Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
// The objects that define an apiserver's initial behavior.
//
// The registered defaulting procedures are expected to leave these objects
// unchanged; that property is checked in the unit tests of the
// internalbootstrap package, because checking it here would require importing
// k8s.io/kubernetes.
var (
	// MandatoryPriorityLevelConfigurations holds the two mandatory priority
	// levels: the exempt level and the catch-all level.
	MandatoryPriorityLevelConfigurations = []*flowcontrol.PriorityLevelConfiguration{
		MandatoryPriorityLevelConfigurationExempt,
		MandatoryPriorityLevelConfigurationCatchAll,
	}

	// MandatoryFlowSchemas holds the two mandatory flow schemas, listed in the
	// same exempt-then-catch-all order as the priority levels above.
	MandatoryFlowSchemas = []*flowcontrol.FlowSchema{
		MandatoryFlowSchemaExempt,
		MandatoryFlowSchemaCatchAll,
	}
)
The objects that define an apiserver's initial behavior. The registered defaulting procedures make no changes to these particular objects (this is verified in the unit tests of the internalbootstrap package; it can not be verified in this package because that would require importing k8s.io/kubernetes).
// The objects that define the current suggested additional configuration.
var (
	// SuggestedPriorityLevelConfigurations lists every suggested priority
	// level declared in this package.
	SuggestedPriorityLevelConfigurations = []*flowcontrol.PriorityLevelConfiguration{
		SuggestedPriorityLevelConfigurationSystem,
		SuggestedPriorityLevelConfigurationLeaderElection,
		SuggestedPriorityLevelConfigurationWorkloadHigh,
		SuggestedPriorityLevelConfigurationWorkloadLow,
		SuggestedPriorityLevelConfigurationGlobalDefault,
	}

	// SuggestedFlowSchemas lists every suggested flow schema declared in this
	// package. The slice order is kept exactly as declared; it is not sorted
	// by the numeric value each schema passes to newFlowSchema.
	SuggestedFlowSchemas = []*flowcontrol.FlowSchema{
		SuggestedFlowSchemaSystemNodes,
		SuggestedFlowSchemaProbes,
		SuggestedFlowSchemaSystemLeaderElection,
		SuggestedFlowSchemaWorkloadLeaderElection,
		SuggestedFlowSchemaKubeControllerManager,
		SuggestedFlowSchemaKubeScheduler,
		SuggestedFlowSchemaKubeSystemServiceAccounts,
		SuggestedFlowSchemaServiceAccounts,
		SuggestedFlowSchemaGlobalDefault,
	}
)
The objects that define the current suggested additional configuration
// Mandatory PriorityLevelConfiguration objects.
var (
	// MandatoryPriorityLevelConfigurationExempt is the priority level whose
	// enablement type is Exempt. It carries no Limited section, so no
	// concurrency shares or limit response are configured for it.
	//
	// NOTE(review): any flow schema that routes to this level is therefore
	// outside the limits this package configures — keep the set of subjects
	// that can reach it as small as possible.
	MandatoryPriorityLevelConfigurationExempt = newPriorityLevelConfiguration(
		flowcontrol.PriorityLevelConfigurationNameExempt,
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementExempt,
		},
	)

	// MandatoryPriorityLevelConfigurationCatchAll is the "catch-all" priority
	// level: a Limited level with a single assured concurrency share whose
	// limit response is Reject (no queuing configuration is supplied).
	MandatoryPriorityLevelConfigurationCatchAll = newPriorityLevelConfiguration(
		"catch-all",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				AssuredConcurrencyShares: 1,
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeReject,
				},
			},
		},
	)
)
Mandatory PriorityLevelConfiguration objects
// Mandatory FlowSchema objects.
var (
	// MandatoryFlowSchemaExempt routes requests from the system privileged
	// group to the exempt priority level. The "exempt" priority level is used
	// for preventing priority inversion and for ensuring that sysadmin
	// requests are always possible.
	//
	// The rules match every verb, API group, resource and namespace, plus
	// every non-resource URL, and no flow distinguisher is set (empty string).
	//
	// NOTE(review): the numeric argument (1) is presumably the matching
	// precedence and the trailing boolean of resourceRule presumably enables
	// cluster-scoped matching — confirm against newFlowSchema/resourceRule.
	// NOTE(review): because nothing limits these requests here, membership of
	// user.SystemPrivilegedGroup is worth auditing.
	MandatoryFlowSchemaExempt = newFlowSchema(
		"exempt",
		flowcontrol.PriorityLevelConfigurationNameExempt,
		1,
		"",
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.SystemPrivilegedGroup),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)

