public/rancher-docs
1
0
Fork 0
mirror of https://github.com/rancher/rancher-docs.git synced 2026-05-16 10:03:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Document RKE event rate limiting feature

Browse Source
This commit is contained in:
Catherine Luse
2019-12-12 12:53:40 -07:00
parent a70b7062bf
commit 3c65879db3
2 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/rke/latest/en/config-options/_index.md
+1
View File
@@ -25,6 +25,7 @@ There are several options that can be configured in cluster configuration option
* [External Etcd]({{< baseurl >}}/rke/latest/en/config-options/services/external-etcd/)
* [Authentication]({{< baseurl >}}/rke/latest/en/config-options/authentication/)
* [Authorization]({{< baseurl >}}/rke/latest/en/config-options/authorization/)
* [Rate Limiting]({{<baseurl>}}/rke/latest/en/config-options/rate-limiting/)
* [Cloud Providers]({{< baseurl >}}/rke/latest/en/config-options/cloud-providers/)
* [Add-ons]({{< baseurl >}}/rke/latest/en/config-options/add-ons/)
* [Network Plug-ins]({{< baseurl >}}/rke/latest/en/config-options/add-ons/network-plugins/)
content/rke/latest/en/config-options/rate-limiting/_index.md
+56
View File
@@ -0,0 +1,56 @@
---
title: Rate Limiting
weight: 241
---
Using the `EventRateLimit` admission control enforces a limit on the number of events that the API Server will accept in a given time period. In a large multi-tenant cluster, there might be a small percentage of tenants that flood the server with event requests, which could have a significant impact on the performance of the cluster overall. Therefore, it is recommended to limit the rate of events that the API server will accept.
You might want to configure event rate limit as part of compliance with the CIS (Center for Internet Security) Kubernetes Benchmark. Event rate limiting corresponds to the CIS Kubernetes Benchmark 1.1.36 - Ensure that the admission control plugin `EventRateLimit` is set (Scored).
Rate limits can be configured for the server, a namespace, a user, or a combination of a source and an object.
For configuration details, refer to the [official Kubernetes documentation.](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit)
### Example Configurations
The following configuration in the `cluster.yml` can be used to enable the event rate limit by default:
```yaml
services:
kube-api:
service_cluster_ip_range: 10.44.0.0/24
event_rate_limit:
enabled: true
```
When the event rate limit is enabled, you should be able to see the default values at `/etc/kubernetes/admission.yaml`:
```yaml
...
plugins:
- configuration:
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
kind: Configuration
limits:
- burst: 20000
qps: 5000
type: Server
...
```
To customize the event rate limit, the entire Kubernetes resource for the configuration must be provided in the `configuration` directive:
```yaml
services:
kube-api:
service_cluster_ip_range: 10.44.0.0/24
event_rate_limit:
enabled: true
configuration:
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
kind: Configuration
limits:
- type: Server
qps: 6000
burst: 30000
```