Update default PF flow schemas to avoid all endpoint/configmaps operations from controller-manager to match leader-election PL

This commit is contained in:
Wojciech Tyczyński 2021-11-29 20:21:07 +01:00
parent cc6f12583f
commit 849952813b


@ -73,6 +73,7 @@ var (
SuggestedFlowSchemaProbes, // references "exempt" priority-level SuggestedFlowSchemaProbes, // references "exempt" priority-level
SuggestedFlowSchemaSystemLeaderElection, // references "leader-election" priority-level SuggestedFlowSchemaSystemLeaderElection, // references "leader-election" priority-level
SuggestedFlowSchemaWorkloadLeaderElection, // references "leader-election" priority-level SuggestedFlowSchemaWorkloadLeaderElection, // references "leader-election" priority-level
SuggestedFlowSchemaEndpointsController, // references "workload-high" priority-level
SuggestedFlowSchemaKubeControllerManager, // references "workload-high" priority-level SuggestedFlowSchemaKubeControllerManager, // references "workload-high" priority-level
SuggestedFlowSchemaKubeScheduler, // references "workload-high" priority-level SuggestedFlowSchemaKubeScheduler, // references "workload-high" priority-level
SuggestedFlowSchemaKubeSystemServiceAccounts, // references "workload-high" priority-level SuggestedFlowSchemaKubeSystemServiceAccounts, // references "workload-high" priority-level
@ -312,12 +313,6 @@ var (
users(user.KubeControllerManager, user.KubeScheduler), users(user.KubeControllerManager, user.KubeScheduler),
kubeSystemServiceAccount(flowcontrol.NameAll)...), kubeSystemServiceAccount(flowcontrol.NameAll)...),
ResourceRules: []flowcontrol.ResourcePolicyRule{ ResourceRules: []flowcontrol.ResourcePolicyRule{
resourceRule(
[]string{"get", "create", "update"},
[]string{corev1.GroupName},
[]string{"endpoints", "configmaps"},
[]string{"kube-system"},
false),
resourceRule( resourceRule(
[]string{"get", "create", "update"}, []string{"get", "create", "update"},
[]string{coordinationv1.GroupName}, []string{coordinationv1.GroupName},
@ -327,6 +322,31 @@ var (
}, },
}, },
) )
// We add an explicit rule for endpoint-controller with high precedence
// to ensure that those calls won't get caught by the following
// <workload-leader-election> flow-schema.
//
// TODO(#80289): Get rid of this rule once we get rid of support for
// using endpoints and configmaps objects for leader election.
SuggestedFlowSchemaEndpointsController = newFlowSchema(
"endpoint-controller", "workload-high", 150,
flowcontrol.FlowDistinguisherMethodByUserType,
flowcontrol.PolicyRulesWithSubjects{
Subjects: append(
users(user.KubeControllerManager),
kubeSystemServiceAccount("endpoint-controller", "endpointslicemirroring-controller")...),
ResourceRules: []flowcontrol.ResourcePolicyRule{
resourceRule(
[]string{"get", "create", "update"},
[]string{corev1.GroupName},
[]string{"endpoints"},
[]string{flowcontrol.NamespaceEvery},
false),
},
},
)
// TODO(#80289): Get rid of this rule once we get rid of support for
// using endpoints and configmaps objects for leader election.
SuggestedFlowSchemaWorkloadLeaderElection = newFlowSchema( SuggestedFlowSchemaWorkloadLeaderElection = newFlowSchema(
"workload-leader-election", "leader-election", 200, "workload-leader-election", "leader-election", 200,
flowcontrol.FlowDistinguisherMethodByUserType, flowcontrol.FlowDistinguisherMethodByUserType,
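Review bot: The new endpoint-controller schema (L41–L57) only matches the `endpoints` resource, while the commit title and the rule removed from system-leader-election (L22–L27) both cover `configmaps` too; if the workload-leader-election schema, whose definition starts at L60 and continues past the hunk, still lists configmaps for kube-system service accounts, controller-manager configmap writes made under a service-account identity would still land in the leader-election priority level, which looks contrary to the stated intent, so this is worth confirming or documenting at L35–L40. The explanatory comment also leaves two choices unstated: why `user.KubeControllerManager` is a subject next to the two service accounts, and why the rule uses `flowcontrol.NamespaceEvery` where the removed rule was limited to `kube-system`. I would extend the comment with `// Subjects cover both the kube-controller-manager user and the two kube-system` / `// service accounts that write Endpoints, and the rule spans every namespace` / `// because those controllers write Endpoints outside kube-system (confirm).` Precedence 150 sitting below the 200 of workload-leader-election is the mechanism the comment relies on; a short note that the number must stay lower than that schema's precedence would make the coupling explicit to whoever edits either value later.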