From d1f62ead18f97f98dd01073ca47c3b19382765a3 Mon Sep 17 00:00:00 2001
From: yue9944882 <291271447@qq.com>
Date: Mon, 13 Jan 2020 15:56:54 +0800
Subject: [PATCH 1/2] fork out a new global-default from catch-all to handle unclassified traffic

---
 .../pkg/apis/flowcontrol/bootstrap/default.go | 61 +++++++++++++++----
 1 file changed, 48 insertions(+), 13 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go b/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
index 7e8962b9978..200cc8a7e01 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
@@ -59,6 +59,8 @@ var (
 // "workload-low" is used by those workloads with lower priority which availability only has a
 // minor impact on the cluster.
 SuggestedPriorityLevelConfigurationWorkloadLow,
+ // "global-default" serves the rest traffic not handled by the other suggested flow-schemas above.
+ SuggestedPriorityLevelConfigurationGlobalDefault,
 }
 SuggestedFlowSchemas = []*flowcontrol.FlowSchema{
 SuggestedFlowSchemaSystemNodes, // references "system" priority-level
@@ -68,6 +70,7 @@ var (
 SuggestedFlowSchemaKubeScheduler, // references "workload-high" priority-level
 SuggestedFlowSchemaKubeSystemServiceAccounts, // references "workload-high" priority-level
 SuggestedFlowSchemaServiceAccounts, // references "workload-low" priority-level
+ SuggestedFlowSchemaGlobalDefault, // references "global-default" priority-level
 }
 )
 
@@ -84,14 +87,9 @@ var (
 flowcontrol.PriorityLevelConfigurationSpec{
 Type: flowcontrol.PriorityLevelEnablementLimited,
 Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
- AssuredConcurrencyShares: 100,
+ AssuredConcurrencyShares: 1,
 LimitResponse: flowcontrol.LimitResponse{
- Type: flowcontrol.LimitResponseTypeQueue,
- Queuing: &flowcontrol.QueuingConfiguration{
- Queues: 128,
- HandSize: 6,
- QueueLengthLimit: 100,
- },
+ Type: flowcontrol.LimitResponseTypeReject,
 },
 },
 })
@@ -99,7 +97,8 @@ var (
 
 // Mandatory FlowSchema objects
 var (
- // exempt priority-level
+ // "exempt" priority-level is used for preventing priority inversion and ensuring that sysadmin
+ // requests are always possible.
 MandatoryFlowSchemaExempt = newFlowSchema(
 "exempt",
 flowcontrol.PriorityLevelConfigurationNameExempt,
@@ -124,7 +123,8 @@ var (
 },
 },
 )
- // catch-all priority-level
+ // "catch-all" priority-level only gets a minimal positive share of concurrency and won't be reaching
+ // ideally unless you intentionally deleted the suggested "global-default".
 MandatoryFlowSchemaCatchAll = newFlowSchema(
 "catch-all",
 "catch-all",
@@ -165,7 +165,7 @@ var (
 Queuing: &flowcontrol.QueuingConfiguration{
 Queues: 64,
 HandSize: 6,
- QueueLengthLimit: 1000,
+ QueueLengthLimit: 50,
 },
 },
 },
@@ -182,7 +182,7 @@ var (
 Queuing: &flowcontrol.QueuingConfiguration{
 Queues: 16,
 HandSize: 4,
- QueueLengthLimit: 100,
+ QueueLengthLimit: 50,
 },
 },
 },
@@ -199,7 +199,7 @@ var (
 Queuing: &flowcontrol.QueuingConfiguration{
 Queues: 128,
 HandSize: 6,
- QueueLengthLimit: 100,
+ QueueLengthLimit: 50,
 },
 },
 },
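Review bot: Nothing in the `-84,14 +87,9` hunk documents that requests reaching this level are now refused outright once its single share is busy; the spec is set to `AssuredConcurrencyShares: 1` with `LimitResponseTypeReject` and no queue. This is presumably the mandatory catch-all level, going by the second commit's subject, but its name line is outside the hunk. A client that matches no other flow schema can therefore be locked out under load while the apiserver is otherwise healthy, which is worth stating where the numbers are set. I would add above the spec `// catch-all rejects instead of queuing: a request landing here means no FlowSchema classified it, so treat rejections at this level as a configuration gap`, and have operators alert on rejections attributed to this level.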
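Review bot: The new comment on `MandatoryFlowSchemaCatchAll` in the `-124,7 +123,8` hunk is hard to parse ("won't be reaching ideally") and promises more than the code guarantees: the schema is reached by any request that no higher-precedence schema matches, not only after `global-default` has been deleted. It also describes the priority level although it sits on a FlowSchema, as does the `"exempt"` comment in the `-99,7 +97,8` hunk. Suggested wording: `// "catch-all" flow-schema matches every request that no other flow-schema matched and routes it to the` followed by `// minimal "catch-all" priority-level; with the suggested "global-default" in place it should rarely be hit.`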
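Review bot: `QueueLengthLimit: 50` is repeated as a bare literal in the `-165,7`, `-182,7` and `-199,7` hunks, and again in `-216,7` and the new global-default level, with no comment on why 50 was chosen or why the level with 64 queues falls from 1000. A shorter queue bounds memory and latency during a flood, but it also rejects bursts sooner, and that trade-off deserves a line of rationale next to the value. I would introduce a named constant in this file, for example `const suggestedQueueLengthLimit = 50 // per-queue bound; requests beyond it are rejected`, and use it in each spec. Each of these declarations starts and ends outside its hunk.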
@@ -216,7 +216,24 @@ var (
 Queuing: &flowcontrol.QueuingConfiguration{
 Queues: 128,
 HandSize: 6,
- QueueLengthLimit: 100,
+ QueueLengthLimit: 50,
+ },
+ },
+ },
+ })
+ // global-default priority-level
+ SuggestedPriorityLevelConfigurationGlobalDefault = newPriorityLevelConfiguration(
+ "global-default",
+ flowcontrol.PriorityLevelConfigurationSpec{
+ Type: flowcontrol.PriorityLevelEnablementLimited,
+ Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
+ AssuredConcurrencyShares: 100,
+ LimitResponse: flowcontrol.LimitResponse{
+ Type: flowcontrol.LimitResponseTypeQueue,
+ Queuing: &flowcontrol.QueuingConfiguration{
+ Queues: 128,
+ HandSize: 6,
+ QueueLengthLimit: 50,
 },
 },
 },
@@ -359,6 +376,24 @@ var (
 },
 },
 )
+ SuggestedFlowSchemaGlobalDefault = newFlowSchema(
+ "global-default", "global-default", 9900,
+ flowcontrol.FlowDistinguisherMethodByUserType,
+ flowcontrol.PolicyRulesWithSubjects{
+ Subjects: groups(serviceaccount.AllServiceAccountsGroup),
+ ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
+ []string{flowcontrol.VerbAll},
+ []string{flowcontrol.APIGroupAll},
+ []string{flowcontrol.ResourceAll},
+ []string{flowcontrol.NamespaceEvery},
+ true)},
+ NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+ nonResourceRule(
+ []string{flowcontrol.VerbAll},
+ []string{flowcontrol.NonResourceAll}),
+ },
+ },
+ )
 )
 
 func newPriorityLevelConfiguration(name string, spec flowcontrol.PriorityLevelConfigurationSpec) *flowcontrol.PriorityLevelConfiguration {
From a8e074704383d43ec2a9aad2ef8358babca8b355 Mon Sep 17 00:00:00 2001
From: Mike Spreitzer
Date: Fri, 24 Jan 2020 11:57:59 -0500
Subject: [PATCH 2/2] Updated API Priority and Fairness validation to track change in catch-all priority level

---
 pkg/apis/flowcontrol/validation/validation_test.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

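Review bot: `Subjects: groups(serviceaccount.AllServiceAccountsGroup)` in the new `SuggestedFlowSchemaGlobalDefault` (`-359,6 +376,24` hunk of bootstrap/default.go) limits the schema to service accounts, so it does not catch the "rest traffic" the commit describes. Ordinary authenticated users and unauthenticated requests that match no earlier schema would still fall through to catch-all, which this same patch cuts to one share with immediate rejection. Service accounts are presumably already matched by `SuggestedFlowSchemaServiceAccounts`, though its rule is not visible here. The subject list should cover everyone, `Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),`, which needs the `k8s.io/apiserver/pkg/authentication/user` import if the file does not already have it. A test asserting that a non-service-account user resolves to `global-default` would keep this from regressing.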
diff --git a/pkg/apis/flowcontrol/validation/validation_test.go b/pkg/apis/flowcontrol/validation/validation_test.go
index be77e0e1cc2..29bc12755b1 100644
--- a/pkg/apis/flowcontrol/validation/validation_test.go
+++ b/pkg/apis/flowcontrol/validation/validation_test.go
@@ -1013,14 +1013,10 @@ func TestPriorityLevelConfigurationValidation(t *testing.T) {
 Spec: flowcontrol.PriorityLevelConfigurationSpec{
 Type: flowcontrol.PriorityLevelEnablementLimited,
 Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
- AssuredConcurrencyShares: 100,
+ AssuredConcurrencyShares: 1,
 LimitResponse: flowcontrol.LimitResponse{
- Type: flowcontrol.LimitResponseTypeQueue,
- Queuing: &flowcontrol.QueuingConfiguration{
- Queues: 128,
- HandSize: 6,
- QueueLengthLimit: 100,
- }}}},
+ Type: flowcontrol.LimitResponseTypeReject,
+ }}},
 },
 expectedErrors: field.ErrorList{},
 },