Skip to main content
< All Topics

Kubernetes ResourceQuota Controller

Namespace Resource Quotas

In Kubernetes, a cluster is like a big shared computer. If one team runs a very heavy application, it might accidentally use up all the CPU and RAM, causing other teams’ applications to crash.

Namespace Resource Quotas are simply the “limits” or “budgets” you set for a specific team (Namespace). It tells Kubernetes: “This team is allowed to use only this much CPU and this much Memory, and not a single byte more.” This ensures fairness and prevents one bad application from bringing down the whole cluster.

Key Characteristics to Remember
  • “Quota is the Ceiling” – It sets the maximum limit for the whole room (Namespace), not just one person (Pod).
  • “Requests allow entry, Limits stop abuse” – Quotas calculate the total of all Pods’ requests and limits to see if they fit.
  • “No Ticket, No Entry” – If a Quota is active, every single Pod must have resource requests defined, or it will be rejected (unless you have a LimitRange).
  • Aggregate Level: Quotas apply to the sum of all resources in the namespace.
  • Hard Limits: Kubernetes creates a hard stop. You cannot exceed the quota.
  • Resource Types: It covers Compute (CPU, Memory), Storage, and Object Counts (e.g., max 10 pods).
  • Scope: Strictly bound to a specific Namespace.
FeatureDescriptionReal-World Check
Compute QuotaLimits total CPU & RAM usage.“You have 4GB RAM total for this project.”
Object QuotaLimits the count of resources (e.g., Pods, Services).“You can only create 10 servers max.”
ScopeSelectorApply quotas only to specific pod priorities.“Only Gold-tier apps get unlimited resources.”
EnforcementImmediate rejection of new Pods if over quota.“Transaction Declined: Insufficient Funds.”

Kubernetes Resource Quotas are critical governance objects defined in the API group v1. They provide constraints that limit the aggregate resource consumption per Namespace. When a ResourceQuota is applied, the Kubernetes API server inspects every pod creation request. If the new pod’s resource requirement forces the namespace usage over the set Quota, the API server returns a 403 Forbidden error.

This mechanism is vital for multi-tenant environments where you have Development, Staging, and Production workloads running on the same physical hardware. It is the primary defense against the “Noisy Neighbor” problem.

the most important concept is limiting Compute Resources.

  • requests.cpu: The minimum CPU guaranteed to the namespace.
  • limits.cpu: The maximum CPU the namespace can ever reach.
  • requests.memory & limits.memory: Same logic for RAM.

At an architect level, you must consider Quota Scopes and Object Counts to prevent control plane abuse.

  • BestEffort vs. NotBestEffort: You can set different quotas for pods that have limits versus those that don’t (Quality of Service).
  • Object Count Quotas: Prevent “resource exhaustion attacks” where a loop creates 10,000 tiny pods, crashing the API server even if CPU usage is low. You limit pods, services, secrets, configmaps, etc.
  • LimitRange Integration: A Quota fails if a Pod doesn’t have a resource request. Architects use LimitRange to automatically inject default requests/limits so the Quota system doesn’t reject valid deployments purely due to missing YAML fields.
Limitations
  • No “Borrowing”: Namespace A cannot borrow unused quota from Namespace B, even if the cluster is empty. It is a hard wall.
  • CPU Throttling: If you hit CPU limits, the app slows down (throttles). If you hit Memory limits, the app crashes (OOMKilled).
Common Issues, Problems and Solutions
ProblemRoot CauseSolution
“Forbidden: exceeded quota”The new pod requests more resources than available in the remaining quota.Increase the Quota or optimize the Pod’s resource requests.
Deployment stuck at 0 replicasQuota is full, so the ReplicaSet cannot create the Pod.Check kubectl describe quota to see which resource is exhausted.
Pods failing without explicit errorOften caused by Ephemeral Storage limits being hit.Add requests.ephemeral-storage to your quota monitoring.
Yaml file to create Namespace and its Quota
# Create namespace apiVersion: v1 kind: Namespace metadata: name: project-alpha # <— We create this specific name labels: team: backend-devs environment: production apiVersion: v1 kind: ResourceQuota metadata: name: hardened-team-quota namespace: project-alpha # The namespace where this applies labels: environment: production tier: gold spec: hard: # — COMPUTE RESOURCES (The “Engine” Limits) — # requests.cpu: “4” means 4 vCPUs (or 4 Cores) are GUARANTEED. # This is equivalent to writing “4000m”. requests.cpu: “4” # limits.cpu: “8” means the namespace can burst up to 8 vCPUs # if the node has free capacity. It cannot exceed 8 vCPUs. limits.cpu: “8” # Total Memory requests (8 GiB guaranteed) requests.memory: “8Gi” # Total Memory limits (Hard stop at 16 GiB) limits.memory: “16Gi” # — OBJECT COUNTS (The “Clutter” Limits) — # Maximum number of pods allowed (prevents IP address exhaustion) pods: “20” # Limit Services to prevent network clutter services: “10” # Limit Secrets/ConfigMaps to protect etcd database size secrets: “30” configmaps: “30” # — STORAGE RESOURCES (The “Warehouse” Limits) — # Total storage space requested across all PVCs requests.storage: “100Gi” # Max number of PVCs (disks) allowed persistentvolumeclaims: “10” # — EXPENSIVE CLOUD RESOURCES (The “Wallet” Savers) — # Critical for cost control on AWS/GCP/Azure! # Prevents creating too many expensive external Load Balancers services.loadbalancers: “2” # Specific limits for NodePorts (security risk if too many open) services.nodeports: “0”

Contents
Scroll to Top