This is a cache of https://docs.openshift.com/container-platform/4.9/nodes/clusters/nodes-cluster-limit-ranges.html. It is a snapshot of the page at 2024-11-04T18:42:43.381+0000.
Setting limit ranges - Working with clusters | Nodes | OpenShift Container Platform 4.9
×

By default, containers run with unbounded compute resources on an OpenShift Container Platform cluster. With limit ranges, you can restrict resource consumption for specific objects in a project:

  • pods and containers: You can set minimum and maximum requirements for CPU and memory for pods and their containers.

  • Image streams: You can set limits on the number of images and tags in an ImageStream object.

  • Images: You can limit the size of images that can be pushed to an internal registry.

  • Persistent volume claims (PVC): You can restrict the size of the PVCs that can be requested.

If a pod does not meet the constraints imposed by the limit range, the pod cannot be created in the namespace.

About limit ranges

A limit range, defined by a LimitRange object, restricts resource consumption in a project. In the project you can set specific resource limits for a pod, container, image, image stream, or persistent volume claim (PVC).

All requests to create and modify resources are evaluated against each LimitRange object in the project. If the resource violates any of the enumerated constraints, the resource is rejected.

The following shows a limit range object for all components: pod, container, image, image stream, or PVC. You can configure limits for any or all of these components in the same object. You create a different limit range object for each project where you want to control resources.

Sample limit range object for a container
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "Container"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "100m"
        memory: "4Mi"
      default:
        cpu: "300m"
        memory: "200Mi"
      defaultRequest:
        cpu: "200m"
        memory: "100Mi"
      maxLimitRequestRatio:
        cpu: "10"

About component limits

The following examples show limit range parameters for each component. The examples are broken out for clarity. You can create a single LimitRange object for any or all components as necessary.

Container limits

A limit range allows you to specify the minimum and maximum CPU and memory that each container in a pod can request for a specific project. If a container is created in the project, the container CPU and memory requests in the Pod spec must comply with the values set in the LimitRange object. If not, the pod does not get created.

  • The container CPU or memory request and limit must be greater than or equal to the min resource constraint for containers that are specified in the LimitRange object.

  • The container CPU or memory request and limit must be less than or equal to the max resource constraint for containers that are specified in the LimitRange object.

    If the LimitRange object defines a max CPU, you do not need to define a CPU request value in the Pod spec. But you must specify a CPU limit value that satisfies the maximum CPU constraint specified in the limit range.

  • The ratio of the container limits to requests must be less than or equal to the maxLimitRequestRatio value for containers that is specified in the LimitRange object.

    If the LimitRange object defines a maxLimitRequestRatio constraint, any new containers must have both a request and a limit value. OpenShift Container Platform calculates the limit-to-request ratio by dividing the limit by the request. This value should be a non-negative integer greater than 1.

    For example, if a container has cpu: 500 in the limit value, and cpu: 100 in the request value, the limit-to-request ratio for cpu is 5. This ratio must be less than or equal to the maxLimitRequestRatio.

If the Pod spec does not specify a container resource memory or limit, the default or defaultRequest CPU and memory values for containers specified in the limit range object are assigned to the container.

Container LimitRange object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits" (1)
spec:
  limits:
    - type: "Container"
      max:
        cpu: "2" (2)
        memory: "1Gi" (3)
      min:
        cpu: "100m" (4)
        memory: "4Mi" (5)
      default:
        cpu: "300m" (6)
        memory: "200Mi" (7)
      defaultRequest:
        cpu: "200m" (8)
        memory: "100Mi" (9)
      maxLimitRequestRatio:
        cpu: "10" (10)
1 The name of the LimitRange object.
2 The maximum amount of CPU that a single container in a pod can request.
3 The maximum amount of memory that a single container in a pod can request.
4 The minimum amount of CPU that a single container in a pod can request.
5 The minimum amount of memory that a single container in a pod can request.
6 The default amount of CPU that a container can use if not specified in the Pod spec.
7 The default amount of memory that a container can use if not specified in the Pod spec.
8 The default amount of CPU that a container can request if not specified in the Pod spec.
9 The default amount of memory that a container can request if not specified in the Pod spec.
10 The maximum limit-to-request ratio for a container.