	// MandatoryFlowSchemaCatchAll routes both unauthenticated and
	// authenticated subjects to the "catch-all" priority level, distinguishing
	// flows by user. That priority level only gets a minimal positive share of
	// concurrency; ideally it is never reached unless the suggested
	// "global-default" has been intentionally deleted.
	//
	// It passes the largest numeric value in this package (10000) to
	// newFlowSchema — presumably the matching precedence, which would make it
	// the last schema considered; confirm against newFlowSchema.
	MandatoryFlowSchemaCatchAll = newFlowSchema(
		"catch-all",
		"catch-all",
		10000,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)
)
Mandatory FlowSchema objects
// Suggested PriorityLevelConfiguration objects.
//
// Every level below is of the Limited enablement type and answers excess load
// by queuing; each queue is capped at a length of 50. The levels differ only
// in their assured concurrency shares and in the queue count / hand size.
var (
	// SuggestedPriorityLevelConfigurationSystem is the "system" priority
	// level: 30 shares, 64 queues, hand size 6.
	SuggestedPriorityLevelConfigurationSystem = newPriorityLevelConfiguration(
		"system",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				AssuredConcurrencyShares: 30,
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           64,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		},
	)

	// SuggestedPriorityLevelConfigurationLeaderElection is the
	// "leader-election" priority level: 10 shares, 16 queues, hand size 4.
	SuggestedPriorityLevelConfigurationLeaderElection = newPriorityLevelConfiguration(
		"leader-election",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				AssuredConcurrencyShares: 10,
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           16,
						HandSize:         4,
						QueueLengthLimit: 50,
					},
				},
			},
		},
	)

	// SuggestedPriorityLevelConfigurationWorkloadHigh is the "workload-high"
	// priority level: 40 shares, 128 queues, hand size 6.
	SuggestedPriorityLevelConfigurationWorkloadHigh = newPriorityLevelConfiguration(
		"workload-high",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				AssuredConcurrencyShares: 40,
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           128,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		},
	)

	// SuggestedPriorityLevelConfigurationWorkloadLow is the "workload-low"
	// priority level: 20 shares, 128 queues, hand size 6.
	SuggestedPriorityLevelConfigurationWorkloadLow = newPriorityLevelConfiguration(
		"workload-low",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				AssuredConcurrencyShares: 20,
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           128,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		},
	)

	// SuggestedPriorityLevelConfigurationGlobalDefault is the
	// "global-default" priority level: 100 shares, 128 queues, hand size 6.
	SuggestedPriorityLevelConfigurationGlobalDefault = newPriorityLevelConfiguration(
		"global-default",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				AssuredConcurrencyShares: 100,
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           128,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		},
	)
)
Suggested PriorityLevelConfiguration objects
// Suggested FlowSchema objects.
//
// NOTE(review): the numeric argument passed to newFlowSchema is presumably the
// matching precedence, and the trailing boolean of resourceRule presumably
// enables cluster-scoped matching — confirm against those helpers, which are
// not shown here.
var (
	// SuggestedFlowSchemaSystemNodes sends all requests (resource and
	// non-resource) from the nodes group to the "system" priority level,
	// distinguishing flows by user.
	SuggestedFlowSchemaSystemNodes = newFlowSchema(
		"system-nodes",
		"system",
		500,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.NodesGroup),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)

