// MandatoryPriorityLevelConfigurations and MandatoryFlowSchemas list the objects that
// define an apiserver's initial behavior: the two priority levels ("exempt" and
// "catch-all") and the two flow schemas that route to them, declared in the
// mandatory blocks below. The registered defaulting procedures make no changes to
// these particular objects.
var (
	// Listing order is not matching order; presumably the integer passed to
	// newFlowSchema is each schema's matching precedence (the suggested block
	// says it is ordered by it) — confirm against newFlowSchema.
	MandatoryPriorityLevelConfigurations = []*flowcontrol.PriorityLevelConfiguration{
		MandatoryPriorityLevelConfigurationCatchAll,
		MandatoryPriorityLevelConfigurationExempt,
	}
	MandatoryFlowSchemas = []*flowcontrol.FlowSchema{
		MandatoryFlowSchemaExempt,
		MandatoryFlowSchemaCatchAll,
	}
)
The objects that define an apiserver's initial behavior. The registered defaulting procedures make no changes to these particular objects (this is verified in the unit tests of the internalbootstrap package; it cannot be verified in this package because that would require importing k8s.io/kubernetes).
// SuggestedPriorityLevelConfigurations and SuggestedFlowSchemas list the objects that
// define the current suggested additional configuration, i.e. everything beyond the
// mandatory "exempt"/"catch-all" pair. Every schema below refers to one of these
// six priority levels by name (or to "exempt" for the probes schema).
var (
	SuggestedPriorityLevelConfigurations = []*flowcontrol.PriorityLevelConfiguration{
		SuggestedPriorityLevelConfigurationSystem,
		SuggestedPriorityLevelConfigurationNodeHigh,
		SuggestedPriorityLevelConfigurationLeaderElection,
		SuggestedPriorityLevelConfigurationWorkloadHigh,
		SuggestedPriorityLevelConfigurationWorkloadLow,
		SuggestedPriorityLevelConfigurationGlobalDefault,
	}
	// NOTE: this list is not sorted by the precedence value each schema carries
	// (e.g. probes precedes system-leader-election here but has a lower value);
	// do not read matching order from it.
	SuggestedFlowSchemas = []*flowcontrol.FlowSchema{
		SuggestedFlowSchemaSystemNodes,
		SuggestedFlowSchemaSystemNodeHigh,
		SuggestedFlowSchemaProbes,
		SuggestedFlowSchemaSystemLeaderElection,
		SuggestedFlowSchemaWorkloadLeaderElection,
		SuggestedFlowSchemaEndpointsController,
		SuggestedFlowSchemaKubeControllerManager,
		SuggestedFlowSchemaKubeScheduler,
		SuggestedFlowSchemaKubeSystemServiceAccounts,
		SuggestedFlowSchemaServiceAccounts,
		SuggestedFlowSchemaGlobalDefault,
	}
)
The objects that define the current suggested additional configuration.
// Mandatory PriorityLevelConfiguration objects: the two levels that must always exist.
var (
	// "exempt" is declared with Type Exempt and no Limited section, so it carries no
	// concurrency shares, queueing or reject behaviour at all. The exempt flow schema
	// describes this as the guarantee that sysadmin requests are always possible.
	MandatoryPriorityLevelConfigurationExempt = newPriorityLevelConfiguration(
		flowcontrol.PriorityLevelConfigurationNameExempt,
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementExempt,
		},
	)
	// "catch-all" is deliberately small: 5 nominal shares, nothing lendable, and a
	// Reject (not Queue) limit response, so traffic that matched nothing better is
	// shed immediately rather than being allowed to pile up.
	MandatoryPriorityLevelConfigurationCatchAll = newPriorityLevelConfiguration(
		flowcontrol.PriorityLevelConfigurationNameCatchAll,
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				NominalConcurrencyShares: 5,
				LendablePercent:          pointer.Int32(0),
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeReject,
				},
			},
		})
)
Mandatory PriorityLevelConfiguration objects
// Mandatory FlowSchema objects: the schema that exempts the privileged group and the
// schema that catches everything else.
var (
	// "exempt" priority-level is used for preventing priority inversion and ensuring that sysadmin
	// requests are always possible.
	//
	// Only members of user.SystemPrivilegedGroup match, for every verb on every
	// resource and non-resource path. Because the target level is Exempt, these
	// requests are outside APF's concurrency limits entirely, which is why
	// membership in that group should be treated as full administrative access.
	// Precedence 1 and an empty distinguisher: presumably the lowest value is
	// matched first and no per-user/namespace fairness applies — confirm against
	// newFlowSchema.
	MandatoryFlowSchemaExempt = newFlowSchema(
		"exempt",
		flowcontrol.PriorityLevelConfigurationNameExempt,
		1,
		"",
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.SystemPrivilegedGroup),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)
	// "catch-all" priority-level only gets a minimal positive share of concurrency and will
	// ideally never be reached unless you intentionally deleted the suggested "global-default".
	//
	// Matches both the unauthenticated and the authenticated group on every verb,
	// resource and non-resource path, at precedence 10000 (the suggested
	// "global-default" uses 9900 with the same subjects), distinguished by user.
	MandatoryFlowSchemaCatchAll = newFlowSchema(
		flowcontrol.FlowSchemaNameCatchAll,
		flowcontrol.PriorityLevelConfigurationNameCatchAll,
		10000,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.APIGroupAll},
					[]string{flowcontrol.ResourceAll},
					[]string{flowcontrol.NamespaceEvery},
					true,
				),
			},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll},
				),
			},
		},
	)
)
Mandatory FlowSchema objects
// Suggested PriorityLevelConfiguration objects. All six are Limited levels with a
// Queue limit response; they differ in nominal shares, how much of that share is
// lendable to other levels, and queue geometry (Queues/HandSize/QueueLengthLimit).
// "leader-election" is the only level that lends nothing, keeping its capacity
// reserved for the lease/endpoint traffic routed to it.
var (
	// system priority-level: 30 shares, 33% lendable, 64 queues.
	SuggestedPriorityLevelConfigurationSystem = newPriorityLevelConfiguration(
		"system",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				NominalConcurrencyShares: 30,
				LendablePercent:          pointer.Int32(33),
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           64,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		})
	// node-high priority-level: 40 shares, 25% lendable, 64 queues; targeted by the
	// system-node-high schema for nodes/nodes/status and leases.
	SuggestedPriorityLevelConfigurationNodeHigh = newPriorityLevelConfiguration(
		"node-high",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				NominalConcurrencyShares: 40,
				LendablePercent:          pointer.Int32(25),
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           64,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		})
	// leader-election priority-level: 10 shares, 0% lendable, a smaller hand (16 queues, hand 4).
	SuggestedPriorityLevelConfigurationLeaderElection = newPriorityLevelConfiguration(
		"leader-election",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				NominalConcurrencyShares: 10,
				LendablePercent:          pointer.Int32(0),
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           16,
						HandSize:         4,
						QueueLengthLimit: 50,
					},
				},
			},
		})
	// workload-high priority-level: 40 shares, 50% lendable, 128 queues.
	SuggestedPriorityLevelConfigurationWorkloadHigh = newPriorityLevelConfiguration(
		"workload-high",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				NominalConcurrencyShares: 40,
				LendablePercent:          pointer.Int32(50),
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           128,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		})
	// workload-low priority-level: the largest share (100) but 90% of it lendable,
	// so it mostly acts as a pool the other levels can borrow from.
	SuggestedPriorityLevelConfigurationWorkloadLow = newPriorityLevelConfiguration(
		"workload-low",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				NominalConcurrencyShares: 100,
				LendablePercent:          pointer.Int32(90),
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           128,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		})
	// global-default priority-level: 20 shares, 50% lendable, 128 queues; the level
	// that all otherwise-unmatched authenticated and unauthenticated traffic lands on.
