When several users or teams share a cluster with a fixed number of nodes, there is a concern that one team could use more than its fair share of resources. Resource quotas are a tool for administrators to address this concern. A resource quota, defined by a ResourceQuota object, provides constraints that limit aggregate resource consumption per namespace. A ResourceQuota can also limit the quantity of objects that can be created in a namespace by API kind, as well as the total amount of infrastructure resources that may be consumed by API objects found in that namespace.

Production-Grade Container Orchestration

This page describes the process of migrating from PodSecurityPolicies to the built-in PodSecurity admission controller. This can be done effectively using a combination of dry-run and audit and warn modes, although this becomes harder if mutating PSPs are used. Before you begin Your Kubernetes server must be at or later than version v1.22. To check the version, enter kubectl version. If you are currently running a version of Kubernetes other than 1.

This page explains how to debug Pods running (or crashing) on a Node. Before you begin Your Pod should already be scheduled and running. If your Pod is not yet running, start with Debugging Pods. For some of the advanced debugging steps you need to know on which Node the Pod is running and have shell access to run commands on that Node. You don't need that access to run the standard debug steps that use kubectl.

FEATURE STATE: Kubernetes v1.35 [stable] This page shows how to assign extended resources to a Container. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

Namespaces can be labeled to enforce the Pod Security Standards. The three policies privileged, baseline and restricted broadly cover the security spectrum and are implemented by the Pod Security admission controller. Before you begin Pod Security Admission was available by default in Kubernetes v1.23, as a beta. From version 1.25 onwards, Pod Security Admission is generally available. To check the version, enter kubectl version. Requiring the baseline Pod Security Standard with namespace labels This manifest defines a Namespace my-baseline-namespace that:

Kubernetes provides a built-in admission controller to enforce the Pod Security Standards. You can configure this admission controller to set cluster-wide defaults and exemptions. Before you begin Following an alpha release in Kubernetes v1.22, Pod Security Admission became available by default in Kubernetes v1.23, as a beta. From version 1.25 onwards, Pod Security Admission is generally available. To check the version, enter kubectl version. If you are not running Kubernetes 1.

This page shows how to debug a node running on the Kubernetes cluster using kubectl debug command. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

FEATURE STATE: Kubernetes v1.11 [stable] crictl is a command-line interface for CRI-compatible container runtimes. You can use it to inspect and debug container runtimes and applications on a Kubernetes node. crictl and its source are hosted in the cri-tools repository. Before you begin crictl requires a Linux operating system with a CRI runtime. Installing crictl You can download a compressed archive crictl from the cri-tools release page, for several different architectures.

Creating Secret objects using kubectl command line.