Security, RBAC, and Production Readiness
Lesson 6.5
Kubernetes resource quotas and LimitRanges: enforcing multi-tenant cluster policies
ResourceQuota definition, compute quotas, object count quotas, LimitRange defaults, default requests and limits, namespace-level enforcement, quota scope, exceeding quota behavior
Quotas Prevent Resource Starvation
In multi-tenant clusters, one team can accidentally consume all available resources, starving others. ResourceQuotas cap how much a namespace can consume. LimitRanges set default resource requests and limits so developers do not have to specify them on every Pod.
ResourceQuota
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-quota
  namespace: team-alpha
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    pods: "50"
    services: "10"
    persistentvolumeclaims: "20"

LimitRange (Defaults)
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: team-alpha
spec:
  limits:
  - default:
      cpu: "500m"
      memory: "256Mi"
    defaultRequest:
      cpu: "100m"
      memory: "128Mi"
    type: Container

When a ResourceQuota is set on a namespace, every Pod MUST have resource requests specified (or a LimitRange must provide defaults). Pods without requests are rejected by the API server. This forces teams to think about resource usage.
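The following is an added example, not part of the original lesson and not Kubernetes source code: a simplified Python model of the order described above, where LimitRange defaults are filled in first and the ResourceQuota is checked second, using the values from the two manifests. The names `parse_qty`, `apply_defaults` and `admit` are hypothetical, and the model ignores quota scopes, LimitRange min/max, and the API server's own defaulting of requests from limits.

```python
from fractions import Fraction

UNITS = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30}
# Values copied from the team-quota and default-limits manifests above.
QUOTA = {"requests.cpu": "10", "requests.memory": "20Gi", "limits.cpu": "20",
         "limits.memory": "40Gi", "pods": "50", "services": "10",
         "persistentvolumeclaims": "20"}
LIMIT_RANGE = {"limits": {"cpu": "500m", "memory": "256Mi"},
               "requests": {"cpu": "100m", "memory": "128Mi"}}

def parse_qty(q):
    """Kubernetes quantity ("500m", "256Mi", "10") -> exact cores, bytes or count."""
    q = str(q)
    if q.endswith("m"):
        return Fraction(int(q[:-1]), 1000)
    for suffix, factor in UNITS.items():
        if q.endswith(suffix):
            return Fraction(q[:-2]) * factor
    return Fraction(q)

def apply_defaults(container, limit_range):
    """Fill missing requests/limits from the LimitRange (no-op when there is none)."""
    out = {"requests": dict(container.get("requests", {})),
           "limits": dict(container.get("limits", {}))}
    for kind in ("requests", "limits"):
        for res, val in (limit_range or {}).get(kind, {}).items():
            out[kind].setdefault(res, val)
    return out

def admit(pod, used, quota=QUOTA, limit_range=LIMIT_RANGE):
    """Return (admitted, reason). `pod` is a list of containers; `used` is updated on success."""
    containers = [apply_defaults(c, limit_range) for c in pod]
    delta = {}
    for key in quota:
        if "." not in key:  # object counts; a new Pod only changes "pods"
            delta[key] = 1 if key == "pods" else 0
            continue
        kind, res = key.split(".")
        for c in containers:
            if res not in c[kind]:  # quota tracks it, nothing supplied a value
                return False, f"must specify {key}"
        delta[key] = sum(parse_qty(c[kind][res]) for c in containers)
    for key, amount in delta.items():
        if used.get(key, 0) + amount > parse_qty(quota[key]):
            return False, f"exceeded quota: {key}"
    for key, amount in delta.items():
        used[key] = used.get(key, 0) + amount
    return True, "admitted"
```

With these numbers, Pods that rely only on the defaults hit `limits.cpu` (40 × 500m = 20) before they reach the `pods: "50"` cap, so the default limit, not the Pod count, is the binding constraint for this namespace.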