	SuggestedPriorityLevelConfigurationGlobalDefault = newPriorityLevelConfiguration(
		"global-default",
		flowcontrol.PriorityLevelConfigurationSpec{
			Type: flowcontrol.PriorityLevelEnablementLimited,
			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
				NominalConcurrencyShares: 20,
				LendablePercent:          pointer.Int32(50),
				LimitResponse: flowcontrol.LimitResponse{
					Type: flowcontrol.LimitResponseTypeQueue,
					Queuing: &flowcontrol.QueuingConfiguration{
						Queues:           128,
						HandSize:         6,
						QueueLengthLimit: 50,
					},
				},
			},
		})
)
Suggested PriorityLevelConfiguration objects
// Suggested FlowSchema objects. Ordered by matching precedence (the third argument
// to newFlowSchema), so that their interactions are easier to follow while reading
// this source. The final bool passed to resourceRule is not explained on this page;
// presumably it widens the rule to cluster-scoped resources — confirm against resourceRule.
var (
	// the following flow schema exempts probes
	//
	// Only GET on exactly /healthz, /readyz and /livez matches, but it matches the
	// unauthenticated group as well as the authenticated one, and the target level
	// is "exempt". APF therefore applies no concurrency limit to anonymous health
	// probes; any protection against a flood of such requests has to come from
	// elsewhere (the handlers themselves or the network in front of the apiserver).
	SuggestedFlowSchemaProbes = newFlowSchema(
		"probes", "exempt", 2, "",
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{"get"},
					[]string{"/healthz", "/readyz", "/livez"}),
			},
		},
	)
	// Lease get/create/update from kube-controller-manager, kube-scheduler, and every
	// kube-system service account goes to the dedicated "leader-election" level.
	SuggestedFlowSchemaSystemLeaderElection = newFlowSchema(
		"system-leader-election", "leader-election", 100,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: append(
				users(user.KubeControllerManager, user.KubeScheduler),
				kubeSystemServiceAccount(flowcontrol.NameAll)...),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{"get", "create", "update"},
					[]string{coordinationv1.GroupName},
					[]string{"leases"},
					[]string{flowcontrol.NamespaceEvery},
					false),
			},
		},
	)
	// We add an explicit rule for endpoint-controller with high precedence
	// to ensure that those calls won't get caught by the following
	// <workload-leader-election> flow-schema.
	//
	// TODO(#80289): Get rid of this rule once we get rid of support for
	// using endpoints and configmaps objects for leader election.
	//
	// Precedence 150 sits between system-leader-election (100) and
	// workload-leader-election (200); the subjects are kube-controller-manager plus
	// the two named kube-system service accounts, and only the "endpoints" resource.
	SuggestedFlowSchemaEndpointsController = newFlowSchema(
		"endpoint-controller", "workload-high", 150,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: append(
				users(user.KubeControllerManager),
				kubeSystemServiceAccount("endpoint-controller", "endpointslicemirroring-controller")...),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{"get", "create", "update"},
					[]string{corev1.GroupName},
					[]string{"endpoints"},
					[]string{flowcontrol.NamespaceEvery},
					false),
			},
		},
	)
	// TODO(#80289): Get rid of this rule once we get rid of support for
	// using endpoints and configmaps objects for leader election.
	//
	// Same subjects as the kube-system part of system-leader-election, but covering
	// the legacy endpoints/configmaps lock objects as well as leases.
	SuggestedFlowSchemaWorkloadLeaderElection = newFlowSchema(
		"workload-leader-election", "leader-election", 200,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: kubeSystemServiceAccount(flowcontrol.NameAll),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{"get", "create", "update"},
					[]string{corev1.GroupName},
					[]string{"endpoints", "configmaps"},
					[]string{flowcontrol.NamespaceEvery},
					false),
				resourceRule(
					[]string{"get", "create", "update"},
					[]string{coordinationv1.GroupName},
					[]string{"leases"},
					[]string{flowcontrol.NamespaceEvery},
					false),
			},
		},
	)
	// Node requests touching nodes, nodes/status or leases are matched here (400)
	// before the broader system-nodes schema (500), so they land on "node-high".
	SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
		"system-node-high", "node-high", 400,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.NodesGroup),
			ResourceRules: []flowcontrol.ResourcePolicyRule{
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{corev1.GroupName},
					[]string{"nodes", "nodes/status"},
					[]string{flowcontrol.NamespaceEvery},
					true),
				resourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{coordinationv1.GroupName},
					[]string{"leases"},
					[]string{flowcontrol.NamespaceEvery},
					false),
			},
		},
	)
	// Everything else from the nodes group, resource and non-resource, goes to "system".
	SuggestedFlowSchemaSystemNodes = newFlowSchema(
		"system-nodes", "system", 500,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.NodesGroup),
			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
				[]string{flowcontrol.VerbAll},
				[]string{flowcontrol.APIGroupAll},
				[]string{flowcontrol.ResourceAll},
				[]string{flowcontrol.NamespaceEvery},
				true)},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll}),
			},
		},
	)
	// kube-controller-manager and kube-scheduler share precedence 800 and the
	// "workload-high" level; they are distinguished by namespace rather than user,
	// unlike the schemas above.
	SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
		"kube-controller-manager", "workload-high", 800,
		flowcontrol.FlowDistinguisherMethodByNamespaceType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: users(user.KubeControllerManager),
			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
				[]string{flowcontrol.VerbAll},
				[]string{flowcontrol.APIGroupAll},
				[]string{flowcontrol.ResourceAll},
				[]string{flowcontrol.NamespaceEvery},
				true)},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll}),
			},
		},
	)
	SuggestedFlowSchemaKubeScheduler = newFlowSchema(
		"kube-scheduler", "workload-high", 800,
		flowcontrol.FlowDistinguisherMethodByNamespaceType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: users(user.KubeScheduler),
			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
				[]string{flowcontrol.VerbAll},
				[]string{flowcontrol.APIGroupAll},
				[]string{flowcontrol.ResourceAll},
				[]string{flowcontrol.NamespaceEvery},
				true)},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll}),
			},
		},
	)
	// Any kube-system service account not already matched by a leader-election or
	// endpoint-controller schema above gets "workload-high" for all remaining traffic.
	SuggestedFlowSchemaKubeSystemServiceAccounts = newFlowSchema(
		"kube-system-service-accounts", "workload-high", 900,
		flowcontrol.FlowDistinguisherMethodByNamespaceType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: kubeSystemServiceAccount(flowcontrol.NameAll),
			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
				[]string{flowcontrol.VerbAll},
				[]string{flowcontrol.APIGroupAll},
				[]string{flowcontrol.ResourceAll},
				[]string{flowcontrol.NamespaceEvery},
				true)},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll}),
			},
		},
	)
	// All other service accounts (the serviceaccount.AllServiceAccountsGroup group)
	// are routed to "workload-low" — the level whose share is mostly lendable — so
	// workload-originated traffic cannot crowd out the system-level schemas above.
	SuggestedFlowSchemaServiceAccounts = newFlowSchema(
		"service-accounts", "workload-low", 9000,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(serviceaccount.AllServiceAccountsGroup),
			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
				[]string{flowcontrol.VerbAll},
				[]string{flowcontrol.APIGroupAll},
				[]string{flowcontrol.ResourceAll},
				[]string{flowcontrol.NamespaceEvery},
				true)},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll}),
			},
		},
	)
	// Same subjects and rules as the mandatory catch-all but at 9900 instead of
	// 10000, so that with the suggested set installed unmatched requests — including
	// unauthenticated ones — are queued on "global-default" rather than rejected by
	// "catch-all".
	SuggestedFlowSchemaGlobalDefault = newFlowSchema(
		"global-default", "global-default", 9900,
		flowcontrol.FlowDistinguisherMethodByUserType,
		flowcontrol.PolicyRulesWithSubjects{
			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
				[]string{flowcontrol.VerbAll},
				[]string{flowcontrol.APIGroupAll},
				[]string{flowcontrol.ResourceAll},
				[]string{flowcontrol.NamespaceEvery},
				true)},
			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
				nonResourceRule(
					[]string{flowcontrol.VerbAll},
					[]string{flowcontrol.NonResourceAll}),
			},
		},
	)
)
Suggested FlowSchema objects. Ordered by matching precedence, so that their interactions are easier to follow while reading this source.