From 798fc67a3711d83af4b25241e17b80fbcf46e9fd Mon Sep 17 00:00:00 2001
From: Mike Spreitzer
Date: Wed, 12 Jan 2022 21:40:22 -0500
Subject: [PATCH] Order suggested FlowSchemas by matching precedence

---
 .../pkg/apis/flowcontrol/bootstrap/default.go | 96 ++++++++++---------
 1 file changed, 49 insertions(+), 47 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go b/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
index 793dcbaf35e..3644a04490a 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
@@ -264,44 +264,20 @@ var (
 	})
 )
 
-// Suggested FlowSchema objects
+// Suggested FlowSchema objects.
+// Ordered by matching precedence, so that their interactions are easier
+// to follow while reading this source.
 var (
-	SuggestedFlowSchemaSystemNodes = newFlowSchema(
-		"system-nodes", "system", 500,
-		flowcontrol.FlowDistinguisherMethodByUserType,
+	// the following flow schema exempts probes
+	SuggestedFlowSchemaProbes = newFlowSchema(
+		"probes", "exempt", 2,
+		"", // distinguisherMethodType
 		flowcontrol.PolicyRulesWithSubjects{
-			Subjects: groups(user.NodesGroup), // the nodes group
-			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
-				[]string{flowcontrol.VerbAll},
-				[]string{flowcontrol.APIGroupAll},
-				[]string{flowcontrol.ResourceAll},
-				[]string{flowcontrol.NamespaceEvery},
-				true)},
+			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
 			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
 				nonResourceRule(
-					[]string{flowcontrol.VerbAll},
-					[]string{flowcontrol.NonResourceAll}),
-			},
-		},
-	)
-	SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
-		"system-node-high", "node-high", 400,
-		flowcontrol.FlowDistinguisherMethodByUserType,
-		flowcontrol.PolicyRulesWithSubjects{
-			Subjects: groups(user.NodesGroup), // the nodes group
-			ResourceRules: []flowcontrol.ResourcePolicyRule{
-				resourceRule(
-					[]string{flowcontrol.VerbAll},
-					[]string{corev1.GroupName},
-					[]string{"nodes", "nodes/status"},
-					[]string{flowcontrol.NamespaceEvery},
-					true),
-				resourceRule(
-					[]string{flowcontrol.VerbAll},
-					[]string{coordinationv1.GroupName},
-					[]string{"leases"},
-					[]string{flowcontrol.NamespaceEvery},
-					false),
+					[]string{"get"},
+					[]string{"/healthz", "/readyz", "/livez"}),
 			},
 		},
 	)
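Review bot: The new header comment above `var (` promises that the schemas are "ordered by matching precedence", but nothing in this file enforces that invariant, so a later insertion out of order would silently contradict the comment; if the file also aggregates these vars into a slice (not visible in this hunk), a small unit test asserting that slice is non-decreasing in matchingPrecedence would pin the property the commit is documenting. Separately, `SuggestedFlowSchemaProbes` routes GET requests to `/healthz`, `/readyz` and `/livez` from `user.AllUnauthenticated` as well as `user.AllAuthenticated` to the `exempt` priority level, i.e. anonymous probe traffic bypasses APF queuing entirely, and the one-line `// the following flow schema exempts probes` does not say why that is acceptable; I would replace it with `// SuggestedFlowSchemaProbes exempts GETs of /healthz, /readyz and /livez from APF queuing, including from unauthenticated callers, so that kubelet and load-balancer health checks are never starved; it does not bypass authn/authz for those paths.` Whether anonymous access to those paths is actually permitted is decided by the authorizer, not by this FlowSchema, so the last clause should be confirmed against the server's auth configuration before it is written down. As an exported package-level var it should in any case carry a doc comment starting with its name per Go convention.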
@@ -368,6 +344,45 @@ var (
 			},
 		},
 	)
+	SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
+		"system-node-high", "node-high", 400,
+		flowcontrol.FlowDistinguisherMethodByUserType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: groups(user.NodesGroup), // the nodes group
+			ResourceRules: []flowcontrol.ResourcePolicyRule{
+				resourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{corev1.GroupName},
+					[]string{"nodes", "nodes/status"},
+					[]string{flowcontrol.NamespaceEvery},
+					true),
+				resourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{coordinationv1.GroupName},
+					[]string{"leases"},
+					[]string{flowcontrol.NamespaceEvery},
+					false),
+			},
+		},
+	)
+	SuggestedFlowSchemaSystemNodes = newFlowSchema(
+		"system-nodes", "system", 500,
+		flowcontrol.FlowDistinguisherMethodByUserType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: groups(user.NodesGroup), // the nodes group
+			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
+				[]string{flowcontrol.VerbAll},
+				[]string{flowcontrol.APIGroupAll},
+				[]string{flowcontrol.ResourceAll},
+				[]string{flowcontrol.NamespaceEvery},
+				true)},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll}),
+			},
+		},
+	)
 	SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
 		"kube-controller-manager", "workload-high", 800,
 		flowcontrol.FlowDistinguisherMethodByNamespaceType,
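Review bot: `SuggestedFlowSchemaSystemNodeHigh` and `SuggestedFlowSchemaSystemNodes` are exported package-level vars that arrive here without doc comments, the only annotation being the duplicated `// the nodes group` on each Subjects line; their interaction is exactly what the new precedence ordering is meant to make visible, so each deserves a comment starting with its name. For example `// SuggestedFlowSchemaSystemNodeHigh routes the nodes group's traffic to nodes, nodes/status and coordination leases to the "node-high" priority level; at precedence 400 it is matched before the catch-all SuggestedFlowSchemaSystemNodes below.` and `// SuggestedFlowSchemaSystemNodes sends all remaining requests from the nodes group (every verb, API group, resource and namespace, plus all non-resource URLs) to the "system" priority level.` The trailing boolean passed to `resourceRule` (`true` for nodes and the catch-all, `false` for leases) is presumably the cluster-scope flag, but its meaning is not visible in this hunk, so it should be named in a comment only once confirmed against `resourceRule`'s definition. Both schemas are moved verbatim from their previous position, so the relocation itself implies no behavioral change.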
@@ -458,19 +473,6 @@ var (
 			},
 		},
 	)
-	// the following flow schema exempts probes
-	SuggestedFlowSchemaProbes = newFlowSchema(
-		"probes", "exempt", 2,
-		"", // distinguisherMethodType
-		flowcontrol.PolicyRulesWithSubjects{
-			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
-			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
-				nonResourceRule(
-					[]string{"get"},
-					[]string{"/healthz", "/readyz", "/livez"}),
-			},
-		},
-	)
 )
 
 func newPriorityLevelConfiguration(name string, spec flowcontrol.PriorityLevelConfigurationSpec) *flowcontrol.PriorityLevelConfiguration {