Kubernetes Resource Quotas
1. Set a Pod quota for a namespace
# Write quota-pod.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: pod-quato
spec:
  hard:
    pods: "2"
# Apply the Pod quota to the andriy-dang namespace
kubectl create -f quota-pod.yaml --namespace=andriy-dang
# View the quota
kubectl get resourcequota pod-quato --namespace=andriy-dang --output=yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  creationTimestamp: 2018-03-14T05:34:26Z
  name: pod-quato
  namespace: andriy-dang
  resourceVersion: "209063"
  selfLink: /api/v1/namespaces/andriy-dang/resourcequotas/pod-quato
  uid: 5be0e7f4-2749-11e8-ad43-d00d8f137bac
spec:
  hard:
    pods: "2"
status:
  hard:
    pods: "2"
  used:
    pods: "1"
# Create a Deployment to verify the Pod quota
Write quota-deploy.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: deploy-quota-demo
  namespace: andriy-dang
spec:
  replicas: 3
  template:
    metadata:
      labels:
        purpose: quota-demo
    spec:
      containers:
      - name: pod-quota-demo
        image: nginx
# Create the Deployment
kubectl create -f quota-deploy.yaml
# View the Deployment details (they show that only one Pod was created)
kubectl get deployment -n andriy-dang deploy-quota-demo -o yaml
status:
  availableReplicas: 1
kubectl describe deployment deploy-quota-demo -n andriy-dang
Name:                   deploy-quota-demo
Namespace:              andriy-dang
CreationTimestamp:      Wed, 14 Mar 2018 13:45:08 +0800
Labels:                 purpose=quota-demo
Annotations:            deployment.kubernetes.io/revision=1
Selector:               purpose=quota-demo
Replicas:               3 desired | 1 updated | 1 total | 1 available | 2 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  purpose=quota-demo
  Containers:
   pod-quota-demo:
    Image:        nginx
    Port:         <none>
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type             Status  Reason
  ----             ------  ------
  Available        False   MinimumReplicasUnavailable
  ReplicaFailure   True    FailedCreate
  Progressing      True    ReplicaSetUpdated
OldReplicaSets:    <none>
NewReplicaSet:     deploy-quota-demo-6fc6b469cb (1/3 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  24s   deployment-controller  Scaled up replica set deploy-quota-demo-6fc6b469cb to 3
2. Set a CPU quota for a namespace
# Set the CPU resource quota (default request 0.5, default limit 1)
Write quota-cpu.yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-limit-range
spec:
  limits:
  - default:
      cpu: 1
    defaultRequest:
      cpu: 0.5
    type: Container
# Apply it to the andriy-dang namespace
kubectl create -f quota-cpu.yaml --namespace=andriy-dang
# Create a Pod (with no CPU values specified, the container is given the default CPU request of 0.5 and the default CPU limit of 1)
Write cpu-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-test
  namespace: andriy-dang
spec:
  containers:
  - name: cpu-test
    image: nginx
# View the Pod configuration
kubectl get pod -n andriy-dang cpu-test -o yaml
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: cpu-test
    resources:
      limits:
        cpu: "1"
      requests:
        cpu: 500m
# If a limit is specified but no request, the Pod's request equals the limit
apiVersion: v1
kind: Pod
metadata:
  name: cpu-test-2
spec:
  containers:
  - name: cpu-test-2
    image: nginx
    resources:
      limits:
        cpu: "1"
Output:
resources:
  limits:
    cpu: "1"
  requests:
    cpu: "1"
# If a request is specified but no limit, the Pod's CPU limit defaults to 1
apiVersion: v1
kind: Pod
metadata:
  name: cpu-test-3
spec:
  containers:
  - name: cpu-test-3
    image: nginx
    resources:
      requests:
        cpu: "0.75"
Output:
resources:
  limits:
    cpu: "1"
  requests:
    cpu: 750m
3. Configure default memory requests and limits for a namespace
# Create quota-mem.yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-quota
spec:
  limits:
  - default:
      memory: 512Mi
    defaultRequest:
      memory: 256Mi
    type: Container
# Apply it to the andriy-dang namespace
kubectl create -f quota-mem.yaml --namespace=andriy-dang
# Create a Pod (with no memory values specified, the container is given the namespace's default values)
Write mem-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mem-test
  namespace: andriy-dang
spec:
  containers:
  - name: mem-test
    image: nginx
# View the Pod information
kubectl get pod -n andriy-dang mem-test -o yaml
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: mem-test
    resources:
      limits:
        memory: 512Mi
      requests:
        memory: 256Mi
# If a limit is specified but no request, both the container's limit and its request equal the specified limit
apiVersion: v1
kind: Pod
metadata:
  name: mem-test-2
spec:
  containers:
  - name: mem-test-2
    image: nginx
    resources:
      limits:
        memory: "1Gi"
Output:
resources:
  limits:
    memory: 1Gi
  requests:
    memory: 1Gi
# If a request is specified but no limit, the container's limit is the namespace's default limit
apiVersion: v1
kind: Pod
metadata:
  name: mem-test-3
spec:
  containers:
  - name: mem-test-3
    image: nginx
    resources:
      requests:
        memory: "128Mi"
Output:
resources:
  limits:
    memory: 512Mi
  requests:
    memory: 128Mi
4. Set minimum and maximum memory constraints for a namespace
# Create quota-mem-max-min.yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-min-max
spec:
  limits:
  - max:
      memory: 1Gi
    min:
      memory: 500Mi
    type: Container
# Apply the constraints to the andriy-dang namespace
kubectl create -f quota-mem-max-min.yaml --namespace=andriy-dang
# View the constraints
kubectl get limitrange mem-min-max --namespace=andriy-dang -o yaml
apiVersion: v1
kind: LimitRange
metadata:
  creationTimestamp: 2018-03-14T08:06:58Z
  name: mem-min-max
  namespace: andriy-dang
  resourceVersion: "220491"
  selfLink: /api/v1/namespaces/andriy-dang/limitranges/mem-min-max
  uid: aad20856-275e-11e8-ad43-d00d8f137bac
spec:
  limits:
  - default:
      memory: 1Gi
    defaultRequest:
      memory: 1Gi
    max:
      memory: 1Gi
    min:
      memory: 500Mi
    type: Container
From now on, whenever a container is created in the andriy-dang namespace, Kubernetes performs the following steps:
- If the container does not specify its own memory request and limit, default values are assigned to it.
- Verify that the container's memory request is greater than or equal to 500 MiB.
- Verify that the container's memory limit is less than or equal to 1 GiB.
Create Pods from the following YAML files, each with different resource settings.
1. A Pod that satisfies the minimum and maximum memory constraints imposed by the LimitRange
# mem-max-min-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: men-test
  namespace: andriy-dang
spec:
  containers:
  - name: mem-test
    image: nginx
    resources:
      limits:
        memory: "800Mi"
      requests:
        memory: "600Mi"
# Result: created successfully
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: mem-test
    resources:
      limits:
        memory: 800Mi
      requests:
        memory: 600Mi
2. Create a Pod that exceeds the maximum memory limit
# mem-max-min-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: men-test
  namespace: andriy-dang
spec:
  containers:
  - name: mem-test
    image: nginx
    resources:
      limits:
        memory: "1.5Gi"
      requests:
        memory: "600Mi"
# Result:
kubectl create -f mem-max-min-test.yaml
Error from server (Forbidden): error when creating "mem-max-min-test.yaml": pods "men-test" is forbidden: maximum memory usage per Container is 1Gi, but limit is 1536Mi.
3. Create a Pod that does not meet the minimum memory request
# mem-max-min-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: men-test
  namespace: andriy-dang
spec:
  containers:
  - name: mem-test
    image: nginx
    resources:
      limits:
        memory: "800Mi"
      requests:
        memory: "100Mi"
# Result:
kubectl create -f mem-max-min-test.yaml
Error from server (Forbidden): error when creating "mem-max-min-test.yaml": pods "men-test" is forbidden: minimum memory usage per Container is 500Mi, but request is 100Mi.
4. Create a Pod that specifies no memory request or limit
# mem-max-min-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: men-test
  namespace: andriy-dang
spec:
  containers:
  - name: mem-test
    image: nginx
# Result: created successfully
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: mem-test
    resources:
      limits:
        memory: 1Gi
      requests:
        memory: 1Gi
5. Configure CPU and memory quotas for a namespace
# Create the ResourceQuota object: quota-mem-cpu.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-test
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
# Apply the memory and CPU quota to the andriy-dang namespace
kubectl create -f quota-mem-cpu.yaml -n andriy-dang
# View the quota
kubectl get resourcequota -n andriy-dang mem-cpu-test -o yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  creationTimestamp: 2018-03-15T03:01:54Z
  name: mem-cpu-test
  namespace: andriy-dang
  resourceVersion: "303347"
  selfLink: /api/v1/namespaces/andriy-dang/resourcequotas/mem-cpu-test
  uid: 3746b8bb-27fd-11e8-ad43-d00d8f137bac
spec:
  hard:
    limits.cpu: "2"
    limits.memory: 2Gi
    requests.cpu: "1"
    requests.memory: 1Gi
status:
  hard:
    limits.cpu: "2"
    limits.memory: 2Gi
    requests.cpu: "1"
    requests.memory: 1Gi
  used:
    limits.cpu: "0"
    limits.memory: "0"
    requests.cpu: "0"
    requests.memory: "0"
1. Create a Pod
# mem-cpu-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mem-cpu-test
  namespace: andriy-dang
spec:
  containers:
  - name: mem-cpu-test
    image: nginx
    resources:
      limits:
        memory: "800Mi"
        cpu: "800m"
      requests:
        memory: "600Mi"
        cpu: "400m"
# View the quota usage
kubectl get resourcequota -n andriy-dang mem-cpu-test -o yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  creationTimestamp: 2018-03-15T03:01:54Z
  name: mem-cpu-test
  namespace: andriy-dang
  resourceVersion: "303742"
  selfLink: /api/v1/namespaces/andriy-dang/resourcequotas/mem-cpu-test
  uid: 3746b8bb-27fd-11e8-ad43-d00d8f137bac
spec:
  hard:
    limits.cpu: "2"
    limits.memory: 2Gi
    requests.cpu: "1"
    requests.memory: 1Gi
status:
  hard:
    limits.cpu: "2"
    limits.memory: 2Gi
    requests.cpu: "1"
    requests.memory: 1Gi
  used:
    limits.cpu: 800m
    limits.memory: 800Mi
    requests.cpu: 400m
    requests.memory: 600Mi
2. Create a second Pod
# mem-cpu-test02.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mem-cpu-test02
spec:
  containers:
  - name: mem-cpu-test02
    image: redis
    resources:
      limits:
        memory: "1Gi"
        cpu: "800m"
      requests:
        memory: "700Mi"
        cpu: "400m"
# Result: creation fails
kubectl create -f mem-cpu-test02.yaml
Error from server (Forbidden): error when creating "mem-cpu-test02.yaml": pods "mem-cpu-test02" is forbidden: exceeded quota: mem-cpu-test, requested: requests.memory=700Mi, used: requests.memory=600Mi, limited: requests.memory=1Gi
6. Configure minimum and maximum CPU constraints for a namespace
# Create a LimitRange: quota-cpu-max-min.yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-min-max-test
spec:
  limits:
  - max:
      cpu: "800m"
    min:
      cpu: "200m"
    type: Container
# Apply the minimum and maximum constraints to the andriy-dang namespace
kubectl create -f quota-cpu-max-min.yaml -n andriy-dang
# View the constraints
kubectl get limitrange -n andriy-dang cpu-min-max-test -o yaml
apiVersion: v1
kind: LimitRange
metadata:
  creationTimestamp: 2018-03-15T03:18:01Z
  name: cpu-min-max-test
  namespace: andriy-dang
  resourceVersion: "304549"
  selfLink: /api/v1/namespaces/andriy-dang/limitranges/cpu-min-max-test
  uid: 77cb378a-27ff-11e8-ad43-d00d8f137bac
spec:
  limits:
  - default:
      cpu: 800m
    defaultRequest:
      cpu: 800m
    max:
      cpu: 800m
    min:
      cpu: 200m
    type: Container
From now on, whenever a container is created in the andriy-dang namespace, Kubernetes performs the following steps:
- If the container does not specify its own CPU request and CPU limit, default values are assigned to it.
- Verify that the container's CPU request is greater than or equal to 200 millicpu.
- Verify that the container's CPU limit is less than or equal to 800 millicpu.
Create Pods from the following YAML files, each with different resource settings.
1. A Pod that satisfies the minimum and maximum CPU constraints imposed by the LimitRange
# cpu-max-min-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-test
  namespace: andriy-dang
spec:
  containers:
  - name: cpu-test
    image: nginx
    resources:
      limits:
        cpu: "800m"
      requests:
        cpu: "500m"
# Result: created successfully
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: cpu-test
    resources:
      limits:
        cpu: 800m
      requests:
        cpu: 500m
2. Create a Pod that exceeds the maximum CPU limit
# cpu-max-min-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-test
  namespace: andriy-dang
spec:
  containers:
  - name: cpu-test
    image: nginx
    resources:
      limits:
        cpu: "1.5"
      requests:
        cpu: "500m"
# Result:
kubectl create -f cpu-max-min-test.yaml
Error from server (Forbidden): error when creating "cpu-max-min-test.yaml": pods "cpu-test" is forbidden: maximum cpu usage per Container is 800m, but limit is 1500m.
3. Create a Pod that does not meet the minimum CPU request
# cpu-max-min-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-test
  namespace: andriy-dang
spec:
  containers:
  - name: cpu-test
    image: nginx
    resources:
      limits:
        cpu: "800m"
      requests:
        cpu: "100m"
# Result:
kubectl create -f cpu-max-min-test.yaml
Error from server (Forbidden): error when creating "cpu-max-min-test.yaml": pods "cpu-test" is forbidden: minimum cpu usage per Container is 200m, but request is 100m.
4. Create a Pod that specifies no CPU request or limit
# cpu-max-min-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-test
  namespace: andriy-dang
spec:
  containers:
  - name: cpu-test
    image: nginx
# Result: created successfully
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: cpu-test
    resources:
      limits:
        cpu: 800m
      requests:
        cpu: 800m
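The defaulting rules from sections 2 and 3 and the three admission steps listed in sections 4 and 6 can be checked offline before a manifest is submitted. The following Python model is an added example, not code from the original post or from Kubernetes; the names qty and admit are hypothetical, and it covers one resource of one container at a time.

```python
from fractions import Fraction

def qty(q):
    """Parse a Kubernetes quantity ('500m', '1.5Gi', '0.75') into an exact number."""
    units = {"m": Fraction(1, 1000), "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}
    suffix = next((u for u in units if str(q).endswith(u)), "")
    return Fraction(str(q)[: len(str(q)) - len(suffix)]) * units.get(suffix, 1)

def admit(container, limit_range):
    """Model LimitRange admission for one resource of one container (hypothetical helper).

    container: {'request': ..., 'limit': ...}, either key optional.
    Returns (True, effective values) or (False, reason).
    """
    lr = dict(limit_range)
    # Missing defaults are derived as in the stored LimitRange objects shown
    # on this page: default <- max, defaultRequest <- default.
    if "max" in lr:
        lr.setdefault("default", lr["max"])
    if "default" in lr:
        lr.setdefault("defaultRequest", lr["default"])
    # Step 1: fill in whatever the container left unset.
    limit = container.get("limit") or lr.get("default")
    request = (container.get("request") or container.get("limit")
               or lr.get("defaultRequest"))
    # Step 2: the request must not be below min.
    if "min" in lr and request is not None and qty(request) < qty(lr["min"]):
        return False, f"minimum per Container is {lr['min']}, but request is {request}"
    # Step 3: the limit must not be above max.
    if "max" in lr and limit is not None and qty(limit) > qty(lr["max"]):
        return False, f"maximum per Container is {lr['max']}, but limit is {limit}"
    return True, {"request": request, "limit": limit}

# LimitRange values copied from sections 2, 4 and 6 of this page.
CPU_DEFAULTS = {"default": "1", "defaultRequest": "0.5"}
MEM_MIN_MAX = {"min": "500Mi", "max": "1Gi"}
CPU_MIN_MAX = {"min": "200m", "max": "800m"}

if __name__ == "__main__":
    # Container resource settings taken from the Pods created on this page.
    cases = [({}, CPU_DEFAULTS), ({"limit": "1"}, CPU_DEFAULTS),
             ({"request": "0.75"}, CPU_DEFAULTS), ({}, MEM_MIN_MAX),
             ({"request": "600Mi", "limit": "1.5Gi"}, MEM_MIN_MAX),
             ({"request": "100m", "limit": "800m"}, CPU_MIN_MAX)]
    for container, lr in cases:
        print(container, "->", admit(container, lr))
```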
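7. Configure Quality of Service (QoS) classes for Pods
1. Create a Pod that is assigned the Guaranteed QoS class
For a Pod to be assigned the Guaranteed QoS class:
- Every container in the Pod must have a memory limit and a memory request, and they must be equal.
- Every container in the Pod must have a CPU limit and a CPU request, and they must be equal.
# qos-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: qos-test
  namespace: andriy-dang
spec:
  containers:
  - name: qos-test
    image: nginx
    resources:
      limits:
        memory: "200Mi"
        cpu: "700m"
      requests:
        memory: "200Mi"
        cpu: "700m"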
2. Create a Pod that is assigned the Burstable QoS class
A Pod is assigned the Burstable QoS class when:
- The Pod does not meet the requirements for the Guaranteed QoS class.
- At least one container in the Pod has a memory or CPU request.
# qos-pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: qos-test-2
  namespace: andriy-dang
spec:
  containers:
  - name: qos-test-2
    image: nginx
    resources:
      limits:
        memory: "200Mi"
      requests:
        memory: "100Mi"
3. Create a Pod that is assigned the BestEffort QoS class
For a Pod to be given the BestEffort QoS class, the containers in the Pod must not have any memory or CPU limits or requests.
# qos-pod3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: qos-test-3
  namespace: andriy-dang
spec:
  containers:
  - name: qos-test-3
    image: nginx
4. Create a Pod that has two containers
This is the configuration file for a Pod with two containers: one container specifies a memory request of 200MB, and the other has no requests or limits. (The QoS class is Burstable.)
# qos-pod4.yaml
apiVersion: v1
kind: Pod
metadata:
  name: qos-test-4
spec:
  containers:
  - name: qos-test-4-1
    image: nginx
    resources:
      requests:
        memory: "200Mi"
  - name: qos-test-4-2
    image: redis
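The QoS rules of this section, applied to the container resources of its four Pods, as an added Python example (not code from the original post or from Kubernetes; qty and qos_class are hypothetical names). It assumes, as the outputs in sections 2 and 3 show, that a limit given without a request also sets the request.

```python
from fractions import Fraction

def qty(q):
    """Parse a Kubernetes quantity ('700m', '200Mi', '0.7') into an exact number."""
    units = {"m": Fraction(1, 1000), "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}
    suffix = next((u for u in units if str(q).endswith(u)), "")
    return Fraction(str(q)[: len(str(q)) - len(suffix)]) * units.get(suffix, 1)

def qos_class(containers):
    """Classify a Pod from its containers' 'resources' dicts (hypothetical helper)."""
    any_set, guaranteed = False, True
    for c in containers:
        limits = c.get("limits", {})
        # Assumption: a limit without a request implies request == limit.
        requests = {**limits, **c.get("requests", {})}
        any_set = any_set or bool(requests)
        for res in ("cpu", "memory"):
            # Guaranteed needs a limit for both resources, equal to the request.
            if res not in limits or qty(requests[res]) != qty(limits[res]):
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"

# Container resources copied from qos-pod.yaml .. qos-pod4.yaml above.
PODS = {
    "qos-test": [{"limits": {"memory": "200Mi", "cpu": "700m"},
                  "requests": {"memory": "200Mi", "cpu": "700m"}}],
    "qos-test-2": [{"limits": {"memory": "200Mi"},
                    "requests": {"memory": "100Mi"}}],
    "qos-test-3": [{}],
    "qos-test-4": [{"requests": {"memory": "200Mi"}}, {}],
}

if __name__ == "__main__":
    for name, containers in PODS.items():
        print(name, "->", qos_class(containers))
```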
8. Delete the quotas
# Delete the quotas of the namespace
kubectl delete quota -n andriy-dang --all