Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var (
MandatoryPriorityLevelConfigurations = []*flowcontrol.PriorityLevelConfiguration{
MandatoryPriorityLevelConfigurationCatchAll,
MandatoryPriorityLevelConfigurationExempt,
}
MandatoryFlowSchemas = []*flowcontrol.FlowSchema{
MandatoryFlowSchemaExempt,
MandatoryFlowSchemaCatchAll,
}
)
The objects that define an apiserver's initial behavior. The registered defaulting procedures make no changes to these particular objects (this is verified in the unit tests of the internalbootstrap package; it can not be verified in this package because that would require importing k8s.io/kubernetes).
View Source
var (
SuggestedPriorityLevelConfigurations = []*flowcontrol.PriorityLevelConfiguration{
SuggestedPriorityLevelConfigurationSystem,
SuggestedPriorityLevelConfigurationNodeHigh,
SuggestedPriorityLevelConfigurationLeaderElection,
SuggestedPriorityLevelConfigurationWorkloadHigh,
SuggestedPriorityLevelConfigurationWorkloadLow,
SuggestedPriorityLevelConfigurationGlobalDefault,
}
SuggestedFlowSchemas = []*flowcontrol.FlowSchema{
SuggestedFlowSchemaSystemNodes,
SuggestedFlowSchemaSystemNodeHigh,
SuggestedFlowSchemaProbes,
SuggestedFlowSchemaSystemLeaderElection,
SuggestedFlowSchemaWorkloadLeaderElection,
SuggestedFlowSchemaEndpointsController,
SuggestedFlowSchemaKubeControllerManager,
SuggestedFlowSchemaKubeScheduler,
SuggestedFlowSchemaKubeSystemServiceAccounts,
SuggestedFlowSchemaServiceAccounts,
SuggestedFlowSchemaGlobalDefault,
}
)
The objects that define the current suggested additional configuration
View Source
var (
MandatoryPriorityLevelConfigurationExempt = newPriorityLevelConfiguration(
flowcontrol.PriorityLevelConfigurationNameExempt,
flowcontrol.PriorityLevelConfigurationSpec{
Type: flowcontrol.PriorityLevelEnablementExempt,
},
)
MandatoryPriorityLevelConfigurationCatchAll = newPriorityLevelConfiguration(
flowcontrol.PriorityLevelConfigurationNameCatchAll,
flowcontrol.PriorityLevelConfigurationSpec{
Type: flowcontrol.PriorityLevelEnablementLimited,
Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
AssuredConcurrencyShares: 5,
LimitResponse: flowcontrol.LimitResponse{
Type: flowcontrol.LimitResponseTypeReject,
},
},
})
)
Mandatory PriorityLevelConfiguration objects
View Source
var (
// "exempt" priority-level is used for preventing priority inversion and ensuring that sysadmin
// requests are always possible.
MandatoryFlowSchemaExempt = newFlowSchema(
"exempt",
flowcontrol.PriorityLevelConfigurationNameExempt,
1,
"",
flowcontrol.PolicyRulesWithSubjects{
Subjects: groups(user.SystemPrivilegedGroup),
ResourceRules: []flowcontrol.ResourcePolicyRule{
resourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.APIGroupAll},
[]string{flowcontrol.ResourceAll},
[]string{flowcontrol.NamespaceEvery},
true,
),
},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.NonResourceAll},
),
},
},
)
// "catch-all" priority-level only gets a minimal positive share of concurrency and won't be reaching
// ideally unless you intentionally deleted the suggested "global-default".
