Feature Request
Resolution: Done
Critical
1. Proposed title of this feature request
Add resourcequota scope for terminated pods.
2. What is the nature and description of the request?
Currently, resourcequotas do not prevent terminated pods from infinitely accumulating in a project. We would need an additional scope that either limits the number of terminated (not terminating, terminated) pods or the number of terminated+non-terminated pods.
3. Why does the customer need this? (List the business requirements here)
Any user with edit permissions in a project may cause a DoS on a node just by creating a large enough number of small pods that reach the completed state but stay on the node. The reason is that, when the node has a large enough number of containers, the gRPC responses on the CRI socket exceed the maximum size (more details on this problem can be found in RFE-4894).
On the one hand, we opened RFE-4894 to ask for node-level protection via the pod GC. With this RFE, however, we aim to allow cluster-admins to set up namespace-level protections against this problem as well.
4. List any affected packages or components.
kube-apiserver
Is related to: RFE-4894 Add per-node terminated pod eviction threshold to the pod garbage collector (Backlog)
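Until such a scope exists, a cluster-admin can audit the accumulation described in this request from pod list output. The following is an added example, not part of the original request or of any Kubernetes or OpenShift code: it counts pods in a terminal phase (`Succeeded` or `Failed`) per namespace and per node from a PodList such as the JSON printed by `kubectl get pods -A -o json`. The function names, the limit of 3 and the sample pods are constructed for illustration.

```python
from collections import Counter

TERMINAL_PHASES = {"Succeeded", "Failed"}  # terminated, not terminating


def terminated_pod_counts(pod_list):
    """Count terminated pods per namespace and per node in a PodList dict."""
    by_namespace, by_node = Counter(), Counter()
    for pod in pod_list.get("items", []):
        if pod.get("status", {}).get("phase") not in TERMINAL_PHASES:
            continue
        by_namespace[pod["metadata"]["namespace"]] += 1
        # A pod with no nodeName was never scheduled, so it only counts
        # toward the namespace total.
        node = pod.get("spec", {}).get("nodeName")
        if node:
            by_node[node] += 1
    return by_namespace, by_node


def over_limit(counts, limit):
    """Return (name, count) pairs above the limit, largest first."""
    return [(name, n) for name, n in counts.most_common() if n > limit]


def _pod(namespace, name, node, phase):
    """Build a minimal constructed pod object for the sample input."""
    spec = {"nodeName": node} if node else {}
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": spec, "status": {"phase": phase}}


# Constructed sample: one namespace leaves many completed pods on node-a.
SAMPLE = {"items": (
    [_pod("batch-jobs", f"job-{i}", "node-a", "Succeeded") for i in range(5)]
    + [_pod("batch-jobs", "job-x", None, "Failed"),
       _pod("batch-jobs", "worker", "node-a", "Running"),
       _pod("web", "frontend", "node-b", "Running"),
       _pod("web", "migrate", "node-b", "Succeeded")]
)}

if __name__ == "__main__":
    # Real use: save `kubectl get pods -A -o json` to a file and json.load() it.
    ns_counts, node_counts = terminated_pod_counts(SAMPLE)
    print("namespaces over limit:", over_limit(ns_counts, 3))
    print("nodes over limit:", over_limit(node_counts, 3))
```

The per-namespace totals correspond to what the requested quota scope would cap, and the per-node totals correspond to the node-level condition covered by RFE-4894.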