- Create a project and apply a services.nodeports quota = 0
$ oc new-project service-nodeport-quota
$ oc project service-nodeport-quota
$ cat << EOF | oc apply -f -
apiVersion: v1
kind: ResourceQuota
metadata:
  name: services-nodeport-quota
spec:
  hard:
    services.nodeports: "0"
EOF
Deploy a sample app, which will create a ClusterIP service:
$ oc new-app ruby~https://github.com/sclorg/ruby-ex.git
$ oc get svc
NAME      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
ruby-ex   ClusterIP   172.30.54.253   <none>        8080/TCP   6s
$ oc get po
NAME                       READY   STATUS      RESTARTS   AGE
ruby-ex-1-build            0/1     Completed   0          3m40s
ruby-ex-5d97598688-gfhdx   1/1     Running     0          3m10s
Create another ClusterIP type of service to check that the quota is not applied to those services:
$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: ruby-ex-2
spec:
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: ruby-ex
  type: ClusterIP
EOF
$ oc get svc
NAME        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
ruby-ex     ClusterIP   172.30.54.253   <none>        8080/TCP   11m
ruby-ex-2   ClusterIP   172.30.210.30   <none>        8080/TCP   6m59s
Create a NodePort service:
$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ruby-ex
  name: ruby-ex-nodeport
spec:
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: ruby-ex
  type: NodePort
EOF
Error from server (Forbidden): error when creating "ruby-ex-nodeport.yaml": services "ruby-ex-nodeport" is forbidden: exceeded quota: services-nodeport-quota, requested: services.nodeports=1, used: services.nodeports=0, limited: services.nodeports=0
It fails because of the quota.
To have the quota applied to new projects by default, we will modify the default project template to include the NodePort quota:
$ oc adm create-bootstrap-project-template -o yaml > template.yaml
$ cp template.yaml template-with-quota.yaml
Add the quota object to the template-with-quota.yaml file:
$ diff template.yaml template-with-quota.yaml
4c4
< name: project-request
---
> name: project-request-quota-nodeport
30a31,37
> - apiVersion: v1
> kind: ResourceQuota
> metadata:
> name: services-nodeport-quota
> spec:
> hard:
> services.nodeports: "0"
$ oc create -f template-with-quota.yaml -n openshift-config
Then, edit the cluster-wide Project configuration resource (project.config.openshift.io/cluster) to specify the new project request template:
$ oc edit project.config.openshift.io/cluster
Add the projectRequestTemplate spec:
spec:
  projectRequestTemplate:
    name: project-request-quota-nodeport
Check it:
$ oc get project.config.openshift.io/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Project
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2020-09-15T08:19:04Z"
  generation: 2
  managedFields:
  ...
  name: cluster
  resourceVersion: "82836"
  selfLink: /apis/config.openshift.io/v1/projects/cluster
  uid: dd94546a-201a-4c33-9f0c-a1d1750790b5
spec:
  projectRequestTemplate:
    name: project-request-quota-nodeport
Create a new project to verify:
$ oc new-project my-new-project
Now using project "my-new-project" on server "https://api.kni1.cloud.lab.eng.bos.redhat.com:6443".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app ruby~https://github.com/sclorg/ruby-ex.git
to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:
kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node
$ oc get quota
NAME                      AGE   REQUEST                   LIMIT
services-nodeport-quota   5s    services.nodeports: 0/0
$ oc project
Using project "my-new-project" on server "https://api.kni1.cloud.lab.eng.bos.redhat.com:6443".
$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ruby-ex
  name: ruby-ex-nodeport
spec:
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: ruby-ex
  type: NodePort
EOF
Error from server (Forbidden): error when creating "ruby-ex-nodeport.yaml": services "ruby-ex-nodeport" is forbidden: exceeded quota: services-nodeport-quota, requested: services.nodeports=1, used: services.nodeports=0, limited: services.nodeports=0
It forbids the NodePort service... but let's check the ClusterIP one:
$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: ruby-ex-2
spec:
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: ruby-ex
  type: ClusterIP
EOF
service/ruby-ex-2 created
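The project request template is only used when a project is requested, so projects that existed before the change do not get the quota. The script below is an added example, not part of the original page: it lists namespaces that have no ResourceQuota with services.nodeports set to 0, plus any Services of type NodePort that already exist. The function names and the audit.sh file name are hypothetical, and audit_cluster assumes a logged-in oc session with cluster-wide read access.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Inputs are tab-separated text.

# missing_nodeport_quota NAMESPACES_FILE QUOTAS_FILE
#   NAMESPACES_FILE: one namespace per line
#   QUOTAS_FILE:     "<namespace><TAB><hard services.nodeports value>" per quota
# Prints namespaces that have no quota with services.nodeports set to 0.
missing_nodeport_quota() {
  awk -F '\t' '
    FILENAME == ARGV[1] { if ($2 == "0") covered[$1] = 1; next }
    !($1 in covered)    { print $1 }
  ' "$2" "$1"
}

# existing_nodeports SERVICES_FILE
#   SERVICES_FILE: "<namespace><TAB><name><TAB><spec.type>" per Service
# Prints namespace/name for every Service of type NodePort.
existing_nodeports() {
  awk -F '\t' '$3 == "NodePort" { print $1 "/" $2 }' "$1"
}

# Collects the three inputs from a live cluster and prints both reports.
# Assumes a logged-in oc session with cluster-wide read access.
audit_cluster() {
  tmp=$(mktemp -d) || return 1
  oc get namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' > "$tmp/ns"
  oc get resourcequota -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.spec.hard.services\.nodeports}{"\n"}{end}' > "$tmp/quotas"
  oc get services -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.type}{"\n"}{end}' > "$tmp/svcs"
  echo "Namespaces without a services.nodeports=0 quota:"
  missing_nodeport_quota "$tmp/ns" "$tmp/quotas"
  echo "Existing NodePort services:"
  existing_nodeports "$tmp/svcs"
  rm -rf "$tmp"
}

# Offline dry run on constructed sample data (not from a real cluster).
demo() {
  d=$(mktemp -d) || return 1
  printf 'app-a\napp-b\napp-c\n' > "$d/ns"
  printf 'app-a\t0\napp-b\t\napp-c\t5\n' > "$d/quotas"
  printf 'app-a\truby-ex\tClusterIP\napp-c\truby-ex-nodeport\tNodePort\n' > "$d/svcs"
  missing_nodeport_quota "$d/ns" "$d/quotas"; existing_nodeports "$d/svcs"
  rm -rf "$d"
}

# "sh audit.sh cluster" queries the cluster; anything else runs the dry run.
case "${1:-demo}" in cluster) audit_cluster ;; *) demo ;; esac
```

System namespaces such as openshift-* and kube-* are not created from the project template, so they will appear in the first list and should be filtered out before acting on it.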