admin-quota-limits.adoc

Setting limit ranges

A limit range, defined by a LimitRange object, defines compute resource constraints at the pod, container, image, image stream, and persistent volume claim level. The limit range specifies the amount of resources that a pod, container, image, image stream, or persistent volume claim can consume.

All requests to create and modify resources are evaluated against each LimitRange object in the project. If the resource violates any of the enumerated constraints, the resource is rejected. If the resource does not set an explicit value, and if the constraint supports a default value, the default value is applied to the resource.

For CPU and memory limits, if you specify a maximum value but do not specify a minimum limit, the resource can consume more CPU and memory resources than the maximum value.

Core limit range object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "core-resource-limits" (1)
spec:
  limits:
    - type: "Pod"
      max:
        cpu: "2" (2)
        memory: "1Gi" (3)
      min:
        cpu: "200m" (4)
        memory: "6Mi" (5)
    - type: "Container"
      max:
        cpu: "2" (6)
        memory: "1Gi" (7)
      min:
        cpu: "100m" (8)
        memory: "4Mi" (9)
      default:
        cpu: "300m" (10)
        memory: "200Mi" (11)
      defaultRequest:
        cpu: "200m" (12)
        memory: "100Mi" (13)
      maxLimitRequestRatio:
        cpu: "10" (14)

1. The name of the limit range object.

2. The maximum amount of CPU that a pod can request on a node across all containers.

3. The maximum amount of memory that a pod can request on a node across all containers.

4. The minimum amount of CPU that a pod can request on a node across all containers. If you do not set a min value or you set min to 0, the result is no limit and the pod can consume more than the max CPU value.

5. The minimum amount of memory that a pod can request on a node across all containers. If you do not set a min value or you set min to 0, the result is no limit and the pod can consume more than the max memory value.

6. The maximum amount of CPU that a single container in a pod can request.

7. The maximum amount of memory that a single container in a pod can request.

8. The minimum amount of CPU that a single container in a pod can request. If you do not set a min value or you set min to 0, the result is no limit and the pod can consume more than the max CPU value.

9. The minimum amount of memory that a single container in a pod can request. If you do not set a min value or you set min to 0, the result is no limit and the pod can consume more than the max memory value.

10. The default CPU limit for a container if you do not specify a limit in the pod specification.

11. The default memory limit for a container if you do not specify a limit in the pod specification.

12. The default CPU request for a container if you do not specify a request in the pod specification.

13. The default memory request for a container if you do not specify a request in the pod specification.

14. The maximum limit-to-request ratio for a container.

{product-title} Limit range object definition

apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "openshift-resource-limits"
spec:
  limits:
    - type: openshift.io/Image
      max:
        storage: 1Gi (1)
    - type: openshift.io/ImageStream
      max:
        openshift.io/image-tags: 20 (2)
        openshift.io/images: 30 (3)
    - type: "Pod"
      max:
        cpu: "2" (4)
        memory: "1Gi" (5)
        ephemeral-storage: "1Gi" (6)
      min:
        cpu: "1" (7)
        memory: "1Gi" (8)

1. The maximum size of an image that can be pushed to an internal registry.

2. The maximum number of unique image tags as defined in the specification for the image stream.

3. The maximum number of unique image references as defined in the specification for the image stream status.

4. The maximum amount of CPU that a pod can request on a node across all containers.

5. The maximum amount of memory that a pod can request on a node across all containers.

6. The maximum amount of ephemeral storage that a pod can request on a node across all containers.

7. The minimum amount of CPU that a pod can request on a node across all containers. See the Supported Constraints table for important information.

8. The minimum amount of memory that a pod can request on a node across all containers. If you do not set a min value or you set min to 0, the result` is no limit and the pod can consume more than the max memory value.

You can specify both core and {product-title} resources in one limit range object.

