Known limits

Requirements and limits to respect

Updated: 2025-02-17

Nodes and pods

We have tested our OVHcloud Managed Kubernetes service with up to 100 nodes and 100 pods per node. While we are fairly sure it can go further, we advise you to keep under those limits.

Nodepools with anti-affinity are limited to 5 nodes (but you can create multiple node pools with the same instance flavor if needed of course). A node can run up to 110 pods. This limit does not depend on node flavor.

In general, it is better to have several mid-size Kubernetes clusters than a monster-size one.

To ensure high availability for your services, it is recommended to provision enough compute capacity to handle your workload even when one of your nodes becomes unavailable.

Please note that any operation requested from our services, like node deletions or rolling updates, will try to gracefully drain the nodes by respecting Pod Disruption Budgets for a maximum duration of 10 minutes. After this time period, the nodes will be forcefully drained to ensure the smooth progress of the operation. This graceful node draining process only applies when there is at least one other node in the cluster.

Most worker nodes (whether added manually or through the cluster autoscaler) are created within a few minutes, with the exception of GPU worker nodes (t1 and t2 flavors), where reaching the Ready status can take a bit more than one hour.

Because this is a fully managed service, including OS and other component updates, you will neither need nor be able to SSH into your nodes.

Data persistence

If an incident is detected by the OVHcloud monitoring, as part of auto-healing, or in case of a version upgrade, the nodes can be fully reinstalled.

We advise you to save your data in Persistent Volumes (PV) rather than directly on nodes if you don't want to lose it. Follow our guide about how to set up and manage Persistent Volumes on OVHcloud Managed Kubernetes for more information.

LoadBalancer

Creating a Kubernetes service of type LoadBalancer in a Managed Kubernetes cluster triggers the creation of a Public Cloud Load Balancer based on OpenStack Octavia. If the LoadBalancer has been created through a K8s service, the lifespan of the external Load Balancer (and thus of the associated IP address, unless you explicitly specified to keep it) is linked to the lifespan of this Kubernetes resource.

To get more information about deploying a LoadBalancer in an MKS cluster, consult our documentation on exposing services through a LoadBalancer.

OpenStack & Quota

Our Managed Kubernetes service is based on OpenStack, and your nodes, persistent volumes and load balancers are built on it, using OVHcloud Public Cloud. As such, you can see them in the Compute > Instances section of your OVHcloud Public Cloud Control Panel. However, this does not mean that you can manage these nodes and persistent volumes directly the same way you do for other Public Cloud instances.

Also, an MKS cluster's quota relies on your project's quota. Consult this documentation to increase your quota.

The managed part of OVHcloud Managed Kubernetes Service means that we have configured those nodes and volumes to be part of our Managed Kubernetes.
Please refrain from manipulating them from the OVHcloud Public Cloud Control Panel (modifying open ports, renaming, resizing volumes...), as you could break them.

There is also a limit of 20 Managed Kubernetes Services per OpenStack project (also named OpenStack tenant).

Node naming

Due to known limitations currently present in the Kubelet service, be careful to set a unique name for all the OpenStack instances running in your tenant, including your "Managed Kubernetes Service" nodes and the instances that you start directly on OpenStack through the manager or the API.

The period (.) character is forbidden in node names. Please use the dash (-) character instead.

Ports

In any case, there are some ports that you should not block on your instances if you want to keep your OVHcloud Managed Kubernetes service running:

Ports to open from public network (INPUT)

  • TCP Port 22 (ssh): needed for nodes management by OVHcloud
  • TCP Ports from 30000 to 32767 (NodePort services port range): needed for NodePort and LoadBalancer services
  • TCP Port 111 (rpcbind): needed only if you want to use the NFS client deployed on nodes managed by OVHcloud

Ports to open from instances to public network (OUTPUT)

  • TCP Port 443 (kubelet): needed for communication between the kubelets and the Kubernetes API server
  • TCP Port 80 IP 169.254.169.254/32 (init service): needed for OpenStack metadata service
  • TCP Ports from 25000 to 31999 (TLS tunnel): needed to tunnel traffic between pods and the Kubernetes API server
  • TCP Port 8090 (internal service): needed for nodes management by OVHcloud
  • UDP Port 123 (systemd-timesync): needed to allow NTP servers synchronization
  • TCP/UDP Port 53 (systemd-resolve): needed to allow domain name resolution
  • TCP Port 111 (rpcbind): needed only if you want to use the NFS client deployed on nodes managed by OVHcloud
  • TCP Port 4443 (metrics server): needed for communication between the metrics server and the Kubernetes API server

Ports to open from other worker nodes (INPUT/OUTPUT)

About OpenStack security groups

In case you want to apply OpenStack security groups onto your nodes, it is mandatory to add the above ports in a ruleset concerning the 0.0.0.0/0 CIDR.

Warning

If you remove the default rules accepting all input and output when creating a new security group, make sure to allow the ports needed by your application, as well as the mandatory ports mentioned above.

Note

In order to simplify your policy, you can add these rules, which do not specify any port and allow all internal traffic between pods and services within the cluster:

| Direction | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Description |
|-----------|------------|-------------|------------|------------------|-------------|
| Ingress | IPv4 | TCP | Any | 10.2.0.0/16 | Allow traffic from pods |
| Ingress | IPv4 | TCP | Any | 10.3.0.0/16 | Allow traffic from services |

These rules let you trust the internal traffic between pods and services within the cluster.

For more details, please refer to the Creating and configuring a security group in Horizon documentation.
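As an added example (not part of the OVHcloud documentation), the following Python check compares a security group's rules against the mandatory ports listed above and reports which required rules are not covered. The Rule class, the 1-65535 convention for a rule with no port range, and the sample rule sets are assumptions made for this example; the optional rpcbind port is deliberately left out of the required list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One security group rule, seen from the node (hypothetical model)."""
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp" or "any"
    port_min: int       # an OpenStack rule with no port range is modelled as 1-65535
    port_max: int
    remote_prefix: str  # CIDR the rule applies to
    description: str = ""


# Mandatory ports from this page; all but the metadata service require 0.0.0.0/0.
REQUIRED: List[Rule] = [
    Rule("ingress", "tcp", 22, 22, "0.0.0.0/0", "ssh: node management by OVHcloud"),
    Rule("ingress", "tcp", 30000, 32767, "0.0.0.0/0", "NodePort / LoadBalancer services"),
    Rule("egress", "tcp", 443, 443, "0.0.0.0/0", "kubelet to Kubernetes API server"),
    Rule("egress", "tcp", 80, 80, "169.254.169.254/32", "OpenStack metadata service"),
    Rule("egress", "tcp", 25000, 31999, "0.0.0.0/0", "TLS tunnel pods to API server"),
    Rule("egress", "tcp", 8090, 8090, "0.0.0.0/0", "node management by OVHcloud"),
    Rule("egress", "udp", 123, 123, "0.0.0.0/0", "NTP synchronization"),
    Rule("egress", "tcp", 53, 53, "0.0.0.0/0", "DNS resolution"),
    Rule("egress", "udp", 53, 53, "0.0.0.0/0", "DNS resolution"),
    Rule("egress", "tcp", 4443, 4443, "0.0.0.0/0", "metrics server to API server"),
]


def covers(rule: Rule, req: Rule) -> bool:
    """True when an existing rule fully satisfies a required one."""
    if rule.direction != req.direction:
        return False
    if rule.protocol not in ("any", req.protocol):
        return False
    if not (rule.port_min <= req.port_min and req.port_max <= rule.port_max):
        return False
    # The required remote prefix must lie inside the prefix the rule allows:
    # a rule limited to 10.0.0.0/8 does not satisfy a 0.0.0.0/0 requirement.
    allowed = ipaddress.ip_network(rule.remote_prefix)
    needed = ipaddress.ip_network(req.remote_prefix)
    return needed.subnet_of(allowed)


def missing_rules(existing: List[Rule]) -> List[Rule]:
    """Required rules that no rule in the security group covers."""
    return [req for req in REQUIRED if not any(covers(r, req) for r in existing)]
```

A group that keeps the default allow-all egress rule and the two ingress ranges passes; one that narrows ssh to a private prefix or drops UDP egress is reported with the exact rules to add back.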

Private Networks

The vRack feature is currently available and compliant with our Managed Kubernetes Service.

To prevent any conflict, we advise you to keep DHCP service running in your private network.

Warning

At the moment, MKS worker nodes cannot use the DNS nameservers provided by the subnet.

Warning

If your cluster has been created using an OpenStack Private Network, you should change neither this private network's name nor the network's subnet name.
The OpenStack Cloud Controller Manager (CCM) uses the network name to create private network connectivity inside the cluster and link nodes to the private network.
Changing either the private network name or the network's subnet name will affect the nodes deployed afterwards, as the CCM can no longer find the network information.
Because the CCM cannot fetch the private network information on the OpenStack side, it cannot initialize networking for the freshly deployed nodes on the Kubernetes side.
Those nodes keep the "uninitialized=true:NoSchedule" taint, which prevents the kube-scheduler from deploying pods on them. Nodes affected by this issue also have no External-IP.

Known not compliant IP ranges

The following subnets are not compliant with the vRack feature and can cause unexpected behaviour because they overlap the overlay networks we use:

10.2.0.0/16 # Subnet used by pods
10.3.0.0/16 # Subnet used by services
172.17.0.0/16 # Subnet used by the Docker daemon
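As an added example (not part of the OVHcloud documentation), a small Python helper that tells you whether a candidate private network subnet overlaps one of the three reserved ranges above. It goes slightly beyond the page by catching both directions of overlap: a subnet carved out of a reserved range (10.2.8.0/24) and a subnet that swallows one (10.0.0.0/8). The function names are assumptions.

```python
import ipaddress
from typing import Dict, List

# Ranges this page lists as not compliant with vRack private networks.
RESERVED: Dict[str, str] = {
    "10.2.0.0/16": "pods",
    "10.3.0.0/16": "services",
    "172.17.0.0/16": "Docker daemon",
}


def conflicting_ranges(subnet: str) -> List[str]:
    """Return the reserved ranges that overlap the candidate subnet.

    ipaddress.overlaps() is symmetric, so a subnet fully inside a reserved
    range and a subnet that contains a reserved range are both reported.
    """
    candidate = ipaddress.ip_network(subnet, strict=False)
    return [cidr for cidr in RESERVED
            if candidate.overlaps(ipaddress.ip_network(cidr))]


def is_vrack_compliant(subnet: str) -> bool:
    """True when the subnet touches none of the reserved ranges."""
    return not conflicting_ranges(subnet)


def explain(subnet: str) -> str:
    """Human-readable verdict, naming what each conflicting range is used for."""
    hits = conflicting_ranges(subnet)
    if not hits:
        return f"{subnet}: compliant"
    uses = ", ".join(f"{cidr} ({RESERVED[cidr]})" for cidr in hits)
    return f"{subnet}: overlaps {uses}"
```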

Cluster health

The command kubectl get componentstatus reports the scheduler, the controller manager and the etcd service as unhealthy. This is a limitation of our implementation of the Kubernetes control plane: the endpoints needed to report the health of these components are not accessible.

Persistent Volumes

Kubernetes Persistent Volume Claim resizing only allows expanding volumes, not shrinking them.
If you try to decrease the storage size, you will get a message like:

The PersistentVolumeClaim "mysql-pv-claim" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than previous value

For more details, please refer to the Resizing Persistent Volumes documentation.

The Persistent Volumes use our Cinder-based block storage solution through the Cinder CSI driver.
A worker node can have a maximum of 254 persistent volumes attached to it, and a persistent volume can only be attached to a single worker node.
If you need multi-attach persistent volumes, you can configure them manually with NAS-HA.

Go further

  • If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts to assist you with the specific use case of your project.

  • Join our community of users.