adding hrq documentation

Signed-off-by: unknown <[email protected]>

Author: zfrhv

docs/user-guide/concepts.md

@@ -13,6 +13,7 @@ namespaces are, and _why_ they behave the way they do.
 * [Basic concepts](#basic)
   * [Parents, children, trees and forests](#basic-trees)
   * [Full namespaces and subnamespaces](#basic-subns)
+  * [Hierarchical resource quotas (HRQs)](#hrq)
   * [Policy inheritance and object propagation](#basic-propagation)
   * [Tree labels and non-propagated policies](#basic-labels)
   * [Exceptions and propagation control](#basic-exceptions)
@@ -87,6 +88,8 @@ namespaces:
   as isolation units for their own services. However, namespace creation is a
   privileged cluster-level operation, and you typically want to control this
   privilege very closely.
+* You might want to give some amount of resources to a team (similar to `ResourceQuota`), and they can
+  distribute those resources between their subnamespaces.
 * Finally, you might want to avoid having to find unique names for every
   namespace in the cluster.
 
@@ -218,6 +221,68 @@ probably not a great idea.
 You can create a subnamespace from the command line via `kubectl hns create child
 -n parent`.
 
+<a name="hrq">
+
+### Hierarchical resource quotas (HRQs)
+
+***Hierarchical resource quotas are beta in HNC v1.1***
+
+When you want to give some amount of resources to `team-a`, and want them to be able to
+flexibly use resources in any of their subnamespaces, you create a `HierarchicalResourceQuota`
+in namespace `team-a`. The sum of all resources from all the subnamespaces of the
+members wont be over the amount of resources that is configured in
+`HierarchicalResourceQuota` of namespace `team-a`. All of the reasources of `team-a` are
+equally shared between the applications in their subnamespaces, which is very efficient.
+
+In addition, you can let an org or team's admin create their own hierarchical
+quotas without violating the overall HRQ for their org or team. For example,
+if you start with the following structure:
+```
+company-a
+├── organization-a
+│   ├── org-a-team-1
+│   ├── org-a-team-2
+│   ...
+├── organization-b
+│   ├── org-b-team-1
+│   ├── org-b-team-2
+│   ...
+...
+```
+Instead of each team asking from the `cluster-admin` to modify their `ResourceQuota`, 
+you can insert an additional "policy" namespace above each level to hold
+the policy objects (like hierarchical quota) that the sub-admin _cannot_
+change, while giving them permission to create their own quotas in the
+lower level namespaces, like this:
+```
+company-a-policy
+└── company-a
+```
+And put the resources HRQ in the `company-a-policy` namespace. This will restrict
+whole `company-a` to the amount of resources that they are paying for. Then `company-a`
+can do similar HRQ with their organizations:
+```
+company-a-policy (has HRQ)
+└── company-a
+    ├── org-a-policy (has HRQ)
+    │   └── organization-a
+    ├── org-b-policy (has HRQ)
+    │   └── organization-b
+    ...
+```
+Lower-level quotas cannot override more restrictive quotas from ancestor namespaces;
+the most restrictive quota always wins.
+This way each individual can fairly and securely distribute their resources across
+their members.
+
+To implement hierarchical quotas, HNC automatically creates `ResourceQuota` objects in each
+affected namespace. This is a part of the internal implementation and shouldn't be modified or
+inspected. Use the `kubectl hns hrq` command to inspect hierarchical quotas,
+or look at the `HierarchicalResourceQuota` object in the ancestor
+namespaces.
+
+Note: Decimal point values cannot be specified in HRQ (you can't do `cpu: 1.5` but you can do `cpu: "1.5"` or `cpu: 1500m`). See [#292](https://github.com/kubernetes-sigs/hierarchical-namespaces/issues/292)
+
 <a name="basic-propagation">
 
 ### Policy inheritance and object propagation
@@ -327,7 +392,7 @@ HNC typically propagates _all_ objects of a [specified type](how-to.md#admin-res
 from ancestor namespaces to descendant namespaces. However, sometimes this is
 too restrictive, and you need to create ***exceptions*** to certain policies. For example:
 