Pod limits

A limit range allows you to specify the minimum and maximum CPU and memory limits for all containers across a pod in a given project. To create a container in the project, the container CPU and memory requests in the Pod spec must comply with the values set in the LimitRange object. If not, the pod does not get created.

If the Pod spec does not specify a container resource memory or limit, the default or defaultRequest CPU and memory values for containers specified in the limit range object are assigned to the container.

Across all containers in a pod, the following must hold true:

  • The container CPU or memory request and limit must be greater than or equal to the min resource constraints for pods that are specified in the LimitRange object.

  • The container CPU or memory request and limit must be less than or equal to the max resource constraints for pods that are specified in the LimitRange object.

  • The ratio of the container limits to requests must be less than or equal to the maxLimitRequestRatio constraint specified in the LimitRange object.

Pod LimitRange object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits" (1)
spec:
  limits:
    - type: "Pod"
      max:
        cpu: "2" (2)
        memory: "1Gi" (3)
      min:
        cpu: "200m" (4)
        memory: "6Mi" (5)
      maxLimitRequestRatio:
        cpu: "10" (6)
1 The name of the limit range object.
2 The maximum amount of CPU that a pod can request across all containers.
3 The maximum amount of memory that a pod can request across all containers.
4 The minimum amount of CPU that a pod can request across all containers.
5 The minimum amount of memory that a pod can request across all containers.
6 The maximum limit-to-request ratio for a container.

Image limits

A LimitRange object allows you to specify the maximum size of an image that can be pushed to an internal registry.

When pushing images to an internal registry, the following must hold true:

  • The size of the image must be less than or equal to the max size for images that is specified in the LimitRange object.

Image LimitRange object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits" (1)
spec:
  limits:
    - type: openshift.io/Image
      max:
        storage: 1Gi (2)
1 The name of the LimitRange object.
2 The maximum size of an image that can be pushed to an internal registry.

To prevent blobs that exceed the limit from being uploaded to the registry, the registry must be configured to enforce quotas.

The image size is not always available in the manifest of an uploaded image. This is especially the case for images built with Docker 1.10 or higher and pushed to a v2 registry. If such an image is pulled with an older Docker daemon, the image manifest is converted by the registry to schema v1 lacking all the size information. No storage limit set on images prevent it from being uploaded.

The issue is being addressed.

Image stream limits

A LimitRange object allows you to specify limits for image streams.

For each image stream, the following must hold true:

  • The number of image tags in an ImageStream specification must be less than or equal to the openshift.io/image-tags constraint in the LimitRange object.

  • The number of unique references to images in an ImageStream specification must be less than or equal to the openshift.io/images constraint in the limit range object.

Imagestream LimitRange object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits" (1)
spec:
  limits:
    - type: openshift.io/ImageStream
      max:
        openshift.io/image-tags: 20 (2)
        openshift.io/images: 30 (3)
1 The name of the LimitRange object.
2 The maximum number of unique image tags in the imagestream.spec.tags parameter in imagestream spec.
3 The maximum number of unique image references in the imagestream.status.tags parameter in the imagestream spec.

The openshift.io/image-tags resource represents unique image references. Possible references are an ImageStreamTag, an ImageStreamImage and a DockerImage. Tags can be created using the oc tag and oc import-image commands. No distinction is made between internal and external references. However, each unique reference tagged in an ImageStream specification is counted just once. It does not restrict pushes to an internal container image registry in any way, but is useful for tag restriction.

The openshift.io/images resource represents unique image names recorded in image stream status. It allows for restriction of a number of images that can be pushed to the internal registry. Internal and external references are not distinguished.

Persistent volume claim limits

A LimitRange object allows you to restrict the storage requested in a persistent volume claim (PVC).

Across all persistent volume claims in a project, the following must hold true:

  • The resource request in a persistent volume claim (PVC) must be greater than or equal the min constraint for PVCs that is specified in the LimitRange object.

