Resource Quota applied before LimitRanger in Kubernetes for Pod without specified limits
TL;DR:
Error from server (Forbidden): error when creating "test-pod.yml": pods "test-pod" is forbidden: failed quota: mem-cpu-demo: must specify limits.cpu
You didn't set a default limit for CPU, according to ResourceQuota Docs:
If quota is enabled in a namespace for compute resources like cpu and memory, users must specify requests or limits for those values; otherwise, the quota system may reject pod creation.
This is why the pod is not being created. Add a
cpu-limit.yaml
:
apiVersion: v1kind: LimitRangemetadata: name: cpu-limit-range namespace: testspec: limits: - default: cpu: 1 defaultRequest: cpu: 0.5 type: Container
The limitRanger injects the defaults at container runtime, and yes, it injects the default values prior to the ResourceQuota validation.
Other minor issue that I found, is that not all your yamls contains the
namespace: test
line under metadata, that's important to assign the resources to the right namespace, I fixed it on the example below.
Reproduction:
- Created namespace, applied first the mem-limit and quota, as you mentioned:
$ kubectl create namespace testnamespace/test created$ cat mem-limit.yaml apiVersion: v1kind: LimitRangemetadata: name: mem-limit-range namespace: testspec: limits: - default: memory: 512Mi defaultRequest: memory: 256Mi type: Container$ cat quota.yaml apiVersion: v1kind: ResourceQuotametadata: name: mem-cpu-demo namespace: testspec: hard: limits.cpu: "2" limits.memory: 2Gi$ kubectl apply -f mem-limit.yaml limitrange/mem-limit-range created$ kubectl apply -f quota.yaml resourcequota/mem-cpu-demo created$ kubectl describe resourcequota -n testName: mem-cpu-demoNamespace: testResource Used Hard-------- ---- ----limits.cpu 0 2limits.memory 0 2Gi$ kubectl describe limits -n testName: mem-limit-rangeNamespace: testType Resource Min Max Default Request Default Limit Max Limit/Request Ratio---- -------- --- --- --------------- ------------- -----------------------Container memory - - 256Mi 512Mi -
- Now if I try to create the pod:
$ cat pod.yaml apiVersion: v1kind: Podmetadata: name: test-pod namespace: testspec: containers: - name: test-pod-ctr image: redis$ kubectl apply -f pod.yaml Error from server (Forbidden): error when creating "pod.yaml": pods "test-pod" is forbidden: failed quota: mem-cpu-demo: must specify limits.cpu
- Same error you faced, because there is no default limits for CPU set. We'll create and apply it:
$ cat cpu-limit.yaml apiVersion: v1kind: LimitRangemetadata: name: cpu-limit-range namespace: testspec: limits: - default: cpu: 1 defaultRequest: cpu: 0.5 type: Container$ kubectl apply -f cpu-limit.yaml limitrange/cpu-limit-range created$ kubectl describe limits cpu-limit-range -n testName: cpu-limit-rangeNamespace: testType Resource Min Max Default Request Default Limit Max Limit/Request Ratio---- -------- --- --- --------------- ------------- -----------------------Container cpu - - 500m 1 -
- Now with the cpu limitRange in action, let's create the pod and inspect it:
$ kubectl apply -f pod.yaml pod/test-pod created$ kubectl describe pod test-pod -n testName: test-podNamespace: testStatus: Running...{{Suppressed output}}... Limits: cpu: 1 memory: 512Mi Requests: cpu: 500m memory: 256Mi
- Our pod was created with the enforced limitRange.
If you have any question let me know in the comments.