From e4bb986b9c80e0e126bf3697657a644003dff721 Mon Sep 17 00:00:00 2001 From: David McCormick Date: Fri, 14 Jun 2019 12:00:11 +0100 Subject: [PATCH] Make the EventRateLimit alpha admission controller experimental and enabled by default. Allow users to override the limits section through the cluster.yaml --- builtin/files/cluster.yaml.tmpl | 15 ++++++++++++++ .../files/userdata/cloud-config-controller | 16 +++++++-------- pkg/api/cluster.go | 10 ++++++++++ pkg/api/types.go | 6 ++++++ test/integration/maincluster_test.go | 20 +++++++++++++++++++ 5 files changed, 58 insertions(+), 9 deletions(-) diff --git a/builtin/files/cluster.yaml.tmpl b/builtin/files/cluster.yaml.tmpl index b7eff80b7..fecd715fd 100644 --- a/builtin/files/cluster.yaml.tmpl +++ b/builtin/files/cluster.yaml.tmpl @@ -1385,6 +1385,21 @@ experimental: enabled: false OwnerReferencesPermissionEnforcement: enabled: false + # eventRateLimit Note + # We recommend that you leave this admission controller on/enabled by default as it protects your cluster + # apiserver from becomming overloaded with events from failing deployments etc. Tweak the limits to your needs. + # The limits field is a 'string' representation of the yaml limits section defined here:- + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit + eventRateLimit: + enabled: true + limits: | + - type: Namespace + qps: 250 + burst: 500 + cacheSize: 4096 + - type: User + qps: 50 + burst: 250 # Used to provide `/etc/environment` env vars with values from arbitrary CloudFormation refs awsEnvironment: diff --git a/builtin/files/userdata/cloud-config-controller b/builtin/files/userdata/cloud-config-controller index 4cb773e9a..e1c416020 100644 --- a/builtin/files/userdata/cloud-config-controller +++ b/builtin/files/userdata/cloud-config-controller 
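Review bot: The `limits:` comment is the only contract users get for this field, and it does not say that the string is rendered verbatim into the apiserver's admission-control config, so a value that is not a valid YAML list of limit objects (per the linked docs, `type` one of `Server`, `Namespace`, `User`, `SourceAndObject` with positive `qps`/`burst`) keeps kube-apiserver from starting on every controller. I would extend the note with `# The value is pasted verbatim under 'limits:' in the apiserver admission-control config; it must be a valid YAML list of limit objects or the apiserver will refuse to start.` and fix `becomming` → `becoming`. It is also worth stating that the defaults cap per-namespace and per-user rates but set no `Server`-wide limit, so aggregate event load across many namespaces is not bounded; whether that is wanted is a deployment decision, but readers tuning the limits should know it.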
@@ -3348,8 +3348,10 @@ write_files: {{- else }} - --apiserver-count={{if .MinControllerCount}}{{ .MinControllerCount }}{{else}}{{ .Controller.Count }}{{end}} {{- end }} - - --enable-admission-plugins=EventRateLimit,ExtendedResourceToleration,NodeRestriction,PodSecurityPolicy{{if .Experimental.Admission.AlwaysPullImages.Enabled}},AlwaysPullImages{{ end }}{{if .Experimental.Admission.Initializers.Enabled}},Initializers{{end}} + - --enable-admission-plugins=ExtendedResourceToleration,NodeRestriction,PodSecurityPolicy{{if .Experimental.Admission.AlwaysPullImages.Enabled}},AlwaysPullImages{{ end }}{{if .Experimental.Admission.Initializers.Enabled}},Initializers{{end}}{{ if .Experimental.Admission.EventRateLimit.Enabled }},EventRateLimit{{end}} + {{ if .Experimental.Admission.EventRateLimit.Enabled -}} - --admission-control-config-file=/etc/kubernetes/auth/admission-control-config.yaml + {{ end -}} - --bind-address=0.0.0.0 - --etcd-servers=#ETCD_ENDPOINTS# - --etcd-cafile=/etc/kubernetes/ssl/etcd-trusted-ca.pem @@ -3494,6 +3496,7 @@ write_files: name: {{quote $v.Name}} {{end}} + {{ if .Experimental.Admission.EventRateLimit.Enabled -}} - path: /etc/kubernetes/auth/admission-control-config.yaml content: | kind: AdmissionConfiguration @@ -3507,14 +3510,9 @@ write_files: kind: Configuration apiVersion: eventratelimit.admission.k8s.io/v1alpha1 limits: - - type: Namespace - qps: 250 - burst: 500 - cacheSize: 4096 - - type: User - qps: 50 - burst: 250 - +{{ .Experimental.Admission.EventRateLimit.Limits | indent 6 }} + {{- end }} + - path: /etc/kubernetes/manifests/kube-controller-manager.yaml content: | apiVersion: v1 diff --git a/pkg/api/cluster.go b/pkg/api/cluster.go index 1d61f86ab..b3eec1cb2 100644 --- a/pkg/api/cluster.go +++ b/pkg/api/cluster.go 
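Review bot: `{{ .Experimental.Admission.EventRateLimit.Limits | indent 6 }}` assumes the value is a non-empty YAML list shaped like the hardcoded block it replaces; an empty or mis-indented `limits` from cluster.yaml renders an admission config the apiserver rejects at start-up, and nothing in the diff validates the string before it reaches this template. Because the plugin is added to `--enable-admission-plugins` by the same flag, the failure mode is a controller that never comes up rather than a plugin that is quietly skipped, so validation should happen in `pkg/api` before rendering. The indent depth of 6 cannot be checked from the collapsed hunk — confirm it places the list items at or below the column of the `limits:` key inside the `content: |` block. The write_files entry this belongs to starts in the preceding hunk and the file continues outside this one.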
@@ -43,6 +43,16 @@ func NewDefaultCluster() *Cluster { OwnerReferencesPermissionEnforcement{ Enabled: false, }, + EventRateLimit{ + Enabled: true, + Limits: `- type: Namespace + qps: 250 + burst: 500 + cacheSize: 4096 +- type: User + qps: 50 + burst: 250`, + }, }, AuditLog: AuditLog{ Enabled: false, diff --git a/pkg/api/types.go b/pkg/api/types.go index 4c648dc6d..8b330d29b 100644 --- a/pkg/api/types.go +++ b/pkg/api/types.go @@ -54,6 +54,7 @@ type Admission struct { AlwaysPullImages AlwaysPullImages `yaml:"alwaysPullImages"` Initializers Initializers `yaml:"initializers"` OwnerReferencesPermissionEnforcement OwnerReferencesPermissionEnforcement `yaml:"ownerReferencesPermissionEnforcement"` + EventRateLimit EventRateLimit `yaml:"eventRateLimit"` } type AlwaysPullImages struct { @@ -72,6 +73,11 @@ type PersistentVolumeClaimResize struct { Enabled bool `yaml:"enabled"` } +type EventRateLimit struct { + Enabled bool `yaml:"enabled"` + Limits string `yaml:"limits"` +} + type AuditLog struct { Enabled bool `yaml:"enabled"` LogPath string `yaml:"logPath"` diff --git a/test/integration/maincluster_test.go b/test/integration/maincluster_test.go index 18b244796..260b6e0ed 100644 --- a/test/integration/maincluster_test.go +++ b/test/integration/maincluster_test.go @@ -85,6 +85,16 @@ func TestMainClusterConfig(t *testing.T) { AlwaysPullImages: api.AlwaysPullImages{ Enabled: false, }, + EventRateLimit: api.EventRateLimit{ + Enabled: true, + Limits: `- type: Namespace + qps: 250 + burst: 500 + cacheSize: 4096 +- type: User + qps: 50 + burst: 250`, + }, }, AuditLog: api.AuditLog{ Enabled: false, @@ -1300,6 +1310,16 @@ worker: AlwaysPullImages: api.AlwaysPullImages{ Enabled: true, }, + EventRateLimit: api.EventRateLimit{ + Enabled: true, + Limits: `- type: Namespace + qps: 250 + burst: 500 + cacheSize: 4096 +- type: User + qps: 50 + burst: 250`, + }, }, AuditLog: api.AuditLog{ Enabled: true,
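Review bot: The default limits literal in `NewDefaultCluster` is repeated verbatim twice in maincluster_test.go (and once more in cluster.yaml.tmpl), so a future tweak to one copy will silently diverge from the others. A package-level `const DefaultEventRateLimits = ...` in pkg/api, used here as `Limits: DefaultEventRateLimits,` and referenced from the test expectations, keeps them in step and gives the raw-string's YAML shape a place to be documented. The embedded raw string's line indentation is part of the YAML that ends up in the apiserver config, so a short comment on the constant noting that two-space continuation is required would help. `NewDefaultCluster` continues outside the hunk.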
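Review bot: `EventRateLimit.Limits` is a free-form string that is pasted into the apiserver's admission configuration without any check, so a typo in cluster.yaml surfaces only as kube-apiserver failing to start on every controller. A `Validate` method that parses the string into a list of limit objects and applies the same checks the plugin itself applies (known `type`, positive `qps`/`burst`, at least one limit when enabled — as far as I recall the plugin rejects an empty list) would report the problem at render time; it needs to be called from wherever the rest of the `Admission` settings are validated, which is outside this diff. The sketch below assumes the yaml package the struct tags already rely on and `fmt`/`errors` are importable in pkg/api.
```go
// EventRateLimit configures the EventRateLimit admission plugin. Limits is the
// raw YAML list rendered under `limits:` in the apiserver admission config.
type EventRateLimit struct {
	Enabled bool   `yaml:"enabled"`
	Limits  string `yaml:"limits"`
}

// Validate parses Limits so a malformed value is reported at render time
// rather than as a kube-apiserver that refuses to start.
func (e EventRateLimit) Validate() error {
	if !e.Enabled {
		return nil
	}
	var limits []struct {
		Type      string `yaml:"type"`
		QPS       int32  `yaml:"qps"`
		Burst     int32  `yaml:"burst"`
		CacheSize int32  `yaml:"cacheSize"`
	}
	if err := yaml.Unmarshal([]byte(e.Limits), &limits); err != nil {
		return fmt.Errorf("experimental.admission.eventRateLimit.limits is not a YAML list: %v", err)
	}
	if len(limits) == 0 {
		return errors.New("experimental.admission.eventRateLimit.limits must contain at least one limit when enabled")
	}
	for i, l := range limits {
		switch l.Type {
		case "Server", "Namespace", "User", "SourceAndObject":
		default:
			return fmt.Errorf("experimental.admission.eventRateLimit.limits[%d]: unknown type %q", i, l.Type)
		}
		if l.QPS <= 0 || l.Burst <= 0 {
			return fmt.Errorf("experimental.admission.eventRateLimit.limits[%d]: qps and burst must be positive", i)
		}
		if l.CacheSize < 0 {
			return fmt.Errorf("experimental.admission.eventRateLimit.limits[%d]: cacheSize must not be negative", i)
		}
	}
	return nil
}
```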