rancher: Incorrect resource quota set for namespaces where Project quota is enabled

SURE-3695

Rancher Cluster: Rancher version: v2.5.10 & v.2.6.2 Number of nodes: 3 Node OS version: Ubuntu 20.04.3 LTS

Downstream Cluster: Number of Downstream clusters: 1 Node OS: Ubuntu 20.04.3 LTS RKE/RKE2/K3S version: NA Kubernetes version: NA CNI: NA

Longhorn: Longhorn version:NA CPU per node: NA Memory per node: NA Disk type: HDD/SSD/NVMe Network bandwidth between the nodes: NA

Other: Underlying Infrastructure: NA Any 3rd party software installed on the nodes: NA –>

Issue description: The namespace created after utilizing all project limits; the resource quota allocated to new namespace contains quota which is not provided in project quota

Business impact: Unable to create a new config map on a namespace where no project resource quota assigned for configmap

Repro steps:

Create a Project with below resource limits

    limitsCpu: 200m
    limitsMemory: 128Mi
    requestsCpu: 100m
    requestsMemory: 64Mi
  description: ""
  displayName: quotatest
  enableProjectMonitoring: false
  namespaceDefaultResourceQuota:
    limit:
      limitsCpu: "1000"
      limitsMemory: "2000"
  resourceQuota:
    limit:
      limitsCpu: "1000"
      limitsMemory: "2000"

Create a namespace inside the project The namespace gets a quota with the below settings

    hard:
      limits.cpu: 1k
      limits.memory: 2k

Create another namespace, but this time the new namespace gets below the quota

    hard:
      configmaps: "0"
      limits.cpu: "0"
      limits.memory: "0"
      persistentvolumeclaims: "0"
      pods: "0"
      replicationcontrollers: "0"
      requests.cpu: "0"
      requests.memory: "0"
      requests.storage: "0"
      secrets: "0"
      services: "0"
      services.loadbalancers: "0"
      services.nodeports: "0"

Create a new config map on second namespace configmaps "test" is forbidden: exceeded quota: default-995sh, requested: configmaps=1, used: configmaps=0, limited: configmaps=0

Actual behavior: Unable to create config maps on namespace that doesn’t have a project-level configmap quota set

Expected behavior: Configmap creation should work since the limit is set for only CPU and Memory

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 25 (15 by maintainers)

Most upvoted comments

I think the zeros-for-all quota is confusing. Unless I’m mistaken, it basically just bricks the new namespace so you can’t do anything with it. It would be easier to understand if creating the namespace would fail with an error along the lines of “Can’t create a new namespace because the project resource quota is already at capacity. Increase the project quota limit or decrease the limit of other namespaces in the project to free up more capacity.”

+3
catherineluse on Feb 18, 2022

Project Quota can’t be remove, which is a serious problem, see https://github.com/rancher/rancher/issues/35688

+2
finkr on Jan 14, 2022
Read more comments on GitHub
← rancher: Improve error logs in health check containers when health check is paused when ipsec is not in "active" state.
rancher: Incorrect verb "read" versus "get" in clusterscan resource RBAC prevents correctly granting clusterscan permissions →