kubernetes-retired · davidmccormick · Jun 19, 2019 · Jun 14, 2019
diff --git a/builtin/files/cluster.yaml.tmpl b/builtin/files/cluster.yaml.tmpl
@@ -1385,6 +1385,21 @@ experimental:
       enabled: false
     OwnerReferencesPermissionEnforcement:
       enabled: false
+    # eventRateLimit Note
+    # We recommend that you leave this admission controller on/enabled by default as it protects your cluster
+    # apiserver from becomming overloaded with events from failing deployments etc.  Tweak the limits to your needs.
+    # The limits field is a 'string' representation of the yaml limits section defined here:-
+    # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit
+    eventRateLimit:
+      enabled: true
+      limits: |
+        - type: Namespace
+          qps: 250
+          burst: 500
+          cacheSize: 4096
+        - type: User
+          qps: 50
+          burst: 250
 
   # Used to provide `/etc/environment` env vars with values from arbitrary CloudFormation refs
   awsEnvironment:

diff --git a/builtin/files/userdata/cloud-config-controller b/builtin/files/userdata/cloud-config-controller
@@ -3348,8 +3348,10 @@ write_files:
           {{- else }}
           - --apiserver-count={{if .MinControllerCount}}{{ .MinControllerCount }}{{else}}{{ .Controller.Count }}{{end}}
           {{- end }}
-          - --enable-admission-plugins=EventRateLimit,ExtendedResourceToleration,NodeRestriction,PodSecurityPolicy{{if .Experimental.Admission.AlwaysPullImages.Enabled}},AlwaysPullImages{{ end }}{{if .Experimental.Admission.Initializers.Enabled}},Initializers{{end}}
+          - --enable-admission-plugins=ExtendedResourceToleration,NodeRestriction,PodSecurityPolicy{{if .Experimental.Admission.AlwaysPullImages.Enabled}},AlwaysPullImages{{ end }}{{if .Experimental.Admission.Initializers.Enabled}},Initializers{{end}}{{ if .Experimental.Admission.EventRateLimit.Enabled }},EventRateLimit{{end}}
+          {{ if .Experimental.Admission.EventRateLimit.Enabled -}}
           - --admission-control-config-file=/etc/kubernetes/auth/admission-control-config.yaml
+          {{ end -}}
           - --bind-address=0.0.0.0
           - --etcd-servers=#ETCD_ENDPOINTS#
           - --etcd-cafile=/etc/kubernetes/ssl/etcd-trusted-ca.pem
@@ -3494,6 +3496,7 @@ write_files:
           name: {{quote $v.Name}}
         {{end}}
 
+  {{ if .Experimental.Admission.EventRateLimit.Enabled -}}
   - path: /etc/kubernetes/auth/admission-control-config.yaml
     content: |
       kind: AdmissionConfiguration
@@ -3507,14 +3510,9 @@ write_files:
       kind: Configuration
       apiVersion: eventratelimit.admission.k8s.io/v1alpha1
       limits:
-      - type: Namespace
-        qps: 250
-        burst: 500
-        cacheSize: 4096
-      - type: User
-        qps: 50
-        burst: 250
-
+{{ .Experimental.Admission.EventRateLimit.Limits | indent 6 }}
+  {{- end }}
+
   - path: /etc/kubernetes/manifests/kube-controller-manager.yaml
     content: |
       apiVersion: v1

diff --git a/pkg/api/cluster.go b/pkg/api/cluster.go
@@ -43,6 +43,16 @@ func NewDefaultCluster() *Cluster {
 			OwnerReferencesPermissionEnforcement{
 				Enabled: false,
 			},
+			EventRateLimit{
+				Enabled: true,
+				Limits: `- type: Namespace
+  qps: 250
+  burst: 500
+  cacheSize: 4096
+- type: User
+  qps: 50
+  burst: 250`,
+			},
 		},
 		AuditLog: AuditLog{
 			Enabled:   false,

diff --git a/pkg/api/types.go b/pkg/api/types.go
@@ -54,6 +54,7 @@ type Admission struct {
 	AlwaysPullImages                     AlwaysPullImages                     `yaml:"alwaysPullImages"`
 	Initializers                         Initializers                         `yaml:"initializers"`
 	OwnerReferencesPermissionEnforcement OwnerReferencesPermissionEnforcement `yaml:"ownerReferencesPermissionEnforcement"`
+	EventRateLimit                       EventRateLimit                       `yaml:"eventRateLimit"`
 }
 
 type AlwaysPullImages struct {
@@ -72,6 +73,11 @@ type PersistentVolumeClaimResize struct {
 	Enabled bool `yaml:"enabled"`
 }
 
+type EventRateLimit struct {
+	Enabled bool   `yaml:"enabled"`
+	Limits  string `yaml:"limits"`
+}
+
 type AuditLog struct {
 	Enabled   bool   `yaml:"enabled"`
 	LogPath   string `yaml:"logPath"`

diff --git a/test/integration/maincluster_test.go b/test/integration/maincluster_test.go
@@ -85,6 +85,16 @@ func TestMainClusterConfig(t *testing.T) {
 				AlwaysPullImages: api.AlwaysPullImages{
 					Enabled: false,
 				},
+				EventRateLimit: api.EventRateLimit{
+					Enabled: true,
+					Limits: `- type: Namespace
+  qps: 250
+  burst: 500
+  cacheSize: 4096
+- type: User
+  qps: 50
+  burst: 250`,
+				},
 			},
 			AuditLog: api.AuditLog{
 				Enabled:   false,
@@ -1300,6 +1310,16 @@ worker:
 							AlwaysPullImages: api.AlwaysPullImages{
 								Enabled: true,
 							},
+							EventRateLimit: api.EventRateLimit{
+								Enabled: true,
+								Limits: `- type: Namespace
+  qps: 250
+  burst: 500
+  cacheSize: 4096
+- type: User
+  qps: 50
+  burst: 250`,
+							},
 						},
 						AuditLog: api.AuditLog{
 							Enabled:   true,