If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

• Limits can be used to set the minimum and maximum amount of CPU/memory/storage for:
  • a single deployment related asset (e.g. container / pod) in a namespace and is typically defined in deployment YAML or deployment config YAML
  • all deployment related assets (e.g. containers / pods) in a namespace
• Quotas can be used to:
  • set the maximum amount of CPU and memory that can be used in a namespace
  • set the maximum number of running resources (e.g. persistent volume claims, pods, replication controllers, routes, secrets, services, et cetera) in a namespace
• Cluster Resource Quotas is the same as Quotas except the minimum and maximum are associated with:
  • A user
  • One or more namespaces

You can set both requests and limits.

• requests
  • ​the amount of memory / CPU that is reserved or allocated for the container.
• limit
  • ​the maximum amount of memory / CPU a container can use
  • if a container reaches the CPU limit, the container will be throttled (won’t let it consume any more CPU)
  • if a container reaches the memory limit, Out Of Memory (OOM) should occur and the pod should be killed
  • if a container reaches the storage limit, the pod should be evicted

The oc create quota command can be used to create a quota in a project / namespace. In this example, the quota would be limited to a specific project / namespace.

~]# oc create quota default-quota --hard=pods=10,cpu=1,memory=1G,pods=2,secrets=1 --namespace <some namespace>
resourcequota/default-quota created

The oc create clusterresourcequota command can be used to create a quota for a specifc user. In this example, quotas are set for John Doe.

oc create clusterresourcequota john-doe --project-annotation-selector openshift.io/requester=johndoe --hard=pods=10 --hard=secrets=5

The oc create clusterresourcequota command can also be used to create a quota for one or more project / namespace. In this example, the quota will be applied to all projects containing "foo".

oc create clusterresourcequota foo --project-label-selector=name=foo --hard=pods=10 --hard=secrets=5

The oc get clusterresourcequota command can be used to list the cluster resource quotas that have been created.

~]$ oc get clusterresourcequota
NAME       AGE
foo        9s
john-doe   15s

The oc describe clusterresourcequota command can be used to display more information about a cluster resource quota.

AVOID TROUBLE

Notice 9 used secrets with a hard limit of 5 secrets. This happens when the cluster resource quota is created after the objects have already been created.

~]$ oc describe clusterresourcequota john-doe
Name:           john-doe
Created:        17 seconds ago
Labels:         <none>
Annotations:    <none>
Namespace Selector: []
Label Selector: 
AnnotationSelector: map[openshift.io/requester:johndoe]
Resource        Used    Hard
--------        ----    ----
pods            10      10
secrets         9       5

Or, the oc get clusterresourcequota command with the --output json or --output yaml option can be used.

~]$ oc get clusterresourcequota john-doe --output yaml
apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
  creationTimestamp: "2022-07-20T01:50:10Z"
  generation: 1
  name: john-doe
  resourceVersion: "438328335"
  uid: 0bc0c407-7bb6-4f16-b0e3-95ace2682990
spec:
  quota:
    hard:
      pods: "10"
      secrets: "5"
  selector:
    annotations:
      openshift.io/requester: johndoe
    labels: null

The --output jsonpath option can be used to print the value of a specific JSON key.

~]$ oc get clusterresourcequota john-doe --output jsonpath={.spec.quota.hard.pods}
10

If you do something that exceeds the quota, something like this should be returned.

~]$ oc create --filename pod.yml
Error from server (Forbidden): pods "pod001" is forbidden: exceeded quota: john-doe, requested: pods=1, used: pods=10, limited: pods=10