Restrict resource consumption with limit ranges

You can use limit ranges to restrict resource consumption for specific objects in a project.

By default, containers run with unbounded compute resources on an OpenShift Container Platform cluster.

You can configure resource consumption for the following objects:

• pods and containers: You can set minimum and maximum requirements for CPU and memory for pods and their containers.

• Image streams: You can set limits on the number of images and tags in an ImageStream object.

• Images: You can limit the size of images that can be pushed to an internal registry.

• Persistent volume claims (PVC): You can restrict the size of the PVCs that can be requested.

If a pod does not meet the constraints imposed by the limit range, the pod cannot be created in the namespace.

About limit ranges

You can set specific resource limits for a pod, container, image, image stream, or persistent volume claim (PVC) in a specific project by defining a LimitRange object. A limit range allows you to restrict resource consumption in that project.

All requests to create and modify resources are evaluated against each LimitRange object in the project. If the resource violates any of the enumerated constraints, the resource is rejected.

The following shows a limit range object for all components: pod, container, image, image stream, or PVC. You can configure limits for any or all of these components in the same object. You create a different limit range object for each project where you want to control resources.

Sample limit range object for a container

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "Container"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "100m"
        memory: "4Mi"
      default:
        cpu: "300m"
        memory: "200Mi"
      defaultRequest:
        cpu: "200m"
        memory: "100Mi"
      maxLimitRequestRatio:
        cpu: "10"

About component limits

Review the following examples to learn the limit range parameters for each component for when you create or edit a LimitRange object.

The examples are broken out for clarity. You can create a single LimitRange object for any or all components as necessary.

Container limits

A limit range allows you to specify the minimum and maximum CPU and memory that each container in a pod can request for a specific project. If a container is created in the project, the container CPU and memory requests in the Pod spec must comply with the values set in the LimitRange object. If not, the pod does not get created. The following requirements must hold true:

• The container CPU or memory request and limit must be greater than or equal to the min resource constraint for containers that are specified in the LimitRange object.

• The container CPU or memory request and limit must be less than or equal to the max resource constraint for containers that are specified in the LimitRange object.

If the LimitRange object defines a max CPU, you do not need to define a CPU request value in the Pod spec. But you must specify a CPU limit value that satisfies the maximum CPU constraint specified in the limit range. The following requirements must hold true:

• The ratio of the container limits to requests must be less than or equal to the maxLimitRequestRatio value for containers that is specified in the LimitRange object.

  If the LimitRange object defines a maxLimitRequestRatio constraint, any new containers must have both a request and a limit value. OpenShift Container Platform calculates the limit-to-request ratio by dividing the limit by the request. This value should be a non-negative integer greater than 1.

  For example, if a container has cpu: 500 in the limit value, and cpu: 100 in the request value, the limit-to-request ratio for cpu is 5. This ratio must be less than or equal to the maxLimitRequestRatio.

If the Pod spec does not specify a container resource memory or limit, the default or defaultRequest CPU and memory values for containers specified in the limit range object are assigned to the container.

Container LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "Container"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "100m"
        memory: "4Mi"
      default:
        cpu: "300m"
        memory: "200Mi"
      defaultRequest:
        cpu: "200m"
        memory: "100Mi"
      maxLimitRequestRatio:
        cpu: "10"

where:

metadata.name

Specifies the name of the limit range object.

spec.limit.max.cpu

Specifies the maximum amount of CPU that a single container in a pod can request.

spec.limit.max.memory

Specifies the maximum amount of memory that a single container in a pod can request.

spec.limit.min.cpu

Specifies the minimum amount of CPU that a single container in a pod can request.

spec.limit.min.memory

Specifies the minimum amount of memory that a single container in a pod can request.

spec.limit.default.cpu

Specifies the default amount of CPU that a container can use if not specified in the Pod spec.

spec.limit.default.memory

Specifies the default amount of memory that a container can use if not specified in the Pod spec.

spec.limit.defaultRequest.cpu

Specifies the default amount of CPU that a container can request if not specified in the Pod spec.

spec.limit.defaultRequest.memory

Specifies the default amount of memory that a container can request if not specified in the Pod spec.

spec.limit.maxLimitRequestRatio.cpu

Specifies the maximum limit-to-request ratio for a container.

