Configure resource requests and limits
Big picture
Resource requests and limits are essential configurations for managing resource allocation and ensuring optimal performance of Kubernetes workloads. In Calico Enterprise, these configurations can be customized using custom resources to meet specific requirements and optimize resource utilization.
It's important to note that the CPU and memory values used in the examples are for demonstration purposes and should be adjusted based on individual system requirements. To find the list of all applicable containers for a component, please refer to its specification.
APIServer custom resource
The APIServer CR provides a way to configure APIServerDeployment. The following sections provide example configurations for this CR.
APIServerDeployment
To configure resource specification for the APIServerDeployment, patch the APIServer CR using the below command:
kubectl patch apiserver tigera-secure --type=merge --patch='{"spec": {"apiServerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"calico-apiserver","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-queryserver","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-apiserver -n tigera-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico APIServerDeployment component in JSON format.
{
"name": "calico-apiserver",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-queryserver",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ApplicationLayer custom resource
The ApplicationLayer CR provides a way to configure resources for L7LogCollectorDaemonSet. The following sections provide example configurations for this CR.
L7LogCollectorDaemonSet
To configure resource specification for the L7LogCollectorDaemonSet, patch the ApplicationLayer CR using the below command:
kubectl patch applicationlayer tigera-secure --type=merge --patch='{"spec": {"l7LogCollectorDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"l7-collector","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"envoy-proxy","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get daemonset.apps/l7-log-collector -n calico-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico L7LogCollectorDaemonSet component in JSON format.
{
"name": "envoy-proxy",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "l7-collector",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Authentication custom resource
The Authentication CR provides a way to configure resources for DexDeployment. The following sections provide example configurations for this CR.
DexDeployment
To configure resource specification for the DexDeployment, patch the Authentication CR using the below command:
kubectl patch authentication tigera-secure --type=merge --patch='{"spec": {"dexDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-dex","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-dex -n tigera-dex -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico DexDeployment component in JSON format.
{
"name": "tigera-dex",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Compliance custom resource
The Compliance CR provides a way to configure resources for ComplianceControllerDeployment, ComplianceSnapshotterDeployment, ComplianceBenchmarkerDaemonSet, ComplianceServerDeployment, ComplianceReporterPodTemplate. The following sections provide example configurations for this CR.
Example Configurations:
ComplianceControllerDeployment
To configure resource specification for the ComplianceControllerDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceControllerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-controller","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-controller -n tigera-compliance -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceControllerDeployment component in JSON format.
{
"name": "compliance-controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceSnapshotterDeployment
To configure resource specification for the ComplianceSnapshotterDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceSnapshotterDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-snapshotter","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-snapshotter -n tigera-compliance -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceSnapshotterDeployment in JSON format.
{
"name": "compliance-snapshotter",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceBenchmarkerDaemonSet
To configure resource specification for the ComplianceBenchmarkerDaemonSet, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceBenchmarkerDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-benchmarker","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get daemonset.apps/compliance-benchmarker -n tigera-compliance -o json |jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
{
"name": "compliance-benchmarker",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
This command will output the configured resource requests and limits for the ComplianceBenchmarkerDaemonSet in JSON format.
ComplianceServerDeployment
To configure resource specification for the ComplianceServerDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceServerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-server","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-server -n tigera-compliance -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceServerDeployment in JSON format.
{
"name": "compliance-server",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceReporterPodTemplate.
To configure resource specification for the ComplianceReporterPodTemplate, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceReporterPodTemplate": {"template": {"spec": {"containers":[{"name":"reporter","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get Podtemplates tigera.io.report -n tigera-compliance -o json | jq '.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceReporterPodTemplate component in JSON format.
{
"name": "reporter",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Installation custom resource
The Installation CR provides a way to configure resources for various Calico Enterprise components, including TyphaDeployment, calicoNodeDaemonSet, CalicoNodeWindowsDaemonSet, csiNodeDriverDaemonSet and KubeControllersDeployment. The following sections provide example configurations for this CR.
TyphaDeployment
To configure resource specification for the TyphaDeployment, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"typhaDeployment": {"spec": {"template": {"spec": {"containers": [{"name": "calico-typha", "resources": {"requests": {"cpu": "100m", "memory": "100Mi"}, "limits": {"cpu": "1", "memory": "1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/calico-typha -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico TyphaDeployment component in JSON format.
{
"name": "calico-typha",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CalicoNodeDaemonSet
To configure resource requests for the calicoNodeDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoNodeDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-node","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get daemonset.apps/calico-node -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeDaemonSet component in JSON format.
