Fix example errors for CrossNamespacePodAffinity
Remove references to CrossNamespaceAffinity

The scope CrossNamespaceAffinity does not exist. Attempting to feed the example
YAML to `kubectl create` results in the following error:

> The ResourceQuota "disable-cross-namespace-affinity" is invalid:
> * spec.scopeSelector.matchExpressions.scopeName: Invalid value:
>  "CrossNamespaceAffinity": unsupported scope

Add missing operator for CrossNamespacePodAffinity

Trying to create the example ResourceQuotas without an operator results in the
following error from `kubectl create`:

> The ResourceQuota "disable-cross-namespace-affinity" is invalid:
> * spec.scopeSelector.matchExpressions.operator: Invalid value: "": must be
>   'Exist' when scope is any of ResourceQuotaScopeTerminating,
>   ResourceQuotaScopeNotTerminating, ResourceQuotaScopeBestEffort,
>   ResourceQuotaScopeNotBestEffort or
>   ResourceQuotaScopeCrossNamespacePodAffinity
> * spec.scopeSelector.matchExpressions.operator: Invalid value: "": not a valid
>     selector operator

The error message itself has another bug, as the operator is Exist*s*, not
Exist.

Signed-off-by: Simon Engmann <[email protected]>
sybereal committed Jul 19, 2023
1 parent 79eeabe commit cfb6309
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions content/en/docs/concepts/policy/resource-quotas.md
Expand Up @@ -465,7 +465,7 @@ from getting scheduled in a failure domain.
Using this scope operators can prevent certain namespaces (`foo-ns` in the example below)
from having pods that use cross-namespace pod affinity by creating a resource quota object in
that namespace with `CrossNamespaceAffinity` scope and hard limit of 0:
that namespace with `CrossNamespacePodAffinity` scope and hard limit of 0:
```yaml
apiVersion: v1
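Review bot: The context line "Using this scope operators can prevent certain namespaces" reads as "scope operators" on first pass; a comma after "scope" would fix that, and the sentence is already being touched two lines further down for the scope name. The new name `CrossNamespacePodAffinity` matches the scope named in the validation error quoted in the commit message, so the rename itself looks right.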
Expand All @@ -478,11 +478,12 @@ spec:
pods: "0"
scopeSelector:
matchExpressions:
- scopeName: CrossNamespaceAffinity
- scopeName: CrossNamespacePodAffinity
operator: Exists
```

If operators want to disallow using `namespaces` and `namespaceSelector` by default, and
only allow it for specific namespaces, they could configure `CrossNamespaceAffinity`
only allow it for specific namespaces, they could configure `CrossNamespacePodAffinity`
as a limited resource by setting the kube-apiserver flag --admission-control-config-file
to the path of the following configuration file:

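Review bot: Nothing in the prose around the example says that `operator: Exists` is required for this scope, so the line added to the YAML reads as optional. The validation error quoted in the commit message shows that an empty operator is rejected for `CrossNamespacePodAffinity`; one sentence stating that next to the example would keep readers from dropping the field and ending up without the quota they meant to create. Separately, `--admission-control-config-file` in the paragraph below the example is the only flag there not in backticks.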
Expand All @@ -497,12 +498,13 @@ plugins:
limitedResources:
- resource: pods
matchScopes:
- scopeName: CrossNamespaceAffinity
- scopeName: CrossNamespacePodAffinity
operator: Exists
```
With the above configuration, pods can use `namespaces` and `namespaceSelector` in pod affinity only
if the namespace where they are created have a resource quota object with
`CrossNamespaceAffinity` scope and a hard limit greater than or equal to the number of pods using those fields.
`CrossNamespacePodAffinity` scope and a hard limit greater than or equal to the number of pods using those fields.

## Requests compared to Limits {#requests-vs-limits}

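Review bot: The context line "if the namespace where they are created have a resource quota object" has a subject-verb mismatch ("namespace ... have"); the following line is changed in this hunk anyway, so "has" could go in with it. The `operator: Exists` added under `matchScopes` keeps this example consistent with the ResourceQuota example earlier in the file.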