Resource Quota applied before LimitRanger in Kubernetes for Pod without specified limits


TL;DR:

Error from server (Forbidden): error when creating "test-pod.yml": pods "test-pod" is forbidden: failed quota: mem-cpu-demo: must specify limits.cpu

  • You didn't set a default limit for CPU, according to ResourceQuota Docs:

    If quota is enabled in a namespace for compute resources like cpu and memory, users must specify requests or limits for those values; otherwise, the quota system may reject pod creation.

  • This is why the pod is not being created. Add a cpu-limit.yaml:

    apiVersion: v1
    kind: LimitRange
    metadata:
      name: cpu-limit-range
      namespace: test
    spec:
      limits:
      - default:
          cpu: 1
        defaultRequest:
          cpu: 0.5
        type: Container

  • The limitRanger injects the defaults at container runtime, and yes, it injects the default values prior to the ResourceQuota validation.

  • Another minor issue that I found is that not all your YAMLs contain the namespace: test line under metadata. That's important to assign the resources to the right namespace; I fixed it in the example below.

Reproduction:

  • Created namespace, applied first the mem-limit and quota, as you mentioned:

    $ kubectl create namespace test
    namespace/test created

    $ cat mem-limit.yaml
    apiVersion: v1
    kind: LimitRange
    metadata:
      name: mem-limit-range
      namespace: test
    spec:
      limits:
      - default:
          memory: 512Mi
        defaultRequest:
          memory: 256Mi
        type: Container

    $ cat quota.yaml
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: mem-cpu-demo
      namespace: test
    spec:
      hard:
        limits.cpu: "2"
        limits.memory: 2Gi

    $ kubectl apply -f mem-limit.yaml
    limitrange/mem-limit-range created
    $ kubectl apply -f quota.yaml
    resourcequota/mem-cpu-demo created

    $ kubectl describe resourcequota -n test
    Name:          mem-cpu-demo
    Namespace:     test
    Resource       Used  Hard
    --------       ----  ----
    limits.cpu     0     2
    limits.memory  0     2Gi

    $ kubectl describe limits -n test
    Name:       mem-limit-range
    Namespace:  test
    Type        Resource  Min  Max  Default Request  Default Limit  Max Limit/Request Ratio
    ----        --------  ---  ---  ---------------  -------------  -----------------------
    Container   memory    -    -    256Mi            512Mi          -

  • Now if I try to create the pod:

    $ cat pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
      namespace: test
    spec:
      containers:
      - name: test-pod-ctr
        image: redis

    $ kubectl apply -f pod.yaml
    Error from server (Forbidden): error when creating "pod.yaml": pods "test-pod" is forbidden: failed quota: mem-cpu-demo: must specify limits.cpu

  • Same error you faced, because there are no default limits for CPU set. We'll create and apply it:

    $ cat cpu-limit.yaml
    apiVersion: v1
    kind: LimitRange
    metadata:
      name: cpu-limit-range
      namespace: test
    spec:
      limits:
      - default:
          cpu: 1
        defaultRequest:
          cpu: 0.5
        type: Container

    $ kubectl apply -f cpu-limit.yaml
    limitrange/cpu-limit-range created

    $ kubectl describe limits cpu-limit-range -n test
    Name:       cpu-limit-range
    Namespace:  test
    Type        Resource  Min  Max  Default Request  Default Limit  Max Limit/Request Ratio
    ----        --------  ---  ---  ---------------  -------------  -----------------------
    Container   cpu       -    -    500m             1              -

  • Now with the cpu limitRange in action, let's create the pod and inspect it:

    $ kubectl apply -f pod.yaml
    pod/test-pod created

    $ kubectl describe pod test-pod -n test
    Name:         test-pod
    Namespace:    test
    Status:       Running
    ...{{Suppressed output}}...
        Limits:
          cpu:     1
          memory:  512Mi
        Requests:
          cpu:        500m
          memory:     256Mi

  • Our pod was created with the enforced limitRange.

If you have any questions, let me know in the comments.
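
The two steps described in the answer above (LimitRange defaults filled in first, quota check second), as an added example that is not part of the original answer and is not Kubernetes code. It is a simplified model: the dicts are constructed copies of the manifests on this page, the function names are hypothetical, and only `limits.*` / `requests.*` quota keys and Container-type defaults are handled.

```python
import copy

# Constructed objects mirroring the manifests on this page (already parsed into dicts).
QUOTA = {"metadata": {"name": "mem-cpu-demo"},
         "spec": {"hard": {"limits.cpu": "2", "limits.memory": "2Gi"}}}
MEM_RANGE = {"spec": {"limits": [{"type": "Container",
             "default": {"memory": "512Mi"}, "defaultRequest": {"memory": "256Mi"}}]}}
CPU_RANGE = {"spec": {"limits": [{"type": "Container",
             "default": {"cpu": "1"}, "defaultRequest": {"cpu": "0.5"}}]}}
POD = {"metadata": {"name": "test-pod"},
       "spec": {"containers": [{"name": "test-pod-ctr", "image": "redis"}]}}

def apply_limit_ranges(pod, limit_ranges):
    """Step 1 (mutating): fill missing container limits/requests from the defaults."""
    pod = copy.deepcopy(pod)  # leave the submitted object untouched
    for ctr in pod["spec"]["containers"]:
        res = ctr.setdefault("resources", {})
        limits = res.setdefault("limits", {})
        requests = res.setdefault("requests", {})
        for lr in limit_ranges:
            for item in lr["spec"]["limits"]:
                if item.get("type") != "Container":
                    continue
                for name, qty in item.get("default", {}).items():
                    limits.setdefault(name, qty)      # explicit values win
                for name, qty in item.get("defaultRequest", {}).items():
                    requests.setdefault(name, qty)
    return pod

def missing_for_quota(pod, quota):
    """Step 2 (validating): quota keys that some container still leaves unset."""
    missing = set()
    for key in quota["spec"]["hard"]:
        kind, _, name = key.partition(".")
        if kind not in ("limits", "requests"):
            continue  # object-count and bare keys are outside this sketch
        for ctr in pod["spec"]["containers"]:
            if name not in ctr.get("resources", {}).get(kind, {}):
                missing.add(key)
    return sorted(missing)

def admit(pod, quota, limit_ranges):
    """Return (admitted, message), with the message shaped like the error above."""
    missing = missing_for_quota(apply_limit_ranges(pod, limit_ranges), quota)
    if missing:
        return False, "failed quota: %s: must specify %s" % (
            quota["metadata"]["name"], ",".join(missing))
    return True, "created"
```

Calling `admit(POD, QUOTA, [MEM_RANGE])` reproduces the rejection from the reproduction, and adding `CPU_RANGE` to the list lets the same pod through.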