{
"name": "calico-node",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
calicoNodeWindowsDaemonSet
To configure resource requests for the calicoNodeWindowsDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoNodeWindowsDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-node-windows","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get daemonset.apps/calico-node -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeWindowsDaemonSet component in JSON format.
{
"name": "calico-node",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CalicoKubeControllersDeployment
To configure resource requests for the CalicoKubeControllersDeployment component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoKubeControllersDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"calico-kube-controllers","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/calico-kube-controllers -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico CalicoKubeControllersDeployment component in JSON format.
{
"name": "calico-kube-controllers",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CSINodeDriverDaemonSet
To configure resource requests for the CSINodeDriverDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"csiNodeDriverDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-csi","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}},{"name":"csi-node-driver-registrar","resources":{"requests":{"cpu":"50m", "memory":"50Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get daemonset.apps/csi-node-driver -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeDaemonSet component in JSON format.
{
"name": "calico-csi",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "csi-node-driver-registrar",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "50m",
"memory": "50Mi"
}
}
}
IntrusionDetection custom resource
The IntrusionDetection CR provides a way to configure resources for IntrusionDetectionControllerDeployment. The following sections provide example configurations for this CR.
IntrusionDetectionControllerDeployment.
To configure resource specification for the IntrusionDetectionControllerDeployment, patch the IntrusionDetection CR using the below command:
kubectl patch intrusiondetection tigera-secure --type=merge --patch='{"spec": {"intrusionDetectionControllerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"webhooks-processor","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}},{"name":"controller","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/intrusion-detection-controller -n tigera-intrusion-detection -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the IntrusionDetectionControllerDeployment in JSON format.
{
"name": "controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
{
"name": "webhooks-processor",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
LogCollector custom resource
The LogCollector CR provides a way to configure resources for FluentdDaemonSet, EKSLogForwarderDeployment.
FluentdDaemonSet.
To configure resource specification for the FluentdDaemonSet, patch the LogCollector CR using the below command:
kubectl patch logcollector tigera-secure --type=merge --patch='{"spec": {"fluentdDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"fluentd","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get daemonset.apps/fluentd-node -n tigera-fluentd -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the FluentdDaemonSet in JSON format.
{
"name": "fluentd",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
EKSLogForwarderDeployment.
To configure resource specification for the EKSLogForwarderDeployment, patch the LogCollector CR using the below command:
kubectl patch logcollector tigera-secure --type=merge --patch='{"spec": {"eksLogForwarderDeployment": {"spec": {"template": {"spec": {"containers":[{"name":"eks-log-forwarder","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/eks-log-forwarder -n tigera-fluentd -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the EKSLogForwarderDeployment in JSON format.
{
"name": "eks-log-forwarder",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
LogStorage custom resource
The LogStorage CR provides a way to configure resources for ECKOperatorStatefulSet, Kibana, LinseedDeployment, ElasticsearchMetricsDeployment. The following sections provide example configurations for this CR.
ECKOperatorStatefulSet.
To configure resource specification for the ECKOperatorStatefulSet, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"eckOperatorStatefulSet":{"spec": {"template": {"spec": {"containers":[{"name":"manager","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get statefulset.apps/elastic-operator -n tigera-eck-operator -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ECKOperatorStatefulSet in JSON format.
{
"name": "manager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Kibana
To configure resource specification for the Kibana, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"kibana":{"spec": {"template": {"spec": {"containers":[{"name":"kibana","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-secure-kb -n tigera-kibana -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Kibana in JSON format.
{
"name": "kibana",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
LinseedDeployment
To configure resource specification for the LinseedDeployment, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"linseedDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-linseed","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-linseed -n tigera-elasticsearch -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the LinseedDeployment in JSON format.
{
"name": "tigera-linseed",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ElasticsearchMetricsDeployment
To configure resource specification for the ElasticsearchMetricsDeployment, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"elasticsearchMetricsDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-elasticsearch-metrics","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-elasticsearch-metrics -n tigera-elasticsearch -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ElasticsearchMetricsDeployment in JSON format.
{
"name": "tigera-elasticsearch-metrics",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
ManagementClusterConnection custom resource
The ManagementClusterConnection CR provides a way to configure resources for GuardianDeployment. The following sections provide example configurations for this CR.
GuardianDeployment
To configure resource specification for the GuardianDeployment, patch the ManagementClusterConnection CR using the below command:
kubectl patch managementclusterconnection tigera-secure --type=merge --patch='{"spec": {"guardianDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-guardian","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-guardian -n tigera-guardian -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the GuardianDeployment in JSON format.
{
"name": "tigera-guardian",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Manager custom resource
The Manager CR provides a way to configure resources for ManagerDeployment. The following sections provide example configurations for this CR.
