Add EventRateLimit admission controller
Add the EventRateLimit admission controller, to allow operators to define rate limits for the k8s API server at the server, namespace, or user account level. This also:
* cleans up some of the parameters passed into the API server
* replaces the deprecated --admission-control parameter
* applies --repair-malformed-updates consistently, including examples
* removes unused batch/v2alpha1 runtime config
* https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
* removes duplicate --service-cluster-ip-range setting
This PS adds EventRateLimits to the bootstrap and anchor API servers; future work will need to add it to the Keystone Webhook API server. Change-Id: I32a2d4add880e50f470e4cb0687e20d16e6e926d
This commit is contained in:
parent
20f27f6281
commit
178193be84
@ -17,6 +17,21 @@ limitations under the License.
|
||||||
{{- if .Values.manifests.configmap_etc }}
|
{{- if .Values.manifests.configmap_etc }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
{{/* This slightly involved merge of AC config files into the anchor
|
||||||
|
files uses HTK merge, as straighforward appends result in duplicates. */}}
|
||||||
|
{{- $_ := set .Values "_ac_files_to_copy" list }}
|
||||||
|
{{- range $key, $val := .Values.conf.admission_controllers }}
|
||||||
|
{{- $source := printf "/tmp/etc/%s" $key }}
|
||||||
|
{{- $dest := printf "/etc/kubernetes/apiserver/%s" $key }}
|
||||||
|
{{- $file_to_copy := dict "source" $source "dest" $dest }}
|
||||||
|
{{- $ac_files_to_copy := append $.Values._ac_files_to_copy $file_to_copy }}
|
||||||
|
{{- $_ := set $.Values "_ac_files_to_copy" $ac_files_to_copy }}
|
||||||
|
{{- end }}
|
||||||
|
{{ $all_files_to_copy := dict }}
|
||||||
|
{{ $_ := set $all_files_to_copy "values" (tuple .Values.anchor.files_to_copy .Values._ac_files_to_copy) }}
|
||||||
|
{{ $_ := $all_files_to_copy | include "helm-toolkit.utils.merge" }}
|
||||||
|
{{ $_ := set .Values.anchor "files_to_copy" $all_files_to_copy.result }}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
|
@ -27,4 +42,9 @@ data:
|
||||||
{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
kubeconfig.yaml: |+
|
kubeconfig.yaml: |+
|
||||||
{{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{/* Dynamically add config files for admission controllers */}}
|
||||||
|
{{ range $key, $val := .Values.conf.admission_controllers }}
|
||||||
|
{{ $key }}: |+
|
||||||
|
{{ toYaml $val | indent 4 }}
|
||||||
|
{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
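Review bot: The values key iterated by the new `range $key, $val := .Values.conf.admission_controllers` loops is used unchanged both as a ConfigMap data key (`{{ $key }}: |+`) and as the file name in `printf "/etc/kubernetes/apiserver/%s" $key`, but nothing validates or documents that constraint; a key with characters outside `[-._a-zA-Z0-9]` would be rejected by ConfigMap validation, and one containing `/` or `..` would resolve outside the apiserver directory. Since the keys are operator-supplied, a comment next to the first loop would help, e.g. `{{/* Keys must be plain file names (no path separators): each becomes a ConfigMap data key and a file under /etc/kubernetes/apiserver */}}`. The explanatory comment also has a typo: `straighforward` should read `straightforward`. As a point of style, the `{{ range … }}` and `{{ end }}` lines in the second hunk are not whitespace-trimmed, so they emit blank lines into `data:`; the one that follows `kubeconfig.yaml: |+` appears to be kept as trailing newlines of that value because of the `+` chomping, which is presumably harmless but `{{- range` / `{{- end }}` would keep the rendered ConfigMap clean.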
@ -62,6 +62,7 @@ spec:
|
||||||
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
||||||
- --allow-privileged=true
|
- --allow-privileged=true
|
||||||
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
||||||
|
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
|
||||||
|
|
||||||
ports:
|
ports:
|
||||||
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
|
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
|
||||||
|
|
|
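Review bot: The added `--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml` hard-codes a file name that only exists on the host while `conf.admission_controllers` in values still carries an `acconfig.yaml` key, and with EventRateLimit listed in `--enable-admission-plugins` that file becomes mandatory for the API server to start. The coupling is invisible from this manifest, so a comment above the flag would make it explicit, e.g. `# acconfig.yaml is generated from .Values.conf.admission_controllers; keep that key name and this path in sync`. The enclosing container spec starts and ends outside the hunk.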
@ -55,20 +55,41 @@ anchor:
|
||||||
dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
|
dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
|
||||||
- source: /tmp/etc/kubeconfig.yaml
|
- source: /tmp/etc/kubeconfig.yaml
|
||||||
dest: /etc/kubernetes/apiserver/kubeconfig.yaml
|
dest: /etc/kubernetes/apiserver/kubeconfig.yaml
|
||||||
|
# Note: config files for admission controllers are added to this dynamically
|
||||||
|
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
|
||||||
- --apiserver-count=3
|
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --v=5
|
- --endpoint-reconciler-type=lease
|
||||||
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
|
- --repair-malformed-updates=false
|
||||||
|
|
||||||
apiserver:
|
apiserver:
|
||||||
host_etc_path: /etc/kubernetes/apiserver
|
host_etc_path: /etc/kubernetes/apiserver
|
||||||
etcd:
|
etcd:
|
||||||
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
|
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
|
||||||
|
|
||||||
|
conf:
|
||||||
|
# Admission controllers config files are generated dynamically based on the
|
||||||
|
# config below, as they they are specific to particular ACs that may be
|
||||||
|
# configured by the operator (or added by k8s in the future).
|
||||||
|
admission_controllers:
|
||||||
|
eventconfig.yaml:
|
||||||
|
kind: Configuration
|
||||||
|
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
|
||||||
|
limits:
|
||||||
|
- type: Server
|
||||||
|
qps: 100
|
||||||
|
burst: 1000
|
||||||
|
acconfig.yaml:
|
||||||
|
kind: AdmissionConfiguration
|
||||||
|
apiVersion: apiserver.k8s.io/v1alpha1
|
||||||
|
plugins:
|
||||||
|
- name: EventRateLimit
|
||||||
|
path: eventconfig.yaml
|
||||||
|
|
||||||
network:
|
network:
|
||||||
kubernetes_apiserver:
|
kubernetes_apiserver:
|
||||||
ingress:
|
ingress:
|
||||||
|
|
|
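Review bot: The default `eventconfig.yaml` defines only a `Server` limit (`qps: 100`, `burst: 1000`), so a single noisy namespace or client can drain the one shared bucket and cause events from every other namespace to be rejected, which also removes event visibility for the rest of the cluster exactly when it is needed. The commit message states the controller supports namespace and user-level limits; shipping a `Namespace` entry alongside the server one would contain that blast radius, e.g. `- type: Namespace` / `  qps: 50` / `  burst: 100` (constructed illustrative values, to be tuned per deployment). The new comment block also has a doubled word: `as they they are` should read `as they are`.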
@ -14,7 +14,7 @@ data:
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --endpoint-reconciler-type=lease
|
- --endpoint-reconciler-type=lease
|
||||||
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
|
|
|
@ -743,7 +743,7 @@ data:
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --endpoint-reconciler-type=lease
|
- --endpoint-reconciler-type=lease
|
||||||
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
kind: AdmissionConfiguration
|
||||||
|
apiVersion: apiserver.k8s.io/v1alpha1
|
||||||
|
plugins:
|
||||||
|
- name: EventRateLimit
|
||||||
|
path: eventconfig.yaml
|
|
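Review bot: This standalone `acconfig.yaml` (and the `eventconfig.yaml` added in the next hunk) duplicates the content carried in values.yaml under `conf.admission_controllers`, so the two copies can drift without anything noticing; a header comment naming the counterpart, e.g. `# Keep in sync with conf.admission_controllers.acconfig.yaml in the chart's values.yaml`, would at least make the duplication visible. The relative `path: eventconfig.yaml` also relies on kube-apiserver resolving plugin paths relative to the directory of the admission configuration file, which is worth stating in the same comment because it only works while both files are deployed side by side.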
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
kind: Configuration
|
||||||
|
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
|
||||||
|
limits:
|
||||||
|
- type: Server
|
||||||
|
qps: 100
|
||||||
|
burst: 1000
|
|
@ -122,8 +122,6 @@ spec:
|
||||||
- "{{ argument }}"
|
- "{{ argument }}"
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
- --advertise-address={{ config['Genesis:ip'] }}
|
- --advertise-address={{ config['Genesis:ip'] }}
|
||||||
- --authorization-mode=Node,RBAC
|
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
|
||||||
- --anonymous-auth=false
|
- --anonymous-auth=false
|
||||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
|
@ -132,15 +130,14 @@ spec:
|
||||||
- --insecure-port=8080
|
- --insecure-port=8080
|
||||||
- --secure-port=6444
|
- --secure-port=6444
|
||||||
- --bind-address=0.0.0.0
|
- --bind-address=0.0.0.0
|
||||||
- --runtime-config=batch/v2alpha1=true
|
|
||||||
- --allow-privileged=true
|
- --allow-privileged=true
|
||||||
- --etcd-servers=https://localhost:12379
|
- --etcd-servers=https://localhost:12379
|
||||||
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
||||||
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
||||||
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
||||||
- --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
|
|
||||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||||
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
||||||
|
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
|
||||||
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
||||||
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
||||||
env:
|
env:
|
||||||
|
|
|
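Review bot: Removing `--authorization-mode=Node,RBAC` from the hard-coded argument list means the API server's authorization mode now comes solely from the `{{ argument }}` loop above (presumably the document's `command_prefix`); if that list ever omits the flag, kube-apiserver falls back to its default `AlwaysAllow`, which silently disables RBAC on the node. The same removal is made in the second template hunk (`@ -20,8 +20,6`), and the example manifests in this commit do carry the flag, but nothing here enforces it; keeping `--authorization-mode=Node,RBAC` in the template, or at least a comment such as `# authorization-mode and admission plugins are expected from the configured command_prefix; the kube-apiserver default is AlwaysAllow`, would make the dependency explicit. Likewise, dropping `--service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}` in favour of the literal `10.96.0.0/16` in the examples' `command_prefix` means the network document's service CIDR no longer drives the API server, so a non-default `service_cidr` would silently disagree with it. The enclosing container spec starts and ends outside these hunks.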
@ -20,8 +20,6 @@ spec:
|
||||||
- "{{ argument }}"
|
- "{{ argument }}"
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
- --advertise-address={{ config['Genesis:ip'] }}
|
- --advertise-address={{ config['Genesis:ip'] }}
|
||||||
- --authorization-mode=Node,RBAC
|
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
|
||||||
- --anonymous-auth=false
|
- --anonymous-auth=false
|
||||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
|
||||||
|
@ -30,15 +28,14 @@ spec:
|
||||||
- --insecure-port=0
|
- --insecure-port=0
|
||||||
- --bind-address=0.0.0.0
|
- --bind-address=0.0.0.0
|
||||||
- --secure-port=6443
|
- --secure-port=6443
|
||||||
- --runtime-config=batch/v2alpha1=true
|
|
||||||
- --allow-privileged=true
|
- --allow-privileged=true
|
||||||
- --etcd-servers=https://localhost:2379
|
- --etcd-servers=https://localhost:2379
|
||||||
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
||||||
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
||||||
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
||||||
- --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
|
|
||||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||||
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
||||||
|
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
|
||||||
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
||||||
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
|