Add EventRateLimit admission controller

Add the EventRateLimit admission controller, to allow operators to
define rate limits for the k8s API server at the server, namespace,
or user account level.

This also
* cleans up some of the parameters passed into the API server
* replaces the deprecated --admission-control parameter
* applies --repair-malformed-updates consistently, incl examples
* removes unused batch/v2alpha1 runtime config
* https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
* removes duplicate --service-cluster-ip-range setting

This PS adds EventRateLimits to the bootstrap and anchor API
servers; future work will need to add it to the Keystone
Webhook API server.

Change-Id: I32a2d4add880e50f470e4cb0687e20d16e6e926d
This commit is contained in:
Matt McEuen 2018-10-17 18:22:04 -05:00
parent 20f27f6281
commit 178193be84
9 changed files with 62 additions and 13 deletions


@ -17,6 +17,21 @@ limitations under the License.
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
{{/* This slightly involved merge of AC config files into the anchor
files uses HTK merge, as straighforward appends result in duplicates. */}}
{{- $_ := set .Values "_ac_files_to_copy" list }}
{{- range $key, $val := .Values.conf.admission_controllers }}
{{- $source := printf "/tmp/etc/%s" $key }}
{{- $dest := printf "/etc/kubernetes/apiserver/%s" $key }}
{{- $file_to_copy := dict "source" $source "dest" $dest }}
{{- $ac_files_to_copy := append $.Values._ac_files_to_copy $file_to_copy }}
{{- $_ := set $.Values "_ac_files_to_copy" $ac_files_to_copy }}
{{- end }}
{{ $all_files_to_copy := dict }}
{{ $_ := set $all_files_to_copy "values" (tuple .Values.anchor.files_to_copy .Values._ac_files_to_copy) }}
{{ $_ := $all_files_to_copy | include "helm-toolkit.utils.merge" }}
{{ $_ := set .Values.anchor "files_to_copy" $all_files_to_copy.result }}
---
apiVersion: v1
kind: ConfigMap
@ -27,4 +42,9 @@ data:
{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
kubeconfig.yaml: |+
{{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{/* Dynamically add config files for admission controllers */}}
{{ range $key, $val := .Values.conf.admission_controllers }}
{{ $key }}: |+
{{ toYaml $val | indent 4 }}
{{ end }}
{{- end }}
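Review bot: The `admission_controllers` map key is used verbatim as the anchor copy destination (`printf "/etc/kubernetes/apiserver/%s" $key` in the range at the top of the hunk) and as the ConfigMap data key in the second hunk, and nothing asserts it is a bare file name, so a key containing `/` or `..` lands outside the apiserver config directory and a key that is not a valid data key yields an object the API server rejects at install time. The values are operator-supplied, so this is a footgun rather than an exposure, but a render-time guard inside the range makes the failure loud and local: `{{- if contains "/" $key }}{{ fail (printf "conf.admission_controllers key %q must be a bare file name" $key) }}{{- end }}`. The template also mutates `.Values.anchor.files_to_copy` in place, which presumably persists for any template rendered later in the same release; a one-line comment saying that this is intentional (or why merge rather than append is needed) would help the next reader, and "straighforward" in the existing comment should read "straightforward". The surrounding `if .Values.manifests.configmap_etc` block starts at the first line of the hunk and is closed by the final `{{- end }}`.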


@ -62,6 +62,7 @@ spec:
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- --allow-privileged=true
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
ports:
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
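Review bot: The added `--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml` hard-codes both the directory and the file name, while the file itself only exists because `acconfig.yaml` happens to be a key under `.Values.conf.admission_controllers` and the anchor copies it to the same hard-coded directory; renaming the key or the destination in values leaves this flag pointing at a missing file and, as far as I can tell, the API server then fails to start with no hint at the cause. Consider deriving the flag from a single value that the ConfigMap generation also reads, or at minimum add `# must match a key under .Values.conf.admission_controllers and the anchor's dest path` above the line so the coupling is visible. The container spec continues outside the hunk.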


@ -55,20 +55,41 @@ anchor:
dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
- source: /tmp/etc/kubeconfig.yaml
dest: /etc/kubernetes/apiserver/kubeconfig.yaml
# Note: config files for admission controllers are added to this dynamically
command_prefix:
- /apiserver
- --authorization-mode=Node,RBAC
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --apiserver-count=3
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
- --service-cluster-ip-range=10.96.0.0/16
- --v=5
- --endpoint-reconciler-type=lease
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
- --repair-malformed-updates=false
apiserver:
host_etc_path: /etc/kubernetes/apiserver
etcd:
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
conf:
# Admission controllers config files are generated dynamically based on the
# config below, as they they are specific to particular ACs that may be
# configured by the operator (or added by k8s in the future).
admission_controllers:
eventconfig.yaml:
kind: Configuration
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
limits:
- type: Server
qps: 100
burst: 1000
acconfig.yaml:
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: EventRateLimit
path: eventconfig.yaml
network:
kubernetes_apiserver:
ingress:
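Review bot: The `eventconfig.yaml` limits define only a `type: Server` bucket, so the 100 qps / 1000 burst budget is shared by everyone on the cluster and one noisy namespace or service account can exhaust it and starve event delivery for all others; the description lists namespace and user scoping as the goal, so a per-scope limit alongside the server one is worth adding, e.g. (constructed example values) `- type: Namespace`, `  qps: 50`, `  burst: 100`. The same limits and `AdmissionConfiguration` are repeated verbatim in the two new standalone files at L139-L156 of this page, which presumably serve the genesis path; two copies of the same policy will drift, so a comment in each pointing at the other (or a shared source) would help. "they they" in the comment above `admission_controllers` is a typo. The `conf:` mapping continues outside the hunk.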


@ -14,7 +14,7 @@ data:
command_prefix:
- /apiserver
- --authorization-mode=Node,RBAC
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11


@ -743,7 +743,7 @@ data:
command_prefix:
- /apiserver
- --authorization-mode=Node,RBAC
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11


@ -0,0 +1,6 @@
---
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: EventRateLimit
path: eventconfig.yaml


@ -0,0 +1,7 @@
---
kind: Configuration
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
limits:
- type: Server
qps: 100
burst: 1000


@ -122,8 +122,6 @@ spec:
- "{{ argument }}"
{%- endfor %}
- --advertise-address={{ config['Genesis:ip'] }}
- --authorization-mode=Node,RBAC
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --anonymous-auth=false
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
@ -132,15 +130,14 @@ spec:
- --insecure-port=8080
- --secure-port=6444
- --bind-address=0.0.0.0
- --runtime-config=batch/v2alpha1=true
- --allow-privileged=true
- --etcd-servers=https://localhost:12379
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
env:
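Review bot: After `--admission-control` is dropped in the first hunk, nothing in this template enables `EventRateLimit` (or the rest of the former plugin list); the new `--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml` line only takes effect if the `{{ argument }}` loop at the top of the file supplies an `--enable-admission-plugins` value from site configuration, and if it does not, the genesis API server presumably starts with the version's default plugin set and the config-file flag is inert. Unless that argument is guaranteed by the schema, add the plugin list explicitly, `- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit`, or document above the flag which configuration key is expected to carry it. How `acconfig.yaml` and `eventconfig.yaml` reach `/etc/kubernetes/apiserver/` on the genesis host is not visible in this hunk either, and a comment naming the source would help. The same applies to the second manifest at L189-L214.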


@ -20,8 +20,6 @@ spec:
- "{{ argument }}"
{%- endfor %}
- --advertise-address={{ config['Genesis:ip'] }}
- --authorization-mode=Node,RBAC
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --anonymous-auth=false
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
@ -30,15 +28,14 @@ spec:
- --insecure-port=0
- --bind-address=0.0.0.0
- --secure-port=6443
- --runtime-config=batch/v2alpha1=true
- --allow-privileged=true
- --etcd-servers=https://localhost:2379
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
volumeMounts: