container "zlog-collector" requires resource limits

[suvl]

We have an OPA agent running and, as everyone should, we have a requirement that all containers must specify resource limits. This is more than necessary to keep a cluster healthy. While installing the log collector, I got denied:

Error: admission webhook "validating-webhook.openpolicyagent.org" denied the request: container "zlog-collector" requires resource limits

You guys should really set this up. Any idea what good values would be for these limits?

[suvl]

Well, looking into the yamls, I noticed you already define memory limits for up to 1Gi. But cpu limits still triggered our OPA. Gonna set this to 1000m and check if it works.

[Deleted user]

Thanks Joao, this is very valuable feedback. Keep us posted and I’ll have our eng. team investigate and follow-up as well with appropriate recommendations and changes to the yaml as necessary. Rod… Rod Bagg VP Engineering 408-636-6347 [cid:image001.png@01D5C783.8D029EA0] From: João Trigo Soares <notifications@github.com> Sent: Friday, January 10, 2020 6:31 AM To: zebrium/ze-kubernetes-collector <ze-kubernetes-collector@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Subject: Re: [zebrium/ze-kubernetes-collector] container "zlog-collector" requires resource limits (#1) Well, looking into the yamls, I noticed you already define memory limits for up to 1Gi. But cpu limits still triggered our OPA. Gonna set this to 1000m and check if it works. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#1?email_source=notifications&email_token=AMWZR2QU3XZPWGGPPVXJ3OTQ5CBBVA5CNFSM4KFISGS2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIUCUBA#issuecomment-573057540>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMWZR2QNVWDNATEN3DKSYWDQ5CBBVANCNFSM4KFISGSQ>.

[Deleted user]

Joao, thanks for raising the issue.

We haven’t deployed OPA on our kubernetes clusters yet. I am curious about what kind of configuration you use. Do you use default resource policy or use your own policy? It is a little strange that OPA complains CPU resource request is too low.

As to CPU resource, it really depends on how much logs are generated. We should provide a recommendation to users.

Brady

[suvl]

@bradyzebrium @zebrium
Hi Brady.
We have custom policies on top that require every deployed container to have both cpu and memory limits in place. We believe that is a requirement for a healthy cluster, specially when all our clusters are multitenant at the moment.
I understand you have stated the memory limits, is there a reason for requiring "unlimited" cpu?

[Deleted user]

We don’t require unlimited CPU. We have 20m in requested cpu resource, limit is not set. I think currently maximum CPU log collector is 1 CPU which is 1000m in kubernetes cpu resource. We can set CPU limit to that. On Jan 13, 2020, at 3:37 AM, João Trigo Soares <notifications@github.com<mailto:notifications@github.com>> wrote: @bradyzebrium<https://github.com/bradyzebrium> @zebrium<https://github.com/zebrium> Hi Brady. We have custom policies on top that require every deployed container to have both cpu and memory limits in place. We believe that is a requirement for a healthy cluster, specially when all our clusters are multitenant at the moment. I understand you have stated the memory limits, is there a reason for requiring "unlimited" cpu? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#1?email_source=notifications&email_token=AMWZR2T6XEWMUGWRYN2ZV2TQ5RG6BA5CNFSM4KFISGS2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIYMRCI#issuecomment-573622409>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMWZR2QYPEHNSO4F7EQTDPDQ5RG6BANCNFSM4KFISGSQ>.

[Deleted user]

Hi Joao, I have set cpu limit to 1000m. Please let me know if you have any issues.

Brady

[suvl]

/close
it now works like a charm