Resource Quota Draft #793
Resource Quota Draft #793
Conversation
We should mention that Rancher implementation leverages native Kubernetes Resource Quota concept.
Not quite true. We enforce the limit on the API level by disallowing the namespace creation if its resource quota exceeds the limit available on the project. We do not stop the existing namespaces.
Same here. More to add: We should describe that quota defined on the namespace will get propagated to kubernetes cluster, and Kubernetes native capabilities will enforce that all the resources created within the namespace, will be within the namespace quota. Like if user tries to start the workload which CPU request exceeds the namespace limit, the workload creation would fail. We should emphasize that on namespace creation, if the quota defined on the namespace, exceeds the quota available on the project (considering all existing namespaces and their quotas), the namespace creation would fail. Admin would have to adjust the project quota by increasing the limit. |
MBishop17
force-pushed
the
quota-draft
branch
from
1c2033b
to
f411a79
Compare
MBishop17
force-pushed
the
quota-draft
branch
from
f411a79
to
1e7cc95
Compare
MBishop17
force-pushed
the
quota-draft
branch
from
37a7379
to
d04919b
Compare
|
@alena1108 and @deniseschannon , I've completed a draft for resource quotas. It's a long one, so enjoy! |
| @@ -171,4 +189,23 @@ Cluster admins and members may occasionally need to move a namespace to another | |||
|
|
|||
| 1. Choose a new project for the new namespace and then click **Move**. Alternatively, you can remove the namespace from all projects by selecting **None**. | |||
|
|
|||
| **Result:** Your namespace is moved to a different project (or is unattached from all projects). If any project resources are attached to the namespace, the namespace releases them and then attached resources from the new project. | |||
| **Result:** Your namespace is moved to a different project (or is unattached from all projects). If any project resources are attached to the namespace, the namespace releases them and then attached resources from the new project. | |||
There was a problem hiding this comment.
we do not allow moving namespace if the destination project has the resource quota set. Thats the limitation for now. The only moves that are allowed, are:
- from project with no quota, to the project with no quota
- from project with quota, to the project with no quota. The quota on the namespace will be cleaned up as the result
|
|
||
| ### Editing Namespace Resource Quotas | ||
|
|
||
| If there is a [resource quota]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas) configured for a project, you can override the namespace default limit to provide a specific namespace with access to more (or less) project resources. |
There was a problem hiding this comment.
with access to more (or less) project resources
think would be good to note that the namespace quota value should be within project limit value?
| | Field | Description | | ||
| | ----------------------- | -------------------------------------------------------------------------------------------------------- | | ||
| | Project Limit | The overall resource limit for the project. | | ||
| | Namespace Default Limit | The default resource limit available for each namespace. This limit is propagated to each namespace in the project. | |
There was a problem hiding this comment.
should mention that combined limit of all the namespaces shouldn't exceed the quota set on a project
|
related to #527 |
| @@ -106,6 +106,22 @@ Rancher extends Kubernetes to allow the application of [Pod Security Policies](h | |||
| >**Tip:** Choose Custom to create a custom role on the fly: [Custom Project Roles]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#custom-project-roles). | |||
|
|
|||
| 1. To add more members, repeat substeps a—c. | |||
|
|
|||
| 1. **Optional:** Add **Resource Quotas**, which limit the resources that a project (and its namespaces) can consume. For more information, see [Resource Quotas]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas). | |||
There was a problem hiding this comment.
we should indicate which version this is available in.
| >**Notes:** | ||
| > | ||
| >- Don't move the namespaces in the `System` project. Moving these namespaces can adversely affect cluster networking. | ||
| >- You cannot move a namespace into a project that already has a [resource quota]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/resource-quotas/) configured. |
There was a problem hiding this comment.
we should indicate that if you move a namespace that had a quota set, the quotas would be removed when moving to a project with no quota.
| >**<sup>1</sup>** In the quota, if you set CPU or Memory limits, all containers you create in the project / namespace must explicitly satisfy the quota. See the [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/#requests-vs-limits) for more details. | ||
|
|
||
|
|
||
| ### Namespace Default Limit Overrides |
There was a problem hiding this comment.
I'd rename this to Overriding the default Limit for a Namespace
MBishop17
force-pushed
the
quota-draft
branch
from
933da00
to
3a89df3
Compare
|
LGTM |
|
@deniseschannon , are we waiting on anything to close out this issue? |
|
I can't merge to staging as it will cause staging to be stuck in being able to be moved to live. @MBishop17 |
Alena, can I please get some feedback on the draft I wrote for Resource Quotas?
You can view the actual draft page at https://staging.rancher.com/docs/rancher/v2.x/en/k8s-in-rancher/projects-and-namespaces/project-quotas/