How do you enforce per-pool (tenant) resource quotas for CPU / RAM / disk in Proxmox?

F

Fearless-Grape5584

New Member
Dec 9, 2025
5
0
1
I’m looking for a practical way to enforce tenant-level resource limits in Proxmox.

My current approach is to use Pools + RBAC to isolate tenant resources and delegate operations to a pool admin (create/delete VMs, start/stop, snapshots, backups, etc.) only within their own pool.
However, the obvious problem is that a pool admin can still consume as much CPU / RAM / disk as they want, which can impact other tenants.

What I’m trying to achieve is something like:
  • Enforce hard limits per pool (CPU / RAM / disk), or
  • Prevent VM creation (or require approval) once a pool exceeds its allocated capacity, or
  • Hook into the event before a pool admin spins up VMs (e.g., a pre-create / pre-start guardrail) to enforce policy, or
  • If Proxmox can’t do this natively, what’s the common “real-world” way people handle this?

How do you manage tenant-level capacity in practice? For example:
  • separate clusters per tenant,
  • external guardrails (API / IaC) that check quotas before creating VMs,
  • monitoring + policy / chargeback,
  • any other proven pattern.

Note: I’m not posting the full build steps here because it becomes quite long.
If anyone needs context on the exact setup, I documented the manual build process in my repo (I’m the author):
https://github.com/zelogx/proxmox-msl-setup-basic
The step-by-step instructions are in `build-instruction.md`.

Thanks in advance — this feels like a common multi-tenant pain point, so shared approaches would likely help others as well.
 
Hi,
depending on what you would like to archive, you can try to implement a solution via hookscripts. ( https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_hookscripts )

But a more suitable solution might be the Proxmox Datacenter Manager + multiple Cluster.

From the perspective of provisioning:
CPUs can be used shared,
KSM can save on RAM,
Storage quotas can usually be implemented directly on the storages.
Resource Groups are cluster wide, so usage stats needs to respect that.
Real Multi-tenancy also needs to consider anonymous neighbor tenants, which will be a nasty setup with multiple authentication realms.

BR, Lucas
 
bl1mp said:
Hi,
depending on what you would like to archive, you can try to implement a solution via hookscripts. ( https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_hookscripts )

But a more suitable solution might be the Proxmox Datacenter Manager + multiple Cluster.
Click to expand...
Hi Lucas,

thanks — that’s a very helpful perspective.

I agree that PDM + multiple clusters can be a solid approach when you want to separate tenants at the cluster boundary.

In my case, I’m exploring a different direction: squeezing multi-tenant-style delegation out of a single Proxmox server (or a single cluster) by slicing it with Pools + RBAC, and then adding some kind of preventive guardrail before provisioning.

So your pointer to hookscripts is especially useful for what I’m trying to achieve. I’ll dig into that path.

BR,
Masa
 
You must log in or register to reply here.
Top Bottom
Back