A Kubernetes Operator for managing resource quota in namespaces.
The quota operator takes one or more quota definitions in its config. Each quota definition consists of a label selector (applied to namespaces) and a base ResourceQuota template. In each namespace matching the label selector, a ResourceQuota with the quotas from the template is created.
Whenever a QuotaIncrease resource is added to any of these namespaces, the operator adapts the generated ResourceQuota accordingly, depending on the operating mode configured in the quota definition:
- for
cumulativemode, all quotas from allQuotaIncreases in that namespace are summed up - for
maximummode, only the highest quota for each resource takes effect - for
singularmode, only theQuotaIncreasewhich is referenced in thequota.openmcp.cloud/uselabel on the containing namespace is taken into account
When listing QuotaIncreases with the -o wide option via kubectl, the effect that each quota increase has on the corresponding ResourceQuota is shown. The operator can also be configured to immediately delete QuotaIncreases that don't have any effect.
The sets of namespaces returned by the label selectors of different quota definitions in the config must be disjunct. If the same namespace is matched by more than one quota definition's label selector, only the first quota definition to act on this namespace will take effect, all other ones will then ignore it. To identify already handled namespaces, the operator attaches a label to the namespace that contains the name of the quota definition that is responsible for it.
To allow renaming quota definitions in the config, these labels will be overwritten if their value does not match one of the currently configured quota definitions' name. If you are running multiple quota-operators for the same cluster, each needs to be given a list of all other operators' quota definition names (under externalQuotaDefinitionNames in the configuration).
The operator is quite simple to run and only requires two arguments:
--configmust specify the path to the configuration file.- See the docs for more information on what the config file has to look like.
--kubeconfigspecifies the path to the kubeconfig file for the cluster that should be watched by the quota operator.- When running within the cluster which should also be watched, this argument can be omitted.
- Instead of pointing to a kubeconfig file, this argument may also point to a folder containing an OIDC trust configuration.
To deploy the quota operator into a cluster, best use the provided helm chart.
- Configuration
- A quick demo flow which can be used as a tutorial or for showcasing the quota operator
- A more thorough explanation of the different operating modes
This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.
If you find any bug that may be a security problem, please follow our instructions at in our security policy on how to report it. Please do not create GitHub issues for security-related doubts or problems.
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.
Copyright 2025 SAP SE or an SAP affiliate company and quota-operator contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/openmcp-project/