MandatoryFlowSchemaCatchAll = newFlowSchema(
flowcontrol.FlowSchemaNameCatchAll,
flowcontrol.PriorityLevelConfigurationNameCatchAll,
10000,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
ResourceRules: []flowcontrol.ResourcePolicyRule{
resourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.APIGroupAll},
[]string{flowcontrol.ResourceAll},
[]string{flowcontrol.NamespaceEvery},
true,
),
},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.NonResourceAll},
),
},
},
)
)
Mandatory FlowSchema objects
View Source
var (
// system priority-level
SuggestedPriorityLevelConfigurationSystem = newPriorityLevelConfiguration(
"system",
flowcontrol.PriorityLevelConfigurationSpec{
Type: flowcontrol.PriorityLevelEnablementLimited,
Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
AssuredConcurrencyShares: 30,
LimitResponse: flowcontrol.LimitResponse{
Type: flowcontrol.LimitResponseTypeQueue,
Queuing: &flowcontrol.QueuingConfiguration{
Queues: 64,
HandSize: 6,
QueueLengthLimit: 50,
},
},
},
})
SuggestedPriorityLevelConfigurationNodeHigh = newPriorityLevelConfiguration(
"node-high",
flowcontrol.PriorityLevelConfigurationSpec{
Type: flowcontrol.PriorityLevelEnablementLimited,
Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
AssuredConcurrencyShares: 40,
LimitResponse: flowcontrol.LimitResponse{
Type: flowcontrol.LimitResponseTypeQueue,
Queuing: &flowcontrol.QueuingConfiguration{
Queues: 64,
HandSize: 6,
QueueLengthLimit: 50,
},
},
},
})
// leader-election priority-level
SuggestedPriorityLevelConfigurationLeaderElection = newPriorityLevelConfiguration(
"leader-election",
flowcontrol.PriorityLevelConfigurationSpec{
Type: flowcontrol.PriorityLevelEnablementLimited,
Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
AssuredConcurrencyShares: 10,
LimitResponse: flowcontrol.LimitResponse{
Type: flowcontrol.LimitResponseTypeQueue,
Queuing: &flowcontrol.QueuingConfiguration{
Queues: 16,
HandSize: 4,
QueueLengthLimit: 50,
},
},
},
})
// workload-high priority-level
SuggestedPriorityLevelConfigurationWorkloadHigh = newPriorityLevelConfiguration(
"workload-high",
flowcontrol.PriorityLevelConfigurationSpec{
Type: flowcontrol.PriorityLevelEnablementLimited,
Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
AssuredConcurrencyShares: 40,
LimitResponse: flowcontrol.LimitResponse{
Type: flowcontrol.LimitResponseTypeQueue,
Queuing: &flowcontrol.QueuingConfiguration{
Queues: 128,
HandSize: 6,
QueueLengthLimit: 50,
},
},
},
})
// workload-low priority-level
SuggestedPriorityLevelConfigurationWorkloadLow = newPriorityLevelConfiguration(
"workload-low",
flowcontrol.PriorityLevelConfigurationSpec{
Type: flowcontrol.PriorityLevelEnablementLimited,
Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
AssuredConcurrencyShares: 100,
LimitResponse: flowcontrol.LimitResponse{
Type: flowcontrol.LimitResponseTypeQueue,
Queuing: &flowcontrol.QueuingConfiguration{
Queues: 128,
HandSize: 6,
QueueLengthLimit: 50,
},
},
},
})
// global-default priority-level
SuggestedPriorityLevelConfigurationGlobalDefault = newPriorityLevelConfiguration(
"global-default",
flowcontrol.PriorityLevelConfigurationSpec{
Type: flowcontrol.PriorityLevelEnablementLimited,
Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
AssuredConcurrencyShares: 20,
LimitResponse: flowcontrol.LimitResponse{
Type: flowcontrol.LimitResponseTypeQueue,
Queuing: &flowcontrol.QueuingConfiguration{
Queues: 128,
HandSize: 6,
QueueLengthLimit: 50,
},
},
},
})
)
Suggested PriorityLevelConfiguration objects
View Source
var (
// the following flow schema exempts probes
SuggestedFlowSchemaProbes = newFlowSchema(
"probes", "exempt", 2,
"",
flowcontrol.PolicyRulesWithSubjects{
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{"get"},
[]string{"/healthz", "/readyz", "/livez"}),
},
},
)
SuggestedFlowSchemaSystemLeaderElection = newFlowSchema(
"system-leader-election", "leader-election", 100,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: append(
users(user.KubeControllerManager, user.KubeScheduler),
kubeSystemServiceAccount(flowcontrol.NameAll)...),
ResourceRules: []flowcontrol.ResourcePolicyRule{
resourceRule(
[]string{"get", "create", "update"},
[]string{coordinationv1.GroupName},
[]string{"leases"},
[]string{flowcontrol.NamespaceEvery},
false),
},
},
)
// We add an explicit rule for endpoint-controller with high precedence
// to ensure that those calls won't get caught by the following
// <workload-leader-election> flow-schema.
//
// TODO(#80289): Get rid of this rule once we get rid of support for
// using endpoints and configmaps objects for leader election.
SuggestedFlowSchemaEndpointsController = newFlowSchema(
"endpoint-controller", "workload-high", 150,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: append(
users(user.KubeControllerManager),
kubeSystemServiceAccount("endpoint-controller", "endpointslicemirroring-controller")...),
ResourceRules: []flowcontrol.ResourcePolicyRule{
resourceRule(
[]string{"get", "create", "update"},
[]string{corev1.GroupName},
[]string{"endpoints"},
[]string{flowcontrol.NamespaceEvery},
false),
},
},
)
// TODO(#80289): Get rid of this rule once we get rid of support for
// using endpoints and configmaps objects for leader election.
SuggestedFlowSchemaWorkloadLeaderElection = newFlowSchema(
"workload-leader-election", "leader-election", 200,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: kubeSystemServiceAccount(flowcontrol.NameAll),
ResourceRules: []flowcontrol.ResourcePolicyRule{
resourceRule(
[]string{"get", "create", "update"},
[]string{corev1.GroupName},
[]string{"endpoints", "configmaps"},
[]string{flowcontrol.NamespaceEvery},
false),
resourceRule(
[]string{"get", "create", "update"},
[]string{coordinationv1.GroupName},
[]string{"leases"},
[]string{flowcontrol.NamespaceEvery},
false),
},
},
)
SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
"system-node-high", "node-high", 400,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: groups(user.NodesGroup),
ResourceRules: []flowcontrol.ResourcePolicyRule{
resourceRule(
[]string{flowcontrol.VerbAll},
[]string{corev1.GroupName},
[]string{"nodes", "nodes/status"},
[]string{flowcontrol.NamespaceEvery},
true),
resourceRule(
[]string{flowcontrol.VerbAll},
[]string{coordinationv1.GroupName},
[]string{"leases"},
[]string{flowcontrol.NamespaceEvery},
false),
},
},
)
SuggestedFlowSchemaSystemNodes = newFlowSchema(
"system-nodes", "system", 500,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: groups(user.NodesGroup),
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.APIGroupAll},
[]string{flowcontrol.ResourceAll},
[]string{flowcontrol.NamespaceEvery},
true)},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.NonResourceAll}),
},
},
)
SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
"kube-controller-manager", "workload-high", 800,
flowcontrol.FlowDistinguisherMethodByNamespaceType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: users(user.KubeControllerManager),
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.APIGroupAll},
[]string{flowcontrol.ResourceAll},
[]string{flowcontrol.NamespaceEvery},
true)},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.NonResourceAll}),
},
},
)
SuggestedFlowSchemaKubeScheduler = newFlowSchema(
"kube-scheduler", "workload-high", 800,
flowcontrol.FlowDistinguisherMethodByNamespaceType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: users(user.KubeScheduler),
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.APIGroupAll},
[]string{flowcontrol.ResourceAll},
[]string{flowcontrol.NamespaceEvery},
true)},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.NonResourceAll}),
},
},
)
SuggestedFlowSchemaKubeSystemServiceAccounts = newFlowSchema(
"kube-system-service-accounts", "workload-high", 900,
flowcontrol.FlowDistinguisherMethodByNamespaceType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: kubeSystemServiceAccount(flowcontrol.NameAll),
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.APIGroupAll},
[]string{flowcontrol.ResourceAll},
[]string{flowcontrol.NamespaceEvery},
true)},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.NonResourceAll}),
},
},
)
SuggestedFlowSchemaServiceAccounts = newFlowSchema(
"service-accounts", "workload-low", 9000,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: groups(serviceaccount.AllServiceAccountsGroup),
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.APIGroupAll},
[]string{flowcontrol.ResourceAll},
[]string{flowcontrol.NamespaceEvery},
true)},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.NonResourceAll}),
},
},
)
SuggestedFlowSchemaGlobalDefault = newFlowSchema(
"global-default", "global-default", 9900,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.APIGroupAll},
[]string{flowcontrol.ResourceAll},
[]string{flowcontrol.NamespaceEvery},
true)},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
nonResourceRule(
[]string{flowcontrol.VerbAll},
[]string{flowcontrol.NonResourceAll}),
},
},
)
)
Suggested FlowSchema objects. Ordered by matching precedence, so that their interactions are easier to follow while reading this source.
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
Click to show internal directories.
Click to hide internal directories.