Pod limits

A limit range allows you to specify the minimum and maximum CPU and memory limits for all containers across a pod in a given project. To create a container in the project, the container CPU and memory requests in the Pod spec must comply with the values set in the LimitRange object. If not, the pod does not get created.

If the Pod spec does not specify a container resource memory or limit, the default or defaultRequest CPU and memory values for containers specified in the limit range object are assigned to the container.

Across all containers in a pod, the following requirements must hold true:

• The container CPU or memory request and limit must be greater than or equal to the min resource constraints for pods that are specified in the LimitRange object.

• The container CPU or memory request and limit must be less than or equal to the max resource constraints for pods that are specified in the LimitRange object.

• The ratio of the container limits to requests must be less than or equal to the maxLimitRequestRatio constraint specified in the LimitRange object.

Pod LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "Pod"
      max:
        cpu: "2"
        memory: "1Gi"
      min:
        cpu: "200m"
        memory: "6Mi"
      maxLimitRequestRatio:
        cpu: "10"

where:

metadata.name

Specifies the name of the limit range object.

spec.limit.max.cpu

Specifies the maximum amount of CPU that a pod can request across all containers.

spec.limit.max.memory

Specifies the maximum amount of memory that a pod can request across all containers.

spec.limit.min.cpu

Specifies the minimum amount of CPU that a pod can request across all containers.

spec.limit.min.memory

Specifies the minimum amount of memory that a pod can request across all containers.

spec.limit.maxLimitRequestRatio.cpu

Specifies the maximum limit-to-request ratio for a container.

Image limits

A limit range allows you to specify the maximum size of an image that can be pushed to an OpenShift image registry.

When pushing images to an OpenShift image registry, the following requirement must hold true:

• The size of the image must be less than or equal to the max size for images that is specified in the LimitRange object.

Image LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: openshift.io/Image
      max:
        storage: 1Gi

where:

metadata.name

Specifies the name of the limit range object.

spec.limit.max.storage

Specifies the maximum size of an image that can be pushed to an OpenShift image registry.

Warning

The image size is not always available in the manifest of an uploaded image. This is especially the case for images built with Docker 1.10 or higher and pushed to a v2 registry. If such an image is pulled with an older Docker daemon, the image manifest is converted by the registry to schema v1 lacking all the size information. No storage limit set on images prevent it from being uploaded.

The issue is being addressed.

Image stream limits

A limit range allows you to specify limits for image streams.

For each image stream, the following requirements must hold true:

• The number of image tags in an ImageStream specification must be less than or equal to the openshift.io/image-tags constraint in the LimitRange object.

• The number of unique references to images in an ImageStream specification must be less than or equal to the openshift.io/images constraint in the limit range object.

Imagestream LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: openshift.io/ImageStream
      max:
        openshift.io/image-tags: 20
        openshift.io/images: 30

where

metadata.name

Specifies the name of the LimitRange object.

spec.limit.max.openshift.io/image-tags

Specifies the maximum number of unique image tags in the imagestream.spec.tags parameter in imagestream spec.

spec.limit.max.openshift.io/images

Specifies the maximum number of unique image references in the imagestream.status.tags parameter in the imagestream spec.

The openshift.io/image-tags resource represents unique image references. Possible references are an ImageStreamTag, an ImageStreamImage and a DockerImage. Tags can be created using the oc tag and oc import-image commands. No distinction is made between internal and external references. However, each unique reference tagged in an ImageStream specification is counted just once. It does not restrict pushes to an internal container image registry in any way, but is useful for tag restriction.

The openshift.io/images resource represents unique image names recorded in image stream status. It allows for restriction of a specific number of images that can be pushed to the OpenShift image registry. Internal and external references are not distinguished.

Persistent volume claim limits

A limit range allows you to restrict the storage requested in a persistent volume claim (PVC).

Across all persistent volume claims in a project, the following requirements must hold true:

• The resource request in a persistent volume claim (PVC) must be greater than or equal the min constraint for PVCs that is specified in the LimitRange object.

• The resource request in a persistent volume claim (PVC) must be less than or equal the max constraint for PVCs that is specified in the LimitRange object.

PVC LimitRange object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "resource-limits"
spec:
  limits:
    - type: "PersistentVolumeClaim"
      min:
        storage: "2Gi"
      max:
        storage: "50Gi"

where:

metadata.name

Specifies the name of the LimitRange object.

spec.limit.min.storage

Specifies the minimum amount of storage that can be requested in a persistent volume claim.

spec.limit.max.storage

Specifies the maximum amount of storage that can be requested in a persistent volume claim.

