Merge pull request #7003 from derekwaynecarr/enforce_unbounded

Reject unbounded cpu and memory pods if quota is restricting it
2025-09-25 04:11:46 +00:00 · 2015-04-22 11:19:52 -07:00
parent d790cc14a9 75482cabb4
commit ee06097c07
4 changed files with 154 additions and 0 deletions
--- a/pkg/resourcequota/resource_quota_controller.go
+++ b/pkg/resourcequota/resource_quota_controller.go
@@ -240,6 +240,28 @@ func PodCPU(pod *api.Pod) *resource.Quantity {
 	return resource.NewMilliQuantity(int64(val), resource.DecimalSI)
 }

+// IsPodCPUUnbounded returns true if the cpu use is unbounded for any container in pod
+func IsPodCPUUnbounded(pod *api.Pod) bool {
+	for j := range pod.Spec.Containers {
+		container := pod.Spec.Containers[j]
+		if container.Resources.Limits.Cpu().MilliValue() == int64(0) {
+			return true
+		}
+	}
+	return false
+}
+
+// IsPodMemoryUnbounded returns true if the memory use is unbounded for any container in pod
+func IsPodMemoryUnbounded(pod *api.Pod) bool {
+	for j := range pod.Spec.Containers {
+		container := pod.Spec.Containers[j]
+		if container.Resources.Limits.Memory().Value() == int64(0) {
+			return true
+		}
+	}
+	return false
+}
+
 // PodMemory computes the memory usage of a pod
 func PodMemory(pod *api.Pod) *resource.Quantity {
 	val := int64(0)
--- a/pkg/resourcequota/resource_quota_controller_test.go
+++ b/pkg/resourcequota/resource_quota_controller_test.go
@@ -267,3 +267,63 @@ func TestSyncResourceQuotaNoChange(t *testing.T) {
 		t.Errorf("SyncResourceQuota made an unexpected client action when state was not dirty: %v", kubeClient.Actions)
 	}
 }
+
+func TestIsPodCPUUnbounded(t *testing.T) {
+	pod := api.Pod{
+		ObjectMeta: api.ObjectMeta{Name: "pod-running"},
+		Status:     api.PodStatus{Phase: api.PodRunning},
+		Spec: api.PodSpec{
+			Volumes:    []api.Volume{{Name: "vol"}},
+			Containers: []api.Container{{Name: "ctr", Image: "image", Resources: getResourceRequirements("100m", "0")}},
+		},
+	}
+	if IsPodCPUUnbounded(&pod) {
+		t.Errorf("Expected false")
+	}
+	pod = api.Pod{
+		ObjectMeta: api.ObjectMeta{Name: "pod-running"},
+		Status:     api.PodStatus{Phase: api.PodRunning},
+		Spec: api.PodSpec{
+			Volumes:    []api.Volume{{Name: "vol"}},
+			Containers: []api.Container{{Name: "ctr", Image: "image", Resources: getResourceRequirements("0", "0")}},
+		},
+	}
+	if !IsPodCPUUnbounded(&pod) {
+		t.Errorf("Expected true")
+	}
+
+	pod.Spec.Containers[0].Resources = api.ResourceRequirements{}
+	if !IsPodCPUUnbounded(&pod) {
+		t.Errorf("Expected true")
+	}
+}
+
+func TestIsPodMemoryUnbounded(t *testing.T) {
+	pod := api.Pod{
+		ObjectMeta: api.ObjectMeta{Name: "pod-running"},
+		Status:     api.PodStatus{Phase: api.PodRunning},
+		Spec: api.PodSpec{
+			Volumes:    []api.Volume{{Name: "vol"}},
+			Containers: []api.Container{{Name: "ctr", Image: "image", Resources: getResourceRequirements("0", "1Gi")}},
+		},
+	}
+	if IsPodMemoryUnbounded(&pod) {
+		t.Errorf("Expected false")
+	}
+	pod = api.Pod{
+		ObjectMeta: api.ObjectMeta{Name: "pod-running"},
+		Status:     api.PodStatus{Phase: api.PodRunning},
+		Spec: api.PodSpec{
+			Volumes:    []api.Volume{{Name: "vol"}},
+			Containers: []api.Container{{Name: "ctr", Image: "image", Resources: getResourceRequirements("0", "0")}},
+		},
+	}
+	if !IsPodMemoryUnbounded(&pod) {
+		t.Errorf("Expected true")
+	}
+
+	pod.Spec.Containers[0].Resources = api.ResourceRequirements{}
+	if !IsPodMemoryUnbounded(&pod) {
+		t.Errorf("Expected true")
+	}
+}