Configure resource requests and limits
Big pictureβ
Resource requests and limits are essential configurations for managing resource allocation and ensuring optimal performance of Kubernetes workloads. In Calico Enterprise, these configurations can be customized using custom resources to meet specific requirements and optimize resource utilization.
It's important to note that the CPU and memory values used in the examples are for demonstration purposes and should be adjusted based on individual system requirements. To find the list of all applicable containers for a component, please refer to its specification.
APIServer custom resourceβ
The APIServer CR provides a way to configure APIServerDeployment. The following sections provide example configurations for this CR.
APIServerDeploymentβ
To configure resource specification for the APIServerDeployment, patch the APIServer CR using the below command:
kubectl patch apiserver tigera-secure --type=merge --patch='{"spec": {"apiServerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"calico-apiserver","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-queryserver","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-apiserver -n tigera-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico APIServerDeployment component in JSON format.
{
"name": "calico-apiserver",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-queryserver",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ApplicationLayer custom resourceβ
The ApplicationLayer CR provides a way to configure resources for L7LogCollectorDaemonSet. The following sections provide example configurations for this CR.
L7LogCollectorDaemonSetβ
To configure resource specification for the L7LogCollectorDaemonSet, patch the ApplicationLayer CR using the below command:
kubectl patch applicationlayer tigera-secure --type=merge --patch='{"spec": {"l7LogCollectorDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"l7-collector","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"envoy-proxy","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get daemonset.apps/l7-log-collector -n calico-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico L7LogCollectorDaemonSet component in JSON format.
{
"name": "envoy-proxy",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "l7-collector",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Authentication custom resourceβ
The Authentication CR provides a way to configure resources for DexDeployment. The following sections provide example configurations for this CR.
DexDeploymentβ
To configure resource specification for the DexDeployment, patch the Authentication CR using the below command:
kubectl patch authentication tigera-secure --type=merge --patch='{"spec": {"dexDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-dex","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-dex -n tigera-dex -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Calico DexDeployment component in JSON format.
{
"name": "tigera-dex",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Compliance custom resourceβ
The Compliance CR provides a way to configure resources for ComplianceControllerDeployment, ComplianceSnapshotterDeployment, ComplianceBenchmarkerDaemonSet, ComplianceServerDeployment, ComplianceReporterPodTemplate. The following sections provide example configurations for this CR.
Example Configurations:
ComplianceControllerDeploymentβ
To configure resource specification for the ComplianceControllerDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceControllerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-controller","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-controller -n tigera-compliance -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceControllerDeployment component in JSON format.
{
"name": "compliance-controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceSnapshotterDeploymentβ
To configure resource specification for the ComplianceSnapshotterDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceSnapshotterDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-snapshotter","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-snapshotter -n tigera-compliance -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceSnapshotterDeployment in JSON format.
{
"name": "compliance-snapshotter",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceBenchmarkerDaemonSetβ
To configure resource specification for the ComplianceBenchmarkerDaemonSet, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceBenchmarkerDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-benchmarker","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get daemonset.apps/compliance-benchmarker -n tigera-compliance -o json |jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
{
"name": "compliance-benchmarker",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
This command will output the configured resource requests and limits for the ComplianceBenchmarkerDaemonSet in JSON format.
ComplianceServerDeploymentβ
To configure resource specification for the ComplianceServerDeployment, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceServerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"compliance-server","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/compliance-server -n tigera-compliance -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceServerDeployment in JSON format.
{
"name": "compliance-server",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ComplianceReporterPodTemplate.β
To configure resource specification for the ComplianceReporterPodTemplate, patch the Compliance CR using the below command:
kubectl patch compliance tigera-secure --type=merge --patch='{"spec": {"complianceReporterPodTemplate": {"template": {"spec": {"containers":[{"name":"reporter","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get Podtemplates tigera.io.report -n tigera-compliance -o json | jq '.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ComplianceReporterPodTemplate component in JSON format.