-* A ResourceQuota was propagated to many children, but one child namespace now
+* A `ResourceQuota` was propagated to many children, but one child namespace now
   has higher requirements than the rest. Rather than getting rid of the quota in
   the parent namespace, or raising the limit for everyone, you can stop the
   quota in the parent from being propagated to that _one_ child namespace,
@@ -345,7 +410,7 @@ an object can also control how it is propagated to descendant namespaces.
 If you modify an exception - for example, by removing it - this could cause
 the object to be propagated to descendants from which it had previously been
 excluded. This could cause you to accidentally overwrite objects that were
-intended to be exceptions from higher-level policies, like the ResourceQuota
+intended to be exceptions from higher-level policies, like the `ResourceQuota`
 in the example above. To prevent this, if modifying an exception would cause
 HNC to overwrite another object, HNC’s admission controllers will prevent you
 from modifying the object, and will identify the objects that would have been

docs/user-guide/how-to.md

@@ -10,6 +10,7 @@ This document describes common tasks you might want to accomplish using HNC.
   * [Create a subnamespace](#use-subns-create)
   * [Inspect namespace hierarchies](#use-inspect)
   * [Propagating policies across namespaces](#use-propagate)
+  * [Apply hierarchical resource quotas (HRQs)](#use-hrq)
   * [Select namespaces based on their hierarchies](#use-select)
   * [Delete a subnamespace](#use-subns-delete)
   * [Organize full namespaces into a hierarchy](#use-full)
@@ -186,6 +187,19 @@ permissions. To understand why an object is not being propagated to a namespace,
 use `kubectl hns describe <ns>`, where `<ns>` is either the source (ancestor) or
 destination (descendant) namespace.
 
+<a name="use-hrq"/>
+
+### Limit Resources over parent namespaces
+
+***Hierarchical resource quotas are beta in HNC v1.1***
+
+HNC has an object called `HierarchicalResourceQuota` which is a drop-in replacement for `ResourceQuota`
+but across all the namespaces in a hierarchy. It allows you to distribute your resources between
+teams, and those teams can distribute their resources between their subteams.
+[Learn how it works](concepts.md#hierarchical-resource-quota) or see an [quickstart example](quickstart.md#hrq)
+
+Note: Decimal point values cannot be specified in HRQ (you can't do `cpu: 1.5` but you can do `cpu: "1.5"` or `cpu: 1500m`). See [#292](https://github.com/kubernetes-sigs/hierarchical-namespaces/issues/292)
+
 <a name="use-select"/>
 
 ### Select namespaces based on their hierarchies

docs/user-guide/quickstart.md

@@ -21,6 +21,7 @@ also to all contributors since then.
 * [Basic functionality](#basic)
 * [Propagating different resources](#resources)
 * [Hierarchical network policy](#netpol)
+* [Hierarchical resource quotas](#hrq)
 * [Subnamespaces deep-dive](#subns)
 * [Keeping objects out of certain namespaces](#exceptions)
 
@@ -341,7 +342,7 @@ Now we'll create a default network policy that blocks any ingress from other
 namespaces:
 
 ```bash
-cat << EOF | kubectl apply -f -
+kubectl apply -f - << EOF
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
@@ -394,7 +395,7 @@ other. We do this by creating a policy that selects namespaces based on the
 that is automatically added by the HNC.
 
