diff --git a/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go b/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
index 8ae15a0ec7d..793dcbaf35e 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
@@ -73,6 +73,7 @@ var (
 SuggestedFlowSchemaProbes, // references "exempt" priority-level
 SuggestedFlowSchemaSystemLeaderElection, // references "leader-election" priority-level
 SuggestedFlowSchemaWorkloadLeaderElection, // references "leader-election" priority-level
+ SuggestedFlowSchemaEndpointsController, // references "workload-high" priority-level
 SuggestedFlowSchemaKubeControllerManager, // references "workload-high" priority-level
 SuggestedFlowSchemaKubeScheduler, // references "workload-high" priority-level
 SuggestedFlowSchemaKubeSystemServiceAccounts, // references "workload-high" priority-level
@@ -312,12 +313,6 @@ var (
 users(user.KubeControllerManager, user.KubeScheduler),
 kubeSystemServiceAccount(flowcontrol.NameAll)...),
 ResourceRules: []flowcontrol.ResourcePolicyRule{
- resourceRule(
- []string{"get", "create", "update"},
- []string{corev1.GroupName},
- []string{"endpoints", "configmaps"},
- []string{"kube-system"},
- false),
 resourceRule(
 []string{"get", "create", "update"},
 []string{coordinationv1.GroupName},
@@ -327,6 +322,31 @@ var (
 },
 },
 )
+ // We add an explicit rule for endpoint-controller with high precedence
+ // to ensure that those calls won't get caught by the following
+ // flow-schema.
+ //
+ // TODO(#80289): Get rid of this rule once we get rid of support for
+ // using endpoints and configmaps objects for leader election.
+ SuggestedFlowSchemaEndpointsController = newFlowSchema(
+ "endpoint-controller", "workload-high", 150,
+ flowcontrol.FlowDistinguisherMethodByUserType,
+ flowcontrol.PolicyRulesWithSubjects{
+ Subjects: append(
+ users(user.KubeControllerManager),
+ kubeSystemServiceAccount("endpoint-controller", "endpointslicemirroring-controller")...),
+ ResourceRules: []flowcontrol.ResourcePolicyRule{
+ resourceRule(
+ []string{"get", "create", "update"},
+ []string{corev1.GroupName},
+ []string{"endpoints"},
+ []string{flowcontrol.NamespaceEvery},
+ false),
+ },
+ },
+ )
+ // TODO(#80289): Get rid of this rule once we get rid of support for
+ // using endpoints and configmaps objects for leader election.
 SuggestedFlowSchemaWorkloadLeaderElection = newFlowSchema(
 "workload-leader-election", "leader-election", 200,
 flowcontrol.FlowDistinguisherMethodByUserType,
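Review bot: The comment on the new SuggestedFlowSchemaEndpointsController says it keeps endpoint-controller calls out of the following flow-schema, but the Subjects also name `user.KubeControllerManager` as a whole, so every endpoints get/create/update issued under that user identity, in any namespace (`flowcontrol.NamespaceEvery`), is classified into workload-high, not only the endpoints controller's. That is wider than the rule deleted in the previous hunk (endpoints and configmaps, kube-system only); because a FlowSchema only selects a priority level and grants no access, the widening does not change authorization, but the comment should state that intent and should say where the controller manager's kube-system configmap leader-election traffic now lands, presumably the workload-leader-election schema whose body continues past the end of this hunk. I would also make "high precedence" concrete, since in API Priority and Fairness a lower matchingPrecedence is evaluated first: `// matchingPrecedence 150: evaluated before workload-leader-election (200) below.`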