  • The resource request in a persistent volume claim (PVC) must be less than or equal the max constraint for PVCs that is specified in the LimitRange object.

PVC LimitRange object definition
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits" (1)
spec:
  limits:
    - type: "PersistentVolumeClaim"
      min:
        storage: "2Gi" (2)
      max:
        storage: "50Gi" (3)
1 The name of the LimitRange object.
2 The minimum amount of storage that can be requested in a persistent volume claim.
3 The maximum amount of storage that can be requested in a persistent volume claim.

Creating a Limit Range

To apply a limit range to a project:

  1. Create a LimitRange object with your required specifications:

    apiVersion: "v1"
    kind: "LimitRange"
    metadata:
      name: "resource-limits" (1)
    spec:
      limits:
        - type: "Pod" (2)
          max:
            cpu: "2"
            memory: "1Gi"
          min:
            cpu: "200m"
            memory: "6Mi"
        - type: "Container" (3)
          max:
            cpu: "2"
            memory: "1Gi"
          min:
            cpu: "100m"
            memory: "4Mi"
          default: (4)
            cpu: "300m"
            memory: "200Mi"
          defaultRequest: (5)
            cpu: "200m"
            memory: "100Mi"
          maxLimitRequestRatio: (6)
            cpu: "10"
        - type: openshift.io/Image (7)
          max:
            storage: 1Gi
        - type: openshift.io/ImageStream (8)
          max:
            openshift.io/image-tags: 20
            openshift.io/images: 30
        - type: "PersistentVolumeClaim" (9)
          min:
            storage: "2Gi"
          max:
            storage: "50Gi"
    1 Specify a name for the LimitRange object.
    2 To set limits for a pod, specify the minimum and maximum CPU and memory requests as needed.
    3 To set limits for a container, specify the minimum and maximum CPU and memory requests as needed.
    4 Optional. For a container, specify the default amount of CPU or memory that a container can use, if not specified in the Pod spec.
    5 Optional. For a container, specify the default amount of CPU or memory that a container can request, if not specified in the Pod spec.
    6 Optional. For a container, specify the maximum limit-to-request ratio that can be specified in the Pod spec.
    7 To set limits for an Image object, set the maximum size of an image that can be pushed to an internal registry.
    8 To set limits for an image stream, set the maximum number of image tags and references that can be in the ImageStream object file, as needed.
    9 To set limits for a persistent volume claim, set the minimum and maximum amount of storage that can be requested.
  2. Create the object:

    $ oc create -f <limit_range_file> -n <project> (1)
    1 Specify the name of the YAML file you created and the project where you want the limits to apply.

Viewing a limit

You can view any limits defined in a project by navigating in the web console to the project’s quota page.

You can also use the CLI to view limit range details:

  1. Get the list of LimitRange object defined in the project. For example, for a project called demoproject:

    $ oc get limits -n demoproject
    NAME              CREATED AT
    resource-limits   2020-07-15T17:14:23Z
  2. Describe the LimitRange object you are interested in, for example the resource-limits limit range:

    $ oc describe limits resource-limits -n demoproject
    Name:                           resource-limits
    Namespace:                      demoproject
    Type                            Resource                Min     Max     Default Request Default Limit   Max Limit/Request Ratio
    ----                            --------                ---     ---     --------------- -------------   -----------------------
    Pod                             cpu                     200m    2       -               -               -
    Pod                             memory                  6Mi     1Gi     -               -               -
    Container                       cpu                     100m    2       200m            300m            10
    Container                       memory                  4Mi     1Gi     100Mi           200Mi           -
    openshift.io/Image              storage                 -       1Gi     -               -               -
    openshift.io/ImageStream        openshift.io/image      -       12      -               -               -
    openshift.io/ImageStream        openshift.io/image-tags -       10      -               -               -
    PersistentVolumeClaim           storage                 -       50Gi    -               -               -

Deleting a Limit Range

To remove any active LimitRange object to no longer enforce the limits in a project:

  1. Run the following command:

    $ oc delete limits <limit_name>