stream, or PVC. You can configure limits for any or all of these components in the same object. You create a different limit range object for each project where you want to control resources.

Sample limit range object for a container

  1. apiVersion: "v1"
  2. kind: "LimitRange"
  3. metadata:
  4. name: "resource-limits"
  5. spec:
  6. limits:
  7. - type: "Container"
  8. max:
  9. cpu: "2"
  10. memory: "1Gi"
  11. min:
  12. cpu: "100m"
  13. memory: "4Mi"
  14. default:
  15. cpu: "300m"
  16. memory: "200Mi"
  17. defaultRequest:
  18. cpu: "200m"
  19. memory: "100Mi"
  20. maxLimitRequestRatio:
  21. cpu: "10"

About component limits

The following examples show limit range parameters for each component. The examples are broken out for clarity. You can create a single LimitRange object for any or all components as necessary.

Container limits

A limit range allows you to specify the minimum and maximum CPU and memory that each container in a pod can request for a specific project. If a container is created in the project, the container CPU and memory requests in the Pod spec must comply with the values set in the LimitRange object. If not, the pod does not get created.

  • The container CPU or memory request and limit must be greater than or equal to the min resource constraint for containers that are specified in the LimitRange object.

  • The container CPU or memory request and limit must be less than or equal to the max resource constraint for containers that are specified in the LimitRange object.

    If the LimitRange object defines a max CPU, you do not need to define a CPU request value in the Pod spec. But you must specify a CPU limit value that satisfies the maximum CPU constraint specified in the limit range.

  • The ratio of the container limits to requests must be less than or equal to the maxLimitRequestRatio value for containers that is specified in the LimitRange object.

    If the LimitRange object defines a maxLimitRequestRatio constraint, any new containers must have both a request and a limit value. OKD calculates the limit-to-request ratio by dividing the limit by the request. This value should be a non-negative integer greater than 1.

    For example, if a container has cpu: 500 in the limit value, and cpu: 100 in the request value, the limit-to-request ratio for cpu is 5. This ratio must be less than or equal to the maxLimitRequestRatio.

If the Pod spec does not specify a container resource memory or limit, the default or defaultRequest CPU and memory values for containers specified in the limit range object are assigned to the container.

Container LimitRange object definition

  1. apiVersion: "v1"
  2. kind: "LimitRange"
  3. metadata:
  4. name: "resource-limits" (1)
  5. spec:
  6. limits:
  7. - type: "Container"
  8. max:
  9. cpu: "2" (2)
  10. memory: "1Gi" (3)
  11. min:
  12. cpu: "100m" (4)
  13. memory: "4Mi" (5)
  14. default:
  15. cpu: "300m" (6)
  16. memory: "200Mi" (7)
  17. defaultRequest:
  18. cpu: "200m" (8)
  19. memory: "100Mi" (9)
  20. maxLimitRequestRatio:
  21. cpu: "10" (10)
1The name of the LimitRange object.
2The maximum amount of CPU that a single container in a pod can request.
3The maximum amount of memory that a single container in a pod can request.
4The minimum amount of CPU that a single container in a pod can request.
5The minimum amount of memory that a single container in a pod can request.
6The default amount of CPU that a container can use if not specified in the Pod spec.
7The default amount of memory that a container can use if not specified in the Pod spec.
8The default amount of CPU that a container can request if not specified in the Pod spec.
9The default amount of memory that a container can request if not specified in the Pod spec.
10The maximum limit-to-request ratio for a container.

Pod limits

A limit range allows you to specify the minimum and maximum CPU and memory limits for all containers across a pod in a given project. To create a container in the project, the container CPU and memory requests in the Pod spec must comply with the values set in the LimitRange object. If not, the pod does not get created.

If the Pod spec does not specify a container resource memory or limit, the default or defaultRequest CPU and memory values for containers specified in the limit range object are assigned to the container.

Across all containers in a pod, the following must hold true:

  • The container CPU or memory request and limit must be greater than or equal to the min resource constraints for pods that are specified in the LimitRange object.