	// SuggestedFlowSchemaSystemLeaderElection sends get/create/update on
	// kube-system endpoints and configmaps, and on leases in every namespace,
	// to the "leader-election" priority level. Its subjects are the
	// kube-controller-manager and kube-scheduler users plus whatever
	// kubeSystemServiceAccount(flowcontrol.NameAll) returns.
	SuggestedFlowSchemaSystemLeaderElection = newFlowSchema(
		"system-leader-election",
		"leader-election",
		100,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: append(
				users(user.KubeControllerManager, user.KubeScheduler),
				kubeSystemServiceAccount(flowcontrol.NameAll)...,
			),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{"get", "create", "update"},
					[]string{corev1.GroupName},
					[]string{"endpoints", "configmaps"},
					[]string{"kube-system"},
					false,
				),
				resourceRule(
					[]string{"get", "create", "update"},
					[]string{coordinationv1.GroupName},
					[]string{"leases"},
					[]string{flowcontrol.NamespaceEvery},
					false,
				),
			},
		},
	)

	// SuggestedFlowSchemaWorkloadLeaderElection covers the same verbs and
	// resources as the system leader-election schema, but for endpoints and
	// configmaps in every namespace, and only for the subjects returned by
	// kubeSystemServiceAccount(flowcontrol.NameAll).
	SuggestedFlowSchemaWorkloadLeaderElection = newFlowSchema(
		"workload-leader-election",
		"leader-election",
		200,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: kubeSystemServiceAccount(flowcontrol.NameAll),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{"get", "create", "update"},
					[]string{corev1.GroupName},
					[]string{"endpoints", "configmaps"},
					[]string{flowcontrol.NamespaceEvery},
					false,
				),
				resourceRule(
					[]string{"get", "create", "update"},
					[]string{coordinationv1.GroupName},
					[]string{"leases"},
					[]string{flowcontrol.NamespaceEvery},
					false,
				),
			},
		},
	)

	// SuggestedFlowSchemaKubeControllerManager sends all requests from the
	// kube-controller-manager user to "workload-high", distinguishing flows
	// by namespace.
	SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
		"kube-controller-manager",
		"workload-high",
		800,
		flowcontrol.FlowDistinguisherMethodByNamespaceType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: users(user.KubeControllerManager),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)

	// SuggestedFlowSchemaKubeScheduler sends all requests from the
	// kube-scheduler user to "workload-high", distinguishing flows by
	// namespace.
	SuggestedFlowSchemaKubeScheduler = newFlowSchema(
		"kube-scheduler",
		"workload-high",
		800,
		flowcontrol.FlowDistinguisherMethodByNamespaceType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: users(user.KubeScheduler),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)

	// SuggestedFlowSchemaKubeSystemServiceAccounts sends all requests from
	// the subjects returned by kubeSystemServiceAccount(flowcontrol.NameAll)
	// to "workload-high", distinguishing flows by namespace.
	SuggestedFlowSchemaKubeSystemServiceAccounts = newFlowSchema(
		"kube-system-service-accounts",
		"workload-high",
		900,
		flowcontrol.FlowDistinguisherMethodByNamespaceType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: kubeSystemServiceAccount(flowcontrol.NameAll),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)

	// SuggestedFlowSchemaServiceAccounts sends all requests from the
	// all-service-accounts group to "workload-low", distinguishing flows by
	// user.
	SuggestedFlowSchemaServiceAccounts = newFlowSchema(
		"service-accounts",
		"workload-low",
		9000,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(serviceaccount.AllServiceAccountsGroup),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)

	// SuggestedFlowSchemaGlobalDefault sends all requests from both
	// unauthenticated and authenticated subjects to "global-default",
	// distinguishing flows by user. Its numeric value (9900) is below the
	// mandatory catch-all schema's 10000.
	SuggestedFlowSchemaGlobalDefault = newFlowSchema(
		"global-default",
		"global-default",
		9900,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)

	// SuggestedFlowSchemaProbes exempts probes: GET requests for /healthz,
	// /readyz and /livez are routed to the "exempt" priority level with no
	// flow distinguisher.
	//
	// NOTE(review): the subjects include user.AllUnauthenticated, so these
	// three paths are not throttled by this configuration even for anonymous
	// callers; any request-rate protection for them has to come from another
	// layer.
	SuggestedFlowSchemaProbes = newFlowSchema(
		"probes",
		"exempt",
		2,
		"",
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{"get"},
					[]string{"/healthz", "/readyz", "/livez"},
				),
			},
		},
	)
)
Suggested FlowSchema objects
Functions ¶
This section is empty.
Types ¶
This section is empty.