Summary
Implement resource quota coverage for all user-facing resources across the platform. This builds on the existing quota framework (ResourceRegistration, ClaimCreationPolicy, GrantCreationPolicy) already in place for DNS and Projects.
Architecture Decision
- ResourceRegistrations + ClaimCreationPolicies live in each service's repo under `config/quota/{registrations,claim-policies}/`
- GrantCreationPolicies live centrally in the datum repo under `config/services/`
- Infra repo must be updated to ensure new quota manifests are installed into Milo correctly
Phases
Phase 1: Network Services Operator (network-services-operator) ✅
NSO PR: datum-cloud/network-services-operator#129
Grant policy PR: datum-cloud/datum#192
Infra PR: https://github.com/datum-cloud/infra/pull/1979
Add registrations + claim policies for 13 user-facing resources:
| Resource | apiGroup | Default Quota |
|---|---|---|
| Domain | networking.datumapis.com | 25 |
| HTTPProxy | networking.datumapis.com | 10 |
| TrafficProtectionPolicy | networking.datumapis.com | 0 (disabled) |
| Connector | networking.datumapis.com | 5 |
| ConnectorAdvertisement | networking.datumapis.com | 10 |
| Gateway | gateway.networking.k8s.io | 10 |
| HTTPRoute | gateway.networking.k8s.io | 25 |
| BackendTLSPolicy | gateway.networking.k8s.io | 10 |
| Backend | gateway.envoyproxy.io | 10 |
| BackendTrafficPolicy | gateway.envoyproxy.io | 10 |
| SecurityPolicy | gateway.envoyproxy.io | 10 |
| HTTPRouteFilter | gateway.envoyproxy.io | 10 |
| EndpointSlice | discovery.k8s.io | 25 |
Note: Domains aligned with existing DNS zone quota (25). HTTPProxies and Gateways are 1-to-1 with each other (10).
Excluded:
- Network — not user-created
- NetworkPolicy — no role grants create permission
- ConnectorClass — not user-created
- Location — not in scope
- Child resources (NetworkBinding, NetworkContext, Subnet, SubnetClaim) — bounded by parents
Phase 2: Milo — Notes + Core Resources ✅
Milo PR: datum-cloud/milo#523
Grant policy PR: datum-cloud/datum#193
| Resource | apiGroup | Consumer | Default Quota |
|---|---|---|---|
| Note | notes.miloapis.com | Project | 100 |
| ClusterNote | notes.miloapis.com | Project | 100 |
| Secret | core.miloapis.com | Project | 50 |
| ConfigMap | core.miloapis.com | Project | 50 |
Phase 3: Milo — IAM Resources (deferred)
| Resource | apiGroup | Consumer | Default Quota |
|---|---|---|---|
| UserInvitation | iam.miloapis.com | Organization | 5 |
| Group | iam.miloapis.com | Organization | 3 |
Phase 4: Infra
Update deployment configuration to ensure the new quota resources from Milo are installed correctly. Milo quota resources need to be wired in the same way the NSO quota was wired via the ../quota component.
Out of Scope (for now)
- Standard vs Personal org differentiation for per-project quotas — requires org-type label propagation on Project resources
- Compute resources (Workload, Instance) — deferred
- Child resources (NetworkBinding, NetworkContext, Subnet, SubnetClaim) — bounded by parents
- System-managed resources (WorkloadDeployment, GatewayClass, Lease)
- Migration of existing DNS/Project quota config — stays in datum repo since already done
Default Quota Amounts
All per-project quotas use a single default tier (personal-level). Standard org overrides will come later.
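The following is an added illustrative model, not Milo's or the quota framework's own code. It encodes the single default tier from the Phase 1, 2 and 3 tables above and shows how a fail-closed admission check would treat the cases those tables imply: a kind disabled by default (quota 0), a consumer already at its limit, a consumer under its limit, a per-consumer grant raising a default, and a kind with no registration at all. The `admit()` signature, the `(consumer, apiGroup, kind)` usage key, the `grants` override map and the fail-closed handling of unregistered kinds are assumptions of this example; in the issue's design, resources like NetworkPolicy are kept out of quota because no role grants create permission, so RBAC bounds them before quota is consulted.

```python
"""Illustrative quota-admission model (added example, not Milo's code).

Encodes the default quota tier listed in this issue and shows how a
fail-closed admission check treats each case. Field and parameter names
(consumer, usage key, grants) are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    api_group: str
    kind: str
    consumer: str   # quota scope: "Project" or "Organization"
    default: int    # 0 means the resource is disabled by default


# Default tier taken from the Phase 1-3 tables in this issue.
REGISTRATIONS = {
    (r.api_group, r.kind): r for r in [
        Registration("networking.datumapis.com", "Domain", "Project", 25),
        Registration("networking.datumapis.com", "HTTPProxy", "Project", 10),
        Registration("networking.datumapis.com", "TrafficProtectionPolicy", "Project", 0),
        Registration("networking.datumapis.com", "Connector", "Project", 5),
        Registration("networking.datumapis.com", "ConnectorAdvertisement", "Project", 10),
        Registration("gateway.networking.k8s.io", "Gateway", "Project", 10),
        Registration("gateway.networking.k8s.io", "HTTPRoute", "Project", 25),
        Registration("gateway.networking.k8s.io", "BackendTLSPolicy", "Project", 10),
        Registration("gateway.envoyproxy.io", "Backend", "Project", 10),
        Registration("gateway.envoyproxy.io", "BackendTrafficPolicy", "Project", 10),
        Registration("gateway.envoyproxy.io", "SecurityPolicy", "Project", 10),
        Registration("gateway.envoyproxy.io", "HTTPRouteFilter", "Project", 10),
        Registration("discovery.k8s.io", "EndpointSlice", "Project", 25),
        Registration("notes.miloapis.com", "Note", "Project", 100),
        Registration("notes.miloapis.com", "ClusterNote", "Project", 100),
        Registration("core.miloapis.com", "Secret", "Project", 50),
        Registration("core.miloapis.com", "ConfigMap", "Project", 50),
        Registration("iam.miloapis.com", "UserInvitation", "Organization", 5),
        Registration("iam.miloapis.com", "Group", "Organization", 3),
    ]
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def admit(api_group, kind, consumer_name, usage, grants=None):
    """Decide whether one more object of (api_group, kind) may be created.

    usage  : {(consumer_name, api_group, kind): existing count}
    grants : optional {(consumer_name, api_group, kind): limit} overriding the default
    Unregistered kinds are denied (assumed fail-closed behaviour): the point of
    this issue is that every user-facing resource gets a registration.
    """
    reg = REGISTRATIONS.get((api_group, kind))
    if reg is None:
        return Decision(False, f"no ResourceRegistration for {kind}.{api_group}")
    key = (consumer_name, api_group, kind)
    limit = (grants or {}).get(key, reg.default)
    if limit == 0:
        return Decision(False, f"{kind} is disabled for {reg.consumer} {consumer_name} (quota 0)")
    used = usage.get(key, 0)
    if used >= limit:
        return Decision(False, f"{kind} quota exhausted: {used}/{limit} in {reg.consumer} {consumer_name}")
    return Decision(True, f"{kind}: {used + 1}/{limit} in {reg.consumer} {consumer_name}")


def example_decisions():
    """Run the check against a constructed inventory for project 'proj-a' and org 'org-x'."""
    usage = {  # constructed sample counts, not real data
        ("proj-a", "networking.datumapis.com", "HTTPProxy"): 10,   # at the default limit
        ("proj-a", "gateway.networking.k8s.io", "Gateway"): 4,     # under the default limit
        ("org-x", "iam.miloapis.com", "Group"): 3,                 # at the default limit
    }
    # Assumed grant raising TrafficProtectionPolicy above its disabled default for one project.
    grants = {("proj-a", "networking.datumapis.com", "TrafficProtectionPolicy"): 5}
    return {
        "httpproxy_at_limit": admit("networking.datumapis.com", "HTTPProxy", "proj-a", usage),
        "gateway_under_limit": admit("gateway.networking.k8s.io", "Gateway", "proj-a", usage),
        "tpp_disabled": admit("networking.datumapis.com", "TrafficProtectionPolicy", "proj-a", usage),
        "tpp_granted": admit("networking.datumapis.com", "TrafficProtectionPolicy", "proj-a", usage, grants),
        "group_at_limit": admit("iam.miloapis.com", "Group", "org-x", usage),
        "unregistered": admit("networking.datumapis.com", "NetworkPolicy", "proj-a", usage),
    }


if __name__ == "__main__":
    for name, d in example_decisions().items():
        print(f"{name:22s} {'ALLOW' if d.allowed else 'DENY':5s} {d.reason}")
```

Two points the model makes visible: a default of 0 is a deny, not an absence of policy, so enabling TrafficProtectionPolicy for a project requires an explicit grant rather than a missing registration; and the IAM resources are counted against the Organization, so a project name in the usage key never matches a Group or UserInvitation limit.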