KEP-606: clarify GA blockers #3863

Merged Feb 9, 2023 (1 commit)

@ffromani (Contributor) commented Feb 9, 2023

  • Other comments:

Clarify GA blockers as asked in
#3791 (review) #3791 (comment)

  1. Explicitly added Windows support (and all the other platforms supported by device plugins) as GA condition.
  2. Added DOS prevention as GA condition, and clarified the perimeter of the DOS attack surface area.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 9, 2023
@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/node Categorizes an issue or PR as relevant to SIG Node. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 9, 2023
Clarify GA blockers as asked in
kubernetes#3791 (review)
kubernetes#3791 (comment)

- Explicitly added Windows support (and all the other platforms supported by
  device plugins) as GA condition.
- Added DOS prevention as GA condition, and clarified the perimeter of
  the DOS attack surface area.

Signed-off-by: Francesco Romani <fromani@redhat.com>

@ffromani (Contributor, Author) commented Feb 9, 2023

/cc @SergeyKanzhelev @dchen1107

@SergeyKanzhelev (Member) left a comment

/lgtm
/assign @dchen1107

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 9, 2023
@dchen1107 (Member)

@ffromani thanks for the followup PR. :-)

/lgtm
/approve

@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dchen1107, ffromani, SergeyKanzhelev

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dchen1107 dchen1107 added this to the v1.27 milestone Feb 9, 2023
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 9, 2023
@k8s-ci-robot k8s-ci-robot merged commit bce62fc into kubernetes:master Feb 9, 2023
ffromani added a commit to ffromani/kubernetes that referenced this pull request Mar 2, 2023
The podresources API is a node-local gRPC API exposed by the kubelet
using a UNIX-domain socket which allows clients to query about compute
resources exclusively allocated to pods (devices, cpus...)

As part of the feature GA graduation, we identified the
requirement to add rate limiting to prevent DOS from buggy or malicious
clients [1][2].

So this change extends the KubeletConfiguration to allow
configuring the ratelimit parameters.

The interface intentionally mimics the parameters of the
golang/x/time/rate package [3], because it's simple and already being
used in the codebase.

Because of this, there is an interdependency between the rate limiter
configuration parameters. This is the reason why the rate limiting is
optional, with defaults to "no limits" for backward compatibility, but
if specified, all the rate limit configuration values must be given
(e.g. burst doesn't make much sense without frequency, see [3]).

+++

[1] kubernetes/enhancements#3791
[2] kubernetes/enhancements#3863
[3] https://pkg.go.dev/golang.org/x/time/rate#Limiter

Signed-off-by: Francesco Romani <fromani@redhat.com>
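
The configuration rule the commit message above describes (rate limiting is optional and defaults to "no limits", but once specified every parameter must be given), as an added example that is not the kubelet's code. The `RateLimitConfig` field names are hypothetical, and a minimal token bucket stands in for `golang.org/x/time/rate` so the block needs only the standard library.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

// RateLimitConfig is a hypothetical shape, not the kubelet's real fields; nil means unset.
type RateLimitConfig struct {
	QPS   *float64 // sustained requests per second
	Burst *int     // requests that may be served back-to-back
}

type Limiter struct { // minimal token bucket; a nil *Limiter means "no limits"
	mu                 sync.Mutex
	qps, burst, tokens float64
	last               time.Time
}

func NewLimiter(c RateLimitConfig, now time.Time) (*Limiter, error) {
	if c.QPS == nil && c.Burst == nil {
		return nil, nil // nothing specified: backward-compatible "no limits"
	}
	if c.QPS == nil || c.Burst == nil || *c.QPS <= 0 || *c.Burst < 1 {
		return nil, fmt.Errorf("qps (> 0) and burst (>= 1) must be given together")
	}
	return &Limiter{qps: *c.QPS, burst: float64(*c.Burst), tokens: float64(*c.Burst), last: now}, nil
}

func (l *Limiter) AllowAt(now time.Time) bool {
	if l == nil {
		return true
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	l.tokens = math.Min(l.burst, l.tokens+now.Sub(l.last).Seconds()*l.qps) // refill, capped at burst
	l.last = now
	if l.tokens < 1 {
		return false // bucket empty: reject instead of queueing
	}
	l.tokens--
	return true
}

func main() {
	fmt.Println(NewLimiter(RateLimitConfig{Burst: new(int)}, time.Now())) // burst without qps: error
}
```

Rejecting a half-specified configuration at load time keeps a typo from silently leaving the socket unlimited.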
@ffromani ffromani deleted the kep-606-ga-fixes branch March 10, 2023 14:54