{
"name": "reporter",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Installation custom resourceβ
The Installation CR provides a way to configure resources for various Calico Enterprise components, including TyphaDeployment, calicoNodeDaemonSet, CalicoNodeWindowsDaemonSet, csiNodeDriverDaemonSet and KubeControllersDeployment. The following sections provide example configurations for this CR.
TyphaDeploymentβ
To configure resource specification for the TyphaDeployment, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"typhaDeployment": {"spec": {"template": {"spec": {"containers": [{"name": "calico-typha", "resources": {"requests": {"cpu": "100m", "memory": "100Mi"}, "limits": {"cpu": "1", "memory": "1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/calico-typha -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico TyphaDeployment component in JSON format.
{
"name": "calico-typha",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CalicoNodeDaemonSetβ
To configure resource requests for the calicoNodeDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoNodeDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-node","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get daemonset.apps/calico-node -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeDaemonSet component in JSON format.
{
"name": "calico-node",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
calicoNodeWindowsDaemonSetβ
To configure resource requests for the calicoNodeWindowsDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoNodeWindowsDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-node-windows","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get daemonset.apps/calico-node -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeWindowsDaemonSet component in JSON format.
{
"name": "calico-node",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CalicoKubeControllersDeploymentβ
To configure resource requests for the CalicoKubeControllersDeployment component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"calicoKubeControllersDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"calico-kube-controllers","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/calico-kube-controllers -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico CalicoKubeControllersDeployment component in JSON format.
{
"name": "calico-kube-controllers",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
CSINodeDriverDaemonSetβ
To configure resource requests for the CSINodeDriverDaemonSet component, patch the installation CR using the below command:
kubectl patch installations default --type=merge --patch='{"spec": {"csiNodeDriverDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"calico-csi","resources":{"requests":{"cpu":"100m", "memory":"100Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}},{"name":"csi-node-driver-registrar","resources":{"requests":{"cpu":"50m", "memory":"50Mi"}, "limits":{"cpu":"1", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get daemonset.apps/csi-node-driver -n calico-system -o json | jq '.spec.template.spec.containers[]| {name:.name,resources:.resources}'
This command will output the configured resource requests and limits for the Calico calicoNodeDaemonSet component in JSON format.
{
"name": "calico-csi",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "csi-node-driver-registrar",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "50m",
"memory": "50Mi"
}
}
}
IntrusionDetection custom resourceβ
The IntrusionDetection CR provides a way to configure resources for IntrusionDetectionControllerDeployment. The following sections provide example configurations for this CR.
IntrusionDetectionControllerDeployment.β
To configure resource specification for the IntrusionDetectionControllerDeployment, patch the IntrusionDetection CR using the below command:
kubectl patch intrusiondetection tigera-secure --type=merge --patch='{"spec": {"intrusionDetectionControllerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"webhooks-processor","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}},{"name":"controller","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/intrusion-detection-controller -n tigera-intrusion-detection -o json|jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the IntrusionDetectionControllerDeployment in JSON format.
{
"name": "controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
{
"name": "webhooks-processor",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
LogCollector custom resourceβ
The LogCollector CR provides a way to configure resources for FluentdDaemonSet, EKSLogForwarderDeployment.
FluentdDaemonSet.β
To configure resource specification for the FluentdDaemonSet, patch the LogCollector CR using the below command:
kubectl patch logcollector tigera-secure --type=merge --patch='{"spec": {"fluentdDaemonSet":{"spec": {"template": {"spec": {"containers":[{"name":"fluentd","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get daemonset.apps/fluentd-node -n tigera-fluentd -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the FluentdDaemonSet in JSON format.
{
"name": "fluentd",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
EKSLogForwarderDeployment.β
To configure resource specification for the EKSLogForwarderDeployment, patch the LogCollector CR using the below command:
kubectl patch logcollector tigera-secure --type=merge --patch='{"spec": {"eksLogForwarderDeployment": {"spec": {"template": {"spec": {"containers":[{"name":"eks-log-forwarder","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/eks-log-forwarder -n tigera-fluentd -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the EKSLogForwarderDeployment in JSON format.
