Configure resource requests and limits
Big picture​
Resource requests and limits are essential configurations for managing resource allocation and ensuring optimal performance of Kubernetes workloads. In Calico Enterprise, these configurations can be customized using custom resources to meet specific requirements and optimize resource utilization.
It's important to note that the CPU and memory values used in the examples are for demonstration purposes and should be adjusted based on individual system requirements. To find the list of all applicable containers for a component, please refer to its specification.
APIServer custom resource​
The APIServer CR provides a way to configure APIServerDeployment. The following sections provide example configurations for this CR.
APIServerDeployment​
To configure resource specification for the APIServerDeployment, patch the APIServer CR using the below command:
kubectl patch apiserver tigera-secure --type=merge --patch='{"spec": {"apiServerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"calico-apiserver","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-queryserver","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-apiserver -n tigera-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico APIServerDeployment component in JSON format.
{
"name": "calico-apiserver",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-queryserver",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ApplicationLayer custom resource​
The ApplicationLayer CR provides a way to configure resources for L7LogCollectorDaemonSet. The following sections provide example configurations for this CR.
L7LogCollectorDaemonSet​
To configure resource specification for the L7LogCollectorDaemonSet, patch the ApplicationLayer CR using the below command:
kubectl patch applicationlayer tigera-secure --type=merge --patch='{"spec": {"l7LogCollectorDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"l7-collector","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"envoy-proxy","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get daemonset.apps/l7-log-collector -n calico-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico L7LogCollectorDaemonSet component in JSON format.
{
"name": "envoy-proxy",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "l7-collector",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Authentication custom resource​
The Authentication CR provides a way to configure resources for DexDeployment. The following sections provide example configurations for this CR.
DexDeployment​
To configure resource specification for the DexDeployment, patch the Authentication CR using the below command:
kubectl patch authentication tigera-secure --type=merge --patch='{"spec": {"dexDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-dex","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-dex -n tigera-dex -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico DexDeployment component in JSON format.
{
"name": "tigera-dex",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Compliance custom resource​
The Compliance CR provides a way to configure resources for ComplianceControllerDeployment, ComplianceSnapshotterDeployment, ComplianceBenchmarkerDaemonSet, ComplianceServerDeployment, ComplianceReporterPodTemplate. The following sections provide example configurations for this CR.
Example Configurations:
ComplianceControllerDeployment​
To configure resource specification for the ComplianceControllerDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceControllerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-controller","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-controller -n tigera-compliance -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceControllerDeployment component in JSON format.
{
"name": "compliance-controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceSnapshotterDeployment​
To configure resource specification for the ComplianceSnapshotterDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceSnapshotterDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-snapshotter","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-snapshotter -n tigera-compliance -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceSnapshotterDeployment in JSON format.
{
"name": "compliance-snapshotter",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceBenchmarkerDaemonSet​
To configure resource specification for the ComplianceBenchmarkerDaemonSet, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceBenchmarkerDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-benchmarker","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get daemonset.apps/compliance-benchmarker -n tigera-compliance -o json |jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
{
"name": "compliance-benchmarker",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
This command will output the configured resource requests and limits for the ComplianceBenchmarkerDaemonSet in JSON format.
ComplianceServerDeployment​
To configure resource specification for the ComplianceServerDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceServerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-server","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-server -n tigera-compliance -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceServerDeployment in JSON format.
{
"name": "compliance-server",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceReporterPodTemplate.​
To configure resource specification for the ComplianceReporterPodTemplate, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceReporterPodTemplate": {"template": {"spec": {"containers":[{"name":"reporter","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get Podtemplates tigera.io.report -n tigera-compliance -o json | jq '.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceReporterPodTemplate component in JSON format.
{
"name": "reporter",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Installation custom resource​
The Installation CR provides a way to configure resources for various Calico Enterprise components, including TyphaDeployment, calicoNodeDaemonSet, CalicoNodeWindowsDaemonSet, csiNodeDriverDaemonSet and KubeControllersDeployment. The following sections provide example configurations for this CR.
TyphaDeployment​
To configure resource specification for the TyphaDeployment, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"typhaDeployment": {"spec": {"template": {"spec": {"containers": [{"name": "calico-typha", "resources": {"requests": {"cpu": "100m", "memory": "100Mi"}, "limits": {"cpu": "1", "memory": "1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/calico-typha -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico TyphaDeployment component in JSON format.
{
"name": "calico-typha",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CalicoNodeDaemonSet​
To configure resource requests for the calicoNodeDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoNodeDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-node","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get daemonset.apps/calico-node -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeDaemonSet component in JSON format.
