https://drive.google.com/file/d/1RGZ_f7zoVbRyCoZe3_Wx4XX6DcLkApqH/view?usp=sharing
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: pod-quota
  namespace: learning   # Applied to this namespace only
spec:
  hard:
    pods: "4"           # Max 4 Pods allowed in "learning" namespace
```

Key Insight:
This quota prevents users/teams from flooding a namespace with unlimited Pods, which is critical for cost control and stability.

💡 Why limit Pods?
- Each Pod consumes IP addresses, kubelet resources, and etcd space
- Prevents "noisy neighbor" attacks in multi-team clusters

| Component | Role |
|---|---|
| `namespace: learning` | Quota applies only to this namespace |
| `hard.pods: "4"` | Hard limit: no more than 4 Pods (running + pending) |
| Enforcement | Happens at admission time (before Pod is created) |

🎯 What counts toward the `pods` quota?
- Every Pod (including those from Deployments, ReplicaSets, Jobs)
- Does NOT count: Services, ConfigMaps, Secrets

⚠️ Important:
Quotas apply to all Pods in the namespace, even if created by controllers (Deployments, etc.).

```bash
# Create namespace
kubectl create namespace learning

# Apply quota
kubectl apply -f namespace-pod-quota.yml

# Verify quota
kubectl get resourcequotas -n learning
# NAME        AGE   REQUEST     LIMIT
# pod-quota   10s   pods: 0/4

# Deploy 4 Pods (using bare Pods for simplicity)
for i in {1..4}; do
  kubectl run "pod$i" -n learning --image=nginx --restart=Never
done

# Verify
kubectl get pods -n learning
# 4 Pods in "Running" state
kubectl describe resourcequotas pod-quota -n learning
# Used: pods: 4

# Try to deploy a 5th Pod
kubectl run pod5 -n learning --image=nginx --restart=Never
# Expected error:
# Error from server (Forbidden):
# pods "pod5" is forbidden:
# exceeded quota: pod-quota, requested: pods=1, used: pods=4, limited: pods=4
```

Key Message:
"exceeded quota" means Kubernetes blocks creation at admission time.
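
The admission arithmetic behind that error can be checked before deploying. The script below is an added example, not part of the original page: it reads JSON shaped like `kubectl get resourcequota -n learning -o json` and reports whether a request would fit. The function name `check_request` and the sample data are constructed for illustration, and only integer count quotas such as `pods` are handled.

```python
import json

# Constructed sample shaped like `kubectl get resourcequota -n learning -o json`
# after the four Pods from the walkthrough are running (not captured output).
SAMPLE = json.loads("""
{
  "kind": "List",
  "items": [{
    "kind": "ResourceQuota",
    "metadata": {"name": "pod-quota", "namespace": "learning"},
    "spec": {"hard": {"pods": "4"}},
    "status": {"hard": {"pods": "4"}, "used": {"pods": "4"}}
  }]
}
""")


def check_request(quota_list, namespace, requested):
    """Return a list of violation strings; an empty list means the request fits.

    `requested` maps resource name to an integer count, e.g. {"pods": 1}.
    Only integer object-count quotas are handled (assumption of this example);
    CPU/memory quantities such as "500m" or "1Gi" are skipped.
    """
    violations = []
    for q in quota_list.get("items", []):
        meta = q["metadata"]
        if meta.get("namespace") != namespace:
            continue
        status = q.get("status", {})
        hard, used = status.get("hard", {}), status.get("used", {})
        for resource, want in requested.items():
            if resource not in hard:
                continue  # this quota does not constrain the resource
            try:
                limit, current = int(hard[resource]), int(used.get(resource, "0"))
            except ValueError:
                continue  # non-integer quantity, out of scope here
            if current + want > limit:
                violations.append(
                    f"exceeded quota: {meta['name']}, requested: {resource}={want}, "
                    f"used: {resource}={current}, limited: {resource}={limit}"
                )
    return violations


if __name__ == "__main__":
    for line in check_request(SAMPLE, "learning", {"pods": 1}):
        print(line)
```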