What is the Default Memory/CPU for a Pod?

Reuven Harrison
3 min read · Jun 13, 2020

Kubernetes doesn’t provide default resource limits out-of-the-box. This means that unless you explicitly define limits, your containers can consume unlimited CPU and memory.

Resource limits are enforced at the container level but are usually defined as part of the Deployment, like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 100m
          requests:
            cpu: 100m

You can also define a default limit for pods that don’t specify their own limits. This is done by creating a LimitRange in the relevant namespace:

apiVersion: v1
kind: LimitRange
metadata:
  name: my-limit
spec:
  limits:
  - default:
      memory: 512Mi
      cpu: 100m
    type: Container

Pods deployed after this LimitRange, without their own CPU or memory limit, will have these limits applied to them automatically.

Example

Create a new namespace:

kubectl create ns test

Create a LimitRange:

cat <<EOF | kubectl -n test create -f -
apiVersion: v1
kind: LimitRange
metadata:
  name: my-limit
spec:
  limits:
  - default:
      memory: 512Mi
      cpu: 100m
    type: Container
EOF

Create a deployment without specifying limits:

cat <<EOF | kubectl -n test create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
EOF

Check the pod and you will see that it has limits as defined in your LimitRange (note that Requests were also added):

kubectl -n test describe pod | grep -A5 Limits
    Limits:
      cpu: 100m
      memory: 512Mi
    Requests:
      cpu: 100m
      memory: 512Mi

Kubernetes is also kind enough to document the change with an annotation:

kubectl -n test describe pod | grep Annotations
Annotations: kubernetes.io/limit-ranger: LimitRanger plugin set: cpu, memory request for container nginx; cpu, memory limit for container nginx

LimitRanges Have Some Surprising Behaviors

  1. New Kubernetes clusters have a single predefined LimitRange named “limits” in the default namespace with CPU limit set to 100m (that’s 1/10 of a CPU core). Other namespaces don’t have a default LimitRange but you can create them on your own.
  2. There may be multiple LimitRanges per namespace. In this case, Kubernetes will use one of them for the default limits (and all of them for min and max limits).
  3. Containers that were created before the LimitRange will not be affected by it.
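
Because of point 3, adding a LimitRange to a namespace that is already in use leaves the existing containers unbounded. The following is an added example, not code from the original post: it audits pod JSON for containers that lack CPU or memory limits and uses the limit-ranger annotation shown above to tell injected defaults from explicit ones. The function names and the sample pods are constructed for illustration.

```python
import json
import re

ANNOTATION = "kubernetes.io/limit-ranger"  # annotation key shown in the post
PART = re.compile(r"^(.+) (request|limit) for container (\S+)$")

def injected_limits(note):
    """Parse the annotation text: container name -> resources whose limit was injected."""
    out = {}
    for part in note.split("set:", 1)[-1].split(";"):
        m = PART.match(part.strip())
        if m and m.group(2) == "limit":
            out.setdefault(m.group(3), set()).update(r.strip() for r in m.group(1).split(","))
    return out

def audit(pod_list, required=("cpu", "memory")):
    """One finding per container: limits that are missing, limits that were defaulted."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        injected = injected_limits((meta.get("annotations") or {}).get(ANNOTATION, ""))
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            limits = (c.get("resources") or {}).get("limits") or {}
            findings.append({
                "pod": f'{meta.get("namespace")}/{meta.get("name")}',
                "container": c["name"],
                "missing": [r for r in required if r not in limits],
                "defaulted": sorted(injected.get(c["name"], ())),
            })
    return findings

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "test", "name": "nginx-new", "annotations": {
    "kubernetes.io/limit-ranger": "LimitRanger plugin set: cpu, memory request for container nginx; cpu, memory limit for container nginx"}},
  "spec": {"containers": [{"name": "nginx",
    "resources": {"limits": {"cpu": "100m", "memory": "512Mi"},
                  "requests": {"cpu": "100m", "memory": "512Mi"}}}]}},
 {"metadata": {"namespace": "test", "name": "legacy-api"},
  "spec": {"containers": [{"name": "api", "resources": {}}]}},
 {"metadata": {"namespace": "test", "name": "cpu-only"},
  "spec": {"containers": [{"name": "web",
    "resources": {"limits": {"cpu": "100m"}, "requests": {"cpu": "100m"}}}]}}
]}
""")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        state = "UNBOUNDED " + ",".join(f["missing"]) if f["missing"] else "ok"
        print(f'{f["pod"]}/{f["container"]}: {state} defaulted={f["defaulted"]}')
```

To run it against a cluster, replace SAMPLE with the parsed output of kubectl get pods -A -o json; pods reported as unbounded have to be recreated before the LimitRange defaults apply to them.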

How Does It Work?

The LimitRange functionality is implemented through a Kubernetes admission controller.

Motivation

Limiting pod resources is a good practice. It can prevent unruly pods from disrupting other well-behaved pods by gobbling up all the resources on the node.

You can think of this as a way to prevent denial-of-service, accidental or malicious. As such, resource limits are also recommended as a security precaution.

Admission Controllers view in SecureCloud with LimitRanger enabled

Related Topics

You can also use the LimitRange to restrict max and minimum resources per pod.

You can use another resource called ResourceQuota to restrict resources for a namespace as a whole.
