authorMatt McEuen <matt.mceuen@att.com>2018-10-17 18:22:04 -0500
committerMatt McEuen <matt.mceuen@att.com>2018-10-27 15:35:43 -0500
commit178193be8443eac9204adfff49f88efa12abfecb (patch)
tree75f33d6483b2b03891900ab11a0e9c82e8c618a7
parent20f27f628141752a98948453217a897d9df9bf8c (diff)
Add EventRateLimit admission controller
Add the EventRateLimit admission controller, to allow operators to define rate limits for the k8s API server at the server, namespace, or user account level. This also * cleans up some of the parameters passed into the API server * replaces the deprecated --admission-control parameter * applies --repair-malformed-updates consistently, including the examples * removes unused batch/v2alpha1 runtime config * https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ * removes duplicate --service-cluster-ip-range setting This PS adds EventRateLimits to the bootstrap and anchor API servers; future work will need to add it to the Keystone Webhook API server. Change-Id: I32a2d4add880e50f470e4cb0687e20d16e6e926d
Notes
Notes (review): Code-Review+2: Scott Hussey <sthussey@att.com> Code-Review+1: Ahmad Mahmoudi <am495p@att.com> Code-Review+2: Aaron Sheffield <ajs@sheffieldfamily.net> Workflow+1: Aaron Sheffield <ajs@sheffieldfamily.net> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Mon, 05 Nov 2018 20:27:05 +0000 Reviewed-on: https://review.openstack.org/611713 Project: openstack/airship-promenade Branch: refs/heads/master
-rw-r--r--charts/apiserver/templates/configmap-etc.yaml20
-rw-r--r--charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl1
-rw-r--r--charts/apiserver/values.yaml27
-rw-r--r--examples/basic/Genesis.yaml2
-rw-r--r--examples/basic/armada-resources.yaml2
-rw-r--r--promenade/templates/roles/genesis/etc/genesis/apiserver/acconfig.yaml6
-rw-r--r--promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml7
-rw-r--r--promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml5
-rw-r--r--promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml5
9 files changed, 62 insertions, 13 deletions
diff --git a/charts/apiserver/templates/configmap-etc.yaml b/charts/apiserver/templates/configmap-etc.yaml
index 725f52a..75a22ea 100644
--- a/charts/apiserver/templates/configmap-etc.yaml
+++ b/charts/apiserver/templates/configmap-etc.yaml
@@ -17,6 +17,21 @@ limitations under the License.
17{{- if .Values.manifests.configmap_etc }} 17{{- if .Values.manifests.configmap_etc }}
18{{- $envAll := . }} 18{{- $envAll := . }}
19 19
20{{/* This slightly involved merge of AC config files into the anchor
21 files uses HTK merge, as straighforward appends result in duplicates. */}}
22{{- $_ := set .Values "_ac_files_to_copy" list }}
23{{- range $key, $val := .Values.conf.admission_controllers }}
24 {{- $source := printf "/tmp/etc/%s" $key }}
25 {{- $dest := printf "/etc/kubernetes/apiserver/%s" $key }}
26 {{- $file_to_copy := dict "source" $source "dest" $dest }}
27 {{- $ac_files_to_copy := append $.Values._ac_files_to_copy $file_to_copy }}
28 {{- $_ := set $.Values "_ac_files_to_copy" $ac_files_to_copy }}
29{{- end }}
30{{ $all_files_to_copy := dict }}
31{{ $_ := set $all_files_to_copy "values" (tuple .Values.anchor.files_to_copy .Values._ac_files_to_copy) }}
32{{ $_ := $all_files_to_copy | include "helm-toolkit.utils.merge" }}
33{{ $_ := set .Values.anchor "files_to_copy" $all_files_to_copy.result }}
34
20--- 35---
21apiVersion: v1 36apiVersion: v1
22kind: ConfigMap 37kind: ConfigMap
@@ -27,4 +42,9 @@ data:
27{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} 42{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
28 kubeconfig.yaml: |+ 43 kubeconfig.yaml: |+
29{{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} 44{{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
45{{/* Dynamically add config files for admission controllers */}}
46{{ range $key, $val := .Values.conf.admission_controllers }}
47 {{ $key }}: |+
48{{ toYaml $val | indent 4 }}
49{{ end }}
30{{- end }} 50{{- end }}
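Review bot: The destination directory for the generated admission-controller files is hard-coded as `/etc/kubernetes/apiserver/%s` in the `$dest` printf of the new merge block, while the chart already exposes that same directory as `.Values.apiserver.host_etc_path`; if an operator overrides one and not the other, the copied files and the `--admission-control-config-file` flag silently stop agreeing. Consider `{{- $dest := printf "%s/%s" $.Values.apiserver.host_etc_path $key }}` plus a short comment above the loop noting that `acconfig.yaml` and `eventconfig.yaml` must land in the same directory, since the plugin `path` in acconfig.yaml is relative and appears to be resolved against the admission config file's location. The comment on the merge also misspells `straighforward`.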
diff --git a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
index 0d2f36d..70fbd40 100644
--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -62,6 +62,7 @@ spec:
62 - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem 62 - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
63 - --allow-privileged=true 63 - --allow-privileged=true
64 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub 64 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
65 - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
65 66
66 ports: 67 ports:
67 - containerPort: {{ .Values.network.kubernetes_apiserver.port }} 68 - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
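Review bot: The new `--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml` argument hard-codes the file name, while the files it depends on come from the operator-overridable `conf.admission_controllers` map in values.yaml; an override that renames or omits the `acconfig.yaml` key leaves the flag pointing at a file the anchor never copies, and the apiserver will fail to start (EventRateLimit is also listed in `--enable-admission-plugins` and needs this configuration). Either document the constraint next to the map, e.g. `# acconfig.yaml is required: it is the file named by --admission-control-config-file`, or derive the flag from a dedicated value such as `conf.admission_config_file` so the two cannot diverge. The container `command` this line belongs to starts outside the hunk.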
diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml
index f4bc653..b1dc0c6 100644
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -55,20 +55,41 @@ anchor:
55 dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml 55 dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
56 - source: /tmp/etc/kubeconfig.yaml 56 - source: /tmp/etc/kubeconfig.yaml
57 dest: /etc/kubernetes/apiserver/kubeconfig.yaml 57 dest: /etc/kubernetes/apiserver/kubeconfig.yaml
58 # Note: config files for admission controllers are added to this dynamically
58 59
59command_prefix: 60command_prefix:
60 - /apiserver 61 - /apiserver
61 - --authorization-mode=Node,RBAC 62 - --authorization-mode=Node,RBAC
62 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds 63 - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
63 - --apiserver-count=3
64 - --service-cluster-ip-range=10.96.0.0/16 64 - --service-cluster-ip-range=10.96.0.0/16
65 - --v=5 65 - --endpoint-reconciler-type=lease
66 # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
67 - --repair-malformed-updates=false
66 68
67apiserver: 69apiserver:
68 host_etc_path: /etc/kubernetes/apiserver 70 host_etc_path: /etc/kubernetes/apiserver
69 etcd: 71 etcd:
70 endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local 72 endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
71 73
74conf:
75 # Admission controllers config files are generated dynamically based on the
76 # config below, as they they are specific to particular ACs that may be
77 # configured by the operator (or added by k8s in the future).
78 admission_controllers:
79 eventconfig.yaml:
80 kind: Configuration
81 apiVersion: eventratelimit.admission.k8s.io/v1alpha1
82 limits:
83 - type: Server
84 qps: 100
85 burst: 1000
86 acconfig.yaml:
87 kind: AdmissionConfiguration
88 apiVersion: apiserver.k8s.io/v1alpha1
89 plugins:
90 - name: EventRateLimit
91 path: eventconfig.yaml
92
72network: 93network:
73 kubernetes_apiserver: 94 kubernetes_apiserver:
74 ingress: 95 ingress:
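Review bot: The default `eventconfig.yaml` defines only a `Server`-type limit (100 qps, burst 1000), so the whole cluster shares one token bucket: any single workload or user able to create Events in its own namespace can exhaust that budget and cause Events from every other namespace, including kube-system, to be rejected with 429, silencing exactly the signals operators need during an incident. The commit message mentions namespace- and user-level limits, but none is configured; add a `- type: Namespace` (and/or `- type: User`) entry with its own `qps`, `burst` and `cacheSize`, tuned so a noisy tenant is throttled before it reaches the server-wide budget, and comment the chosen numbers. A `# NOTE: keep in sync with promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml` comment would also help, since the same values are duplicated there.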
diff --git a/examples/basic/Genesis.yaml b/examples/basic/Genesis.yaml
index 7bade7d..3f11c82 100644
--- a/examples/basic/Genesis.yaml
+++ b/examples/basic/Genesis.yaml
@@ -14,7 +14,7 @@ data:
14 command_prefix: 14 command_prefix:
15 - /apiserver 15 - /apiserver
16 - --authorization-mode=Node,RBAC 16 - --authorization-mode=Node,RBAC
17 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction 17 - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
18 - --service-cluster-ip-range=10.96.0.0/16 18 - --service-cluster-ip-range=10.96.0.0/16
19 - --endpoint-reconciler-type=lease 19 - --endpoint-reconciler-type=lease
20 # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11 20 # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
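Review bot: Swapping `--admission-control` for `--enable-admission-plugins` changes semantics, not just the flag name: the old flag was an exclusive, ordered list, whereas `--enable-admission-plugins` enables the listed plugins in addition to the release's default-enabled set (depending on the Kubernetes version this can include MutatingAdmissionWebhook, ValidatingAdmissionWebhook and Priority), and the order written is no longer significant. If the example is meant to run exactly this set, pair it with `--disable-admission-plugins=...` for the defaults that are not wanted; otherwise a comment such as `# NOTE: default-enabled plugins also run; see --disable-admission-plugins` would stop operators from reading the list as exhaustive. The enclosing Genesis document continues outside the hunk.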
diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml
index 8b49fea..d5330f9 100644
--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -743,7 +743,7 @@ data:
743 command_prefix: 743 command_prefix:
744 - /apiserver 744 - /apiserver
745 - --authorization-mode=Node,RBAC 745 - --authorization-mode=Node,RBAC
746 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction 746 - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
747 - --service-cluster-ip-range=10.96.0.0/16 747 - --service-cluster-ip-range=10.96.0.0/16
748 - --endpoint-reconciler-type=lease 748 - --endpoint-reconciler-type=lease
749 # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11 749 # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
diff --git a/promenade/templates/roles/genesis/etc/genesis/apiserver/acconfig.yaml b/promenade/templates/roles/genesis/etc/genesis/apiserver/acconfig.yaml
new file mode 100644
index 0000000..c792a8b
--- /dev/null
+++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/acconfig.yaml
@@ -0,0 +1,6 @@
1---
2kind: AdmissionConfiguration
3apiVersion: apiserver.k8s.io/v1alpha1
4plugins:
5- name: EventRateLimit
6 path: eventconfig.yaml \ No newline at end of file
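Review bot: `path: eventconfig.yaml` is a relative path; kube-apiserver appears to resolve plugin `path` entries relative to the directory holding the admission configuration file, and the gated deployment relies on that, but nothing in the file records it, and the file also lacks a trailing newline. Make the dependency explicit, either as `path: /etc/kubernetes/apiserver/eventconfig.yaml` to match the directory given to `--admission-control-config-file`, or with a comment `# resolved relative to the directory containing this file`, so that copying the two files to different locations does not break silently.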
diff --git a/promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml b/promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml
new file mode 100644
index 0000000..ae78968
--- /dev/null
+++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml
@@ -0,0 +1,7 @@
1---
2kind: Configuration
3apiVersion: eventratelimit.admission.k8s.io/v1alpha1
4limits:
5- type: Server
6 qps: 100
7 burst: 1000 \ No newline at end of file
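Review bot: This file repeats the `Server` 100/1000 limit from `charts/apiserver/values.yaml` verbatim, so the genesis and chart-managed apiservers will drift the first time one is tuned, and both inherit the same weakness of a single server-wide bucket that lets one chatty namespace starve Event delivery for everyone else. Consider a header comment `# Keep in sync with charts/apiserver/values.yaml (conf.admission_controllers.eventconfig.yaml)` and a `Namespace`- or `User`-type limit alongside the `Server` one; the file is also missing its trailing newline.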
diff --git a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
index adfa41e..3e6e48b 100644
--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
@@ -122,8 +122,6 @@ spec:
122 - "{{ argument }}" 122 - "{{ argument }}"
123 {%- endfor %} 123 {%- endfor %}
124 - --advertise-address={{ config['Genesis:ip'] }} 124 - --advertise-address={{ config['Genesis:ip'] }}
125 - --authorization-mode=Node,RBAC
126 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
127 - --anonymous-auth=false 125 - --anonymous-auth=false
128 - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem 126 - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
129 - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem 127 - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
@@ -132,15 +130,14 @@ spec:
132 - --insecure-port=8080 130 - --insecure-port=8080
133 - --secure-port=6444 131 - --secure-port=6444
134 - --bind-address=0.0.0.0 132 - --bind-address=0.0.0.0
135 - --runtime-config=batch/v2alpha1=true
136 - --allow-privileged=true 133 - --allow-privileged=true
137 - --etcd-servers=https://localhost:12379 134 - --etcd-servers=https://localhost:12379
138 - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem 135 - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
139 - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem 136 - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
140 - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem 137 - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
141 - --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
142 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 138 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
143 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub 139 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
140 - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
144 - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem 141 - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
145 - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem 142 - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
146 env: 143 env:
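Review bot: Dropping `--authorization-mode=Node,RBAC` and `--admission-control=...` from the static manifest moves them entirely into the operator-supplied arguments rendered by the `{{ argument }}` loop at the top of the first hunk, and kube-apiserver's built-in default when `--authorization-mode` is absent is `AlwaysAllow`; a Genesis document that omits the flag (the examples carry it, but nothing shown here enforces it) would bring up a bootstrap apiserver that authorizes every authenticated request on port 6444. Either keep `- --authorization-mode=Node,RBAC` hard-coded in the manifest as a floor, or have promenade's Genesis schema validation reject a `command_prefix` without it, and add a comment at the loop recording that the authorization mode is expected to come from the document. The container `command` list this hunk edits begins outside the hunk.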
diff --git a/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml b/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
index ef27e8b..606f0f3 100644
--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
@@ -20,8 +20,6 @@ spec:
20 - "{{ argument }}" 20 - "{{ argument }}"
21 {%- endfor %} 21 {%- endfor %}
22 - --advertise-address={{ config['Genesis:ip'] }} 22 - --advertise-address={{ config['Genesis:ip'] }}
23 - --authorization-mode=Node,RBAC
24 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
25 - --anonymous-auth=false 23 - --anonymous-auth=false
26 - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem 24 - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
27 - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem 25 - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
@@ -30,15 +28,14 @@ spec:
30 - --insecure-port=0 28 - --insecure-port=0
31 - --bind-address=0.0.0.0 29 - --bind-address=0.0.0.0
32 - --secure-port=6443 30 - --secure-port=6443
33 - --runtime-config=batch/v2alpha1=true
34 - --allow-privileged=true 31 - --allow-privileged=true
35 - --etcd-servers=https://localhost:2379 32 - --etcd-servers=https://localhost:2379
36 - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem 33 - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
37 - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem 34 - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
38 - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem 35 - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
39 - --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
40 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 36 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
41 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub 37 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
38 - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
42 - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem 39 - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
43 - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem 40 - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
44 volumeMounts: 41 volumeMounts:
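Review bot: With `--authorization-mode=Node,RBAC` removed from this manifest, the authorization mode of the genesis apiserver that serves the cluster on `--secure-port=6443` is decided solely by whatever `command_prefix` the operator's Genesis document provides, and kube-apiserver defaults to `AlwaysAllow` when the flag is missing. The new `--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml` likewise assumes the files added under `etc/genesis/apiserver/` are mounted at `/etc/kubernetes/apiserver`; the pki paths suggest that mapping, but the `volumeMounts` that would confirm it start where the hunk ends. A one-line `# authorization mode and admission plugins come from Genesis command_prefix; schema validation must require --authorization-mode` above the `{{ argument }}` loop, or keeping the flag here as a hard-coded floor, would remove the silent-default risk. The container `command` begins outside the hunk.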