L10. Resource Limits, Quotas and LimitRanges
Without resource limits, a single pod can starve the entire node. Learn how to set CPU and memory limits, enforce namespace quotas, and use LimitRanges to set defaults.
Why Resource Limits Matter for Security
Resource limits are not just an operational concern. They are a security control. Without limits, a compromised pod can:
- Crypto-mine: Consume all CPU on the node
- DoS other pods: Starve co-located workloads of memory
- Trigger OOM kills: Force the kernel to kill other pods
- Exhaust disk: Fill the node's ephemeral storage with logs or data
Requests vs Limits
| Setting | What It Does | Used For |
|---|---|---|
| requests | Guaranteed minimum resources | Scheduling decisions |
| limits | Maximum resources allowed | Runtime enforcement |
```yaml
containers:
- name: app
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi
```
requests tell the scheduler how much capacity the pod needs. limits tell the kubelet the maximum the container can use. If a container exceeds its memory limit, it is OOM-killed. If it exceeds its CPU limit, it is throttled.
ResourceQuotas
ResourceQuotas set aggregate limits for an entire namespace:
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    pods: "50"
    secrets: "20"
    services.loadbalancers: "2"
```
When a ResourceQuota is active, every pod must specify resource requests and limits. Pods without them are rejected. Best practice: Set quotas on every non-system namespace to prevent resource exhaustion from a single team or workload.
LimitRanges
LimitRanges set default, minimum, and maximum resource values for containers in a namespace. They catch pods that forget to set limits:
```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: production
spec:
  limits:
  - type: Container
    default:
      cpu: 200m
      memory: 256Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    max:
      cpu: "2"
      memory: 2Gi
    min:
      cpu: 50m
      memory: 64Mi
```
If a pod does not specify resource limits, the LimitRange injects the default values. If a pod requests more than the maximum, it is rejected.
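To make the defaulting and min/max behaviour concrete, here is an added example (not part of the lesson or of Kubernetes itself) that simulates what the admission step does with the default-limits LimitRange above: inject defaults, then reject containers outside the range. It also shows a common gotcha: a container that sets only a request larger than the injected default limit is rejected.

```python
import re

# Multipliers for the quantity suffixes that appear in this lesson's manifests.
_SUFFIX = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
           "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}


def parse_quantity(q):
    """Convert a Kubernetes quantity such as '100m', '256Mi' or '2' to a float."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity: {q}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


# Values copied from the lesson's default-limits LimitRange (type: Container).
LIMIT_RANGE = {
    "default": {"cpu": "200m", "memory": "256Mi"},
    "defaultRequest": {"cpu": "100m", "memory": "128Mi"},
    "max": {"cpu": "2", "memory": "2Gi"},
    "min": {"cpu": "50m", "memory": "64Mi"},
}


def admit_container(resources, lr=LIMIT_RANGE):
    """Apply LimitRange defaulting and validation to one container's resources.

    Returns (accepted, effective_resources, reason). Simplified model of the
    real admission logic, written for this example.
    """
    req = dict(resources.get("requests", {}))
    lim = dict(resources.get("limits", {}))
    for name in ("cpu", "memory"):
        if name not in lim:
            lim[name] = lr["default"][name]  # missing limit -> default
        if name not in req:
            # Kubernetes copies an explicit limit into the request; only when
            # neither is given does the LimitRange defaultRequest apply.
            explicit_limit = name in resources.get("limits", {})
            req[name] = lim[name] if explicit_limit else lr["defaultRequest"][name]
        r, l = parse_quantity(req[name]), parse_quantity(lim[name])
        if r > l:  # gotcha: a request above the injected default limit is invalid
            return False, None, f"{name} request {req[name]} exceeds limit {lim[name]}"
        lo, hi = parse_quantity(lr["min"][name]), parse_quantity(lr["max"][name])
        for label, v in (("request", r), ("limit", l)):
            if not lo <= v <= hi:
                return False, None, f"{name} {label} outside [{lr['min'][name]}, {lr['max'][name]}]"
    return True, {"requests": req, "limits": lim}, "ok"
```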
Ephemeral Storage Limits
Do not forget ephemeral storage. Containers can fill the node's disk with logs, temp files, or downloaded data:
```yaml
resources:
  requests:
    ephemeral-storage: 500Mi
  limits:
    ephemeral-storage: 1Gi
```
When a container exceeds its ephemeral storage limit, it is evicted from the node.
Priority Classes
Use PriorityClasses to ensure critical workloads survive resource pressure. Higher-priority pods can preempt lower-priority ones when the cluster is under pressure:
```yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: security-critical
value: 1000000
globalDefault: false
description: "Priority for security monitoring workloads"
```
Assign the priority class to pods that must keep running (security agents, logging, monitoring).
- ✓ Without resource limits, a compromised pod can crypto-mine, DoS other pods, or exhaust node disk
- ✓ Requests are guaranteed minimums used for scheduling; limits are maximums enforced at runtime (OOM-kill for memory, throttling for CPU)
- ✓ When a ResourceQuota is active in a namespace, every pod must specify resource requests and limits or be rejected
- ✓ LimitRanges inject default resource values for pods that do not specify them and enforce min/max boundaries
- ✓ Ephemeral storage limits prevent containers from filling the node disk with logs or temporary files
1. What happens when a container exceeds its memory limit?
2. What happens when a ResourceQuota is active and a pod does not specify resource requests?
3. Which resource type prevents containers from filling the node disk with logs?