11. Cross-namespace Pod Affinity Quota
Feature state: Kubernetes v1.24 [stable]
Operators can use the CrossNamespacePodAffinity quota scope to limit which namespaces are allowed to have Pods with affinity terms that cross namespaces. Specifically, it controls which Pods are allowed to set the namespaces or namespaceSelector fields in pod affinity terms.
Preventing users from using cross-namespace affinity terms may be desirable, because a Pod with anti-affinity constraints can block Pods from all other namespaces from being scheduled in a failure domain.
Using this scope operator prevents certain namespaces (foo-ns in the example below) from having Pods that use cross-namespace pod affinity: create a ResourceQuota object in that namespace with a CrossNamespaceAffinity scope and a hard limit of 0:
apiVersion: v1
kind: ResourceQuota
metadata:
  name: disable-cross-namespace-affinity
  namespace: foo-ns
spec:
  hard:
    pods: "0"
  scopeSelector:
    matchExpressions:
    - scopeName: CrossNamespaceAffinity
      operator: Exists
If operators want to disallow the use of namespaces and namespaceSelector by default and only allow it for specific namespaces, they can configure CrossNamespaceAffinity as a limited resource by setting the kube-apiserver flag --admission-control-config-file to the path of the following configuration file:
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: "ResourceQuota"
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: ResourceQuotaConfiguration
    limitedResources:
    - resource: pods
      matchScopes:
      - scopeName: CrossNamespaceAffinity
        operator: Exists
12. Creating and viewing a ResourceQuota
12.1 Create
kubectl create namespace myspace
cat <<EOF > compute-resources.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
    requests.nvidia.com/gpu: 4
EOF
kubectl create -f ./compute-resources.yaml --namespace=myspace
cat <<EOF > object-counts.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: object-counts
spec:
  hard:
    configmaps: "10"
    persistentvolumeclaims: "4"
    pods: "4"
    replicationcontrollers: "20"
    secrets: "10"
    services: "10"
    services.loadbalancers: "2"
EOF
kubectl create -f ./object-counts.yaml --namespace=myspace
12.2 View
$ kubectl get quota --namespace=myspace
NAME                    AGE
compute-resources       30s
object-counts           32s
$ kubectl describe quota compute-resources --namespace=myspace
Name:                    compute-resources
Namespace:               myspace
Resource                 Used  Hard
--------                 ----  ----
limits.cpu               0     2
limits.memory            0     2Gi
requests.cpu             0     1
requests.memory          0     1Gi
requests.nvidia.com/gpu  0     4
$ kubectl describe quota object-counts --namespace=myspace
Name:                   object-counts
Namespace:              myspace
Resource                Used    Hard
--------                ----    ----
configmaps              0       10
persistentvolumeclaims  0       4
pods                    0       4
replicationcontrollers  0       20
secrets                 1       10
services                0       10
services.loadbalancers  0       2
kubectl also supports object count quota for all standard namespaced resources using the syntax count/<resource>.<group>:
kubectl create namespace myspace
kubectl create quota test --hard=count/deployments.apps=2,count/replicasets.apps=4,count/pods=3,count/secrets=4 --namespace=myspace
kubectl create deployment nginx --image=nginx --namespace=myspace --replicas=2
$ kubectl describe quota --namespace=myspace
Name:                         test
Namespace:                    myspace
Resource                      Used  Hard
--------                      ----  ----
count/deployments.apps        1     2
count/pods                    2     3
count/replicasets.apps        1     4
count/secrets                 1     4
13. Limiting priority class consumption by default
It may be desirable that Pods at a particular priority, such as "cluster-services", are allowed in a namespace if and only if a matching quota object exists.
With this mechanism, operators can restrict the use of certain high-priority classes to a limited number of namespaces; by default, not every namespace can consume those priority classes.
To enforce this, pass the path of the following configuration file to the kube-apiserver flag --admission-control-config-file:
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: "ResourceQuota"
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: ResourceQuotaConfiguration
    limitedResources:
    - resource: pods
      matchScopes:
      - scopeName: PriorityClass
        operator: In
        values: ["cluster-services"]
Then, create a ResourceQuota object in the kube-system namespace:
apiVersion: v1
kind: ResourceQuota
metadata:
  name: pods-cluster-services
spec:
  scopeSelector:
    matchExpressions:
    - operator: In
      scopeName: PriorityClass
      values: ["cluster-services"]
Create it:
kubectl apply -f https://k8s.io/examples/policy/priority-class-resourcequota.yaml -n kube-system
In this case, a Pod creation is allowed if:
- the Pod's priorityClassName is not specified;
- the Pod's priorityClassName is specified to a value other than cluster-services;
- the Pod's priorityClassName is set to cluster-services, it is to be created in the kube-system namespace, and it has passed the resource quota check.
If a Pod creation request has priorityClassName set to cluster-services and it is to be created in kube-system
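The two mechanisms above (the CrossNamespaceAffinity scope in section 11 and the PriorityClass scope plus limitedResources in this section) share one evaluation model: work out which scopes a Pod falls into, check which quotas in its namespace select it, apply the limited-resource rule, then check object counts. The following Python is an added example, not code from this page or from the Kubernetes project; it models that evaluation on dictionaries shaped like the manifests above. The quota and admission-configuration dicts are transcribed from this page (with operator: Exists added to the CrossNamespaceAffinity expression), the Pods are constructed, and all function names are my own.

```python
# Model of ResourceQuota scope matching and the limitedResources rule.
# Added example; the real admission plugin lives in kube-apiserver.

def pod_scopes(pod):
    """Return {scopeName: value} for the quota scopes this Pod falls into.

    CrossNamespaceAffinity: any affinity/anti-affinity term that sets
    `namespaces` or `namespaceSelector`. PriorityClass: spec.priorityClassName.
    """
    spec = pod.get("spec", {})
    scopes = {}
    for kind in ("podAffinity", "podAntiAffinity"):
        block = spec.get("affinity", {}).get(kind, {})
        terms = list(block.get("requiredDuringSchedulingIgnoredDuringExecution", []))
        terms += [w["podAffinityTerm"] for w in
                  block.get("preferredDuringSchedulingIgnoredDuringExecution", [])]
        if any("namespaces" in t or "namespaceSelector" in t for t in terms):
            scopes["CrossNamespaceAffinity"] = None
    if spec.get("priorityClassName"):
        scopes["PriorityClass"] = spec["priorityClassName"]
    return scopes


def expression_matches(expr, scopes):
    """Evaluate one scopeSelector.matchExpressions entry against a Pod's scopes."""
    name, op = expr["scopeName"], expr["operator"]
    present, value = name in scopes, scopes.get(name)
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    if op == "In":
        return present and value in expr.get("values", [])
    if op == "NotIn":
        return not present or value not in expr.get("values", [])
    raise ValueError(f"unknown scope operator {op!r}")


def _selector(quota):
    return quota["spec"].get("scopeSelector", {}).get("matchExpressions", [])


def admit(pod, namespace, quotas_by_ns, admission_config=None):
    """Return (allowed, reason) for creating `pod` in `namespace`.

    quotas_by_ns maps a namespace to its ResourceQuota dicts; admission_config
    is a ResourceQuotaConfiguration dict (only limitedResources is used).
    """
    scopes = pod_scopes(pod)
    selecting = [q for q in quotas_by_ns.get(namespace, [])
                 if all(expression_matches(e, scopes) for e in _selector(q))]

    # Limited resource rule: a Pod inside a limited scope needs a quota in its
    # namespace whose scopeSelector names that scope, otherwise it is denied.
    for lr in (admission_config or {}).get("limitedResources", []):
        if lr.get("resource") != "pods":
            continue
        for ms in lr.get("matchScopes", []):
            if not expression_matches(ms, scopes):
                continue  # Pod is outside this limited scope
            if not any(e["scopeName"] == ms["scopeName"]
                       for q in selecting for e in _selector(q)):
                return False, f"insufficient quota to match scope {ms['scopeName']}"

    # Object-count rule for `pods`: every selecting quota must still have room.
    for q in selecting:
        hard = q["spec"].get("hard", {})
        if "pods" in hard:
            used = int(q.get("status", {}).get("used", {}).get("pods", "0"))
            if used + 1 > int(hard["pods"]):
                return False, f"exceeded quota: {q['metadata']['name']}, pods limited to {hard['pods']}"
    return True, "admitted"


# Manifests from this page, as dicts.
DISABLE_CROSS_NS = {  # section 11, namespace foo-ns
    "metadata": {"name": "disable-cross-namespace-affinity", "namespace": "foo-ns"},
    "spec": {"hard": {"pods": "0"},
             "scopeSelector": {"matchExpressions": [
                 {"scopeName": "CrossNamespaceAffinity", "operator": "Exists"}]}},
}
PODS_CLUSTER_SERVICES = {  # section 13, namespace kube-system
    "metadata": {"name": "pods-cluster-services", "namespace": "kube-system"},
    "spec": {"scopeSelector": {"matchExpressions": [
        {"operator": "In", "scopeName": "PriorityClass", "values": ["cluster-services"]}]}},
}
LIMIT_CLUSTER_SERVICES = {  # inner ResourceQuotaConfiguration from section 13
    "limitedResources": [{"resource": "pods", "matchScopes": [
        {"scopeName": "PriorityClass", "operator": "In", "values": ["cluster-services"]}]}],
}
QUOTAS = {"foo-ns": [DISABLE_CROSS_NS], "kube-system": [PODS_CLUSTER_SERVICES]}

# Constructed Pods for the checks.
CROSS_NS_POD = {"spec": {"affinity": {"podAntiAffinity": {
    "requiredDuringSchedulingIgnoredDuringExecution": [{
        "labelSelector": {"matchLabels": {"app": "web"}},
        "namespaceSelector": {},  # empty selector = all namespaces
        "topologyKey": "topology.kubernetes.io/zone"}]}}}}
CLUSTER_SVC_POD = {"spec": {"priorityClassName": "cluster-services"}}
PLAIN_POD = {"spec": {}}

if __name__ == "__main__":
    print(admit(CROSS_NS_POD, "foo-ns", QUOTAS))     # denied by pods: "0"
    print(admit(CROSS_NS_POD, "bar-ns", QUOTAS))     # admitted, nothing limits it there
    print(admit(CLUSTER_SVC_POD, "kube-system", QUOTAS, LIMIT_CLUSTER_SERVICES))  # admitted
    print(admit(CLUSTER_SVC_POD, "dev", QUOTAS, LIMIT_CLUSTER_SERVICES))          # denied
    print(admit(PLAIN_POD, "dev", QUOTAS, LIMIT_CLUSTER_SERVICES))                # admitted
```

The two denials come from different rules: in foo-ns the quota selects the cross-namespace Pod and its pods: "0" limit leaves no room, while in dev the cluster-services Pod is denied because no quota in that namespace covers the PriorityClass scope named in limitedResources. Passing the section 11 AdmissionConfiguration as admission_config makes the bar-ns case a denial as well, which is the "disallow by default" behaviour the text describes.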
14. Examples
14.1 Pod requests or limits for CPU and memory exceed the resource quota
- Create the ResourceQuota file
quota-mem-cpu.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-demo
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
kubectl create namespace quota-mem-cpu-example
kubectl apply -f https://k8s.io/examples/admin/resource/quota-mem-cpu.yaml --namespace=quota-mem-cpu-example
kubectl get resourcequota mem-cpu-demo --namespace=quota-mem-cpu-example --output=yaml
- Create the Pod file
quota-mem-cpu-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: quota-mem-cpu-demo
spec:
  containers:
  - name: quota-mem-cpu-demo-ctr
    image: nginx
    resources:
      limits:
        memory: "800Mi"
        cpu: "800m"
      requests:
        memory: "600Mi"
        cpu: "400m"
kubectl apply -f https://k8s.io/examples/admin/resource/quota-mem-cpu-pod.yaml --namespace=quota-mem-cpu-example
kubectl get pod quota-mem-cpu-demo --namespace=quota-mem-cpu-example
kubectl get resourcequota mem-cpu-demo --namespace=quota-mem-cpu-example --output=yaml
The output shows the quota along with how much of it has been used. You can see that the Pod's memory and CPU requests and limits do not exceed the quota.
status:
  hard:
    limits.cpu: "2"
    limits.memory: 2Gi
    requests.cpu: "1"
    requests.memory: 1Gi
  used:
    limits.cpu: 800m
    limits.memory: 800Mi
    requests.cpu: 400m
    requests.memory: 600Mi
Note that the sum of the memory request already in use and the second Pod's memory request (700 MiB, from quota-mem-cpu-pod-2.yaml) exceeds the memory request quota: 600 MiB + 700 MiB > 1 GiB.
Attempt to create the Pod:
kubectl apply -f https://k8s.io/examples/admin/resource/quota-mem-cpu-pod-2.yaml --namespace=quota-mem-cpu-example
The second Pod is not created. The output shows that creating it would cause the total memory requests to exceed the memory request quota.
Error from server (Forbidden): error when creating "examples/admin/resource/quota-mem-cpu-pod-2.yaml": pods "quota-mem-cpu-demo-2" is forbidden: exceeded quota: mem-cpu-demo, requested: requests.memory=700Mi, used: requests.memory=600Mi, limited: requests.memory=1Gi
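The Forbidden error is the result of a simple accounting rule: for every compute resource named in spec.hard, the quota's status.used plus the new Pod's request (or limit) must not exceed the hard value, and quantities with different suffixes have to be normalised first (1Gi is 1024Mi, so 600Mi + 700Mi = 1300Mi crosses it). The following Python is an added example, not code from this page or from the Kubernetes project; it parses Kubernetes quantities exactly and reproduces that decision. The ResourceQuota, its status and the first Pod are transcribed from this page; the second Pod's 700Mi memory request comes from the error message above and its other values are constructed; all function names are my own.

```python
import re
from fractions import Fraction

# Kubernetes quantity suffixes: binary (Ki/Mi/Gi), decimal (k/M/G) and 'm'
# for milli-units (CPU millicores). Fractions keep the arithmetic exact.
_SUFFIXES = {
    "": Fraction(1), "m": Fraction(1, 1000),
    "k": Fraction(10**3), "M": Fraction(10**6), "G": Fraction(10**9),
    "Ki": Fraction(2**10), "Mi": Fraction(2**20), "Gi": Fraction(2**30),
}
_QUANTITY_RE = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")


def parse_quantity(q):
    """Parse a Kubernetes quantity string ('600Mi', '1Gi', '800m', '2') exactly."""
    m = _QUANTITY_RE.match(str(q).strip())
    if not m or m.group(2) not in _SUFFIXES:
        raise ValueError(f"unsupported quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIXES[m.group(2)]


def pod_usage(pod):
    """Sum every container's requests/limits under quota names like 'requests.memory'."""
    usage = {}
    for c in pod["spec"]["containers"]:
        for kind in ("requests", "limits"):
            for res, q in c.get("resources", {}).get(kind, {}).items():
                key = f"{kind}.{res}"
                usage[key] = usage.get(key, Fraction(0)) + parse_quantity(q)
    return usage


def check_quota(quota, pod):
    """Decide admission the way the quota plugin does for compute resources.

    Returns (allowed, violations). A violation is 'must specify <res>' when the
    quota constrains a resource the Pod does not declare, or 'exceeded <res>'
    when status.used + the Pod's amount would pass spec.hard.
    """
    hard = quota["spec"]["hard"]
    used = quota.get("status", {}).get("used", {})
    requested = pod_usage(pod)
    violations = []
    for res, limit in hard.items():
        if not res.startswith(("requests.", "limits.")):
            continue  # object-count entries (pods, secrets, ...) are not modelled here
        if res not in requested:
            violations.append(f"must specify {res}")
            continue
        if parse_quantity(used.get(res, "0")) + requested[res] > parse_quantity(limit):
            violations.append(f"exceeded {res}")
    return not violations, violations


# quota-mem-cpu.yaml from this page, with the status shown after the first Pod.
MEM_CPU_QUOTA = {
    "spec": {"hard": {"requests.cpu": "1", "requests.memory": "1Gi",
                      "limits.cpu": "2", "limits.memory": "2Gi"}},
    "status": {"used": {"limits.cpu": "800m", "limits.memory": "800Mi",
                        "requests.cpu": "400m", "requests.memory": "600Mi"}},
}
FRESH_QUOTA = {"spec": MEM_CPU_QUOTA["spec"]}  # same limits, nothing used yet

# quota-mem-cpu-pod.yaml from this page.
POD_1 = {"spec": {"containers": [{"name": "quota-mem-cpu-demo-ctr", "image": "nginx",
         "resources": {"limits": {"memory": "800Mi", "cpu": "800m"},
                       "requests": {"memory": "600Mi", "cpu": "400m"}}}]}}

# Second Pod: the 700Mi memory request is taken from the error message on this
# page; the remaining values are constructed for the example.
POD_2 = {"spec": {"containers": [{"name": "quota-mem-cpu-demo-2-ctr", "image": "nginx",
         "resources": {"limits": {"memory": "1Gi", "cpu": "800m"},
                       "requests": {"memory": "700Mi", "cpu": "400m"}}}]}}

if __name__ == "__main__":
    print(check_quota(FRESH_QUOTA, POD_1))    # (True, [])
    print(check_quota(MEM_CPU_QUOTA, POD_2))  # (False, ['exceeded requests.memory'])
```

The "must specify" branch reflects another consequence of enabling compute quota in a namespace: once spec.hard names requests.cpu or requests.memory, every Pod must declare those values (or receive them from a LimitRange default), otherwise the quota system rejects it rather than letting unbounded consumption slip past the accounting.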