Quota for user facing resources #1650
Comments
I also think that it is reasonable for Gardener admins to be able to specify a quota for creating projects. Otherwise the project API could be abused.
It might be interesting to look into whether For the object size there is kubernetes/kubernetes#83261. We could revendor
Thanks for the suggestion @rfranzke. I gave it a shot and tested
with #2032 also
Thanks @timuthy for trying it out. Indeed, it won't work with custom API servers. How do we proceed here now? Shall we go ahead with your initial proposal and implement our own resource?
I tried out Unfortunately, it didn't work reliably in my local setup, e.g. outdated resource count or no admission denial after the quota exhaustion. I'll take some time to find out more and hope that this is still the way to go since it's a K8s standard feature.
/remove lifecycle/stale
We can use the
Thanks for the update @timuthy. Do you have more background? Why? Last time we talked about it you mentioned there was a problem with the resource quota controller that collects the current number of shoots, for example. Have you now also observed issues in the admission plugin (even if the controller would compute the values correctly)?
The resource quota controller only updates the current or actual resource usage of Pods and Services as explained by the design doc and implemented here. It's the admission plugin's task to check if any incoming object potentially violates the
What would you like to be added:
Gardener should have configurable, project scoped quotas for resources that end users (specifically project members) are permitted to create:
The list above contains all possible resources, although some of them might be negligible or aren't critical for the system stability (tbd).
A quota could look like:
Unfortunately, k8s native ResourceQuotas don't cover all necessary API objects and use cases: https://kubernetes.io/docs/tasks/administer-cluster/quota-api-object/
Why is this needed:
Quotas are one countermeasure to prevent the Gardener- and Kube-Apiserver, its backing etcds as well as the involved controllers from being flooded.
/cc @petersutter @ThormaehlenFred