container "zlog-collector" requires resource limits

[suvl]

We have an OPA agent running and, as everyone should, we have a requirement that all containers must specify resource limits. This is more than necessary to keep a cluster healthy. While installing the log collector, I got denied:

Error: admission webhook "validating-webhook.openpolicyagent.org" denied the request: container "zlog-collector" requires resource limits

You guys should really set this up. Any idea what good values would be for these limits?

[suvl]

Well, looking into the yamls, I noticed you already define memory limits for up to 1Gi. But cpu limits still triggered our OPA. Gonna set this to 1000m and check if it works.

[zebrium]

Thanks Joao, this is very valuable feedback.

Keep us posted and I’ll have our eng. team investigate and follow-up as well with appropriate recommendations and changes to the yaml as necessary.

Rod…

Rod Bagg VP Engineering 408-636-6347 [cid:image001.png@01D5C783.8D029EA0]

From: João Trigo Soares notifications@github.com Sent: Friday, January 10, 2020 6:31 AM To: zebrium/ze-kubernetes-collector ze-kubernetes-collector@noreply.github.com Cc: Subscribed subscribed@noreply.github.com Subject: Re: [zebrium/ze-kubernetes-collector] container "zlog-collector" requires resource limits (#1)

Well, looking into the yamls, I noticed you already define memory limits for up to 1Gi. But cpu limits still triggered our OPA. Gonna set this to 1000m and check if it works.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHubhttps://github.com/zebrium/ze-kubernetes-collector/issues/1?email_source=notifications&email_token=AMWZR2QU3XZPWGGPPVXJ3OTQ5CBBVA5CNFSM4KFISGS2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIUCUBA#issuecomment-573057540, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMWZR2QNVWDNATEN3DKSYWDQ5CBBVANCNFSM4KFISGSQ.

[zebrium]

Joao, thanks for raising the issue.

We haven’t deployed OPA on our kubernetes clusters yet. I am curious about what kind of configuration you use. Do you use default resource policy or use your own policy? It is a little strange that OPA complains CPU resource request is too low.

As to CPU resource, it really depends on how much logs are generated. We should provide a recommendation to users.

Brady

[suvl]

@bradyzebrium @zebrium Hi Brady. We have custom policies on top that require every deployed container to have both cpu and memory limits in place. We believe that is a requirement for a healthy cluster, specially when all our clusters are multitenant at the moment. I understand you have stated the memory limits, is there a reason for requiring "unlimited" cpu?

[zebrium]

We don’t require unlimited CPU. We have 20m in requested cpu resource, limit is not set. I think currently maximum CPU log collector is 1 CPU which is 1000m in kubernetes cpu resource. We can set CPU limit to that.

On Jan 13, 2020, at 3:37 AM, João Trigo Soares notifications@github.com<mailto:notifications@github.com> wrote:

@bradyzebriumhttps://github.com/bradyzebrium @zebriumhttps://github.com/zebrium Hi Brady. We have custom policies on top that require every deployed container to have both cpu and memory limits in place. We believe that is a requirement for a healthy cluster, specially when all our clusters are multitenant at the moment. I understand you have stated the memory limits, is there a reason for requiring "unlimited" cpu?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/zebrium/ze-kubernetes-collector/issues/1?email_source=notifications&email_token=AMWZR2T6XEWMUGWRYN2ZV2TQ5RG6BA5CNFSM4KFISGS2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIYMRCI#issuecomment-573622409, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMWZR2QYPEHNSO4F7EQTDPDQ5RG6BANCNFSM4KFISGSQ.

[zebrium]

Hi Joao, I have set cpu limit to 1000m. Please let me know if you have any issues.

Brady

[suvl]

/close it now works like a charm