{
"name": "eks-log-forwarder",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
LogStorage custom resourceβ
The LogStorage CR provides a way to configure resources for ECKOperatorStatefulSet, Kibana, LinseedDeployment, ElasticsearchMetricsDeployment. The following sections provide example configurations for this CR.
ECKOperatorStatefulSet.β
To configure resource specification for the ECKOperatorStatefulSet, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"eckOperatorStatefulSet":{"spec": {"template": {"spec": {"containers":[{"name":"manager","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get statefulset.apps/elastic-operator -n tigera-eck-operator -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ECKOperatorStatefulSet in JSON format.
{
"name": "manager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Kibanaβ
To configure resource specification for the Kibana, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"kibana":{"spec": {"template": {"spec": {"containers":[{"name":"kibana","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-secure-kb -n tigera-kibana -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Kibana in JSON format.
{
"name": "kibana",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
LinseedDeploymentβ
To configure resource specification for the LinseedDeployment, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"linseedDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-linseed","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-linseed -n tigera-elasticsearch -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the LinseedDeployment in JSON format.
{
"name": "tigera-linseed",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
ElasticsearchMetricsDeploymentβ
To configure resource specification for the ElasticsearchMetricsDeployment, patch the LogStorage CR using the below command:
kubectl patch logstorage tigera-secure --type=merge --patch='{"spec": {"elasticsearchMetricsDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-elasticsearch-metrics","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"1000Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-elasticsearch-metrics -n tigera-elasticsearch -o json| jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ElasticsearchMetricsDeployment in JSON format.
{
"name": "tigera-elasticsearch-metrics",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "1000Mi"
}
}
}
ManagementClusterConnection custom resourceβ
The ManagementClusterConnection CR provides a way to configure resources for GuardianDeployment. The following sections provide example configurations for this CR.
GuardianDeploymentβ
To configure resource specification for the GuardianDeployment, patch the ManagementClusterConnection CR using the below command:
kubectl patch managementclusterconnection tigera-secure --type=merge --patch='{"spec": {"guardianDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-guardian","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-guardian -n tigera-guardian -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the GuardianDeployment in JSON format.
{
"name": "tigera-guardian",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Manager custom resourceβ
The Manager CR provides a way to configure resources for ManagerDeployment. The following sections provide example configurations for this CR.
ManagerDeploymentβ
To configure resource specification for the ManagerDeployment, patch the Manager CR using the below command:
kubectl patch manager tigera-secure --type=merge --patch='{"spec": {"managerDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-voltron","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-ui-apis","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}},{"name":"tigera-manager","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-manager -n tigera-manager -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the ManagerDeployment in JSON format.
{
"name": "tigera-ui-apis",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-voltron",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "tigera-manager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Monitor custom resourceβ
The Monitor CR provides a way to configure resources for Prometheus, Alertmanager. The following sections provide example configurations for this CR.
Prometheusβ
To configure resource specification for the Prometheus, Resources for the default container "prometheus" can be configured using the "resources" field under "commonPrometheusFields". For all other injected containers, such as "authn-proxy", resource configuration can be set using the "containers" struct, as shown below in the patch command below.
kubectl patch monitor tigera-secure --type=merge --patch='{"spec": {"prometheus": {"spec":{ "commonPrometheusFields": {"resources": {"limits": {"cpu":"500m","memory":"500Mi"}, "requests": {"cpu":"50m", "memory":"50Mi"}}, "containers":[{"name":"authn-proxy","resources":{"limits": {"cpu":"250m","memory":"500Mi"},"requests": {"cpu":"25m","memory":"50Mi"}}}]}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get statefulset.apps/prometheus-calico-node-prometheus -n tigera-prometheus -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Prometheus in JSON format.
The "config-reloader" container has default resource values set based by the Prometheus resource.
