From 7f3d0ef9b1d1dcce250bdc6251c8d100d9c77582 Mon Sep 17 00:00:00 2001 From: Derek Carr Date: Wed, 6 Mar 2019 11:05:16 -0500 Subject: [PATCH] pid limiting documentation --- .../en/docs/tasks/administer-cluster/pids.md | 44 +++++++++++++++++++ .../reserve-compute-resources.md | 3 ++ 2 files changed, 47 insertions(+) create mode 100644 content/en/docs/tasks/administer-cluster/pids.md diff --git a/content/en/docs/tasks/administer-cluster/pids.md b/content/en/docs/tasks/administer-cluster/pids.md new file mode 100644 index 0000000000000..da7825336cf75 --- /dev/null +++ b/content/en/docs/tasks/administer-cluster/pids.md 
@@ -0,0 +1,44 @@ +--- +reviewers: +- derekwaynecarr +- dashpole +- RobertKrawitz +title: Pid Limiting +content_template: templates/concept +--- + +{{% capture overview %}} +{{< feature-state state="beta" >}} + +This page explains how to configure pid limiting with the `kubelet`. + +Pids are a fundamental resource on Linux hosts. It is trivial to hit the task +limit without hitting any other resource limits and cause instability to a host +machine. + +Administrators require mechanisms to ensure that user pods cannot induce pid +exhaustion that prevents host daemons (runtime, kubelet, etc) from running. In +addition, it is important to ensure that pids are limited among pods in order to +ensure they have limited impact to other workloads on the node. + +{{% /capture %}} + +{{% capture body %}} + +## Pod to Pod Isolation of Pids + +The `SupportPodPidsLimit` feature gate is *beta*. + +If enabled, the `kubelet` argument for `pod-max-pids` will write out the configured +pid limit to the pod level cgroup to the value specified on Linux hosts. If -1, +the `kubelet` will default to the node allocatable pid capacity. + +## Node to Pod Isolation of Pids + +The `SupportNodePidsLimit` feature gate is *alpha*. + +If enabled, the node allocatable feature is able to reserve a number of pids for +system components. The `pids` resource is supported when specifying `system-reserved` +and `kube-reserved` flags for the `kubelet`. + +{{% /capture %}} diff --git a/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md b/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md index 923db9a03c606..143fa4f0c5786 100644 --- a/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md +++ b/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md 
@@ -250,4 +250,7 @@ for `kube-reserved` and `system-reserved`. As of Kubernetes version 1.8, the `storage` key name was changed to `ephemeral-storage` for the alpha release. +As of Kubernetes version 1.14, the `kubelet` supports specifying `pids` as a resource +for `kube-reserved` and `system-reserved`. + {{% /capture %}}
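Review bot: In the new `pids.md`, the sentence under "Pod to Pod Isolation of Pids" ("the `kubelet` argument for `pod-max-pids` will write out the configured pid limit to the pod level cgroup to the value specified on Linux hosts") is hard to parse and repeats itself; suggest naming the flag in its actual form and stating the semantics once, e.g. "When enabled, the `--pod-max-pids` kubelet flag sets the pid limit written to each pod-level cgroup on Linux hosts. A value of -1 means the `kubelet` uses the node allocatable pid capacity as the limit." It would also help the operator reading this page to say explicitly that with -1 a single pod is only bounded by what the node has left after `kube-reserved`/`system-reserved`, so pod-to-pod isolation depends on an explicit positive value here, and that the node-to-pod section (`SupportNodePidsLimit`) is alpha and therefore off unless the gate is set.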
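Review bot: The added note in `reserve-compute-resources.md` ("As of Kubernetes version 1.14, the `kubelet` supports specifying `pids` as a resource for `kube-reserved` and `system-reserved`") omits that this is behind the alpha `SupportNodePidsLimit` feature gate, which the other file in this same patch states; a reader of this page alone would expect `pids` to work by default. Suggest "As of Kubernetes version 1.14, the `kubelet` supports specifying `pids` as a resource for `kube-reserved` and `system-reserved` when the `SupportNodePidsLimit` feature gate (alpha) is enabled; see [Pid Limiting](/docs/tasks/administer-cluster/pids/)." The link path is assumed from the new file's location in this patch.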