api: add ratelimitconfiguration for kubelet endpoints

The podresources API is a node-local gRPC API exposed by the kubelet using a UNIX-domain socket which allows client to query about compute resources exclusively allocated to pods (devices, cpus...) As part as the feature GA graduation, we identified the requirement to add rate limiting to prevent DOS from buggy or malicious clients [1][2]. So this change extends the KubeletConfiguration to allow to configure the ratelimit parameters. The interface intentionally mimics the parameters of the golang/x/time/rate package [3], because it's simple and already being used in the codebase. Because of this, there is an interdependency between the rate limiter configuration parameters. This is the reason why the rate limiting is optional, with defaults to "no limits" for backward compatibility, but if specified, all the rate limit configuration values must be given (e.g. burst doesn't make much sense without frequency, see [3]). +++ [1] kubernetes/enhancements#3791 [2] kubernetes/enhancements#3863 [3] https://pkg.go.dev/golang.org/x/time/rate#Limiter Signed-off-by: Francesco Romani <fromani@redhat.com>
ffromani · Mar 2, 2023 · f3eb3de · f3eb3de
1 parent af9f7a4
commit f3eb3de
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 0 deletions.
diff --git a/pkg/kubelet/apis/config/helpers_test.go b/pkg/kubelet/apis/config/helpers_test.go
@@ -251,6 +251,8 @@ var (
 		"OOMScoreAdj",
 		"PodCIDR",
 		"PodPidsLimit",
+		"PodresourcesLimits.MaxFrequency",
+		"PodresourcesLimits.MaxBurst",
 		"PodsPerCore",
 		"Port",
 		"ProtectKernelDefaults",

diff --git a/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/after/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/after/v1beta1.yaml
@@ -68,6 +68,7 @@ nodeStatusReportFrequency: 5m0s
 nodeStatusUpdateFrequency: 10s
 oomScoreAdj: -999
 podPidsLimit: -1
+podresourcesLimits: {}
 port: 10250
 registerNode: true
 registryBurst: 10

diff --git a/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/roundtrip/default/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/roundtrip/default/v1beta1.yaml
@@ -68,6 +68,7 @@ nodeStatusReportFrequency: 5m0s
 nodeStatusUpdateFrequency: 10s
 oomScoreAdj: -999
 podPidsLimit: -1
+podresourcesLimits: {}
 port: 10250
 registerNode: true
 registryBurst: 10

diff --git a/pkg/kubelet/apis/config/types.go b/pkg/kubelet/apis/config/types.go
@@ -478,6 +478,11 @@ type KubeletConfiguration struct {
 	// If not specified the default value is ContainerRuntimeEndpoint
 	// +optional
 	ImageServiceEndpoint string
+
+	// PodresourcesLimits specifies the rate limits for the node-local podresources API endpoint
+	// +featureGate=KubeletPodResources
+	// +optional
+	PodresourcesLimits RateLimitConfiguration
 }
 
 // KubeletAuthorizationMode denotes the authorization mode for the kubelet
@@ -656,3 +661,16 @@ type MemorySwapConfiguration struct {
 	// +optional
 	SwapBehavior string
 }
+
+// RateLimitConfiguration is used for setting the rate limits for the kubelet APIs exposed
+// locally on the node as gRPC over UNIX-domain sockets, like the podresources API
+type RateLimitConfiguration struct {
+	// MaxFrequency  defines the maximum allowed frequency of the calls represented
+	// as number of calls per second, cumulating all the calls.
+	// Omitting the value or setting to zero means no limit.
+	MaxFrequency float64
+	// MaxBurst defines the maximum numbers of calls that may happen at once, within
+	// the boundaries set by frequency.
+	// This value is ignored if the frequuency is unlimited.
+	MaxBurst int32
+}
diff --git a/pkg/kubelet/apis/config/v1beta1/defaults_test.go b/pkg/kubelet/apis/config/v1beta1/defaults_test.go
@@ -251,6 +251,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				MemoryThrottlingFactor:          utilpointer.Float64(0),
 				RegisterNode:                    utilpointer.Bool(false),
 				LocalStorageCapacityIsolation:   utilpointer.Bool(false),
+				PodresourcesLimits:              v1beta1.RateLimitConfiguration{MaxFrequency: 0, MaxBurst: 0},
 			},
 			&v1beta1.KubeletConfiguration{
 				EnableServer:       utilpointer.Bool(false),
@@ -349,6 +350,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				MemoryThrottlingFactor:        utilpointer.Float64(0),
 				RegisterNode:                  utilpointer.Bool(false),
 				LocalStorageCapacityIsolation: utilpointer.Bool(false),
+				PodresourcesLimits:            v1beta1.RateLimitConfiguration{MaxFrequency: 0, MaxBurst: 0},
 			},
 		},
 		{
@@ -498,6 +500,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				MemoryThrottlingFactor:        utilpointer.Float64(1),
 				RegisterNode:                  utilpointer.Bool(true),
 				LocalStorageCapacityIsolation: utilpointer.Bool(true),
+				PodresourcesLimits:            v1beta1.RateLimitConfiguration{MaxFrequency: 100.0, MaxBurst: 10},
 			},
 			&v1beta1.KubeletConfiguration{
 				EnableServer:       utilpointer.Bool(true),
@@ -644,6 +647,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				MemoryThrottlingFactor:        utilpointer.Float64(1),
 				RegisterNode:                  utilpointer.Bool(true),
 				LocalStorageCapacityIsolation: utilpointer.Bool(true),
+				PodresourcesLimits:            v1beta1.RateLimitConfiguration{MaxFrequency: 100.0, MaxBurst: 10},
 			},
 		},
 		{

diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/types.go b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
@@ -820,6 +820,11 @@ type KubeletConfiguration struct {
 	// If not specified, the value in containerRuntimeEndpoint is used.
 	// +optional
 	ImageServiceEndpoint string `json:"imageServiceEndpoint,omitempty"`
+
+	// PodresourcesLimits specifies the rate limits for the node-local podresources API endpoint
+	// +featureGate=KubeletPodResources
+	// +optional
+	PodresourcesLimits RateLimitConfiguration `json:"podresourcesLimits,omitempty"`
 }
 
 type KubeletAuthorizationMode string
@@ -1005,3 +1010,16 @@ type ExecEnvVar struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
 }
+
+// RateLimitConfiguration is used for setting the rate limits for the kubelet APIs exposed
+// locally on the node as gRPC over UNIX-domain sockets, like the podresources API
+type RateLimitConfiguration struct {
+	// MaxFrequency  defines the maximum allowed frequency of the calls represented
+	// as number of calls per second, cumulating all the calls.
+	// Setting the values to zero means no limit.
+	MaxFrequency float64 `json:"maxFrequency,omitempty"`
+	// MaxBurst defines the maximum numbers of calls that may happen at once, within
+	// the boundaries set by frequency.
+	// This value is ignored if the frequuency is unlimited.
+	MaxBurst int32 `json:"maxBurst,omitempty"`
+}