Limiting network bandwidth at namespace level in RKE2 using Calico

[praseed44]

Discussed in https://github.com/orgs/projectcalico/discussions/8962

^{Originally posted by praseed44 July 1, 2024}
Can Calico CNI limit the network bandwidth used by containerd to download images from image registry? In a multi-tenant Kubernetes cluster with Calico as CNI, we are looking for a capability to limit the network bandwidth per namespace to ensure fair usage by all tenants in a cluster.

Given that, there are huge sized images for ML models running in Kubernetes cluster - image pull of few namespaces is consuming most of the network bandwidth thereby affecting the other tenants in the cluster.

Looking forward to the feedback from this expert team. Thank you!

[MichalFupso]

Hi @praseed44, you can limit bandwidth by pod using the Traffic Shaping plugin. You can check out more info about it in our docs https://docs.tigera.io/calico/latest/reference/configure-cni-plugins#cni-network-configuration-lists

[praseed44]

Hi @praseed44, you can limit bandwidth by pod using the Traffic Shaping plugin. You can check out more info about it in our docs https://docs.tigera.io/calico/latest/reference/configure-cni-plugins#cni-network-configuration-lists

Thank you @MichalFupso for the feedback. I have tried these but doesn’t seem to have any effect for image pulls bandwidth limiting. But works for ingress/egress traffic for pod networking and pod to node networking.

Is this supposed to work even for image pull scenarios or Am I missing something? Please share your thoughts.

[caseydavenport]

No that won't work for image pull - image pull is done by the container runtime from the host and is part of host networking and isn't under Calico's control.

I think this is probably outside the scope of Calico - typically Calico isn't responsible for configuring the base host's networking.