authorZuul <zuul@review.openstack.org>2018-11-05 20:27:05 +0000
committerGerrit Code Review <review@openstack.org>2018-11-05 20:27:05 +0000
commita5a17ffe6d117b75e99454640d94f9e63c08e145 (patch)
tree371ecd441bf4e666c04dff0331fe3346bad548ba
parent2b2bb68ab694ab01c728eb2c250be9a2de758619 (diff)
parent178193be8443eac9204adfff49f88efa12abfecb (diff)
Merge "Add EventRateLimit admission controller"
-rw-r--r--charts/apiserver/templates/configmap-etc.yaml20
-rw-r--r--charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl1
-rw-r--r--charts/apiserver/values.yaml27
-rw-r--r--examples/basic/Genesis.yaml2
-rw-r--r--examples/basic/armada-resources.yaml2
-rw-r--r--promenade/templates/roles/genesis/etc/genesis/apiserver/acconfig.yaml6
-rw-r--r--promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml7
-rw-r--r--promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml5
-rw-r--r--promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml5
9 files changed, 62 insertions, 13 deletions
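--- a/charts/apiserver/templates/configmap-etc.yaml
+++ b/charts/apiserver/templates/configmap-etc.yaml
@@ -17,6 +17,21 @@ limitations under the License.
 {{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 
+{{/* This slightly involved merge of AC config files into the anchor
+ files uses HTK merge, as straighforward appends result in duplicates. */}}
+{{- $_ := set .Values "_ac_files_to_copy" list }}
+{{- range $key, $val := .Values.conf.admission_controllers }}
+ {{- $source := printf "/tmp/etc/%s" $key }}
+ {{- $dest := printf "/etc/kubernetes/apiserver/%s" $key }}
+ {{- $file_to_copy := dict "source" $source "dest" $dest }}
+ {{- $ac_files_to_copy := append $.Values._ac_files_to_copy $file_to_copy }}
+ {{- $_ := set $.Values "_ac_files_to_copy" $ac_files_to_copy }}
+{{- end }}
+{{ $all_files_to_copy := dict }}
+{{ $_ := set $all_files_to_copy "values" (tuple .Values.anchor.files_to_copy .Values._ac_files_to_copy) }}
+{{ $_ := $all_files_to_copy | include "helm-toolkit.utils.merge" }}
+{{ $_ := set .Values.anchor "files_to_copy" $all_files_to_copy.result }}
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -27,4 +42,9 @@ data:
 {{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  kubeconfig.yaml: |+
 {{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{/* Dynamically add config files for admission controllers */}}
+{{ range $key, $val := .Values.conf.admission_controllers }}
+ {{ $key }}: |+
+{{ toYaml $val | indent 4 }}
+{{ end }}
 {{- end }}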
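Review bot: Each key of `.Values.conf.admission_controllers` is used unchanged both as a ConfigMap data key and as a file name in `printf "/etc/kubernetes/apiserver/%s" $key`, and nothing in the first hunk checks that a key is a bare file name, so a key containing a path separator or `..` would place the copied file outside the apiserver config directory. The map is operator-supplied, so this is a hardening and documentation point rather than an exposure; the loop comment should state the constraint, e.g. `{{/* Keys must be bare file names: each becomes a ConfigMap data key and a file under /etc/kubernetes/apiserver */}}`. In the second hunk the untrimmed `{{ range ... }}` and `{{ end }}` lines each emit an empty line into the rendered `data:` block; `{{- range` and `{{- end }}` would keep the output tidy, matching the trimmed `{{- end }}` that closes the file.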
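--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -63,6 +63,7 @@ spec:
  - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
  - --allow-privileged=true
  - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+ - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
 
  ports:
  - containerPort: {{ .Values.network.kubernetes_apiserver.port }}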
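Review bot: `--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml` is added unconditionally, while the file it names exists only because the default `conf.admission_controllers` map in values.yaml carries an `acconfig.yaml` key; an operator override that drops or renames that key would presumably leave the apiserver pointing at a file that is never generated. Either gate the flag on the same map, `{{- if hasKey .Values.conf.admission_controllers "acconfig.yaml" }}` around the line, or record the coupling beside it, e.g. `# acconfig.yaml is generated from .Values.conf.admission_controllers; keep that key when overriding`. The container args list continues outside the hunk.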
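--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -55,20 +55,41 @@ anchor:
  dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
  - source: /tmp/etc/kubeconfig.yaml
  dest: /etc/kubernetes/apiserver/kubeconfig.yaml
+ # Note: config files for admission controllers are added to this dynamically
 
 command_prefix:
  - /apiserver
  - --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- - --apiserver-count=3
+ - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
  - --service-cluster-ip-range=10.96.0.0/16
- - --v=5
+ - --endpoint-reconciler-type=lease
+ # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
+ - --repair-malformed-updates=false
 
 apiserver:
  host_etc_path: /etc/kubernetes/apiserver
  etcd:
  endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
 
+conf:
+ # Admission controllers config files are generated dynamically based on the
+ # config below, as they they are specific to particular ACs that may be
+ # configured by the operator (or added by k8s in the future).
+ admission_controllers:
+ eventconfig.yaml:
+ kind: Configuration
+ apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+ limits:
+ - type: Server
+ qps: 100
+ burst: 1000
+ acconfig.yaml:
+ kind: AdmissionConfiguration
+ apiVersion: apiserver.k8s.io/v1alpha1
+ plugins:
+ - name: EventRateLimit
+ path: eventconfig.yaml
+
 network:
  kubernetes_apiserver:
  ingress: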
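Review bot: The new `command_prefix` adds `- --repair-malformed-updates=false` directly beneath a comment stating the flag is removed in Kubernetes 1.11; on a release where it is gone the apiserver would reject it as an unknown flag and fail to start, so the default should drop the flag or the comment should say which releases the default targets. The default EventRateLimit configuration carries a single `type: Server` limit (`qps: 100`, `burst: 1000`); that bucket is shared by every client, so one noisy namespace or user can exhaust it and suppress event recording for the whole cluster, and adding a `Namespace` or `User` limit alongside it bounds the impact per tenant. The same limit block is duplicated verbatim in promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml, so the two copies need to be kept in step. The comment above `admission_controllers` has a doubled word; it should read `# config below, as they are specific to particular ACs that may be`.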
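--- a/examples/basic/Genesis.yaml
+++ b/examples/basic/Genesis.yaml
@@ -14,7 +14,7 @@ data:
  command_prefix:
  - /apiserver
  - --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
+ - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
  - --service-cluster-ip-range=10.96.0.0/16
  - --endpoint-reconciler-type=lease
  - --feature-gates=PodShareProcessNamespace=true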
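--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -721,7 +721,7 @@ data:
  command_prefix:
  - /apiserver
  - --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
+ - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
  - --service-cluster-ip-range=10.96.0.0/16
  - --endpoint-reconciler-type=lease
  - --feature-gates=PodShareProcessNamespace=true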
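--- /dev/null
+++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/acconfig.yaml
@@ -0,0 +1,6 @@
+---
+kind: AdmissionConfiguration
+apiVersion: apiserver.k8s.io/v1alpha1
+plugins:
+- name: EventRateLimit
+ path: eventconfig.yaml
\ No newline at end of file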
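Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), as does promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml in the next section; add the final newline to both so later edits diff cleanly. `path: eventconfig.yaml` is a relative path, which presumably relies on the apiserver resolving plugin config paths against the directory that holds the admission config file; a one-line comment, `# relative to this file's directory (/etc/kubernetes/apiserver)`, would record that assumption for whoever moves either file.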
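--- /dev/null
+++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/eventconfig.yaml
@@ -0,0 +1,7 @@
+---
+kind: Configuration
+apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+limits:
+- type: Server
+ qps: 100
+ burst: 1000
\ No newline at end of file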
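--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
@@ -122,8 +122,6 @@ spec:
  - "{{ argument }}"
  {%- endfor %}
  - --advertise-address={{ config['Genesis:ip'] }}
- - --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
  - --anonymous-auth=false
  - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
  - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
@@ -132,15 +130,14 @@ spec:
  - --insecure-port=8080
  - --secure-port=6444
  - --bind-address=0.0.0.0
- - --runtime-config=batch/v2alpha1=true
  - --allow-privileged=true
  - --etcd-servers=https://localhost:12379
  - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
  - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
  - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- - --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
  - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
  - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+ - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
  - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
  - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
  env: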
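Review bot: After the first hunk the generated manifest no longer pins `--authorization-mode=Node,RBAC`, so the authorization mode now comes solely from the arguments emitted by the `{{ argument }}` loop just above (presumably the Genesis `command_prefix`); if an operator's document omits that flag, kube-apiserver falls back to its default authorizer, AlwaysAllow, and nothing in this template guards against it. The admission plugin list and `--service-cluster-ip-range` move the same way, and the new `--admission-control-config-file` only takes effect if that operator-supplied list actually enables `EventRateLimit`. A comment beside the loop, `{# --authorization-mode and --enable-admission-plugins must be supplied via command_prefix; the apiserver default authorizer is AlwaysAllow #}`, or a template-time check that the required flags are present, would make the dependency explicit. The same removals and addition appear in promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml; the args list starts and continues outside both hunks.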
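--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
@@ -20,8 +20,6 @@ spec:
  - "{{ argument }}"
  {%- endfor %}
  - --advertise-address={{ config['Genesis:ip'] }}
- - --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
  - --anonymous-auth=false
  - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
  - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
@@ -30,15 +28,14 @@ spec:
  - --insecure-port=0
  - --bind-address=0.0.0.0
  - --secure-port=6443
- - --runtime-config=batch/v2alpha1=true
  - --allow-privileged=true
  - --etcd-servers=https://localhost:2379
  - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
  - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
  - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- - --service-cluster-ip-range={{ config['KubernetesNetwork:kubernetes.service_cidr'] }}
  - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
  - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+ - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
  - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
  - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
  volumeMounts: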