Challenge, Medium,  on  Kubernetes

Exclude a Sidecar from VPA Using Per-Container Resource Policy

Omkar Shelke
by  Omkar Shelke

Scenario

A Deployment web-app is running in the production namespace with 2 replicas. Each pod runs two containers that share a log volume:

  • main-app — an nginx web server serving traffic and writing access logs to a shared volume at /var/log/nginx
  • log-sidecar — a busybox container that tails the shared log volume and ships logs, with stable and manually tuned resource values

The team wants to introduce a Vertical Pod Autoscaler (VPA) to generate right-sizing recommendations for main-app. The log-sidecar has fixed resource values that must not be touched — it must be excluded from VPA entirely.

Task

Create a VPA named web-app-vpa in the production namespace targeting the web-app Deployment with updateMode: Off.

Configure resourcePolicy.containerPolicies for each container:

  • Set main-app to mode Auto with minAllowed cpu 100m / memory 128Mi and maxAllowed cpu 2 / memory 2Gi.
  • Set log-sidecar to mode Off to exclude it from VPA recommendations.

After creating the VPA, wait a few minutes and verify that recommendations appear only for main-app and not for log-sidecar.

Do not modify the Deployment resource requests or limits. This challenge is only about creating the VPA with the correct per-container policy.

Hint

A VPA resourcePolicy allows you to control behavior per container using containerName and mode. Setting mode: Off on a container tells VPA to skip it entirely. Use minAllowed and maxAllowed to bound the recommendation range for containers you want VPA to manage.

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge exclude-sidecar-from-vpa-using-per-container-resource-policy-82fb0d94

This will create a local copy of the challenge content in a directory named exclude-sidecar-from-vpa-using-per-container-resource-policy-82fb0d94. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge exclude-sidecar-from-vpa-using-per-container-resource-policy-82fb0d94

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge