Digital Developer Conference: Hybrid Cloud 2021. On Sep 21, gain free hybrid cloud skills from experts and partners. Register now

Enforce resource consumption limits using OpenShift resource quotas

Introduction

When several users or teams share a cluster with a fixed number of nodes, it is possible one user or team could use more than its fair share of resources. You can avoid this situation by setting a resource quota, which limits the aggregate resource consumption per project or pod/container. A resource quota limits the quantity of objects that can be created in a project by type, as well as the total amount of compute and storage resources that resources can consume in that project.

In Red Hat OpenShift, you can manage constraints by using the ResourceQuota object on a project level or by using the LimitRange object on a pod/container level. With limit ranges, you can specify the minimum and maximum usage of memory and CPU. With resource quotas, you can specify the amount of memory and CPU and number of pods, replication controllers, services, secrets, and persistent volume claims. A resource quota is enforced on a project or pod/container when there is ResourceQuota/LimitRange specified. This tutorial shows you how to set different resource limits for your applications and projects on Red Hat OpenShift and explores what happens when you try to exceed the quota.

Prerequisites

For this tutorial, you need:

Estimated time

It will take you around 30 minutes to complete this tutorial.

Log in to the CLI and create a project

  1. From the OpenShift web console on IBM Cloud, click your username at the top right, and then click Copy Login Command.
  2. Click Display Token, and copy the oc login command.
  3. In your terminal, enter ibmcloud, and then paste your oc login command.
  4. Enter the following command to create a project named quota-demo:

     oc new-project quota-demo
    

Configure a pod quota for a namespace

  1. Enter the following command to create a ResourceQuota for the project that limits the number of pods to 2:

     oc apply -f https://raw.githubusercontent.com/nerdingitout/oc-quota/main/project-quota.yaml
    

    You see the message resourcequota/pod-demo created.

  2. Enter the following command to view details about ResourceQuota:

     oc get resourcequota
    

    You see that ResourceQuota was created with 2 pods in the project:

    get resourcequota

  3. You can also view the resource quota on the web console from the Administrator Perspective. From the web console navigation menu, click Administration → Resource Quotas. You see the Resource Quotas page, with the pod-demo listed, as shown in the following image:

    resourcequota webconsole

  4. Click pod-demo to view the details of the resource quota. If you scroll down to the Resource Quota Details section for the pods resource type, you can view the used and maximum resources. Because you haven’t deployed any pods yet, it shows that 0 pods have been used.

    quota details

Verify that the pod quota works

  1. From the CLI, enter the following to deploy a simple application:

     oc create deployment myguestbook --image=ibmcom/guestbook:v1 -n quota-demo
    

    You see the message deployment.apps/myguestbook created.

  2. Enter oc get pods, and the status shows that the pod is in running state:

    image

  3. On the Resource Quota Details section on the web console, you can see that the number of used pods is now 1, as expected. This shows that the ResourceQuota has correctly counted the pod against the specified quota.

    image

  4. You can scale the application from both the web console and the command line. In this step, you use the web console to scale the application to 2 replicas. From the navigation menu, click Workloads → Deployments, and then click the myguestbook deployment:

    deployments

  5. On the Deployment Details page, you can click the upper arrow to increase the number of replicas and the down arrow to decrease the number of replicas. Clck the upper arrow to increase the number of replicas to 2:

    scale pods

  6. From the navigation menu, click Administration → Resource Quotas, and then click pod-demo. You can see that the number of used pods has increased to 2:

    image

  7. From the command line, let’s try exceeding the quota by adding another pod:

     oc create deployment myguestbookv2 --image=ibmcom/guestbook:v2 -n quota-demo
    

    You see the message deployment.apps/myguestbookv2 created.

  8. Enter oc get pods, and you see that there are only 2 pods running, even though you created a total of 3 pods:

    image

  9. Go back to the web console and click Workloads → Deployments. You see the status of the myguestbook2 deployment shows 0 of 1 pods:

    deployments 2

  10. Click the myguestbook2 deployment to view more details. You can see that the pod hasn’t been deployed.

    image

  11. Scroll to the Conditions section, which shows that the pod has failed with a message that the quota has been exceeded.

    failed pod

  12. To prepare for the next step, let’s delete all of the resources and the resource quota you created. From the command line, enter the following commands to delete all resources for the ‘myguestbook’ and ‘myguestbookv2’ deployments:

     oc delete all --selector app=myguestbook
     oc delete all --selector app=myguestbookv2
    

    You see messages that the pods and deployments have been deleted:

    delete all

Configure memory and CPU for a namespace

  1. Create a new ResourceQuota for memory and CPU using the following oc apply command:

     oc apply -f https://raw.githubusercontent.com/nerdingitout/oc-quota/main/quota-mem-cpu.yaml
    

    You see the message resourcequota/mem-cpu-demo created.