  • The container CPU or memory request and limit must be less than or equal to the max resource constraints for pods that are specified in the LimitRange object.

  • The ratio of the container limits to requests must be less than or equal to the maxLimitRequestRatio constraint specified in the LimitRange object.

Pod LimitRange object definition

  1. apiVersion: "v1"
  2. kind: "LimitRange"
  3. metadata:
  4. name: "resource-limits" (1)
  5. spec:
  6. limits:
  7. - type: "Pod"
  8. max:
  9. cpu: "2" (2)
  10. memory: "1Gi" (3)
  11. min:
  12. cpu: "200m" (4)
  13. memory: "6Mi" (5)
  14. maxLimitRequestRatio:
  15. cpu: "10" (6)
1The name of the limit range object.
2The maximum amount of CPU that a pod can request across all containers.
3The maximum amount of memory that a pod can request across all containers.
4The minimum amount of CPU that a pod can request across all containers.
5The minimum amount of memory that a pod can request across all containers.
6The maximum limit-to-request ratio for a container.

Image limits

A LimitRange object allows you to specify the maximum size of an image that can be pushed to an internal registry.

When pushing images to an internal registry, the following must hold true:

  • The size of the image must be less than or equal to the max size for images that is specified in the LimitRange object.

Image LimitRange object definition

  1. apiVersion: "v1"
  2. kind: "LimitRange"
  3. metadata:
  4. name: "resource-limits" (1)
  5. spec:
  6. limits:
  7. - type: openshift.io/Image
  8. max:
  9. storage: 1Gi (2)
1The name of the LimitRange object.
2The maximum size of an image that can be pushed to an internal registry.

To prevent blobs that exceed the limit from being uploaded to the registry, the registry must be configured to enforce quotas.

The image size is not always available in the manifest of an uploaded image. This is especially the case for images built with Docker 1.10 or higher and pushed to a v2 registry. If such an image is pulled with an older Docker daemon, the image manifest is converted by the registry to schema v1 lacking all the size information. No storage limit set on images prevent it from being uploaded.

The issue is being addressed.

Image stream limits

A LimitRange object allows you to specify limits for image streams.

For each image stream, the following must hold true:

  • The number of image tags in an ImageStream specification must be less than or equal to the openshift.io/image-tags constraint in the LimitRange object.

  • The number of unique references to images in an ImageStream specification must be less than or equal to the openshift.io/images constraint in the limit range object.

Imagestream LimitRange object definition

  1. apiVersion: "v1"
  2. kind: "LimitRange"
  3. metadata:
  4. name: "resource-limits" (1)
  5. spec:
  6. limits:
  7. - type: openshift.io/ImageStream
  8. max:
  9. openshift.io/image-tags: 20 (2)
  10. openshift.io/images: 30 (3)
1The name of the LimitRange object.
2The maximum number of unique image tags in the imagestream.spec.tags parameter in imagestream spec.
3The maximum number of unique image references in the imagestream.status.tags parameter in the imagestream spec.

The openshift.io/image-tags resource represents unique image references. Possible references are an **ImageStreamTag**, an **ImageStreamImage** and a **DockerImage**. Tags can be created using the oc tag and oc import-image commands. No distinction is made between internal and external references. However, each unique reference tagged in an ImageStream specification is counted just once. It does not restrict pushes to an internal container image registry in any way, but is useful for tag restriction.

The openshift.io/images resource represents unique image names recorded in image stream status. It allows for restriction of a number of images that can be pushed to the internal registry. Internal and external references are not distinguished.

Persistent volume claim limits

A LimitRange object allows you to restrict the storage requested in a persistent volume claim (PVC).

Across all persistent volume claims in a project, the following must hold true:

  • The resource request in a persistent volume claim (PVC) must be greater than or equal the min constraint for PVCs that is specified in the LimitRange object.

  • The resource request in a persistent volume claim (PVC) must be less than or equal the max constraint for PVCs that is specified in the LimitRange object.