 ```bash
-cat << EOF | kubectl apply -f -
+kubectl apply -f - << EOF
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
@@ -458,6 +459,102 @@ kubectl delete svc s2 -n service-2
 kubectl delete pods s2 -n service-2
 ```
 
+<a name="hrq"/>
+
+### Hierarchical resource quotas
+
+***Hierarchical resource quotas are beta in HNC v1.1***
+
+_Will demonstrate: Create and delete [HierarchicalResourceQuota](concepts.md#hierarchical-resource-quota)._
+
+Let's assume you own _acme-org_ from the previous example:
+```
+acme-org
+├── [s] team-a
+└── [s] team-b
+```
+
+You can create a `HierarchicalResourceQuota` in namespace `acme-org`, and the sum of 
+all subnamespaces resource usage cant go over what is configured in the hrq.
+
+Creating the hrq:
+```bash
+kubectl apply -f - << EOF
+kind: HierarchicalResourceQuota
+apiVersion: hnc.x-k8s.io/v1alpha2
+metadata:
+  name: acme-org-hrq
+  namespace: acme-org
+spec:
+  hard:
+    requests.cpu:  1
+    requests.memory: 2Gi
+    limits.cpu:  2
+    limits.memory: 4Gi
+    services: 1
+EOF
+```
+
+Lets create Service in namespace `team-a`:
+```bash
+kubectl apply -f - << EOF
+kind: Service
+apiVersion: v1
+metadata:
+  name: team-a-svc
+  namespace: team-a
+spec:
+  selector:
+    place: holder
+  ports:
+  - protocol: TCP
+    port: 80
+    targetport: 80
+EOF
+```
+
+And when we try to create Service in namespace `team-b`:
+```bash
+kubectl apply -f - << EOF
+kind: Service
+apiVersion: v1
+metadata:
+  name: team-b-svc
+  namespace: team-b
+spec:
+  selector:
+    place: holder
+  ports:
+  - protocol: TCP
+    port: 80
+    targetport: 80
+EOF
+```
+We get an error:
+```
+Error from server (Forbidden):
+  error when creating "STDIN":
+    admission webhood "resourcesquotasstatus.hnc.x-k8s.io" denied the request:
+      exceeded hierarchical quota in namespace "acme-org":
+        "acme-org-hrq", requested: services=1, used: services=1, limited: services=1
+```
+
+To view the HRQ usage, simply run:
+```bash
+kubectl hns hrq -n acme-org
+```
+you can also view in all namespace:
+```bash
+kubectl hns hrq --all-namespaces
+```
+
+and you can delete the hrq via simply deleting the CR:
+```bash
+kubectl delete hrq acme-org-hrq -n acme-org
+```
+
+Note: Decimal point values cannot be specified (you can't do `cpu: 1.5` but you can do `cpu: "1.5"` or `cpu: 1500m`). See [#292](https://github.com/kubernetes-sigs/hierarchical-namespaces/issues/292)
+
 <a name="subns"/>
 
 ### Subnamespaces deep dive
@@ -672,7 +769,7 @@ Of course, the annotation can also be part of the object when you create it:
 
 ```bash
 kubectl delete secret my-secret -n acme-org
-cat << EOF | k create -f -
+kubectl create -f - << EOF
 apiVersion: v1
 kind: Secret
 metadata:

go.mod

@@ -20,6 +20,7 @@ require (
 	k8s.io/apimachinery v0.23.2
 	k8s.io/cli-runtime v0.23.2
 	k8s.io/client-go v0.23.2
+	k8s.io/kubernetes v1.23.2
 	sigs.k8s.io/controller-runtime v0.11.0
 	sigs.k8s.io/controller-tools v0.8.0
 )
@@ -35,7 +36,7 @@ require (
 	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/aws/aws-sdk-go v1.23.20 // indirect
+	github.com/aws/aws-sdk-go v1.38.49 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
@@ -63,10 +64,10 @@ require (
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
@@ -99,9 +100,8 @@ require (
 	golang.org/x/text v0.5.0
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	golang.org/x/tools v0.4.1-0.20221208213631-3f74d914ae6d // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
-	google.golang.org/api v0.44.0 // indirect
+	google.golang.org/api v0.46.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2 // indirect
 	google.golang.org/grpc v1.40.0 // indirect
@@ -120,7 +120,34 @@ require (
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
-require (
-	github.com/spf13/afero v1.6.0 // indirect
-	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20230208013708-22718275bffe // indirect
+require sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20230208013708-22718275bffe
+
+require github.com/spf13/afero v1.6.0 // indirect
+
+replace (
+	k8s.io/api => k8s.io/api v0.23.2
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.23.2
+	k8s.io/apimachinery => k8s.io/apimachinery v0.23.2
+	k8s.io/apiserver => k8s.io/apiserver v0.23.2
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.23.2
+	k8s.io/client-go => k8s.io/client-go v0.23.2
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.23.2
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.23.2
+	k8s.io/code-generator => k8s.io/code-generator v0.23.2
+	k8s.io/component-base => k8s.io/component-base v0.23.2
+	k8s.io/component-helpers => k8s.io/component-helpers v0.23.2
+	k8s.io/controller-manager => k8s.io/controller-manager v0.23.2
+	k8s.io/cri-api => k8s.io/cri-api v0.23.2
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.23.2
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.23.2
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.23.2
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.23.2
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.23.2
+	k8s.io/kubectl => k8s.io/kubectl v0.23.2
+	k8s.io/kubelet => k8s.io/kubelet v0.23.2
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.23.2
+	k8s.io/metrics => k8s.io/metrics v0.23.2
+	k8s.io/mount-utils => k8s.io/mount-utils v0.23.2
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.23.2
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.2
 )