ManagerDeployment
To configure resource specification for the ManagerDeployment, patch the Manager CR using the below command:
kubectl patch manager tigera-secure --type=merge --patch='{"spec": {"managerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-voltron","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-es-proxy","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-manager","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-manager -n tigera-manager -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ManagerDeployment in JSON format.
{
"name": "tigera-es-proxy",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-voltron",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-manager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Monitor custom resource
The Monitor CR provides a way to configure resources for Prometheus, AlertManager. The following sections provide example configurations for this CR.
Prometheus
To configure resource specification for the Prometheus, Resources for the default container "prometheus" can be configured using the "resources" field under "commonPrometheusFields". For all other injected containers, such as "authn-proxy", resource configuration can be set using the "containers" struct, as shown below in the patch command below.
kubectl patch monitor tigera-secure --type=merge --patch='{"spec": {"prometheus": {"spec":{ "commonPrometheusFields": {"resources": {"limits": {"cpu":"500m","memory":"500Mi"}, "requests": {"cpu":"50m", "memory":"50Mi"}}, "containers":[{"name":"authn-proxy","resources":{"limits": {"cpu":"250m","memory":"500Mi"},"requests": {"cpu":"25m","memory":"50Mi"}}}]}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get statefulset.apps/prometheus-calico-node-prometheus -n tigera-prometheus -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Prometheus in JSON format.
The "config-reloader" container has default resource values set based by the Prometheus resource.
{
"name": "prometheus",
"resources": {
"limits": {
"cpu": "500m",
"memory": "500Mi"
},
"requests": {
"cpu": "50m",
"memory": "50Mi"
}
}
}
{
"name": "config-reloader",
"resources": {
"limits": {
"cpu": "10m",
"memory": "50Mi"
},
"requests": {
"cpu": "10m",
"memory": "50Mi"
}
}
}
{
"name": "authn-proxy",
"resources": {
"limits": {
"cpu": "250m",
"memory": "500Mi"
},
"requests": {
"cpu": "25m",
"memory": "50Mi"
}
}
}
AlertManager
To configure resource specification for the AlertManager, you can set resources for the default container "prometheus" using the "resources" field under "commonPrometheusFields". For all other injected containers, like "authn-proxy", resource configuration can be set using the "containers" struct, as shown below in the patch command below.
kubectl patch monitor tigera-secure --type=merge --patch='{"spec": {"alertManager": {"spec": {"resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get statefulset.apps/alertmanager-calico-node-alertmanager -n tigera-prometheus -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the AlertManager in JSON format.
The "config-reloader" container has default resource values set by the AlertManager resource.
{
"name": "alertmanager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "config-reloader",
"resources": {
"limits": {
"cpu": "10m",
"memory": "50Mi"
},
"requests": {
"cpu": "10m",
"memory": "50Mi"
}
}
}
PacketCapture custom resource
The PacketCapture CR provides a way to configure resources for PacketCapture. The following sections provide example configurations for this CR.
PacketCaptureDeployment
To configure resource specification for the PacketCapture, patch the PacketCapture CR using the below command:
kubectl patch packetcaptures.operator.tigera.io tigera-secure --type=merge --patch='{"spec": {"packetCaptureDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-packetcapture-server","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-packetcapture -n tigera-packetcapture -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the PacketCaptureDeployment in JSON format.
{
"name": "tigera-packetcapture-server",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
PolicyRecommendation custom resource
The PolicyRecommendation CR provides a way to configure resources for PolicyRecommendation. The following sections provide example configurations for this CR.
PolicyRecommendationDeployment
To configure resource specification for the PolicyRecommendationDeployment, patch the PolicyRecommendation CR using the below command:
kubectl patch policyrecommendation tigera-secure --type=merge --patch='{"spec": {"policyRecommendationDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"policy-recommendation-controller","resources":{"requests":{"cpu":"100m", "memory":"100Mi"},"limits":{"cpu":"1", "memory":"512Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-policy-recommendation -n tigera-policy-recommendation -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the PolicyRecommendationDeployment in JSON format.
{
"name": "policy-recommendation-controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "512Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Update via Helm
To update configurations during installation via the Helm chart, modify the values.yaml with the necessary resource values for the components prior to executing the helm install.
The provided example illustrates configuring the apiserver component. Follow a similar approach for other components to update resource requests and limits during installation using the Helm chart.
APIServer custom resource
The APIServer CR provides a way to configure APIServerDeployment. The following sections provide example values.yaml for apiserver component.
APIServerDeployment
To configure resource specification for the APIServerDeployment, update values.yaml with the appropriate resource values.
apiServer:
apiServerDeployment:
spec:
template:
spec:
containers:
- name: calico-apiserver
resources:
limits:
cpu: 1
memory: 1000Mi
requests:
cpu: 100m
memory: 100Mi
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-apiserver -n tigera-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'