
Restrictions

LimitRange

Namespace-scoped policy object that operates at admission time via the LimitRanger admission controller. It enforces or defaults the resources.requests and resources.limits fields on:

  • Containers
  • Pods
  • PVCs

It is only taken into consideration when a pod is being created, not afterwards, so pods that are already running are not re-checked.
It validates the resource requests/limits in the pod definition. If validation fails, the pod is rejected at admission and never reaches the scheduler.

Not cumulative: the limits apply to each container, pod, or PVC individually, not to the namespace total.

LimitRange Manifest
apiVersion: v1
kind: LimitRange
metadata:
  name: resource-limits
  namespace: default
spec:
  limits:
    - type: Container # One of: Container, Pod, PersistentVolumeClaim
      # default and defaultRequest are only valid for type Container
      defaultRequest: # Sets podspec.resources.requests if it does not exist
        cpu: "200m"
        memory: "128Mi"
      default: # Sets podspec.resources.limits if it does not exist
        cpu: "500m"
        memory: "256Mi"
      max: # Upper bound: podspec.resources.requests & limits must not exceed this
        cpu: "2"
        memory: "1Gi"
      min: # Lower bound: podspec.resources.requests & limits must not fall below this
        cpu: "100m"
        memory: "128Mi"

ResourceQuota

The cumulative counterpart to LimitRange: it caps the namespace total rather than each individual object.

ResourceQuota is enforced at admission time and, in some cases, updated during pod lifecycle (like when pods are deleted). It tracks and limits total resource usage in a namespace, not per-pod/container, and quota usage is updated over time.

It does not kill, evict, or throttle pods. It updates usage dynamically and rejects new requests that would take the namespace over quota.

Danger: ResourceQuota only accounts for:

  • .spec.containers[].resources.requests
  • .spec.containers[].resources.limits
  • Object counts (e.g., number of pods, PVCs, secrets, etc.)

It does not inspect:

  • Actual CPU usage from cgroups
  • Memory usage metrics
  • Metrics-server data
  • Any live resource telemetry

To see current usage against the hard limits:

kubectl describe resourcequota my-quota -n my-namespace

ResourceQuota Manifest
apiVersion: v1
kind: ResourceQuota
metadata:
  name: my-quota
  namespace: my-namespace # Change this to your namespace
spec:
  hard:
    pods: "10" # Max number of pods in the namespace
    requests.cpu: "2" # Total CPU requests across all pods (2 cores)
    requests.memory: "4Gi" # Total memory requests across all pods
    limits.cpu: "4" # Total CPU limits across all pods (declared, not measured)
    limits.memory: "8Gi" # Total memory limits across all pods (declared, not measured)
    persistentvolumeclaims: "5" # Max number of PVCs
    services: "10" # Max number of services
    services.loadbalancers: "2" # Max number of LoadBalancer services
    services.nodeports: "3" # Max number of NodePort services
    configmaps: "15" # Max number of ConfigMaps
    secrets: "20" # Max number of Secrets
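
How the two objects interact, as an added example (a simplified Python model written for this page, not Kubernetes source code): it applies the defaults and min/max checks from the LimitRange manifest, then charges the declared values against a subset of the ResourceQuota `hard` limits. The names `qty`, `limit_ranger` and `Namespace` are hypothetical, and only single-container pods with cpu and memory are modelled.

```python
# Simplified model of LimitRanger + ResourceQuota admission (added example, not Kubernetes code).
SUFFIX = {"m": 1, "Ki": 1000 * 2**10, "Mi": 1000 * 2**20, "Gi": 1000 * 2**30}
LIMIT_RANGE = {  # the type: Container entry from the LimitRange manifest
    "defaultRequest": {"cpu": "200m", "memory": "128Mi"},
    "default": {"cpu": "500m", "memory": "256Mi"},
    "max": {"cpu": "2", "memory": "1Gi"},
    "min": {"cpu": "100m", "memory": "128Mi"},
}
QUOTA = {"pods": "10", "requests.cpu": "2", "requests.memory": "4Gi",
         "limits.cpu": "4", "limits.memory": "8Gi"}  # subset of spec.hard

def qty(s):
    """Parse a quantity such as "200m", "128Mi" or "2" into integer milli-units."""
    for suffix, mult in SUFFIX.items():
        if s.endswith(suffix):
            return int(s[:-len(suffix)]) * mult
    return int(s) * 1000

def limit_ranger(container):
    """Fill in missing requests/limits, then check every value against min/max."""
    declared_lim = container.get("limits", {})
    # A missing request falls back to the declared limit, then to defaultRequest.
    req = {**LIMIT_RANGE["defaultRequest"], **declared_lim, **container.get("requests", {})}
    lim = {**LIMIT_RANGE["default"], **declared_lim}
    for res in ("cpu", "memory"):
        lo, hi = qty(LIMIT_RANGE["min"][res]), qty(LIMIT_RANGE["max"][res])
        for kind, val in (("request", req[res]), ("limit", lim[res])):
            if not lo <= qty(val) <= hi:
                raise ValueError(f"LimitRange: {res} {kind} {val} outside min/max")
    return {"requests": req, "limits": lim}

class Namespace:
    def __init__(self):
        self.used = dict.fromkeys(QUOTA, 0)  # running totals of declared values

    def admit(self, container):
        """Admit a single-container pod or raise; nothing here reads live usage."""
        spec = limit_ranger(container)
        want = {"pods": 1000}  # one pod, in the same milli-units qty() returns
        for kind in ("requests", "limits"):
            for res, val in spec[kind].items():
                want[f"{kind}.{res}"] = qty(val)
        for key, hard in QUOTA.items():
            if self.used[key] + want[key] > qty(hard):
                raise ValueError(f"ResourceQuota: exceeded {key}")
        for key in QUOTA:
            self.used[key] += want[key]
        return spec
```

With these values, pods that declare nothing inherit the 500m default CPU limit, so the ninth such pod is rejected on `limits.cpu` before the `pods: "10"` count is reached.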