Bug 1485375 - [DOCS] Invalid objects can cause quota resources for a project to become exhausted.
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.4.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
: 3.7.0
Assignee: Ashley Hardin
QA Contact: DeShuai Ma
Vikram Goyal
Depends On: 1484134
Reported: 2017-08-25 13:45 UTC by Eric Rich
Modified: 2020-09-10 11:18 UTC

Clone Of: 1484134
Last Closed: 2018-07-10 22:04:55 UTC

Description Eric Rich 2017-08-25 13:45:08 UTC
+++ This bug was initially created as a clone of Bug #1484134 +++

Description of problem:
If the wrong secret is passed in a given buildconfig (the secret is non-existent in the project space), it will consume all of the resources set via quota and thus any other build, deployment, etc. will fail until the X build is deleted.

As a result, this build pod is an invalid object, incrementing a counter that quota is tracking, which leads to quota exhaustion.

This needs to be documented as a known issue / possible issue with object creation.

Version-Release number of selected component (if applicable):
3.4 to 3.7(3.8)

--- Additional comment from Derek Carr on 2017-08-23 11:51:19 EDT ---

Quota is incremented in admission prior to validation of the resource. As a result, quota may be incremented even if the pod is not ultimately persisted. This is a known limitation of the quota subsystem today in Kubernetes that we will have to address in a future release.

We should probably doc this at minimum in the product documentation, and we would want an RFE in the future to address this.

--- Additional comment from Derek Carr on 2017-08-24 17:29:46 EDT ---

To provide context for this issue, the API server at a high level works as follows:

1. Receive request
2. Deserialize the object
3. Default the object
4. Convert the object to internal form
5. Admission controllers Admit the object
6. Validate the object
7. ...
8. Persist the Object

Quota validation happens as part of the admission controller chain, and before object validation.  As a result, invalid objects sent to the API server can cause temporary charges to quota until replenishment occurs.

Ideally, we could have validation happen before quota, which requires bucketing of admission controllers into defaulters and non-defaulters.  This bucketing is not yet possible.
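
The ordering described in the comment above, as a simplified Go model added here (it is not Kubernetes or OpenShift code and not part of the original bug report). The `Pod`, `Project`, `Create`, `Drift` and `Replenish` names are hypothetical, and the secret-existence check is an assumed stand-in for object validation. It shows quota being charged at admission and staying charged after validation fails, until replenishment recomputes usage from persisted objects.

```go
package main

import (
	"errors"
	"fmt"
)

// Pod is a minimal stand-in for a build pod; Secret names the secret it uses.
type Pod struct{ Name, Secret string }

// Project is a toy namespace: a pod-count quota (Hard), the usage counter the
// quota admission step maintains (Used), and the objects actually persisted.
type Project struct {
	Hard, Used int
	Secrets    map[string]bool
	Stored     []Pod
}

var ErrQuota = errors.New("forbidden: exceeded quota")
var ErrInvalid = errors.New("invalid: secret not found")

// Create follows the order in the comment above: admit (charge quota) first,
// validate second, persist last. A validation failure leaves the charge behind.
func (p *Project) Create(pod Pod) error {
	if p.Used+1 > p.Hard { // step 5: quota admission
		return ErrQuota
	}
	p.Used++
	if !p.Secrets[pod.Secret] { // step 6: validation (assumed check)
		return ErrInvalid
	}
	p.Stored = append(p.Stored, pod) // step 8: persist
	return nil
}

// Drift reports quota charged for objects that were never persisted.
func (p *Project) Drift() int { return p.Used - len(p.Stored) }

// Replenish models the resync that recomputes usage from persisted objects.
func (p *Project) Replenish() { p.Used = len(p.Stored) }

func main() {
	// Constructed sample: quota of 2 pods, one existing secret named "good".
	p := &Project{Hard: 2, Secrets: map[string]bool{"good": true}}
	fmt.Println(p.Create(Pod{"b1", "missing"}), p.Create(Pod{"b2", "missing"}))
	fmt.Println(p.Create(Pod{"b3", "good"}), "drift:", p.Drift())
	p.Replenish()
	fmt.Println(p.Create(Pod{"b3", "good"}), "drift:", p.Drift())
}
```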

Comment 2 Ashley Hardin 2018-07-06 18:38:14 UTC
Work in progress: https://github.com/openshift/openshift-docs/pull/10700

Comment 3 DeShuai Ma 2018-07-09 02:04:31 UTC
The change to doc LGTM, move to verified.