{
"name": "calico-node",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
calicoNodeWindowsDaemonSet​
To configure resource requests for the calicoNodeWindowsDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoNodeWindowsDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-node-windows","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get daemonset.apps/calico-node -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeWindowsDaemonSet component in JSON format.
{
"name": "calico-node",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CalicoKubeControllersDeployment​
To configure resource requests for the CalicoKubeControllersDeployment component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoKubeControllersDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"calico-kube-controllers","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/calico-kube-controllers -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico CalicoKubeControllersDeployment component in JSON format.
{
"name": "calico-kube-controllers",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CSINodeDriverDaemonSet​
To configure resource requests for the CSINodeDriverDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"csiNodeDriverDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-csi","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}},{"name":"csi-node-driver-registrar","resources":{"requests":{"cpu":"50m", "memory":"50Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get daemonset.apps/csi-node-driver -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeDaemonSet component in JSON format.
{
"name": "calico-csi",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "csi-node-driver-registrar",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "50m",
"memory": "50Mi"
}
}
}
IntrusionDetection custom resource​
The IntrusionDetection CR provides a way to configure resources for IntrusionDetectionControllerDeployment. The following sections provide example configurations for this CR.
IntrusionDetectionControllerDeployment.​
To configure resource specification for the IntrusionDetectionControllerDeployment, patch the IntrusionDetection CR using the below command:
kubectl patch intrusiondetection tigera-secure --type=merge --patch='{"spec": {"intrusionDetectionControllerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"webhooks-processor","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}},{"name":"controller","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/intrusion-detection-controller -n tigera-intrusion-detection -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the IntrusionDetectionControllerDeployment in JSON format.
{
"name": "controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
{
"name": "webhooks-processor",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
LogCollector custom resource​
The LogCollector CR provides a way to configure resources for FluentdDaemonSet, EKSLogForwarderDeployment.
FluentdDaemonSet.​
To configure resource specification for the FluentdDaemonSet, patch the LogCollector CR using the below command:
kubectl patch logcollector tigera-secure --type=merge --patch='{"spec": {"fluentdDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"fluentd","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get daemonset.apps/fluentd-node -n tigera-fluentd -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the FluentdDaemonSet in JSON format.
{
"name": "fluentd",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
EKSLogForwarderDeployment.​
To configure resource specification for the EKSLogForwarderDeployment, patch the LogCollector CR using the below command:
kubectl patch logcollector tigera-secure --type=merge --patch='{"spec": {"eksLogForwarderDeployment": {"spec": {"template": {"spec": {"containers":[{"name":"eks-log-forwarder","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/eks-log-forwarder -n tigera-fluentd -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the EKSLogForwarderDeployment in JSON format.
{
"name": "eks-log-forwarder",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
LogStorage custom resource​
The LogStorage CR provides a way to configure resources for ECKOperatorStatefulSet, Kibana, LinseedDeployment, ElasticsearchMetricsDeployment. The following sections provide example configurations for this CR.
ECKOperatorStatefulSet.​
To configure resource specification for the ECKOperatorStatefulSet, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"eckOperatorStatefulSet":{"spec": {"template": {"spec": {"containers":[{"name":"manager","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get statefulset.apps/elastic-operator -n tigera-eck-operator -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ECKOperatorStatefulSet in JSON format.
{
"name": "manager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Kibana​
To configure resource specification for the Kibana, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"kibana":{"spec": {"template": {"spec": {"containers":[{"name":"kibana","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-secure-kb -n tigera-kibana -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Kibana in JSON format.
{
"name": "kibana",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
LinseedDeployment​
To configure resource specification for the LinseedDeployment, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"linseedDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-linseed","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-linseed -n tigera-elasticsearch -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the LinseedDeployment in JSON format.
{
"name": "tigera-linseed",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ElasticsearchMetricsDeployment​
To configure resource specification for the ElasticsearchMetricsDeployment, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"elasticsearchMetricsDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-elasticsearch-metrics","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-elasticsearch-metrics -n tigera-elasticsearch -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ElasticsearchMetricsDeployment in JSON format.
{
"name": "tigera-elasticsearch-metrics",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
ManagementClusterConnection custom resource​
The ManagementClusterConnection CR provides a way to configure resources for GuardianDeployment. The following sections provide example configurations for this CR.
GuardianDeployment​
To configure resource specification for the GuardianDeployment, patch the ManagementClusterConnection CR using the below command:
kubectl patch managementclusterconnection tigera-secure --type=merge --patch='{"spec": {"guardianDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-guardian","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-guardian -n tigera-guardian -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the GuardianDeployment in JSON format.
{
"name": "tigera-guardian",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Manager custom resource​
The Manager CR provides a way to configure resources for ManagerDeployment. The following sections provide example configurations for this CR.
