@e-minguez
Created September 16, 2020 07:46

INDIVIDUAL PROJECT

Create a project and apply a ResourceQuota with services.nodeports set to 0:

$ oc new-project service-nodeport-quota
$ oc project service-nodeport-quota
$ cat << EOF | oc apply -f -
apiVersion: v1
kind: ResourceQuota
metadata:
  name: services-nodeport-quota
spec:
  hard:
    services.nodeports: "0"
EOF

Deploy a sample app, which will create a ClusterIP service:

$ oc new-app ruby~https://github.com/sclorg/ruby-ex.git
 
$ oc get svc
NAME      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
ruby-ex   ClusterIP   172.30.54.253   <none>        8080/TCP   6s
 
$ oc get po
NAME                       READY   STATUS      RESTARTS   AGE
ruby-ex-1-build            0/1     Completed   0          3m40s
ruby-ex-5d97598688-gfhdx   1/1     Running     0          3m10s

Create another ClusterIP type of service to check the quota is not applied to those services:

$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: ruby-ex-2
spec:
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: ruby-ex
  type: ClusterIP
EOF
 
$ oc get svc
NAME        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
ruby-ex     ClusterIP   172.30.54.253   <none>        8080/TCP   11m
ruby-ex-2   ClusterIP   172.30.210.30   <none>        8080/TCP   6m59s

Create a NodePort service:

$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ruby-ex
  name: ruby-ex-nodeport
spec:
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: ruby-ex
  type: NodePort
EOF
Error from server (Forbidden): error when creating "ruby-ex-nodeport.yaml": services "ruby-ex-nodeport" is forbidden: exceeded quota: services-nodeport-quota, requested: services.nodeports=1, used: services.nodeports=0, limited: services.nodeports=0

It fails because of the quota.

PROJECT TEMPLATE

In this case, we will modify the default project template to include the NodePort quota:

$ oc adm create-bootstrap-project-template -o yaml > template.yaml
$ cp template.yaml template-with-quota.yaml

Add the quota object to template-with-quota.yaml and rename the template:

$ diff template.yaml template-with-quota.yaml
4c4
<   name: project-request
---
>   name: project-request-quota-nodeport
30a31,37
> - apiVersion: v1
>   kind: ResourceQuota
>   metadata:
>     name: services-nodeport-quota
>   spec:
>     hard:
>       services.nodeports: "0"
 
$ oc create -f template-with-quota.yaml -n openshift-config

Then, edit the cluster-wide project configuration resource to specify the new project request template:

$ oc edit project.config.openshift.io/cluster

Add the projectRequestTemplate spec:

spec:
  projectRequestTemplate:
    name: project-request-quota-nodeport

Check it:

$ oc get project.config.openshift.io/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Project
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2020-09-15T08:19:04Z"
  generation: 2
  managedFields:
  ...
  name: cluster
  resourceVersion: "82836"
  selfLink: /apis/config.openshift.io/v1/projects/cluster
  uid: dd94546a-201a-4c33-9f0c-a1d1750790b5
spec:
  projectRequestTemplate:
    name: project-request-quota-nodeport

Create a new project to verify:

$ oc new-project my-new-project
Now using project "my-new-project" on server "https://api.kni1.cloud.lab.eng.bos.redhat.com:6443".
 
You can add applications to this project with the 'new-app' command. For example, try:
 
    oc new-app ruby~https://github.com/sclorg/ruby-ex.git
 
to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:
 
    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node
 
$ oc get quota
NAME                      AGE   REQUEST                   LIMIT
services-nodeport-quota   5s    services.nodeports: 0/0  
 
$ oc project
Using project "my-new-project" on server "https://api.kni1.cloud.lab.eng.bos.redhat.com:6443".
 
$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ruby-ex
  name: ruby-ex-nodeport
spec:
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: ruby-ex
  type: NodePort
EOF
Error from server (Forbidden): error when creating "ruby-ex-nodeport.yaml": services "ruby-ex-nodeport" is forbidden: exceeded quota: services-nodeport-quota, requested: services.nodeports=1, used: services.nodeports=0, limited: services.nodeports=0

It forbids the NodePort service... but let's check the ClusterIP one:

$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: ruby-ex-2
spec:
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: ruby-ex
  type: ClusterIP
EOF
service/ruby-ex-2 created
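
A quota is enforced when a Service is created, and the modified template only applies to projects created after the change, so existing projects and existing NodePort services are not covered by either step above. The following audit helpers are an added example, not part of the original gist; they assume whitespace-separated rows in the column layouts shown in the comments, and the names "legacy-project", "legacy-api" and "compute-quota" are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original gist). Expected input rows:
#   services: namespace name type
#     oc get svc -A --no-headers -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type
#   quotas:   namespace quota-name services.nodeports-limit
#     oc get resourcequota -A --no-headers -o 'custom-columns=NS:.metadata.namespace,NAME:.metadata.name,NP:.spec.hard.services\.nodeports'

# Print "namespace/name" for each NodePort Service read from stdin.
list_nodeport_services() {
    awk '$3 == "NodePort" { print $1 "/" $2 }'
}

# $1: file of namespaces (one per line); $2: file of quota rows.
# Print namespaces lacking a quota whose services.nodeports limit is 0.
namespaces_without_nodeport_quota() {
    awk -v quotas="$2" '
        BEGIN {
            while ((getline row < quotas) > 0) {
                split(row, f, " ")
                if (f[3] == "0") covered[f[1]] = 1
            }
        }
        NF && !($1 in covered) { print $1 }
    ' "$1"
}

# Constructed sample data; the legacy-project rows are hypothetical.
sample_services() {
    cat <<'EOF'
service-nodeport-quota ruby-ex ClusterIP
service-nodeport-quota ruby-ex-2 ClusterIP
legacy-project legacy-api NodePort
EOF
}
sample_quotas() {
    cat <<'EOF'
service-nodeport-quota services-nodeport-quota 0
my-new-project services-nodeport-quota 0
legacy-project compute-quota <none>
EOF
}

# Demo on the constructed data: report NodePort services, then uncovered namespaces.
tmp=$(mktemp -d)
sample_services | awk '{ print $1 }' | sort -u > "$tmp/ns"
sample_quotas > "$tmp/quotas"
sample_services | list_nodeport_services
namespaces_without_nodeport_quota "$tmp/ns" "$tmp/quotas"
rm -rf "$tmp"
```

On a live cluster, feed the functions the output of the two `oc get` commands from the header comment instead of the sample functions.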