What Are Limit Ranges in Kubernetes?

intermediate|namespacesdevopssreplatform engineerCKA
TL;DR

A LimitRange sets default, minimum, and maximum resource constraints for individual containers, Pods, and PVCs within a namespace. It enforces per-object limits (unlike ResourceQuota which caps aggregate totals) and automatically injects default resource requests and limits into Pods that omit them.

Detailed Answer

A LimitRange is a policy object that constrains resource usage on a per-container, per-Pod, or per-PVC basis within a namespace. While ResourceQuota caps the total, LimitRange ensures each individual workload stays within reasonable bounds.

What LimitRange Controls

| Constraint | Purpose | |---|---| | default | Default limits for containers that do not specify them | | defaultRequest | Default requests for containers that do not specify them | | min | Minimum resource requests/limits allowed | | max | Maximum resource requests/limits allowed | | maxLimitRequestRatio | Maximum ratio between limit and request |

Comprehensive LimitRange Example

apiVersion: v1
kind: LimitRange
metadata:
  name: resource-constraints
  namespace: team-backend
spec:
  limits:
    - type: Container
      default:
        cpu: "500m"
        memory: "256Mi"
      defaultRequest:
        cpu: "100m"
        memory: "128Mi"
      min:
        cpu: "50m"
        memory: "64Mi"
      max:
        cpu: "4"
        memory: "8Gi"
      maxLimitRequestRatio:
        cpu: "10"
        memory: "4"
    - type: Pod
      max:
        cpu: "8"
        memory: "16Gi"
    - type: PersistentVolumeClaim
      min:
        storage: "1Gi"
      max:
        storage: "100Gi"

How Default Injection Works

When a container does not specify resource requests or limits, the LimitRange admission controller injects the defaults:

Pod without resource specs:

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: myapp:v1
      # No resources specified

What Kubernetes creates (after LimitRange injection):

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: myapp:v1
      resources:
        requests:
          cpu: "100m"         # From defaultRequest
          memory: "128Mi"     # From defaultRequest
        limits:
          cpu: "500m"         # From default
          memory: "256Mi"     # From default

Enforcement Examples

Minimum Enforcement

# Pod requests below minimum
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: tiny-pod
spec:
  containers:
    - name: app
      image: myapp:v1
      resources:
        requests:
          cpu: "10m"    # Below min of 50m
EOF

# Error: minimum cpu usage per Container is 50m, but request is 10m

Maximum Enforcement

# Pod requests above maximum
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: huge-pod
spec:
  containers:
    - name: app
      image: myapp:v1
      resources:
        limits:
          cpu: "16"     # Above max of 4
EOF

# Error: maximum cpu usage per Container is 4, but limit is 16

Ratio Enforcement

With maxLimitRequestRatio: cpu: "10", the limit cannot be more than 10x the request:

resources:
  requests:
    cpu: "100m"
  limits:
    cpu: "2"       # Ratio = 20:1, exceeds max ratio of 10:1
# Error: cpu max limit to request ratio per Container is 10, but provided ratio is 20

LimitRange vs ResourceQuota

| Aspect | LimitRange | ResourceQuota | |---|---|---| | Scope | Per container/Pod/PVC | Per namespace (aggregate) | | Defaults | Injects default values | No defaults | | Min/Max | Per-object constraints | Total caps | | Enforcement | Individual workload | Namespace total | | Works alone | Yes | Requires requests/limits on Pods |

Best Practice: Use Both Together

# LimitRange: Sets per-container boundaries and defaults
apiVersion: v1
kind: LimitRange
metadata:
  name: limits
  namespace: team-backend
spec:
  limits:
    - type: Container
      default:
        cpu: "500m"
        memory: "256Mi"
      defaultRequest:
        cpu: "100m"
        memory: "128Mi"
      max:
        cpu: "4"
        memory: "8Gi"
---
# ResourceQuota: Caps the total for the namespace
apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
  namespace: team-backend
spec:
  hard:
    requests.cpu: "20"
    requests.memory: "40Gi"
    limits.cpu: "40"
    limits.memory: "80Gi"
    pods: "100"

The LimitRange ensures no single container is too large or too small. The ResourceQuota ensures the team does not consume too much of the cluster in total.

Viewing LimitRange

kubectl describe limitrange resource-constraints -n team-backend

# Type        Resource  Min    Max    Default  Default Request  Ratio
# ----        --------  ---    ---    -------  ---------------  -----
# Container   cpu       50m    4      500m     100m             10
# Container   memory    64Mi   8Gi    256Mi    128Mi            4
# Pod         cpu       -      8      -        -                -
# Pod         memory    -      16Gi   -        -                -
# PVC         storage   1Gi    100Gi  -        -                -

Why Interviewers Ask This

Interviewers ask this to test whether you know how to enforce resource governance at the individual workload level, preventing both resource starvation and excessive consumption.

Common Follow-Up Questions

How does LimitRange differ from ResourceQuota?
ResourceQuota limits the total resources in a namespace. LimitRange limits the resources of each individual container or Pod. They are complementary — use both together.
What happens if a Pod requests more than the LimitRange maximum?
The Pod is rejected by the admission controller with an error explaining that the request exceeds the LimitRange constraint.
Can LimitRange set defaults for resource limits?
Yes. The default field sets default limits, and defaultRequest sets default requests. These are injected into containers that do not specify their own values.

Key Takeaways

  • LimitRange enforces per-container and per-Pod resource boundaries within a namespace.
  • It injects default requests and limits into containers that omit resource specifications.
  • Use LimitRange alongside ResourceQuota for comprehensive resource governance.

Related Questions

How Do Resource Quotas Work in Kubernetes?What Are Kubernetes Namespaces?

You Might Also Like

What Are Resource Requests and Limits in Kubernetes?What Are the Pod Quality of Service (QoS) Classes?
Back to Namespaces Interview Questions