PVC LimitRange object definition

  1. apiVersion: "v1"
  2. kind: "LimitRange"
  3. metadata:
  4. name: "resource-limits" (1)
  5. spec:
  6. limits:
  7. - type: "PersistentVolumeClaim"
  8. min:
  9. storage: "2Gi" (2)
  10. max:
  11. storage: "50Gi" (3)
1The name of the LimitRange object.
2The minimum amount of storage that can be requested in a persistent volume claim.
3The maximum amount of storage that can be requested in a persistent volume claim.

Creating a Limit Range

To apply a limit range to a project:

  1. Create a LimitRange object with your required specifications:

    1. apiVersion: "v1"
    2. kind: "LimitRange"
    3. metadata:
    4. name: "resource-limits" (1)
    5. spec:
    6. limits:
    7. - type: "Pod" (2)
    8. max:
    9. cpu: "2"
    10. memory: "1Gi"
    11. min:
    12. cpu: "200m"
    13. memory: "6Mi"
    14. - type: "Container" (3)
    15. max:
    16. cpu: "2"
    17. memory: "1Gi"
    18. min:
    19. cpu: "100m"
    20. memory: "4Mi"
    21. default: (4)
    22. cpu: "300m"
    23. memory: "200Mi"
    24. defaultRequest: (5)
    25. cpu: "200m"
    26. memory: "100Mi"
    27. maxLimitRequestRatio: (6)
    28. cpu: "10"
    29. - type: openshift.io/Image (7)
    30. max:
    31. storage: 1Gi
    32. - type: openshift.io/ImageStream (8)
    33. max:
    34. openshift.io/image-tags: 20
    35. openshift.io/images: 30
    36. - type: "PersistentVolumeClaim" (9)
    37. min:
    38. storage: "2Gi"
    39. max:
    40. storage: "50Gi"
    1Specify a name for the LimitRange object.
    2To set limits for a pod, specify the minimum and maximum CPU and memory requests as needed.
    3To set limits for a container, specify the minimum and maximum CPU and memory requests as needed.
    4Optional. For a container, specify the default amount of CPU or memory that a container can use, if not specified in the Pod spec.
    5Optional. For a container, specify the default amount of CPU or memory that a container can request, if not specified in the Pod spec.
    6Optional. For a container, specify the maximum limit-to-request ratio that can be specified in the Pod spec.
    7To set limits for an Image object, set the maximum size of an image that can be pushed to an internal registry.
    8To set limits for an image stream, set the maximum number of image tags and references that can be in the ImageStream object file, as needed.
    9To set limits for a persistent volume claim, set the minimum and maximum amount of storage that can be requested.
  2. Create the object:

    1. $ oc create -f <limit_range_file> -n <project> (1)
    1Specify the name of the YAML file you created and the project where you want the limits to apply.

Viewing a limit

You can view any limits defined in a project by navigating in the web console to the project’s Quota page.

You can also use the CLI to view limit range details:

  1. Get the list of LimitRange object defined in the project. For example, for a project called demoproject:

    1. $ oc get limits -n demoproject
    1. NAME CREATED AT
    2. resource-limits 2020-07-15T17:14:23Z
  2. Describe the LimitRange object you are interested in, for example the resource-limits limit range:

    1. $ oc describe limits resource-limits -n demoproject
    1. Name: resource-limits
    2. Namespace: demoproject
    3. Type Resource Min Max Default Request Default Limit Max Limit/Request Ratio
    4. ---- -------- --- --- --------------- ------------- -----------------------
    5. Pod cpu 200m 2 - - -
    6. Pod memory 6Mi 1Gi - - -
    7. Container cpu 100m 2 200m 300m 10
    8. Container memory 4Mi 1Gi 100Mi 200Mi -
    9. openshift.io/Image storage - 1Gi - - -
    10. openshift.io/ImageStream openshift.io/image - 12 - - -
    11. openshift.io/ImageStream openshift.io/image-tags - 10 - - -
    12. PersistentVolumeClaim storage - 50Gi - - -

Deleting a Limit Range

To remove any active LimitRange object to no longer enforce the limits in a project:

  1. Run the following command:

    1. $ oc delete limits <limit_name>