{
"name": "prometheus",
"resources": {
"limits": {
"cpu": "500m",
"memory": "500Mi"
},
"requests": {
"cpu": "50m",
"memory": "50Mi"
}
}
}
{
"name": "config-reloader",
"resources": {
"limits": {
"cpu": "10m",
"memory": "50Mi"
},
"requests": {
"cpu": "10m",
"memory": "50Mi"
}
}
}
{
"name": "authn-proxy",
"resources": {
"limits": {
"cpu": "250m",
"memory": "500Mi"
},
"requests": {
"cpu": "25m",
"memory": "50Mi"
}
}
}
Alertmanagerβ
To configure resource specification for the Alertmanager, you can set resources for the default container "prometheus" using the "resources" field under "commonPrometheusFields". For all other injected containers, like "authn-proxy", resource configuration can be set using the "containers" struct, as shown below in the patch command below.
kubectl patch monitor tigera-secure --type=merge --patch='{"spec": {"alertManager": {"spec": {"resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get statefulset.apps/alertmanager-calico-node-alertmanager -n tigera-prometheus -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the Alertmanager in JSON format.
The "config-reloader" container has default resource values set by the Alertmanager resource.
{
"name": "alertmanager",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
{
"name": "config-reloader",
"resources": {
"limits": {
"cpu": "10m",
"memory": "50Mi"
},
"requests": {
"cpu": "10m",
"memory": "50Mi"
}
}
}
PacketCaptureAPI custom resourceβ
The PacketCaptureAPI CR provides a way to configure resources for PacketCapture. The following sections provide example configurations for this CR.
PacketCaptureAPIDeploymentβ
To configure resource specification for the PacketCaptureAPI, patch the PacketCapture CR using the below command:
kubectl patch packetcaptureapis tigera-secure --type=merge --patch='{"spec": {"packetCaptureAPIDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"tigera-packetcapture-server","resources":{"limits":{"cpu":"1", "memory":"1000Mi"},"requests":{"cpu":"100m", "memory":"100Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-packetcapture -n tigera-packetcapture -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the PacketCaptureDeployment in JSON format.
{
"name": "tigera-packetcapture-server",
"resources": {
"limits": {
"cpu": "1",
"memory": "1000Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
PolicyRecommendation custom resourceβ
The PolicyRecommendation CR provides a way to configure resources for PolicyRecommendation. The following sections provide example configurations for this CR.
PolicyRecommendationDeploymentβ
To configure resource specification for the PolicyRecommendationDeployment, patch the PolicyRecommendation CR using the below command:
kubectl patch policyrecommendation tigera-secure --type=merge --patch='{"spec": {"policyRecommendationDeployment":{"spec": {"template": {"spec": {"containers":[{"name":"policy-recommendation-controller","resources":{"requests":{"cpu":"100m", "memory":"100Mi"},"limits":{"cpu":"1", "memory":"512Mi"}}}]}}}}}}'
This command sets the CPU request to 100 milliCPU (mCPU) and the memory request is set to 100 Mebibytes (MiB) while the CPU limit is set to 1 CPU and the memory limit is set to 1000 Mebibytes (MiB).
Verificationβ
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-policy-recommendation -n tigera-policy-recommendation -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'
This command will output the configured resource requests and limits for the PolicyRecommendationDeployment in JSON format.
{
"name": "policy-recommendation-controller",
"resources": {
"limits": {
"cpu": "1",
"memory": "512Mi"
},
"requests": {
"cpu": "100m",
"memory": "100Mi"
}
}
}
Update via Helmβ
To update configurations during installation via the Helm chart, modify the values.yaml with the necessary resource values for the components prior to executing the Helm install.
The provided example illustrates configuring the apiserver component. Follow a similar approach for other components to update resource requests and limits during installation using the Helm chart.
APIServer custom resourceβ
The APIServer CR provides a way to configure APIServerDeployment. The following sections provide example values.yaml for apiserver component.
APIServerDeploymentβ
To configure resource specification for the APIServerDeployment, update values.yaml with the appropriate resource values.
apiServer:
apiServerDeployment:
spec:
template:
spec:
containers:
- name: calico-apiserver
resources:
limits:
cpu: 1
memory: 1000Mi
requests:
cpu: 100m
memory: 100Mi
You can verify the configured resources using the following command:
kubectl get deployment.apps/tigera-apiserver -n tigera-system -o json | jq '.spec.template.spec.containers[] | {name: .name, resources: .resources}'