
Pod resource admission validation

Pod resource admission validation is the enforcement mechanism within Kubernetes that ensures containers adhere to defined compute resource constraints. By default, Kubernetes does not limit the resources a container can use, potentially allowing a single Pod to monopolize a node's available CPU and memory.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md] To prevent this, administrators can implement policies that enforce minimum and maximum resource allocations.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]

LimitRange

The primary tool for this validation is the LimitRange object, which is scoped to a specific [[Namespace]].^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md] A LimitRange policy ensures that:

  • Pods or containers do not exceed a specified maximum CPU or memory usage.
  • Pods or containers meet a specified minimum resource request.
  • PersistentVolumeClaims conform to defined storage constraints.
  • Default request and limit values are automatically injected into containers that do not explicitly declare them.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]

Default Value Injection

When a LimitRange is created in a namespace, it acts as a policy object for resource allocation.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md] If a Pod is created without specifying resource requests or limits, the Kubernetes Control Plane automatically injects the default values defined in the LimitRange into the container's runtime configuration.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]

Admission Rejection

The validation process occurs at admission, meaning Kubernetes will reject the creation of resources that violate the policy.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md] The system will return a Forbidden error if:

  • A container's CPU or memory limit exceeds the LimitRange maximum.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]
  • A container's CPU or memory request falls below the LimitRange minimum.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]
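
The manifest below is an added example, not taken from the cited source, showing a LimitRange next to one Pod that receives injected defaults and one Pod that is rejected at admission. The namespace `team-a` (assumed to exist already), the object names, the image reference, and all quantities are constructed for illustration.

```yaml
# Constructed example: names, namespace, image and quantities are assumptions.
apiVersion: v1
kind: LimitRange
metadata:
  name: compute-bounds
  namespace: team-a
spec:
  limits:
    - type: Container
      min: {cpu: 100m, memory: 64Mi}               # requests below this are rejected
      max: {cpu: "1", memory: 512Mi}               # limits above this are rejected
      defaultRequest: {cpu: 200m, memory: 128Mi}   # injected when no request is declared
      default: {cpu: 500m, memory: 256Mi}          # injected when no limit is declared
    - type: PersistentVolumeClaim
      min: {storage: 1Gi}
      max: {storage: 10Gi}
---
# Admitted: declares no resources, so defaultRequest and default are injected.
apiVersion: v1
kind: Pod
metadata:
  name: uses-defaults
  namespace: team-a
spec:
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
---
# Rejected with Forbidden: memory limit 1Gi exceeds the LimitRange max of 512Mi.
apiVersion: v1
kind: Pod
metadata:
  name: over-max
  namespace: team-a
spec:
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      resources:
        requests: {cpu: 200m, memory: 128Mi}
        limits: {cpu: 500m, memory: 1Gi}
```

After applying the file with `kubectl apply -f`, `kubectl get pod uses-defaults -n team-a -o yaml` shows the injected requests and limits in the Pod spec, while the `over-max` Pod is never created.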

Sources

^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]