Container limits

Supported Resources:

• CPU

• Memory

Supported Constraints

Per container, the following must hold true if specified:

Container

Constraint	Behavior
Min	Min[<resource>] less than or equal to container.resources.requests[<resource>] (required) less than or equal to container/resources.limits[<resource>] (optional) If the configuration defines a min CPU, the request value must be greater than the CPU value. If you do not set a min value or you set min to 0, the result is no limit and the pod can consume more of the resource than the max value.
Max	container.resources.limits[<resource>] (required) less than or equal to Max[<resource>] If the configuration defines a max CPU, you do not need to define a CPU request value. However, you must set a limit that satisfies the maximum CPU constraint that is specified in the limit range.
MaxLimitRequestRatio	MaxLimitRequestRatio[<resource>] less than or equal to (container.resources.limits[<resource>] / container.resources.requests[<resource>]) If the limit range defines a maxLimitRequestRatio constraint, any new containers must have both a request and a limit value. Additionally, {product-title} calculates a limit-to-request ratio by dividing the limit by the request. The result should be an integer greater than 1. For example, if a container has cpu: 500 in the limit value, and cpu: 100 in the request value, the limit-to-request ratio for cpu is 5. This ratio must be less than or equal to the maxLimitRequestRatio.

Supported Defaults:

Default[<resource>]

Defaults container.resources.limit[<resource>] to specified value if none.

Default Requests[<resource>]

Defaults container.resources.requests[<resource>] to specified value if none.

Pod limits

Supported Resources:

• CPU

• Memory

Supported Constraints:

Across all containers in a pod, the following must hold true:

Table 1. Pod

Constraint	Enforced Behavior
Min	Min[<resource>] less than or equal to container.resources.requests[<resource>] (required) less than or equal to container.resources.limits[<resource>]. If you do not set a min value or you set min to 0, the result is no limit and the pod can consume more of the resource than the max value.
Max	container.resources.limits[<resource>] (required) less than or equal to Max[<resource>].
MaxLimitRequestRatio	MaxLimitRequestRatio[<resource>] less than or equal to (container.resources.limits[<resource>] / container.resources.requests[<resource>]).

Image limits

Supported Resources:

• Storage

Resource type name:

• openshift.io/Image

Per image, the following must hold true if specified:

Table 2. Image

Constraint	Behavior
Max	image.dockerimagemetadata.size less than or equal to Max[<resource>]

Note	To prevent blobs that exceed the limit from being uploaded to the registry, the registry must be configured to enforce quota. The REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA environment variable must be set to true. By default, the environment variable is set to true for new deployments.

Image stream limits

Supported Resources:

• openshift.io/image-tags

• openshift.io/images

Resource type name:

• openshift.io/ImageStream

Per image stream, the following must hold true if specified:

Table 3. ImageStream

Constraint	Behavior
Max[openshift.io/image-tags]	length( uniqueimagetags( imagestream.spec.tags ) ) less than or equal to Max[openshift.io/image-tags] uniqueimagetags returns unique references to images of given spec tags.
Max[openshift.io/images]	length( uniqueimages( imagestream.status.tags ) ) less than or equal to Max[openshift.io/images] uniqueimages returns unique image names found in status tags. The name is equal to the digest for the image.

Counting of image references

The openshift.io/image-tags resource represents unique stream limits. Possible references are an ImageStreamTag, an ImageStreamImage, or a DockerImage. Tags can be created by using the oc tag and oc import-image commands or by using image streams. No distinction is made between internal and external references. However, each unique reference that is tagged in an image stream specification is counted just once. It does not restrict pushes to an internal container image registry in any way, but is useful for tag restriction.

The openshift.io/images resource represents unique image names that are recorded in image stream status. It helps to restrict several images that can be pushed to the internal registry. Internal and external references are not distinguished.

PersistentVolumeClaim limits

Supported Resources:

• Storage

Supported Constraints:

Across all persistent volume claims in a project, the following must hold true:

Table 4. Pod

Constraint	Enforced Behavior
Min	Min[<resource>] <= claim.spec.resources.requests[<resource>] (required)
Max	claim.spec.resources.requests[<resource>] (required) <= Max[<resource>]

Limit Range Object Definition

{
  "apiVersion": "v1",
  "kind": "LimitRange",
  "metadata": {
    "name": "pvcs" (1)
  },
  "spec": {
    "limits": [{
        "type": "PersistentVolumeClaim",
        "min": {
          "storage": "2Gi" (2)
        },
        "max": {
          "storage": "50Gi" (3)
        }
      }
    ]
  }
}

1. The name of the limit range object.

2. The minimum amount of storage that can be requested in a persistent volume claim.

3. The maximum amount of storage that can be requested in a persistent volume claim.