Kubernetes Namespace Resource Quotas: Set Defaults, Limits, and Enforce Policies

Kubernetes allows specifying CPU and RAM requests and limits for individual pods, which is useful for pod‑level resource management. This article demonstrates three strategies for efficient cluster‑wide resource management using namespace‑level features.

Three strategies

Set default resource requests and limits for containers.

Define minimum and maximum resource constraints.

Apply a ResourceQuota to control total resource consumption of all containers in a namespace.

These strategies help address various use cases by leveraging the full capabilities of Kubernetes namespaces and resource management.

Creating a namespace for the demo

kubectl create namespace resource-quota-demo
namespace "resource-quota-demo" created

Defining a ResourceQuota object

apiVersion: v1
kind: ResourceQuota
metadata:
  name: resource-quota
spec:
  hard:
    requests.cpu: "1.4"
    requests.memory: 2Gi
    limits.cpu: "2"
    limits.memory: 3Gi

This ResourceQuota enforces that each container defines its memory and CPU requests and limits, the total memory requests do not exceed 2 Gi, total CPU requests do not exceed 1.4 CPU, and the total limits are capped at 2 CPU and 3 Gi memory.

Applying the ResourceQuota

kubectl create -f resource-quota.yaml --namespace resource-quota-demo
resourcequota "resource-quota" created

Creating the first pod

apiVersion: v1
kind: Pod
metadata:
  name: resource-quota-pod-1
spec:
  containers:
  - name: resource-quota-ctr-1
    image: httpd:2.4
    resources:
      limits:
        memory: "2Gi"
        cpu: 1.2
      requests:
        memory: "1.3Gi"
        cpu: 0.8

kubectl create -f resource-quota-pod-1.yaml --namespace resource-quota-demo
pod "resource-quota-pod-1" created

The pod is created successfully because its requests and limits are within the namespace quota.

Inspecting quota usage after the first pod

kubectl get resourcequota --namespace resource-quota-demo --output=yaml

The output shows that the first pod has consumed part of the quota (limits.cpu: 1200m, limits.memory: 2 Gi, requests.cpu: 800m, requests.memory: 1.3 Gi).

Creating a second pod that exceeds the quota

apiVersion: v1
kind: Pod
metadata:
  name: resource-quota-pod-2
spec:
  containers:
  - name: resource-quota-ctr-2
    image: httpd:2.4
    resources:
      limits:
        memory: "1.3Gi"
        cpu: 0.9
      requests:
        memory: "1Gi"
        cpu: 0.8

kubectl create -f resource-quota-pod-2.yaml --namespace resource-quota-demo

Error from server (Forbidden): error when creating "resource-quota-pod-2.yaml": pods "resource-quota-pod-2" is forbidden: exceeded quota: resource-quota, requested: limits.cpu=900m,limits.memory=1395864371200m,requests.cpu=800m,requests.memory=1Gi, used: limits.cpu=1200m,limits.memory=2Gi,requests.cpu=800m,requests.memory=1395864371200m, limited: limits.cpu=2,limits.memory=3Gi,requests

The creation fails because the pod's CPU and memory requests exceed the defined ResourceQuota.

Cleanup

kubectl delete namespace resource-quota-demo
namespace "resource-quota-demo" deleted

By setting default requests and limits, defining constraints, and applying ResourceQuotas, administrators can enforce resource policies at the namespace level without requiring manual specifications for each pod.