How to Limit Container CPU Usage with Cgroups in Kubernetes

Kubernetes CPU Resource Configuration

In Kubernetes, a pod's specification can define CPU requests and limits , which are enforced by the CPU Cgroup subsystem. The request guarantees a minimum amount of CPU for the container, while the limit caps the maximum CPU the container can consume.

apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    resources:
      requests:
        memory: "64Mi"
        cpu: "1"
      limits:
        memory: "128Mi"
        cpu: "2"

CPU Usage and Cgroup Parameters

Understanding Linux CPU accounting helps in limiting container CPU usage. The top command shows user space ( us ) and system space ( sy ) CPU usage. Key Cgroup parameters include:

cpu.cfs_quota_us : the total time (in microseconds) that tasks in the cgroup may run during one scheduling period.

cpu.cfs_period_us : the length of a scheduling period for the Completely Fair Scheduler (default 100,000 µs, i.e., 100 ms).

cpu.shares : the relative weight for CPU time allocation among cgroups (default 1024).

Practical Operation: Setting Container CPU Limits

Assume a program threads-cpu consumes two CPUs (200%). By adding its PID to a specific Cgroup and adjusting the parameters, you can restrict its CPU usage:

./threads-cpu/threads-cpu 2 & echo $! > /sys/fs/cgroup/cpu/group2/group3/cgroup.procs
echo 150000 > /sys/fs/cgroup/cpu/group2/group3/cpu.cfs_quota_us
echo 1024 > /sys/fs/cgroup/cpu/group2/group3/cpu.shares

Deep Dive into CPU Cgroup Parameters

The combination of cpu.cfs_quota_us and cpu.cfs_period_us defines the maximum CPU time available to all processes in a cgroup. cpu.shares determines the relative proportion of CPU resources among sibling cgroups, taking effect only when the system's CPUs are fully utilized.

Example Explanation

With threads-cpu running, setting cpu.cfs_quota_us to 150,000 µs and cpu.shares to 1024 limits its CPU usage to roughly 150 % of a single CPU. After applying the settings, running top shows the process’s CPU consumption reduced accordingly.

The cpu.shares value also influences how CPU is divided between multiple cgroups. For instance, a cgroup with cpu.shares 1024 and another with 3072 will share CPU in a 1:3 ratio when demand exceeds available CPUs.

Conclusion

By understanding Linux CPU accounting and the key Cgroup parameters, you can effectively limit container CPU usage. Properly configuring pod CPU requests and limits in Kubernetes ensures stable operation under varying loads and improves overall cluster resource utilization.