Incorrect resource quota set for namespaces where Project quota is enabled #35647
Comments
@annablender In our initial checks we were not able to reproduce this on 2.6.2. Have to try a few more use cases and additionally test it on 2.6-head. But will get to it post 2.6.3 release
Waiting on rancher/dashboard#5016
@cbron @cmurphy @MbolotSuse @catherineluse @samjustus I believe we would need to evaluate those (possibly include someone from the UI team as well, for good measure) and decide what to do. In addition, the backend controller responsible for handling new namespaces and resource quotas, as well as container limits, needs to be significantly refactored and cleaned up to be correct, more readable and performant. Here are some behaviors and questions about them:
About the crux of this particular issue - I believe we create a zeros-for-all quota when a new namespace would not fit - simply because this is our way of rejecting the namespace. The namespace itself is created immediately on request. Our logic handles creating a Resource Quota in it. Instead of rejecting the quota and deleting the namespace, we just make a fully restrictive quota. Not sure if this is the most intuitive behavior.
I think the zeros-for-all quota is confusing. Unless I'm mistaken, it basically just bricks the new namespace so you can't do anything with it. It would be easier to understand if creating the namespace would fail with an error along the lines of "Can't create a new namespace because the project resource quota is already at capacity. Increase the project quota limit or decrease the limit of other namespaces in the project to free up more capacity."
Going with last option here, we should only block things that are over quota. If you are over CPU, you should still be able to make a NS with only configMaps. But ideally we alert user and tell them they are over CPU quota, so they aren't confused if they did actually want to allocate CPU.
UI behavior:
UI todo:
Non-UI behavior:
Non-UI todo:
For this particular task, we'll have backend changes to achieve the following behavior: For scenarios where namespaces are created in kubectl:
It should not matter whether requested quota comes from project defaults or annotation.
QA Testing
Root cause
We were creating an all-restrictive quota (zero for all resources) for namespaces that do not
What was fixed, or what changes have occurred
We now never create the all-restrictive quota limit. This is true even if you use kubectl and explicitly specify resource quota limits with a special annotation, like this:
Areas or cases that should be tested
What areas could experience regressions?
Please ignore the following until you run through the main scenarios. This is mostly information to keep in mind but no action is needed at this moment. One issue that will soon disappear is a lack of full synchronization between frontend and backend. A project has a limit of 500 total and 300 per namespace default (of some resource).
Steps
Scenario 1
Project resource limits:
Default limits for new namespace:
Make two namespaces, ns1 and ns2, in the UI, use the defaults. Inspect them with
ns1 has quota limit
ns2 has quota limit - notice that because you created the namespace in the UI, it gets remainder of the resource, not zero.
Now the CPU resource is completely occupied in the project.
k1 has quota limit
Create another namespace via UI called ns3.
Scenario 2
Project resource limits:
Default limits for new namespace:
Make two namespaces, ns1 and ns2, in the UI, use the defaults. Inspect them with
ns1 has quota limit
ns2 has quota limit
Now the CPU resource is completely filled in the project.
k1 has quota limit
Create another namespace via UI called ns3.
Scenario 3
Do the same test but for the namespace created with kubectl, do specify some custom limits in an annotation.
namespace k1 has quota limit
Scenario 4
Create a project and do not set any resource limits.
Observe that both namespaces end up having NO limits.
Scenario 5
Project resource limits:
Default limits for new namespace:
Create a namespace outside of any project. Run
my-ns has quota limit
My checks PASSED
Validation Environment
Validation steps
kubectl describe namespace $nameOfNamespace
touch new-namespace-spec.yaml
vi new-namespace-spec.yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    field.cattle.io/projectId: [your-cluster-ID]:[your-project-ID]
  name: k1
kubectl create -f new-namespace-spec.yaml
kubectl describe namespace k1
Results
Expected
For the namespace created via kubectl to abide by the resource quota set to the project
Actual
✅ PASS : The namespace created via kubectl did abide by the resource quota set against the project
Additional Tests
Release note
For namespaces created inside projects via kubectl, the controller no longer assigns an all-restrictive quota limit when a resource limit exceeds the remaining amount in the project. Instead, a zero just for the exceeding resource is granted.
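A simplified model of the change described in the release note above, added here as an illustration; it is not Rancher's controller code. The resource list `allKnown`, the function names and the sample amounts (500 total and 300 per namespace for CPU, as in the QA comment; memory values constructed) are assumptions.

```go
package main

import "fmt"

// Quota maps a ResourceQuota resource name to an amount; absent means unlimited.
type Quota map[string]int64

var allKnown = []string{"limits.cpu", "limits.memory", "configmaps"} // constructed stand-in

// fits reports whether want stays within what the project has left for res.
func fits(project Quota, used []Quota, res string, want int64) bool {
	left, limited := project[res]
	for _, ns := range used {
		left -= ns[res]
	}
	return !limited || want <= left
}

// grant returns the quota a new namespace receives. allRestrictive models the
// reported behaviour (one overrun zeroes every known resource); otherwise only
// the overrunning resource is zeroed, as the release note describes.
func grant(project Quota, used []Quota, req Quota, allRestrictive bool) Quota {
	out, overrun := Quota{}, false
	for res, want := range req {
		out[res] = want
		if !fits(project, used, res, want) {
			out[res], overrun = 0, true
		}
	}
	if overrun && allRestrictive {
		for _, r := range allKnown {
			out[r] = 0
		}
	}
	return out
}

// allows reports whether quota q admits n objects of resource res.
func allows(q Quota, res string, n int64) bool {
	limit, limited := q[res]
	return !limited || n <= limit
}

func main() {
	project := Quota{"limits.cpu": 500, "limits.memory": 2048} // constructed sample
	used := []Quota{{"limits.cpu": 300, "limits.memory": 512}, {"limits.cpu": 200, "limits.memory": 512}}
	req := Quota{"limits.cpu": 300, "limits.memory": 512}
	fmt.Println("before:", grant(project, used, req, true), allows(grant(project, used, req, true), "configmaps", 1))
	fmt.Println("after: ", grant(project, used, req, false), allows(grant(project, used, req, false), "configmaps", 1))
}
```

In the "before" case the namespace cannot hold a single config map even though the project never limited config maps, which matches the `limited: configmaps=0` error in the issue description.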
SURE-3695
Rancher Cluster:
Rancher version: v2.5.10 & v.2.6.2
Number of nodes: 3
Node OS version: Ubuntu 20.04.3 LTS
Downstream Cluster:
Number of Downstream clusters: 1
Node OS: Ubuntu 20.04.3 LTS
RKE/RKE2/K3S version: NA
Kubernetes version: NA
CNI: NA
Longhorn:
Longhorn version: NA
CPU per node: NA
Memory per node: NA
Disk type: HDD/SSD/NVMe
Network bandwidth between the nodes: NA
Other:
Underlying Infrastructure: NA
Any 3rd party software installed on the nodes: NA
Issue description:
The namespace created after utilizing all project limits; the resource quota allocated to new namespace contains quota which is not provided in project quota
Business impact:
Unable to create a new config map on a namespace where no project resource quota assigned for configmap
Repro steps:
Create a Project with below resource limits
Create a namespace inside the project
The namespace gets a quota with the below settings
Create another namespace, but this time the new namespace gets below the quota
Create a new config map on second namespace
configmaps "test" is forbidden: exceeded quota: default-995sh, requested: configmaps=1, used: configmaps=0, limited: configmaps=0
Actual behavior:
Unable to create config maps on namespace that doesn't have a project-level configmap quota set
Expected behavior:
Configmap creation should work since the limit is set for only CPU and Memory