Add caution for using memory-backed emptydir (#44949)

shu-mutou · Tim Bannister · web-flow · commit 2c45e1ae2885 · 2024-07-12T16:36:55.000-07:00
* Add caution for using memory-backed emptydir

To use default size of memory-backed emptydir,
some risks exist. So this adds cautions for the risks.

* Fix sub section title

Co-authored-by: Tim Bannister &lt;tim@scalefactory.com&gt;

* Move conciderations for memory backed emptyDir into
Resource Management for Pods and Container page.

* Revirt removing spaces on volumes.md

* Revirt removing spaces on manage-resources-containers.md

* Fixed to make it more readable and concise

---------

Co-authored-by: Tim Bannister &lt;tim@scalefactory.com&gt;
diff --git a/content/en/docs/concepts/configuration/manage-resources-containers.md b/content/en/docs/concepts/configuration/manage-resources-containers.md
@@ -215,7 +215,8 @@ limits you defined.
   as restartable, Kubernetes restarts the container.
 - The memory limit for the Pod or container can also apply to pages in memory backed
   volumes, such as an `emptyDir`. The kubelet tracks `tmpfs` emptyDir volumes as container
-  memory use, rather than as local ephemeral storage.
+  memory use, rather than as local ephemeral storage.　When using memory backed `emptyDir`,
+  be sure to check the notes [below](#memory-backed-emptydir).
 
 If a container exceeds its memory request and the node that it runs on becomes short of
 memory overall, it is likely that the Pod the container belongs to will be
@@ -237,6 +238,50 @@ are available in your cluster, then Pod resource usage can be retrieved either
 from the [Metrics API](/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/#metrics-api)
 directly or from your monitoring tools.
 
+### Considerations for memory backed `emptyDir` volumes {#memory-backed-emptydir}
+
+{{< caution >}}
+If you do not specify a `sizeLimit` for an `emptyDir` volume, that volume may
+consume up to that pod's memory limit (`Pod.spec.containers[].resources.limits.memory`).
+If you do not set a memory limit, the pod has no upper bound on memory consumption,
+and can consume all available memory on the node.  Kubernetes schedules pods based
+on resource requests (`Pod.spec.containers[].resources.requests`) and will not
+consider memory usage above the request when deciding if another pod can fit on
+a given node.  This can result in a denial of service and cause the OS to do
+out-of-memory (OOM) handling.  It is possible to create any number of `emptyDir`s
+that could potentially consume all available memory on the node, making OOM
+more likely.
+{{< /caution >}}
+
+From the perspective of memory management, there are some similarities between
+when a process uses memory as a work area and when using memory-backed
+`emptyDir`. But when using memory as a volume like memory-backed `emptyDir`,
+there are additional points below that you should be careful of.
+
+* Files stored on a memory-backed volume are almost entirely managed by the
+  user application.  Unlike when used as a work area for a process, you can not
+  rely on things like language-level garbage collection.
+* The purpose of writing files to a volume is to save data or pass it between
+  applications.  Neither Kubernetes nor the OS may automatically delete files
+  from a volume, so memory used by those files can not be reclaimed when the
+  system or the pod are under memory pressure.
+* A memory-backed `emptyDir` is useful because of its performance, but memory
+  is generally much smaller in size and much higher in cost than other storage
+  media, such as disks or SSDs.  Using large amounts of memory for `emptyDir`
+  volumes may affect the normal operation of your pod or of the whole node,
+  so should be used carefully.
+
+If you are administering a cluster or namespace, you can also set
+[ResourceQuota](/docs/concepts/policy/resource-quotas/) that limits memory use;
+you may also want to define a [LimitRange](/docs/concepts/policy/limit-range/)
+for additional enforcement.
+If you specify a `spec.containers[].resources.limits.memory` for each Pod,
+then the muximum size of an `emptyDir` volume will be the pod's memory limit.
+
+As an alternative, a cluster administrator can enforce size limits for
+`emptyDir` volumes in new Pods using a policy mechanism such as
+[ValidationAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy).
+
 ## Local ephemeral storage
 
 <!-- feature gate LocalStorageCapacityIsolation -->
diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md
@@ -262,11 +262,17 @@ If that is filled up from another source (for example, log files or image
 overlays), the `emptyDir` may run out of capacity before this limit.
 
 {{< note >}}
-If the `SizeMemoryBackedVolumes` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled,
-you can specify a size for memory backed volumes.  If no size is specified, memory
-backed volumes are sized to node allocatable memory.
+You can specify a size for memory backed volumes, provided that the `SizeMemoryBackedVolumes`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+is enabled in your cluster (this has been beta, and active by default, since the Kubernetes 1.22 release).
+If you don't specify a volume size, memory backed volumes are sized to node allocatable memory.
 {{< /note>}}
 
+{{< caution >}}
+Please check [here](/docs/concepts/configuration/manage-resources-containers/#memory-backed-emptydir)
+for points to note in terms of resource management when using memory-backed `emptyDir`.
+{{< /caution >}}
+
 #### emptyDir configuration example
 
 ```yaml
