Description of problem: When the project has some resources already, eg has 4 services, cluster-admin still can create clusterquota which the limit of this resource is less than consumed, eg, 3 services In this situation, if user tried to create other resources which do not exceed the clusterquota, it always failed. Version-Release number of selected component (if applicable): openshift v3.3.0.21 kubernetes v1.3.0+507d3a7 etcd 2.3.0+git How reproducible: Always Steps to Reproduce: 1.Create some resources in project, eg. 4 services. 2.Add label to this project. # oc label namespace/prozyp test=zyp namespace "prozyp" labeled 3.Create clusterquota to limit the project. # oc create clusterresourcequota clusterquota --project-label-selector=test=zyp --hard=pods=10,memory=1Gi,cpu=800m,services=3 # oc describe clusterquota clusterquota 4.In the project create pod that doesn't exceed the clusterquota. # oc run testpod2 --image=aosqe/hello-openshift --generator=run-pod/v1 --limits='cpu=100m,memory=200Mi' Actual results: 3.CLusterquota is created successfully. # oc create clusterresourcequota clusterquota --project-label-selector=test=zyp --hard=pods=10,memory=1Gi,cpu=800m,services=3 clusterresourcequota "clusterquota" created # oc describe clusterquota clusterquota Name: clusterquota Namespace: <none> Created: 4 minutes ago Labels: <none> Annotations: <none> Label Selector: test=zyp AnnotationSelector: map[] Resource Used Hard -------- ---- ---- cpu 400m 800m memory 600Mi 1Gi pods 3 10 services 4 3 4.Could not create pod successfully. # oc run testpod2 --image=aosqe/hello-openshift --generator=run-pod/v1 --limits='cpu=100m,memory=200Mi' Error from server: pods "testpod2" is forbidden: Exceeded quota: clusterquota, requested: , used: services=4, limited: services=3 Expected results: 4.If clusterquota can be created successfully in above situation, it should not forbid the creation of resources which don't exceed the quota, so the pod should be created successfully. Additional info:
This impacts project and cluster-quota. The check should be to verify that the LessThanOrEqual check is only performed on the masked delta usage not the summed new usage across all resources.
Upstream PR: https://github.com/kubernetes/kubernetes/pull/30796
Origin PR: https://github.com/openshift/origin/pull/10493
This has been merged into ose and is in OSE v3.3.0.23 or newer.
Checked on ocp v3.3.0.23. oc v3.3.0.23-dirty openshift v3.3.0.23-dirty kubernetes v1.3.0+507d3a7 etcd 2.3.0+git Now could create other resources in project when clusterquota was created with one resource exceeding the limits.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1933