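LimitRange
LimitRange has a pleasant-sounding Chinese name, 资源配置访问管理 ("resource configuration access management"). Anyone who has used K8S knows that by default K8S places no CPU or memory limits on Pods. An unrestricted Pod can therefore consume as much of the node's CPU and memory as it likes, and if such a Pod has a memory leak the consequences are very bad.
So under normal circumstances we add Requests and Limits when deploying a Pod, as follows: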
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ng-deploy
spec:
  selector:
    matchLabels:
      app: ng-demo
  replicas: 2
  template:
    metadata:
      labels:
        app: ng-demo
    spec:
      containers:
      - name: ng-demo
        image: nginx
        imagePullPolicy: IfNotPresent
        resources:
          requests:
            cpu: 100m
            memory: 216Mi
          limits:
            cpu: 100m
            memory: 216Mi
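However, when there are many Pods and many of them need the same limits, adding them one by one as above becomes tedious. In that case we can use a LimitRange to set resource limits at the Namespace level. If requests and limits are specified when the Pod is deployed, the specified values take effect. Otherwise the namespace-wide defaults are added to the Pod.
In summary, LimitRange can do the following:
Once a LimitRange is created, it takes effect within the namespace it belongs to.
Common scenarios are as follows (from Kubernetes权威指南):
LimitRange can be used to limit Pods and can also limit Containers. Below we go through an example in detail.
(1) First, create a namespace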
apiVersion: v1
kind: Namespace
metadata:
  name: coolops
(2) Configure a LimitRange for the namespace
apiVersion: v1
kind: LimitRange
metadata:
  name: mylimit
  namespace: coolops
spec:
  limits:
  - max:
      cpu: "1"
      memory: 1Gi
    min:
      cpu: 100m
      memory: 10Mi
    maxLimitRequestRatio:
      cpu: 3
      memory: 4
    type: Pod
  - default:
      cpu: 300m
      memory: 200Mi
    defaultRequest:
      cpu: 200m
      memory: 100Mi
    max:
      cpu: "2"
      memory: 1Gi
    min:
      cpu: 100m
      memory: 10Mi
    maxLimitRequestRatio:
      cpu: 5
      memory: 4
    type: Container
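Parameter description:
Note:
(1) If max is set for the container type, the containers in the pod must set a limit. If none is set, the default limit value (default) is used. If the default limit is not set either, creation fails.
(2) If min is set for the container type, a request value must be set when creating the container. If none is set, the default request (defaultRequest) is used. If there is no default request, the request defaults to the container's limit value. If there is no limit either, startup reports an error.
Create the LimitRange configured above: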
# kubectl apply -f limitrange.yaml
limitrange/mylimit created
# kubectl get limitrange -n coolops
NAME CREATED AT
mylimit 2020-03-26T09:46:33Z
# kubectl describe limitranges -n coolops mylimit
Name:       mylimit
Namespace:  coolops
Type        Resource  Min   Max  Default Request  Default Limit  Max Limit/Request Ratio
----        --------  ---   ---  ---------------  -------------  -----------------------
Pod         memory    10Mi  1Gi  -                -              4
Pod         cpu       100m  1    -                -              3
Container   cpu       100m  2    200m             300m           5
Container   memory    10Mi  1Gi  100Mi            200Mi          4
(1) Create a pod whose requests and limits are within the allowed range
apiVersion: v1
kind: Pod
metadata:
  name: pod01
  namespace: coolops
spec:
  containers:
  - name: pod-01
    image: nginx
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 200m
        memory: 30Mi
      limits:
        cpu: 300m
        memory: 50Mi
With kubectl apply -f pod-01.yaml the Pod is created normally.
(2) Create a Pod whose cpu exceeds the allowed range
apiVersion: v1
kind: Pod
metadata:
  name: pod02
  namespace: coolops
spec:
  containers:
  - name: pod-02
    image: nginx
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 200m
        memory: 30Mi
      limits:
        cpu: 2
        memory: 50Mi
Creating it then reports the following error:
# kubectl apply -f pod-02.yaml
Error from server (Forbidden): error when creating "pod-02.yaml": pods "pod02" is forbidden: [maximum cpu usage per Pod is 1, but limit is 2, cpu max limit to request ratio per Pod is 3, but provided ratio is 10.000000, cpu max limit to request ratio per Container is 5, but provided ratio is 10.000000]
(3) Create a Pod below the allowed range
apiVersion: v1
kind: Pod
metadata:
  name: pod03
  namespace: coolops
spec:
  containers:
  - name: pod-03
    image: nginx
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 200m
        memory: 30Mi
      limits:
        cpu: 100m
        memory: 10Mi
It then reports the following error:
# kubectl apply -f pod-03.yaml
The Pod "pod03" is invalid:
* spec.containers[0].resources.requests: Invalid value: "200m": must be less than or equal to cpu limit
* spec.containers[0].resources.requests: Invalid value: "30Mi": must be less than or equal to memory limit
(4) Create a Pod that leaves requests or limits undefined
apiVersion: v1
kind: Pod
metadata:
  name: pod04
  namespace: coolops
spec:
  containers:
  - name: pod-04
    image: nginx
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 200m
        memory: 200Mi
After creating the Pod we find that limits have been added for us automatically, as follows:
# kubectl describe pod -n coolops pod04
...
    Limits:
      cpu:     300m
      memory:  200Mi
    Requests:
      cpu:     200m
      memory:  200Mi
...
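Above I specified requests, and the LimitRange automatically added the default limits for us. You can also try specifying neither of them, or only one; the principle is the same. One thing to watch is the maxLimitRequestRatio we set: the configured limit-to-request ratio must be less than or equal to that value.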
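The defaulting and validation behaviour seen in tests (1), (2) and (4) can be reproduced offline with a small model. This is an added example, not code from the original post or from Kubernetes; MYLIMIT copies the values of the mylimit object above, and the function names and message format are hypothetical.

```python
# Added example: a simplified model of LimitRange defaulting and validation.
# MYLIMIT mirrors the page's "mylimit"; function names are hypothetical.
import re
from fractions import Fraction
UNITS = {None: 1, "m": Fraction(1, 1000), "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def qty(v):
    """Parse a quantity such as '100m', '2' or '216Mi' into an exact number."""
    num, suffix = re.fullmatch(r"([\d.]+)(m|Ki|Mi|Gi)?", str(v)).groups()
    return Fraction(num) * UNITS[suffix]

MYLIMIT = [
    {"type": "Pod", "min": {"cpu": "100m", "memory": "10Mi"},
     "max": {"cpu": "1", "memory": "1Gi"}, "ratio": {"cpu": 3, "memory": 4}},
    {"type": "Container", "min": {"cpu": "100m", "memory": "10Mi"},
     "max": {"cpu": "2", "memory": "1Gi"}, "ratio": {"cpu": 5, "memory": 4},
     "default": {"cpu": "300m", "memory": "200Mi"},
     "defaultRequest": {"cpu": "200m", "memory": "100Mi"}}]

def apply_defaults(containers, limit_range=MYLIMIT):
    """Copy Container-type defaults into any request or limit left unset."""
    for item in limit_range:
        for c in containers:
            for field, src in (("requests", "defaultRequest"), ("limits", "default")):
                for res, val in item.get(src, {}).items():
                    c.setdefault(field, {}).setdefault(res, val)
    return containers

def check(item, req, lim):
    """Return 'Type resource rule' for each min, max or ratio breach of one item."""
    out = []
    for rule in ("min", "max", "ratio"):
        for res, bound in item.get(rule, {}).items():
            r, l, b = req.get(res, 0), lim.get(res, 0), qty(bound)
            if {"min": r < b, "max": l > b, "ratio": r and l / r > b}[rule]:
                out.append(f"{item['type']} {res} {rule}")
    return out

def violations(containers, limit_range=MYLIMIT):
    """Apply defaults, then validate every container and the Pod-wide sums."""
    parsed = [{f: {r: qty(v) for r, v in c.get(f, {}).items()}
               for f in ("requests", "limits")}
              for c in apply_defaults(containers, limit_range)]
    pod = {f: {r: sum(p[f].get(r, 0) for p in parsed) for r in ("cpu", "memory")}
           for f in ("requests", "limits")}
    return [m for i in limit_range for t in ([pod] if i["type"] == "Pod" else parsed)
            for m in check(i, t["requests"], t["limits"])]
```

Passing the resources of pod02 returns three breaches in the same order as the Forbidden message above: the Pod-level cpu max, the Pod-level cpu ratio and the Container-level cpu ratio.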
As mentioned above, LimitRange can also limit PVCs, as follows:
apiVersion: v1
kind: LimitRange
metadata:
  name: storagelimits
  namespace: coolops
spec:
  limits:
  - type: PersistentVolumeClaim
    max:
      storage: 2Gi
    min:
      storage: 1Gi
Once it is created you can view it:
kubectl describe limitranges -n coolops storagelimits
Name:                  storagelimits
Namespace:             coolops
Type                   Resource  Min  Max  Default Request  Default Limit  Max Limit/Request Ratio
----                   --------  ---  ---  ---------------  -------------  -----------------------
PersistentVolumeClaim  storage   1Gi  2Gi  -                -              -
You can create a PVC to test it; the principle is the same.
References
[1] https://kubernetes.io/docs/concepts/policy/limit-range/
[2] Kubernetes权威指南 (Kubernetes: The Definitive Guide)