Merge "Add EventRateLimit admission controller"
commit
a5a17ffe6d
|
@ -17,6 +17,21 @@ limitations under the License.
|
||||||
{{- if .Values.manifests.configmap_etc }}
|
{{- if .Values.manifests.configmap_etc }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
{{/* This slightly involved merge of AC config files into the anchor
|
||||||
|
files uses HTK merge, as straighforward appends result in duplicates. */}}
|
||||||
|
{{- $_ := set .Values "_ac_files_to_copy" list }}
|
||||||
|
{{- range $key, $val := .Values.conf.admission_controllers }}
|
||||||
|
{{- $source := printf "/tmp/etc/%s" $key }}
|
||||||
|
{{- $dest := printf "/etc/kubernetes/apiserver/%s" $key }}
|
||||||
|
{{- $file_to_copy := dict "source" $source "dest" $dest }}
|
||||||
|
{{- $ac_files_to_copy := append $.Values._ac_files_to_copy $file_to_copy }}
|
||||||
|
{{- $_ := set $.Values "_ac_files_to_copy" $ac_files_to_copy }}
|
||||||
|
{{- end }}
|
||||||
|
{{ $all_files_to_copy := dict }}
|
||||||
|
{{ $_ := set $all_files_to_copy "values" (tuple .Values.anchor.files_to_copy .Values._ac_files_to_copy) }}
|
||||||
|
{{ $_ := $all_files_to_copy | include "helm-toolkit.utils.merge" }}
|
||||||
|
{{ $_ := set .Values.anchor "files_to_copy" $all_files_to_copy.result }}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
|
@ -27,4 +42,9 @@ data:
|
||||||
{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
kubeconfig.yaml: |+
|
kubeconfig.yaml: |+
|
||||||
{{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{/* Dynamically add config files for admission controllers */}}
|
||||||
|
{{ range $key, $val := .Values.conf.admission_controllers }}
|
||||||
|
{{ $key }}: |+
|
||||||
|
{{ toYaml $val | indent 4 }}
|
||||||
|
{{ end }}
|
||||||
{{- end }}
|
{{- end }}
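Review bot: The map key `$key` from `.Values.conf.admission_controllers` is used unvalidated both as the ConfigMap data key (`{{ $key }}: |+`) and, via `printf "/etc/kubernetes/apiserver/%s" $key`, as the destination path handed to the anchor copier, so a key containing `/` or `..` would produce a copy target outside the apiserver config directory and an invalid ConfigMap key. A guard at the top of the range, `{{- if ne $key (base $key) }}{{ fail (printf "conf.admission_controllers key %q must be a bare filename" $key) }}{{- end }}`, fails the render early instead of producing a broken or misplaced file. The `{{ range`/`{{ end }}` pair in the second hunk is untrimmed, so every entry emits blank lines inside `data:`; `{{- range` / `{{- end }}` keeps the rendered ConfigMap tidy. Whether the merge helper preserves order when the same `dest` appears in both `anchor.files_to_copy` and the generated list is not visible here and is worth a one-line comment next to the merge.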
|
||||||
|
|
|
@ -63,6 +63,7 @@ spec:
|
||||||
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
||||||
- --allow-privileged=true
|
- --allow-privileged=true
|
||||||
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
||||||
|
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
|
||||||
|
|
||||||
ports:
|
ports:
|
||||||
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
|
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
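Review bot: `--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml` is added unconditionally while the file itself only exists because `conf.admission_controllers` happens to contain an `acconfig.yaml` entry, so an operator who renames or drops that entry gets an apiserver that fails to start rather than one without the plugin config. Since `.Values` is already in scope on this line, wrapping the flag as `{{- if hasKey .Values.conf.admission_controllers "acconfig.yaml" }}` / `- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml` / `{{- end }}` keeps the flag and the file in step. The container args list this line belongs to starts before the hunk, so the in-container directory backing `/etc/kubernetes/apiserver` cannot be confirmed from here.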
|
||||||
|
|
|
@ -55,20 +55,41 @@ anchor:
|
||||||
dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
|
dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
|
||||||
- source: /tmp/etc/kubeconfig.yaml
|
- source: /tmp/etc/kubeconfig.yaml
|
||||||
dest: /etc/kubernetes/apiserver/kubeconfig.yaml
|
dest: /etc/kubernetes/apiserver/kubeconfig.yaml
|
||||||
|
# Note: config files for admission controllers are added to this dynamically
|
||||||
|
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
|
||||||
- --apiserver-count=3
|
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --v=5
|
- --endpoint-reconciler-type=lease
|
||||||
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
|
- --repair-malformed-updates=false
|
||||||
|
|
||||||
apiserver:
|
apiserver:
|
||||||
host_etc_path: /etc/kubernetes/apiserver
|
host_etc_path: /etc/kubernetes/apiserver
|
||||||
etcd:
|
etcd:
|
||||||
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
|
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
|
||||||
|
|
||||||
|
conf:
|
||||||
|
# Admission controllers config files are generated dynamically based on the
|
||||||
|
# config below, as they they are specific to particular ACs that may be
|
||||||
|
# configured by the operator (or added by k8s in the future).
|
||||||
|
admission_controllers:
|
||||||
|
eventconfig.yaml:
|
||||||
|
kind: Configuration
|
||||||
|
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
|
||||||
|
limits:
|
||||||
|
- type: Server
|
||||||
|
qps: 100
|
||||||
|
burst: 1000
|
||||||
|
acconfig.yaml:
|
||||||
|
kind: AdmissionConfiguration
|
||||||
|
apiVersion: apiserver.k8s.io/v1alpha1
|
||||||
|
plugins:
|
||||||
|
- name: EventRateLimit
|
||||||
|
path: eventconfig.yaml
|
||||||
|
|
||||||
network:
|
network:
|
||||||
kubernetes_apiserver:
|
kubernetes_apiserver:
|
||||||
ingress:
|
ingress:
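Review bot: The only EventRateLimit entry is `type: Server` (qps 100, burst 1000), which is a single cluster-wide bucket: one noisy namespace or controller can exhaust it and every other client then has its events rejected, so the limit that is meant to protect the apiserver can itself hide events from unrelated workloads. Adding a per-tenant bucket next to it, for example `- type: Namespace` / `qps: 50` / `burst: 100` (illustrative values), confines that effect to the offender; the same applies to the standalone copy in the `@ -0,0 +1,7` file below. Replacing `--admission-control` with `--enable-admission-plugins` also changes semantics: the old flag was the complete ordered list, the new one is additive to the apiserver's built-in default set, so a comment such as `# --enable-admission-plugins adds to the apiserver defaults; use --disable-admission-plugins to remove one` would stop readers assuming this list is exhaustive. The plugin list is now duplicated verbatim in the two `command_prefix` hunks at `@ -14,7 +14,7` and `@ -721,7 +721,7`, which will drift unless they are kept in sync deliberately. The `--repair-malformed-updates=false` default carries a note that the flag disappears in 1.11, which presumably means the default has to be removed again at that upgrade or the apiserver will reject the unknown flag.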
|
||||||
|
|
|
@ -14,7 +14,7 @@ data:
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --endpoint-reconciler-type=lease
|
- --endpoint-reconciler-type=lease
|
||||||
- --feature-gates=PodShareProcessNamespace=true
|
- --feature-gates=PodShareProcessNamespace=true
|
||||||
|
|
|
@ -721,7 +721,7 @@ data:
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --endpoint-reconciler-type=lease
|
- --endpoint-reconciler-type=lease
|
||||||
- --feature-gates=PodShareProcessNamespace=true
|
- --feature-gates=PodShareProcessNamespace=true
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
kind: AdmissionConfiguration
|
||||||
|
apiVersion: apiserver.k8s.io/v1alpha1
|
||||||
|
plugins:
|
||||||
|
- name: EventRateLimit
|
||||||
|
path: eventconfig.yaml
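Review bot: `path: eventconfig.yaml` is relative, and kube-apiserver resolves relative plugin paths against the directory holding the admission configuration file, so this only works if both files are placed side by side; nothing in this diff shows what copies them next to each other for the Jinja-rendered manifests that reference `/etc/kubernetes/apiserver/acconfig.yaml`. A comment on the line, `# relative to the directory containing this file`, plus a pointer to whatever installs both files would make the coupling explicit. The same two documents are also embedded in values.yaml under `conf.admission_controllers`, so a future change to either copy is likely to be missed in the other.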
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
kind: Configuration
|
||||||
|
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
|
||||||
|
limits:
|
||||||
|
- type: Server
|
||||||
|
qps: 100
|
||||||
|
burst: 1000
|
|
@ -122,8 +122,6 @@ spec:
|
||||||
- "{{ argument }}"
|
- "{{ argument }}"
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
- --advertise-address={{ config['Genesis:ip'] }}
|
- --advertise-address={{ config['Genesis:ip'] }}
|
||||||
- --authorization-mode=Node,RBAC
|
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
|
||||||
- --anonymous-auth=false
|
- --anonymous-auth=false
|
||||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
|
@ -132,15 +130,14 @@ spec:
|
||||||
- --insecure-port=8080
|
- --insecure-port=8080
|
||||||
- --secure-port=6444
|
- --secure-port=6444
|
||||||
- --bind-address=0.0.0.0
|
- --bind-address=0.0.0.0
|
||||||
- --runtime-config=batch/v2alpha1=true
|
|
||||||
- --allow-privileged=true
|
- --allow-privileged=true
|
||||||
- --etcd-servers=https://localhost:12379
|
- --etcd-servers=https://localhost:12379
|
||||||
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
||||||
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
||||||
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
||||||
- --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
|
|
||||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||||
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
||||||
|
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
|
||||||
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
||||||
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
||||||
env:
|
env:
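Review bot: The literal `--authorization-mode=Node,RBAC` and `--admission-control=...` lines are removed from this args list, which is only safe if the `{% for argument ... %}` loop above always emits an `--authorization-mode` entry; if the source it iterates over (presumably the site's `command_prefix`) ever omits it, kube-apiserver falls back to its built-in default of `AlwaysAllow` and every authenticated caller is authorized for everything. The same removal appears in the `@ -20,8 +20,6` hunk of the second Jinja template below. A comment above the loop, `{# authorization-mode and admission plugins are supplied via command_prefix; do not drop them there #}`, or a Jinja assertion that the rendered arguments contain `--authorization-mode`, would make the dependency visible. `--runtime-config=batch/v2alpha1=true` and `--service-cluster-ip-range` are dropped in the same hunks without a replacement in view, which goes beyond what the commit title describes. The enclosing `args:` list begins before the hunk.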
|
||||||
|
|
|
@ -20,8 +20,6 @@ spec:
|
||||||
- "{{ argument }}"
|
- "{{ argument }}"
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
- --advertise-address={{ config['Genesis:ip'] }}
|
- --advertise-address={{ config['Genesis:ip'] }}
|
||||||
- --authorization-mode=Node,RBAC
|
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
|
||||||
- --anonymous-auth=false
|
- --anonymous-auth=false
|
||||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
|
||||||
|
@ -30,15 +28,14 @@ spec:
|
||||||
- --insecure-port=0
|
- --insecure-port=0
|
||||||
- --bind-address=0.0.0.0
|
- --bind-address=0.0.0.0
|
||||||
- --secure-port=6443
|
- --secure-port=6443
|
||||||
- --runtime-config=batch/v2alpha1=true
|
|
||||||
- --allow-privileged=true
|
- --allow-privileged=true
|
||||||
- --etcd-servers=https://localhost:2379
|
- --etcd-servers=https://localhost:2379
|
||||||
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
||||||
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
||||||
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
||||||
- --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
|
|
||||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||||
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
||||||
|
- --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
|
||||||
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
||||||
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
|