Kubernetes Pod admission constraints

Kubernetes Pod admission constraints are policies that define valid resource configurations for Pods within a specific scope. These constraints act as "admission" gates, ensuring that workloads adhere to predefined consumption standards or allocation limits before they are scheduled on a node.

In Kubernetes, unconstrained Pods can potentially monopolize a node's available resources.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md] To prevent this, administrators can enforce policies at the Namespace level using resources like LimitRange to control how resources are allocated and consumed.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md]

Constraint Mechanisms

Constraints are typically enforced using policies attached to a [[Namespace]].

LimitRange

A LimitRange is a policy object that restricts resource allocation within a Namespace.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md] It ensures that specific compute resources (CPU and memory) or storage requests fall within acceptable boundaries.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md]

Specifically, a LimitRange can enforce:

  • Min/Max Consumption: Constraints on the minimum and maximum CPU or memory usage per Pod or Container.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md]
  • Storage Limits: Constraints on the minimum and maximum storage size for PersistentVolumeClaims.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md]
  • Request-to-Limit Ratio: Control over the ratio between resource requests (reservation) and limits (cap).^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md]
  • Default Values: Automatic injection of default resource requests and limits for containers that do not explicitly define them.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md]

Behavior and Enforcement

When a LimitRange is active in a Namespace, the Kubernetes API server validates or modifies Pod configurations at creation time.

  • Default Injection: If a Pod is created without specifying resource requests or limits, the LimitRange automatically applies the defined defaults.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md]
  • Min/Max Validation: If a Pod declares resource values that violate the defined constraints (e.g., a CPU limit higher than the max allowed, or a request lower than the min allowed), Kubernetes will reject the creation with a Forbidden error.^[400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md]
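
The manifest below is an added example, not taken from the cited source; the namespace, object names, image reference and every quantity are constructed. It sets each of the four controls listed above in a single LimitRange and pairs it with a Pod whose CPU limit exceeds the maximum, so the API server rejects it with a Forbidden error.

```yaml
# Added example: names and quantities are constructed for illustration.
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-limits
  namespace: team-a
spec:
  limits:
    - type: Container
      min:                      # requests below this are rejected
        cpu: 100m
        memory: 64Mi
      max:                      # limits above this are rejected
        cpu: "1"
        memory: 1Gi
      defaultRequest:           # injected when a container sets no request
        cpu: 200m
        memory: 128Mi
      default:                  # injected when a container sets no limit
        cpu: 500m
        memory: 256Mi
      maxLimitRequestRatio:     # limit may be at most 4x the request
        cpu: "4"
    - type: PersistentVolumeClaim
      min:
        storage: 1Gi
      max:
        storage: 20Gi
---
# Rejected at admission: the CPU limit (2) is above the Container max (1).
# The limit/request ratio (2 / 500m = 4) and the memory values are valid,
# so the max check is the only violation.
apiVersion: v1
kind: Pod
metadata:
  name: over-limit
  namespace: team-a
spec:
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      resources:
        requests:
          cpu: 500m
          memory: 128Mi
        limits:
          cpu: "2"
          memory: 256Mi
```

Removing the `resources` block from the Pod makes it admissible: the container then receives the `defaultRequest` and `default` values, which `kubectl describe pod` shows on the created object.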

Sources

  • 400-devops__06-Kubernetes__k8s-ithelp__Day23__README.md