Quotas and limits

This page explains Google Distributed Cloud release 1.14 quotas and limits for Google Cloud projects, clusters, and nodes.

Limits

Note the following limits and recommendations for your clusters.

Maximum number of pods per cluster

We recommend that you limit the number of pods per cluster to 15,000 or fewer. For example, if your cluster has 200 nodes, you should restrict the number of pods per node to 75 or fewer. Likewise, if you want to run 110 pods per node, you should restrict the number of nodes in your cluster to 136 or fewer. The following table provides examples of configurations that are and aren't recommended.

Pods per node Nodes per cluster Pods per Cluster Result
110 200 22,000 Too many pods, not recommended
110 136 14,960 Within limit
100 150 15,000 Within limit
75 200 15,000 Within limit

The maximum number of pods per cluster recommendation takes precedence over the recommendations for pods per node and nodes per cluster in the following sections.

Maximum number of nodes per cluster

We test Google Distributed Cloud to run workloads with up to 500 nodes. However, to ensure optimal performance and reliability, we recommend that you don't exceed 200 nodes per cluster when running workloads in production.

Cluster type Minimum nodes Recommended maximum nodes Absolute maximum nodes
User, Standalone, or Hybrid 1 200 500

For single-node clusters, you must remove the node-role.kubernetes.io/master:NoSchedule taint to run workloads on the node. For details, see Kubernetes taints and tolerations.

Maximum number of pods per node

Google Distributed Cloud supports the configuration of maximum pods per node in the nodeConfig.PodDensity.MaxPodsPerNode setting of the cluster configuration file. The following table shows the minimum and maximum values supported for MaxPodsPerNode, which includes pods running add-on services:

Cluster type Minimum allowed value Recommended maximum value Maximum allowed value
All HA clusters and non-HA user clusters 32 110 250
All other non-HA clusters 64 110 250

Maximum number of endpoints

On RHEL and CentOS, there's a cluster-level limitation of 100,000 endpoints. This number is the sum of all pods that are referenced by a Kubernetes service. If two services reference the same set of pods, this situation counts as two separate sets of endpoints. The underlying nftable implementation on RHEL and CentOS causes this limitation; it's not an intrinsic limitation of Google Distributed Cloud.

Mitigation

For RHEL and CentOS, there are no mitigations. For Ubuntu and Debian systems, we recommend switching from the default nftables to legacy iptables on large-scale clusters.

Dataplane V2 eBPF limit

The maximum number of entries in the BPF lbmap for Dataplane V2 is 65,536. Increases in the following areas can cause the total number of entries to grow:

  • Number of services
  • Number of ports per service
  • Number of backends per service

We recommend that you monitor the actual number of entries used by your cluster to ensure that you don't exceed the limit. Use the following command to get the current entries:

kubectl get po -n kube-system -l k8s-app=cilium | cut -d " " -f1 | grep anetd | head -n1 | \
    xargs -I % kubectl -n kube-system exec % -- cilium bpf lb list | wc -l

We also recommend that you use your own monitoring pipeline to collect metrics from the anetd DaemonSet. Monitor for the following conditions to identify when the number of entries are causing problems:

cilium_bpf_map_ops_total{map_name="lb4_services_v2",operation="update",outcome="fail" } > 0
cilium_bpf_map_ops_total{map_name="lb4_backends_v2",operation="update",outcome="fail" } > 0

LoadBalancer and NodePort Services port limit

The port limit for LoadBalancer and NodePort Services is 2,768. The default port range is 30000-32767. If you exceed the limit, you can't create new LoadBalancer or NodePort Services and you can't add new node ports for existing services.

By default, Kubernetes allocates node ports to Services of type LoadBalancer. These allocations can quickly exhaust available node ports from the 2,768 allotted to your cluster. To save node ports, disable load balancer node port allocation by setting the allocateLoadBalancerNodePorts field to false in the LoadBalancer Service spec. This setting prevents Kubernetes from allocating node ports to LoadBalancer Services. For more information, see Disabling load balancer NodePort allocation in the Kubernetes documentation.

Use the following command to check the number of ports currently allocated:

kubectl get svc -A | grep : | tr -s ' ' | cut -d ' '  -f6 | tr ',' '\n' | wc -l

Bundled load balancer node connection limits

The number of connections allowed for each node used for bundled load balancing (MetalLB) is 28,000. The default ephemeral port range for these connections is 32768-60999. If you exceed the connection limit, requests to the LoadBalancer Service might fail.

If you need to expose a load balancer service that is capable of handling a substantial number of connections (for Ingress, for example), we recommend that you consider an alternate load balancing method to avoid this limitation with MetalLB.

Cluster quotas

You can register a maximum of 15 clusters by default. To register more clusters in GKE Hub, you can submit a request to increase your quota in the Google Cloud console:

Go to Quotas

Scaling issues

This section describes some issues to keep in mind when scaling your clusters.

Resources reserved for system daemons

Starting from version 1.14, Google Distributed Cloud automatically reserves resources on a node for system daemons such as sshd or udev. CPU and memory resources are reserved on a node for system daemons so that these daemons have the resources they require. Without this feature, which is enabled by default, Pods can potentially consume most of the resources on a node, making it impossible for system daemons to complete their tasks.

Specifically, Google Distributed Cloud reserves 50 millicores of CPU (50 mCPU) and 280 Mebibytes (280 MiB) of memory on each node for system daemons. Note that the CPU unit 'mCPU' stands for "thousandth of a core", and so 50/1000 or 5% of a core on each node is reserved for system daemons. The amount of reserved resources is small and doesn't have a significant impact on Pod performance. However, the kubelet on a node may evict Pods if their use of CPU or memory exceeds the amounts that have been allocated to them.

etcd performance

Disk speed is critical to etcd performance and stability. A slow disk increases etcd request latency, which can lead to cluster stability problems. We recommend that you use a solid-state disk (SSD) for your etcd store. The etcd documentation provides additional hardware recommendations for ensuring the best etcd performance when running your clusters in production.

To check your etcd and disk performance, use the following etcd I/O latency metrics in the Metrics Explorer:

  • etcd_disk_backend_commit_duration_seconds: the duration should be less than 25 milliseconds for the 99th percentile (p99).
  • etcd_disk_wal_fsync_duration_seconds: the duration should be less than 10 milliseconds for the 99th percentile (p99).

For more information about etcd performance, see What does the etcd warning "apply entries took too long" mean? and What does the etcd warning "failed to send out heartbeat on time" mean?.

Didn't find what you were looking for? Click Send feedback and let us know what's missing.