Creating a Limit Range

You can define LimitRange objects to set specific resource limits for a pod, container, image, image stream, or persistent volume claim (PVC) in a specific project. A limit range allows you to restrict resource consumption in that project.

Procedure

1. Create a LimitRange object with your required specifications:

   apiVersion: "v1"
   kind: "LimitRange"
   metadata:
     name: "resource-limits"
   spec:
     limits:
       - type: "Pod"
         max:
           cpu: "2"
           memory: "1Gi"
         min:
           cpu: "200m"
           memory: "6Mi"
       - type: "Container"
         max:
           cpu: "2"
           memory: "1Gi"
         min:
           cpu: "100m"
           memory: "4Mi"
         default:
           cpu: "300m"
           memory: "200Mi"
         defaultRequest:
           cpu: "200m"
           memory: "100Mi"
         maxLimitRequestRatio:
           cpu: "10"
       - type: openshift.io/Image
         max:
           storage: 1Gi
       - type: openshift.io/ImageStream
         max:
           openshift.io/image-tags: 20
           openshift.io/images: 30
       - type: "PersistentVolumeClaim"
         min:
           storage: "2Gi"
         max:
           storage: "50Gi"

   where:

   metadata.name

   Specifies a name for the LimitRange object.

   spec.limit.type.Pod

   Specifies limits for a pod, specify the minimum and maximum CPU and memory requests as needed.

   spec.limit.type.Container

   Specifies limits for a container, specify the minimum and maximum CPU and memory requests as needed.

   spec.limit.type.default

   For a container, specifies the default amount of CPU or memory that a container can use, if not specified in the Pod spec. This parameter is optional.

   spec.limit.type.defaultRequest

   For a container, specifies the default amount of CPU or memory that a container can request, if not specified in the Pod spec. This parameter is optional.

   spec.limit.type.maxLimitRequestRatio

   For a container, specifies the maximum limit-to-request ratio that can be specified in the Pod spec. This parameter is optional.

   spec.limit.type.openshift.io/Image

   Specifies limits for an image object. Set the maximum size of an image that can be pushed to an OpenShift image registry.

   spec.limit.type.openshift.io/ImageStream

   Specifies limits for an image stream. Set the maximum number of image tags and references that can be in the ImageStream object file, as needed.

   spec.limit.type.openshift.io/PersistentVolueClaim

   Specifies limits for a persistent volume claim. Set the minimum and maximum amount of storage that can be requested.

2. Create the object:

   $ oc create -f <limit_range_file> -n <project>

   where:

   <limit_range_file>

   Specifies the name of the YAML file you created.

   <project>

   Specifies the project where you want the limits to apply.

Viewing a limit

You can view the limits defined in a project by navigating in the web console to the project’s Quota page. This allows you to see details about each of the limit ranges in a project.

You can also use the CLI to view limit range details:

Procedure

1. Get the list of LimitRange objects defined in the project. For example, for a project called demoproject:

   $ oc get limits -n demoproject

   NAME              CREATED AT
   resource-limits   2020-07-15T17:14:23Z

2. Describe the LimitRange object you are interested in, for example the resource-limits limit range:

   $ oc describe limits resource-limits -n demoproject

   Name:                           resource-limits
   Namespace:                      demoproject
   Type                            Resource                Min     Max     Default Request Default Limit   Max Limit/Request Ratio
   ----                            --------                ---     ---     --------------- -------------   -----------------------
   Pod                             cpu                     200m    2       -               -               -
   Pod                             memory                  6Mi     1Gi     -               -               -
   Container                       cpu                     100m    2       200m            300m            10
   Container                       memory                  4Mi     1Gi     100Mi           200Mi           -
   openshift.io/Image              storage                 -       1Gi     -               -               -
   openshift.io/ImageStream        openshift.io/image      -       12      -               -               -
   openshift.io/ImageStream        openshift.io/image-tags -       10      -               -               -
   PersistentVolumeClaim           storage                 -       50Gi    -               -               -

Deleting a Limit Range

You can remove any active LimitRange object so that it no longer enforces the limits in a project.

Procedure

• Run the following command:

  $ oc delete limits <limit_name>