    The YAML file contains the following details for the quota:

     apiVersion: v1
     kind: ResourceQuota
     metadata:
       name: mem-cpu-demo
     spec:
       hard:
         requests.cpu: "1"
         requests.memory: 1Gi
         limits.cpu: "2"
         limits.memory: 2Gi
    
  2. When defining the quota for memory and CPU, you are defining minimum (requests) and maximum (limits) resources to be used. Once created, you can view the resource quota on the web console. Click Administration → Resource Quotas, and then click mem-cpu-demo. You can see that the resources haven’t been used yet:

    image

This ResourceQuota places the following requirements on the quota-demo namespace:

  • Every container must have a memory request, memory limit, CPU request, and CPU limit.
  • The memory request total for all containers must not exceed 1 GiB.
  • The memory limit total for all containers must not exceed 2 GiB.
  • The CPU request total for all containers must not exceed 1 core.
  • The CPU limit total for all containers must not exceed 2 cores.

Verify that the CPU and memory quotas work

  1. Create an Nginx application using the following command:

     oc apply -f https://raw.githubusercontent.com/nerdingitout/oc-quota/main/nginx-app.yaml
    

    You see the message pod/nginx-app created.

    The yaml definition specifies the memory and CPU for the pod, as shown here:

     apiVersion: v1
     kind: Pod
     metadata:
       name: nginx-app
     spec:
       containers:
       - name: quota-mem-cpu-demo-ctr
         image: nginx
         resources:
           limits:
             memory: "800Mi"
             cpu: "800m"
           requests:
             memory: "600Mi"
             cpu: "400m"
    
  2. Because the requests and limits for the CPU and memory are within the quota, the pod should be created successfully. Enter oc get pods to see that nginx-app is running:

    image

  3. On the web console, look at the Resource Quota Details section to see that the Nginx pod’s CPU and memory requests and limits are correctly accounted for against the ResourceQuota:

    image

Now, let’s try to exceed the quota by creating a new application using the redis docker image. The yaml definition includes the following details. Keep in mind that it will exceed the quota, therefore the application won’t be created.

apiVersion: v1
kind: Pod
metadata:
  name: redis-app
spec:
  containers:
  - name: quota-mem-cpu-demo-2-ctr
    image: redis
    resources:
      limits:
        memory: "1Gi"
        cpu: "800m"
      requests:
        memory: "700Mi"
        cpu: "400m"
  1. Use the following command to create the application:

     oc apply -f https://raw.githubusercontent.com/nerdingitout/oc-quota/main/redis-app.yaml
    

    You receive the following error, because the application exceeded the quota:

    image

  2. You can increase the resource quota to fit in the new application. From the web console, click YAML on the mem-cpu-demo Resource Quota Details page. Copy and paste the following lines of code between lines 65 and 71 and then click Save:

     spec:
       hard:
         limits.cpu: '4'
         limits.memory: 4Gi
         requests.cpu: '1'
         requests.memory: 2Gi
    

    The following image shows the updated lines of code in the web console:

    image

  3. Enter the following in the CLI to attempt to create the same redis application again.

     oc apply -f https://raw.githubusercontent.com/nerdingitout/oc-quota/main/redis-app.yaml
    

    This time, you receive the message pod/redis-app created.

  4. Enter oc get pods, and you see that the new application is running successfully.

    image

  5. Go back to the mem-cpu-demo Details tab, and you see that it has changed and now the consumed resources are counted for both applications:

    image

Summary

In this tutorial, you learned how to create resource quotas for the number of pods, CPU, and memory usage limits. You can apply quotas to even more resources in OpenShift. Explore the OpenShift resource quota documentation to learn how to apply quotas to object counts and storage and compute resources using what you learned from this tutorial.