ManagerDeployment​
To configure resource specification for the ManagerDeployment, patch the Manager CR using the below command:
kubectl patch manager tigera-secure --type=merge --patch='{"spec": {"managerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-voltron","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-es-proxy","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-manager","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-manager -n tigera-manager -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ManagerDeployment in JSON format.
{
"name": "tigera-es-proxy",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-voltron",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-manager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Monitor custom resource​
The Monitor CR provides a way to configure resources for Prometheus, AlertManager. The following sections provide example configurations for this CR.
Prometheus​
To configure resource specification for the Prometheus, Resources for the default container "prometheus" can be configured using the "resources" field under "commonPrometheusFields". For all other injected containers, such as "authn-proxy", resource configuration can be set using the "containers" struct, as shown below in the patch command below.
kubectl patch monitor tigera-secure --type=merge --patch='{"spec": {"prometheus": {"spec":{ "commonPrometheusFields": {"resources": {"limits": {"cpu":"500m","memory":"500Mi"}, "requests": {"cpu":"50m", "memory":"50Mi"}}, "containers":[{"name":"authn-proxy","resources":{"limits": {"cpu":"250m","memory":"500Mi"},"requests": {"cpu":"25m","memory":"50Mi"}}}]}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get statefulset.apps/prometheus-calico-node-prometheus -n tigera-prometheus -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Prometheus in JSON format.
The "config-reloader" container has default resource values set based by the Prometheus resource.
{
"name": "prometheus",
"resources": {
"limits": {
"cpu": "500m",
"memory": "500Mi"
},
"requests": {
"cpu": "50m",
"memory": "50Mi"
}
}
}
{
"name": "config-reloader",
"resources": {
"limits": {
"cpu": "10m",
"memory": "50Mi"
},
"requests": {
"cpu": "10m",
"memory": "50Mi"
}
}
}
{
"name": "authn-proxy",
"resources": {
"limits": {
"cpu": "250m",
"memory": "500Mi"
},
"requests": {
"cpu": "25m",
"memory": "50Mi"
}
}
}
AlertManager​
To configure resource specification for the AlertManager, you can set resources for the default container "prometheus" using the "resources" field under "commonPrometheusFields". For all other injected containers, like "authn-proxy", resource configuration can be set using the "containers" struct, as shown below in the patch command below.
kubectl patch monitor tigera-secure --type=merge --patch='{"spec": {"alertManager": {"spec": {"resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get statefulset.apps/alertmanager-calico-node-alertmanager -n tigera-prometheus -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the AlertManager in JSON format.
The "config-reloader" container has default resource values set by the AlertManager resource.
{
"name": "alertmanager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "config-reloader",
"resources": {
"limits": {
"cpu": "10m",
"memory": "50Mi"
},
"requests": {
"cpu": "10m",
"memory": "50Mi"
}
}
}
PacketCapture custom resource​
The PacketCapture CR provides a way to configure resources for PacketCapture. The following sections provide example configurations for this CR.
PacketCaptureDeployment​
To configure resource specification for the PacketCapture, patch the PacketCapture CR using the below command:
kubectl patch packetcaptures.operator.tigera.io tigera-secure --type=merge --patch='{"spec": {"packetCaptureDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-packetcapture-server","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-packetcapture -n tigera-packetcapture -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the PacketCaptureDeployment in JSON format.
{
"name": "tigera-packetcapture-server",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
PolicyRecommendation custom resource​
The PolicyRecommendation CR provides a way to configure resources for PolicyRecommendation. The following sections provide example configurations for this CR.
PolicyRecommendationDeployment​
To configure resource specification for the PolicyRecommendationDeployment, patch the PolicyRecommendation CR using the below command:
kubectl patch policyrecommendation tigera-secure --type=merge --patch='{"spec": {"policyRecommendationDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"policy-recommendation-controller","resources":{"requests":{"cpu":"100m", "memory":"100Mi"},"limits":{"cpu":"1", "memory":"512Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verification​
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-policy-recommendation -n tigera-policy-recommendation -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the PolicyRecommendationDeployment in JSON format.
{
"name": "policy-recommendation-controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "512Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Update via Helm​
To update configurations during installation via the Helm chart, modify the values.yaml with the necessary resource values for the components prior to executing the helm install.
The provided example illustrates configuring the apiserver component. Follow a similar approach for other components to update resource requests and limits during installation using the Helm chart.
APIServer custom resource​
The APIServer CR provides a way to configure APIServerDeployment. The following sections provide example values.yaml for apiserver component.
APIServerDeployment​
To configure resource specification for the APIServerDeployment, update values.yaml with the appropriate resource values.
apiServer:
apiServerDeployment:
spec:
template:
spec:
containers:
- name: calico-apiserver
resources:
limits:
cpu: 1
memory: 1000Mi
requests:
cpu: 100m
memory: 100Mi
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-apiserver -n tigera-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'