k8s中ResourceQuota与LimitRange的作用
什么是Namespace
Namespace是对全局系统资源的一种封装隔离,使处于不同Namespace的进程拥有独立的系统资源。通过不同的Namespace可以合理地管理不同的服务。它们在逻辑上相互隔离,但又可以相互通信:默认情况下不同Namespace中的Pod之间网络是互通的,Namespace本身并不构成网络或安全边界,需要配合NetworkPolicy和RBAC才能限制跨Namespace的访问。常见的pods,services,replication controllers和deployments等都是属于某一个Namespace的(默认为default),但是node和persistentVolumes等不属于任何Namespace。
Namespace常用操作
创建
- 命令行
kubectl create namespace my-home
- yaml编排
#[root@k8s0 zookeeper]# cat my-home.yml
---
# Contents of my-home.yml: declares the namespace my-home-2.
apiVersion: v1
kind: Namespace
metadata:
  name: my-home-2
kubectl apply -f my-home.yml
查询
[root@k8s0 zookeeper]# kubectl get namespace
default Active 18d
kube-node-lease Active 18d
kube-ops Active 17d
kube-public Active 18d
kube-system Active 18d
my-home Active 2m58s
my-home-2 Active 6s
删除
kubectl delete namespace my-home-2
临时设置Request的Namespace
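# Replace <${your-namespace-name}> with the target namespace; the flag only
# applies to the single command it is passed to.
kubectl --namespace=<${your-namespace-name}> run nginx --image=alpine
# Fixed flag spelling: --namespace (the original read --namespce, which kubectl rejects).
kubectl get pod --namespace=<${your-namespace-name}>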
Namespace中的资源限制
为Namespace配额的方式有两种:ResourceQuota和LimitRange
- ResourceQuota
ResourceQuota 用来限制 namespace 中所有的 Pod 占用的总的资源 request 和 limit
- LimitRange
LimitRange 用来限制 namespace 中单个 Pod/容器的资源 request 和 limit:既可以设置默认值,也可以设置允许的最小值和最大值
ResourceQuota配置
- 限制Pod总数
kubectl create namespace my-pod
---
# Object-count quota: at most two Pods may exist in namespace my-pod.
# The quota is evaluated when a Pod is created; a Pod that would exceed it
# is rejected with an "exceeded quota" error.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: pod-demo
  namespace: my-pod
spec:
  hard:
    pods: "2"
kubectl get resourcequota pod-demo -n my-pod -o yaml
apiVersion: v1
kind: ResourceQuota
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"ResourceQuota","metadata":{"annotations":{},"name":"pod-demo","namespace":"my-pod"},"spec":{"hard":{"pods":"2"}}}
creationTimestamp: "2020-03-30T06:03:28Z"
name: pod-demo
namespace: my-pod
resourceVersion: "2450965"
selfLink: /api/v1/namespaces/my-pod/resourcequotas/pod-demo
uid: ebdea686-b0ce-47d2-83ad-ac5c346ec915
spec:
hard:
pods: "2"
status:
hard:
pods: "2"
used:
pods: "0"
创建Pod测试:
---
# Two replicas: exactly fills the pod-demo quota (pods: "2") in my-pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: my-pod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
[root@k8s0 zookeeper]# kubectl get pod -n my-pod
NAME READY STATUS RESTARTS AGE
nginx-7dc797df7b-9tkc4 1/1 Running 0 13m
nginx-7dc797df7b-nktzj 1/1 Running 0 13m
[root@k8s0 zookeeper]# kubectl get deployment -n my-pod
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 2/2 2 2 13m
现在增加一个Pod
---
# Same Deployment scaled to three replicas. With the pod-demo quota
# (pods: "2") in my-pod, the third Pod is refused at creation time.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: my-pod
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
[root@k8s0 zookeeper]# kubectl get pod -n my-pod
NAME READY STATUS RESTARTS AGE
nginx-7dc797df7b-9tkc4 1/1 Running 0 15m
nginx-7dc797df7b-nktzj 1/1 Running 0 15m
[root@k8s0 zookeeper]# kubectl get deployment -n my-pod
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 2/3 2 2 15m
可以看出只有两个pod在运行
kubectl get deployment -n my-pod -o yaml
***
reason: MinimumReplicasUnavailable
status: "False"
type: Available
- lastTransitionTime: "2020-03-30T06:52:08Z"
lastUpdateTime: "2020-03-30T06:52:08Z"
message: 'pods "nginx-7dc797df7b-tcsr5" is forbidden: exceeded quota: pod-demo,
requested: pods=1, used: pods=2, limited: pods=2'
***
从上面可以看出有一个pod没有创建成功。为了验证ResourceQuota是否是限制Namespace下所有Pod资源的总和,给之前的Pod数量改成2,再创建一个新的deployment
---
# Second Deployment in my-pod. The pod quota is counted across the whole
# namespace, so with two nginx Pods already running none of these replicas
# can be created.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-add
  namespace: my-pod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-add
  template:
    metadata:
      labels:
        app: nginx-add
    spec:
      containers:
        - name: nginx-add
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
[root@k8s0 zookeeper]# kubectl get pod -n my-pod
NAME READY STATUS RESTARTS AGE
nginx-7dc797df7b-9tkc4 1/1 Running 0 22m
nginx-7dc797df7b-nktzj 1/1 Running 0 22m
[root@k8s0 zookeeper]# kubectl get deployment -n my-pod
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 2/2 2 2 22m
nginx-add 0/2 0 0 21s
从上可以看出nginx-add这个deployment没有创建成功而且pod中也没有nginx-add的pod出现
- 限制CPU和内存
---
# Compute quota for namespace my-pod: the sums of all container requests and
# limits in the namespace may not exceed the values below.
# While this quota is active, every container must declare cpu/memory
# requests and limits, either itself or through LimitRange defaults.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: pod-cpu
  namespace: my-pod
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
- 每个容器必须设置内存请求(memory request),内存限额(memory limit),cpu请求(cpu request)和cpu限额(cpu limit),否则Pod会被拒绝创建;也可以通过LimitRange为容器提供默认值
- 所有容器的内存请求总额不得超过1 GiB
- 所有容器的内存限额总额不得超过2 GiB
- 所有容器的CPU请求总额不得超过1 CPU
- 所有容器的CPU限额总额不得超过2 CPU
- 创建Pod验证
---
# Standalone Pod declaring all four values the pod-cpu quota accounts for;
# each value is below the namespace totals (1 CPU / 1Gi requested,
# 2 CPU / 2Gi limit).
apiVersion: v1
kind: Pod
metadata:
  name: nginx-cpu
  namespace: my-pod
spec:
  containers:
    - name: nginx-cpu
      # Untagged image reference resolves to :latest; pin a tag or digest
      # for repeatable rollouts.
      image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
      resources:
        requests:
          memory: "600Mi"
          cpu: "400m"
        limits:
          memory: "800Mi"
          cpu: "800m"
具体验证方法不再赘述。可以创建两个pod分配不同的资源,观察即可
- ResourceQuota其他限制
---
# Object-count quota: caps how many objects of each listed kind may exist
# in namespace my-pod. Counts are quoted so they stay strings.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: object-counts
  namespace: my-pod
spec:
  hard:
    configmaps: "10"
    persistentvolumeclaims: "4"
    replicationcontrollers: "20"
    secrets: "10"
    services: "10"
    services.loadbalancers: "2"
LimitRange配置默认的CPU请求和默认CPU限额
---
# Default CPU values for containers in default-cpu-example that do not set
# their own: limit 1 CPU, request 0.5 CPU.
# Defaults are applied when a Pod is created, not to Pods that already exist.
apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-limit-range
  namespace: default-cpu-example
spec:
  limits:
    - type: Container
      default:
        cpu: "1"
      defaultRequest:
        cpu: "0.5"
- 创建Pod
---
# No resources section: the container receives the namespace defaults from
# cpu-limit-range (limit 1 CPU, request 500m).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default-cpu-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
kubectl get pod nginx-7dc797df7b-f4n4b -n default-cpu-example -o yaml
***
resources:
limits:
cpu: "1"
requests:
cpu: 500m
***
- 如果指定了容器的限额,但未指定请求值
---
# Only a CPU limit is declared. The resulting Pod gets a CPU request equal
# to that limit (1), not the LimitRange defaultRequest of 0.5.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default-cpu-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            limits:
              cpu: "1"
***
resources:
limits:
cpu: "1"
requests:
cpu: "1"
***
输出展示该容器的CPU请求值与它的限额值相等。
注意该容器并未被赋予这个默认的CPU请求值0.5。
- 如果指定了请求值,但未指定限定值
---
# Only a CPU request is declared. The request is kept as written (750m) and
# the limit falls back to the namespace default of 1 CPU.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default-cpu-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            requests:
              cpu: "0.75"
***
resources:
limits:
cpu: "1"
requests:
cpu: 750m
***
输出显示该容器的CPU请求值被设置为该容器配置文件中指定的值。该容器的CPU限额设置为1,这是该命名空间的默认CPU的限额值。
LimitRange配置默认的内存请求与限额
---
# Default memory values for containers in mem-example that do not set their
# own: limit 512Mi, request 256Mi.
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-limit-range
  namespace: mem-example
spec:
  limits:
    - type: Container
      default:
        memory: 512Mi
      defaultRequest:
        memory: 256Mi
---
# No resources section: the container receives the mem-limit-range defaults
# (request 256Mi, limit 512Mi).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: mem-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
***
limits:
memory: 512Mi
requests:
memory: 256Mi
***
输出显示该 Pod 的容器的内存请求值是 256MiB, 内存限额值是 512MiB. 这些是由 LimitRange 指定的默认值
- 测试指定请求值、不指定限额和不指定请求值、指定限额
---
# Case 1: memory request given, no limit.
# NOTE(review): the page shows no output for this case; the limit is
# presumably filled from the mem-limit-range default (512Mi) - confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: mem-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            requests:
              memory: "128Mi"
---
# Case 2: memory limit given, no request.
# NOTE(review): the page shows no output for this case; the request is
# presumably set equal to the limit - confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: mem-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            limits:
              # "1G" is the decimal unit (10^9 bytes), slightly less than 1Gi.
              memory: "1G"
LimitRange设置最小和最大内存限制
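---
# Per-container memory bounds: a container's memory limit may be at most 1Gi
# and its memory request at least 500Mi. Pods outside the range are rejected
# when they are created.
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-min-max-demo-lr
  # Namespace made explicit. Without it the object lands in whatever
  # namespace the kubectl context or -n flag selects; the rejections shown
  # for this section are reported for Pods in namespace mem.
  namespace: mem
spec:
  limits:
    - type: Container
      max:
        memory: 1Gi
      min:
        memory: 500Mi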
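---
# Request 600Mi / limit 800Mi: inside the 500Mi-1Gi range of the min/max
# LimitRange, so the Pod is admitted with the values as written.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  # Changed from mem-example to mem: the remaining manifests of this section
  # and the rejection messages all use namespace mem, which is where the
  # min/max LimitRange is being exercised.
  namespace: mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            requests:
              memory: "600Mi"
            limits:
              memory: "800Mi"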
***
resources:
limits:
memory: 800Mi
requests:
memory: 600Mi
***
输出显示了容器的内存请求为 600 MiB,内存限制为 800 MiB。这符合 LimitRange 施加的限制
- 删除pod创建一个更大内存的pod
---
# Limit 1.5Gi (1536Mi) exceeds the LimitRange maximum of 1Gi, so the Pod is
# forbidden and the Deployment stays at 0/1.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            requests:
              memory: "800Mi"
            limits:
              memory: "1.5Gi"
[root@k8s0 zookeeper]# kubectl get pod -n mem
No resources found in mem namespace.
[root@k8s0 zookeeper]# kubectl get deployment -n mem
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 0/1 0 0 72s
pod并没有创建成功
kubectl get deployment nginx -n mem -o yaml
***
- lastTransitionTime: "2020-03-30T09:35:06Z"
lastUpdateTime: "2020-03-30T09:35:06Z"
message: 'pods "nginx-664685fbd6-n9l9w" is forbidden: maximum memory usage per
Container is 1Gi, but limit is 1536Mi'
***
- 创建一个不符合最小内存值的请求也是无法创建成功的
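---
# Request 100Mi is below the LimitRange minimum of 500Mi, so the Pod is
# rejected.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            requests:
              memory: "100Mi"
            limits:
              # Was "800Gi", which also breaks the 1Gi maximum and so would
              # not isolate the minimum check this step is meant to show.
              memory: "800Mi"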
- 创建一个没有任何限制的pod
---
# No resources section: the container ends up with request 1Gi and limit
# 1Gi, taken from the LimitRange in namespace mem.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
***
resources:
limits:
memory: 1Gi
requests:
memory: 1Gi
***
输出显示 Pod 的容器具有 1 GiB 的内存请求和 1 GiB 的内存限制,因为当容器没有指定自己的内存请求和限制时,它将从 LimitRange 获取默认的内存请求和限制值;该 LimitRange 没有显式设置 default 和 defaultRequest,因此默认值取自 max(1Gi)
配置最小和最大CPU限制
---
# Per-container CPU bounds for namespace limit-mem: limit at most 800m,
# request at least 200m. No default/defaultRequest is given here; the stored
# object shows both filled in as 800m (the max).
apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-min-max-demo-lr
  namespace: limit-mem
spec:
  limits:
    - type: Container
      max:
        cpu: "800m"
      min:
        cpu: "200m"
[root@k8s0 zookeeper]# kubectl get LimitRange -n limit-mem -o yaml
apiVersion: v1
items:
- apiVersion: v1
kind: LimitRange
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"LimitRange","metadata":{"annotations":{},"name":"cpu-min-max-demo-lr","namespace":"limit-mem"},"spec":{"limits":[{"max":{"cpu":"800m"},"min":{"cpu":"200m"},"type":"Container"}]}}
creationTimestamp: "2020-03-30T11:21:25Z"
name: cpu-min-max-demo-lr
namespace: limit-mem
resourceVersion: "2480768"
selfLink: /api/v1/namespaces/limit-mem/limitranges/cpu-min-max-demo-lr
uid: 2f0014f3-1b3a-4041-892f-bdc004838894
spec:
limits:
- default:
cpu: 800m
defaultRequest:
cpu: 800m
max:
cpu: 800m
min:
cpu: 200m
type: Container
kind: List
metadata:
resourceVersion: ""
selfLink: ""
- 创建符合限制的测试
---
# Request 500m / limit 800m: inside the 200m-800m range of
# cpu-min-max-demo-lr.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: limit-mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            requests:
              cpu: "500m"
            limits:
              cpu: "800m"
- 创建大于限制的测试
---
# Limit 900m is above the LimitRange maximum of 800m.
# NOTE(review): the page shows no output for this case; the Pod is expected
# to be rejected - confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: limit-mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            requests:
              cpu: "500m"
            limits:
              cpu: "900m"
- 创建小于限制的测试
---
# Request 100m is below the LimitRange minimum of 200m.
# NOTE(review): the page shows no output for this case; the Pod is expected
# to be rejected - confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: limit-mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx
          resources:
            requests:
              cpu: "100m"
            limits:
              cpu: "800m"
- 创建没有指定的测试
---
# No resources section.
# NOTE(review): the page shows no output for this case; the container
# presumably receives the 800m default request and limit stored on the
# limit-mem LimitRange - confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: limit-mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Untagged image reference resolves to :latest; pin a tag or digest
          # for repeatable rollouts.
          image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
          imagePullPolicy: IfNotPresent
          command:
            - nginx