LimitRanges for resources

In the world of Kubernetes, if you don’t set rules, a single container can act like a “noisy neighbor,” eating up all the CPU and Memory on a node. This can crash other important applications.

While ResourceQuotas set limits for the whole Namespace (the whole team),

LimitRanges are the specific rules for individual Pods and Containers (the individual player). They ensure every container is “sized just right” not too small to fail, and not too big to waste resources. If a developer forgets to set CPU or Memory request, the LimitRange automatically applies a safe default setting for them.

Think of a Kubernetes Namespace as a Shared Office Cafeteria.

• ResourceQuota is the budget for the entire department (e.g., “The Engineering team gets 500 plates of food total per day”).
• LimitRange is the rule for the individual plate:
  • Min: You must take at least 1 spoon of rice (so you don’t starve/crash).
  • Max: You cannot take more than 2 full plates (so you don’t leave others hungry).
  • Default: If you don’t say what you want, we automatically give you a standard “Thali” (Standard Default Request/Limit).

Easy Remember Cheat Sheet

1. “LimitRange is for the Pod; ResourceQuota is for the Namespace.”
2. “No limits defined? LimitRange fills in the blanks.”
3. “It stops the ‘Goldilocks’ problem: Not too big, not too small.”
4. “It acts as a gatekeeper at the door if a Pod breaks the rules, it gets rejected immediately.”

• Scope: Applied at the Namespace level but enforces rules on individual Containers and Pods.
• Defaults: Can inject default requests and limits if the user creates a Pod without them.
• Validation: It rejects Pod creation if the requested resources violate the Min/Max constraints.
• Ratio Control: It can enforce a strict ratio between Request (minimum needed) and Limit (maximum allowed) to prevent over-commitment.

At an Architect level, LimitRanges are your first line of defense against Denial of Service (DoS) attacks from internal bad actors or misconfigured CI/CD pipelines.

• The LimitRange is actually an Admission Plugin. It runs in the API server. When a request comes in:
  • Mutating Phase: If the pod has no limits, the LimitRange mutates the pod spec to inject the defaults.
  • Validating Phase: It checks the final numbers. If they are outside the Min/Max, it rejects the pod.

• Strategy: Never allow a Namespace to exist without a LimitRange. This ensures that even if a developer is lazy, their pods are “capped” by the default limits.
• Integration: Combine LimitRanges with OPA Gatekeeper or Kyverno. While LimitRange handles the numeric values, Kyverno can enforce which LimitRange profile is applied to which team.
• Security Context: By forcing a low CPU and Memory limit, you force developers to optimize their code. This reduces the blast radius if a container is compromised and tries to mine crypto (it will hit the CPU limit immediately).
• • Kyverno (Policy engine to enforce presence of LimitRanges)

Use Case

• Multi-tenant Clusters: When Team A and Team B share a cluster, LimitRanges prevent Team A from creating a “Monster Pod” that takes up an entire 64GB RAM node.
• Development Environments: Developers often forget to add YAML resources. LimitRange fixes this by auto-injecting “small t-shirt size” resources (e.g., 200m CPU, 512Mi RAM).

Benefits

• Stability: Prevents node starvation.
• Cost Control: Prevents accidental provisioning of massive containers.
• Standardization: Enforces a baseline “T-shirt sizing” for applications.

Limitations

• No Retroactive Action: If you apply a LimitRange today, it does not kill or resize existing Pods that violate the rule. It only affects new Pods.
• Node Capacity Ignorance: A LimitRange allows you to set a Max of 100GB RAM even if your biggest node is only 64GB. It validates the number, not the physical reality (though the Pod will stick in Pending state later).

Common Issues, Problems, and Solutions

• Problem: “My Pod creation is failing with Forbidden error.”
  • Solution: The Pod requested resources outside the Min/Max range. Check kubectl describe limitrange and adjust your Pod spec.
• Problem: “I didn’t set limits, but my Pod has limits now.”
  • Solution: This is the Default feature working as intended. If you don’t want this, you must explicitly define limits in your Pod or remove the default section from the LimitRange.
• Problem: “OOMKilled (Out of Memory) errors.”
  • Solution: The defaultLimit might be too aggressive (too small). Increase the default memory limit in the LimitRange.

• Configure Default Memory Requests and Limits for a Namespace
• Configure Default CPU Requests and Limits for a Namespace
• Limit Ranges API Reference

Yaml file to create LimitRange

Difference between Quota vs. LimitRange: