Configure resource requests and limits
Big picture​
Resource requests and limits are essential configurations for managing resource allocation and ensuring optimal performance of Kubernetes workloads. In Calico Cloud, these configurations can be customized using custom resources to meet specific requirements and optimize resource utilization.
It's important to note that the CPU and memory values used in the examples are for demonstration purposes and should be adjusted based on individual system requirements. To find the list of all applicable containers for a component, please refer to its specification.
APIServer custom resource​
The APIServer CR provides a way to configure APIServerDeployment. The following sections provide example configurations for this CR.
APIServerDeployment​
To configure resource specification for the APIServerDeployment, patch the installation CR using the below command:
$ kubectl patch apiserver tigera-secure --type=merge --patch='{"spec": {"apiServerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"calico-apiserver","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-queryserver","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
$ kubectl get deployment.apps/tigera-apiserver -n tigera-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico APIServerDeployment component in JSON format.
{
"name": "calico-apiserver",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-queryserver",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ApplicationLayer custom resource​
The ApplicationLayer CR provides a way to configure resources for L7LogCollectorDaemonSet. The following sections provide example configurations for this CR.
L7LogCollectorDaemonSet​
To configure resource specification for the L7LogCollectorDaemonSet, patch the ApplicationLayer CR using the below command:
$ kubectl patch applicationlayer tigera-secure --type=merge --patch='{"spec": {"l7LogCollectorDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"l7-collector","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"envoy-proxy","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
applicationlayer.operator.tigera.io/tigera-secure patched
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
$ kubectl get daemonset.apps/l7-log-collector -n calico-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico L7LogCollectorDaemonSet component in JSON format.
{
"name": "envoy-proxy",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "l7-collector",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Compliance custom resource​
The Compliance CR provides a way to configure resources for ComplianceControllerDeployment, ComplianceSnapshotterDeployment, ComplianceBenchmarkerDaemonSet, ComplianceServerDeployment, ComplianceReporterPodTemplate. The following sections provide example configurations for this CR.
ComplianceControllerDeployment​
To configure resource specification for the ComplianceControllerDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceControllerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-controller","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-controller -n tigera-compliance -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceControllerDeployment component in JSON format.
{
"name": "compliance-controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceSnapshotterDeployment​
To configure resource specification for the ComplianceSnapshotterDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceSnapshotterDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-snapshotter","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-snapshotter -n tigera-compliance -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceSnapshotterDeployment in JSON format.
{
"name": "compliance-snapshotter",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceBenchmarkerDaemonSet​
To configure resource specification for the ComplianceBenchmarkerDaemonSet, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceBenchmarkerDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-benchmarker","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get daemonset.apps/compliance-benchmarker -n tigera-compliance -o json |jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
{
"name": "compliance-benchmarker",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
This command will output the configured resource requests and limits for the ComplianceBenchmarkerDaemonSet in JSON format.
ComplianceServerDeployment​
To configure resource specification for the ComplianceServerDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceServerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-server","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-server -n tigera-compliance -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceServerDeployment in JSON format.
{
"name": "compliance-server",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceReporterPodTemplate.​
To configure resource specification for the ComplianceReporterPodTemplate, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceReporterPodTemplate": {"template": {"spec": {"containers":[{"name":"reporter","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get Podtemplates tigera.io.report -n tigera-compliance -o json | jq '.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceReporterPodTemplate component in JSON format.
{
"name": "reporter",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Installation custom resource​
The Installation CR provides a way to configure resources for various Calico Enterprise components, including TyphaDeployment, calicoNodeDaemonSet, CalicoNodeWindowsDaemonSet, csiNodeDriverDaemonSet and KubeControllersDeployment. The following sections provide example configurations for this CR.
Example Configurations:
TyphaDeployment​
To configure resource specification for the TyphaDeployment, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"typhaDeployment": {"spec": {"template": {"spec": {"containers": [{"name": "calico-typha", "resources": {"requests": {"cpu": "100m", "memory": "100Mi"}, "limits": {"cpu": "1", "memory": "1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
$ kubectl get deployment.apps/calico-typha -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico TyphaDeployment component in JSON format.
{
"name": "calico-typha",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CalicoNodeDaemonSet​
To configure resource requests for the calicoNodeDaemonSet component, patch the installation CR using the below command:
$ kubectl patch installations default --type=merge --patch='{"spec": {"calicoNodeDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-node","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
$ kubectl get daemonset.apps/calico-node -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeDaemonSet component in JSON format.
{
"name": "calico-node",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
calicoNodeWindowsDaemonSet​
To configure resource requests for the calicoNodeWindowsDaemonSet component, patch the installation CR using the below command:
$ kubectl patch installations default --type=merge --patch='{"spec": {"calicoNodeWindowsDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-node-windows","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
$ kubectl get daemonset.apps/calico-node -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeWindowsDaemonSet component in JSON format.
{
"name": "calico-node",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CalicoKubeControllersDeployment​
To configure resource requests for the CalicoKubeControllersDeployment component, patch the installation CR using the below command:
$ kubectl patch installations default --type=merge --patch='{"spec": {"calicoKubeControllersDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"calico-kube-controllers","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
$ kubectl get deployment.apps/calico-kube-controllers -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico CalicoKubeControllersDeployment component in JSON format.
{
"name": "calico-kube-controllers",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CSINodeDriverDaemonSet​
To configure resource requests for the CSINodeDriverDaemonSet component, patch the installation CR using the below command:
$ kubectl patch installations default --type=merge --patch='{"spec": {"csiNodeDriverDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-csi","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}},{"name":"csi-node-driver-registrar","resources":{"requests":{"cpu":"50m", "memory":"50Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
$ kubectl get daemonset.apps/csi-node-driver -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeDaemonSet component in JSON format.
{
"name": "calico-csi",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "csi-node-driver-registrar",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "50m",
"memory": "50Mi"
}
}
}
IntrusionDetection custom resource​
The IntrusionDetection CR provides a way to configure resources for IntrusionDetectionControllerDeployment. The following sections provide example configurations for this CR.
IntrusionDetectionControllerDeployment.​
To configure resource specification for the IntrusionDetectionControllerDeployment, patch the IntrusionDetection CR using the below command:
$ kubectl patch intrusiondetection tigera-secure --type=merge --patch='{"spec": {"intrusionDetectionControllerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"webhooks-processor","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}},{"name":"controller","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
$ kubectl get deployment.apps/intrusion-detection-controller -n tigera-intrusion-detection -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the IntrusionDetectionControllerDeployment in JSON format.
{
"name": "controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
{
"name": "webhooks-processor",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
LogCollector custom resource​
The LogCollector CR provides a way to configure resources for FluentdDaemonSet, EKSLogForwarderDeployment.
FluentdDaemonSet.​
To configure resource specification for the FluentdDaemonSet, patch the LogCollector CR using the below command:
kubectl patch logcollector tigera-secure --type=merge --patch='{"spec": {"fluentdDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"fluentd","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get daemonset.apps/fluentd-node -n tigera-fluentd -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the FluentdDaemonSet in JSON format.
{
"name": "fluentd",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
EKSLogForwarderDeployment.​
To configure resource specification for the EKSLogForwarderDeployment, patch the LogCollector CR using the below command:
kubectl patch logcollector tigera-secure --type=merge --patch='{"spec": {"eksLogForwarderDeployment": {"spec": {"template": {"spec": {"containers":[{"name":"eks-log-forwarder","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/eks-log-forwarder -n tigera-fluentd -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the EKSLogForwarderDeployment in JSON format.
{
"name": "eks-log-forwarder",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ManagementClusterConnection custom resource​
The ManagementClusterConnection CR provides a way to configure resources for GuardianDeployment. The following sections provide example configurations for this CR.
GuardianDeployment.​
To configure resource specification for the GuardianDeployment, patch the ManagementClusterConnection CR using the below command:
kubectl patch managementclusterconnection tigera-secure --type=merge --patch='{"spec": {"guardianDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-guardian","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-guardian -n tigera-guardian -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the GuardianDeployment in JSON format.
{
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
PacketCaptureAPI custom resource​
The PacketCaptureAPI CR provides a way to configure resources for PacketCapture. The following sections provide example configurations for this CR.
PacketCaptureAPIDeployment​
To configure resource specification for the PacketCaptureAPI, patch the PacketCapture CR using the below command:
kubectl patch packetcaptureapis tigera-secure --type=merge --patch='{"spec": {"packetCaptureAPIDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-packetcapture-server","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-packetcapture -n tigera-packetcapture -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the PacketCaptureDeployment in JSON format.
{
"name": "tigera-packetcapture-server",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}