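ResourceQuota Overview
When several teams share one Kubernetes cluster, resource usage tends to become uneven, because by default resources are handed out first come, first served. A ResourceQuota solves this by capping the total amount of resources a namespace may use.
Prerequisites
ResourceQuota is implemented as an admission control plugin and is enabled by default. To check whether it is enabled: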
[root@master ~]# kubectl -n kube-system get pod|grep apiserver
kube-apiserver-master.host.com 1/1 Running 27 (17h ago) 61d
[root@master ~]# kubectl -n kube-system exec kube-apiserver-master.host.com -- kube-apiserver -h|grep enable-admission-plugins
--admission-control strings Admission is divided into two phases. In the first phase, only mutating admission plugins run. In the second phase, only validating admission plugins run. The names in the below list may represent a validating plugin, a mutating plugin, or both. The order of plugins in which they are passed to this flag does not matter. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. (DEPRECATED: Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.)
--enable-admission-plugins strings admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
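Look for "ResourceQuota" in the "--enable-admission-plugins" output: it is in the list of plugins enabled by default, so it is on unless it has been turned off with "--disable-admission-plugins".
Supported resources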
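Supported resource | Description |
---|---|
limits.cpu/memory | The sum of resource limits across all Pods must not exceed this value (all Pods in a non-terminal state) |
requests.cpu/memory | The sum of resource requests across all Pods must not exceed this value (all Pods in a non-terminal state) |
cpu/memory | Same as requests.cpu/requests.memory |
requests.storage | The sum of requested capacity across all PVCs must not exceed this value |
persistentvolumeclaims | The total number of PVCs must not exceed this value |
\<storage-class-name\>.storageclass.storage.k8s.io/requests.storage | The sum of requested capacity across all PVCs associated with \<storage-class-name\> must not exceed this value |
\<storage-class-name\>.storageclass.storage.k8s.io/persistentvolumeclaims | The total number of PVCs associated with \<storage-class-name\> must not exceed this value |
pods, count/deployments.apps, count/statefulsets.apps, count/services (services.loadbalancers, services.nodeports), count/secrets, count/configmaps, count/jobs.batch, count/cronjobs.batch | The number of objects created must not exceed this value |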
Manifests
Compute resource quota
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: test
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 10Gi
    limits.cpu: "4"
    limits.memory: 20Gi
Storage resource quota
apiVersion: v1
kind: ResourceQuota
metadata:
  name: storage-resources
  namespace: test
spec:
  hard:
    requests.storage: 10Gi
    managed-nfs-storage.storageclass.storage.k8s.io/requests.storage: 10Gi
"managed-nfs-storage" is the name of the dynamic StorageClass.
Object count quota
apiVersion: v1
kind: ResourceQuota
metadata:
  name: object-counts
  namespace: test
spec:
  hard:
    pods: "10"
    count/deployments.apps: "3"
    count/services: "3"
These limits are counts: the total number of each object type in the namespace cannot exceed the value.
Quota status
[root@master ~]# kubectl get quota -n test
NAME AGE REQUEST LIMIT
compute-resources 41m requests.cpu: 0/4, requests.memory: 0/10Gi limits.cpu: 0/6, limits.memory: 0/12Gi
object-counts 4m6s count/deployments.apps: 0/3, count/services: 0/3, pods: 0/10
storage-resources 6m16s managed-nfs-storage.storageclass.storage.k8s.io/requests.storage: 0/10Gi, requests.storage: 0/10Gi
The command above shows how much of each quota is currently in use.
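
To act on the quota status before a namespace hits its cap, the used/hard pairs can be checked programmatically. The following is an added example, not part of the original page: it assumes input in the shape of `kubectl get quota -n test -o json` (`status.hard` and `status.used`), and the function names, the 80% threshold and the "used" sample values are constructed for illustration.

```python
from decimal import Decimal

# Kubernetes quantity suffixes: binary (Ki..Ti) and decimal (k..T).
SUFFIXES = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
            "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_quantity(q):
    """Convert a quantity such as '900m', '4' or '10Gi' to a Decimal."""
    q = str(q)
    if q.endswith("m"):                      # milli-units, e.g. CPU "900m"
        return Decimal(q[:-1]) / 1000
    for suffix, factor in SUFFIXES.items():
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * factor
    return Decimal(q)

def near_limit(quota_list, threshold=0.8):
    """Return (quota, resource, used, hard, ratio) for entries >= threshold."""
    rows = []
    for item in quota_list["items"]:
        status = item.get("status", {})
        hard, used = status.get("hard", {}), status.get("used", {})
        for resource, limit in hard.items():
            h = parse_quantity(limit)
            u = parse_quantity(used.get(resource, "0"))
            # A hard limit of 0 forbids the resource, so treat it as full.
            ratio = float(u / h) if h else 1.0
            if ratio >= threshold:
                rows.append((item["metadata"]["name"], resource,
                             used.get(resource, "0"), limit, round(ratio, 2)))
    return rows

# Constructed sample: "hard" values from the manifests above, "used" invented.
SAMPLE = {"items": [
    {"metadata": {"name": "compute-resources", "namespace": "test"},
     "status": {"hard": {"requests.cpu": "1", "requests.memory": "10Gi",
                         "limits.cpu": "4", "limits.memory": "20Gi"},
                "used": {"requests.cpu": "900m", "requests.memory": "2Gi",
                         "limits.cpu": "2", "limits.memory": "18432Mi"}}},
    {"metadata": {"name": "object-counts", "namespace": "test"},
     "status": {"hard": {"pods": "10", "count/deployments.apps": "3",
                         "count/services": "3"},
                "used": {"pods": "4", "count/deployments.apps": "3",
                         "count/services": "1"}}},
]}

if __name__ == "__main__":
    for name, resource, used, hard, ratio in near_limit(SAMPLE):
        print(f"{name}: {resource} {used}/{hard} ({ratio:.0%})")
```

With real data, replace `SAMPLE` with the parsed JSON from the cluster; an entry at 100% means the next create request for that resource in the namespace will be rejected at admission.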