Order suggested FlowSchemas by matching precedence
Kubernetes-commit: 798fc67a3711d83af4b25241e17b80fbcf46e9fd
This commit is contained in:
Mike Spreitzer
Kubernetes Publisher
parent
56ff18e72e
commit
259f814897
|
|
@ -264,44 +264,20 @@ var (
|
|||
})
|
||||
)
|
||||
|
||||
// Suggested FlowSchema objects
|
||||
// Suggested FlowSchema objects.
|
||||
// Ordered by matching precedence, so that their interactions are easier
|
||||
// to follow while reading this source.
|
||||
var (
|
||||
SuggestedFlowSchemaSystemNodes = newFlowSchema(
|
||||
"system-nodes", "system", 500,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
// the following flow schema exempts probes
|
||||
SuggestedFlowSchemaProbes = newFlowSchema(
|
||||
"probes", "exempt", 2,
|
||||
"", // distinguisherMethodType
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.NodesGroup), // the nodes group
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{flowcontrol.APIGroupAll},
|
||||
[]string{flowcontrol.ResourceAll},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
true)},
|
||||
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
|
||||
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
||||
nonResourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{flowcontrol.NonResourceAll}),
|
||||
},
|
||||
},
|
||||
)
|
||||
SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
|
||||
"system-node-high", "node-high", 400,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.NodesGroup), // the nodes group
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{
|
||||
resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{corev1.GroupName},
|
||||
[]string{"nodes", "nodes/status"},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
true),
|
||||
resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{coordinationv1.GroupName},
|
||||
[]string{"leases"},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
false),
|
||||
[]string{"get"},
|
||||
[]string{"/healthz", "/readyz", "/livez"}),
|
||||
},
|
||||
},
|
||||
)
|
||||
|
|
@ -368,6 +344,45 @@ var (
|
|||
},
|
||||
},
|
||||
)
|
||||
SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
|
||||
"system-node-high", "node-high", 400,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.NodesGroup), // the nodes group
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{
|
||||
resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{corev1.GroupName},
|
||||
[]string{"nodes", "nodes/status"},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
true),
|
||||
resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{coordinationv1.GroupName},
|
||||
[]string{"leases"},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
false),
|
||||
},
|
||||
},
|
||||
)
|
||||
SuggestedFlowSchemaSystemNodes = newFlowSchema(
|
||||
"system-nodes", "system", 500,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.NodesGroup), // the nodes group
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{flowcontrol.APIGroupAll},
|
||||
[]string{flowcontrol.ResourceAll},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
true)},
|
||||
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
||||
nonResourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{flowcontrol.NonResourceAll}),
|
||||
},
|
||||
},
|
||||
)
|
||||
SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
|
||||
"kube-controller-manager", "workload-high", 800,
|
||||
flowcontrol.FlowDistinguisherMethodByNamespaceType,
|
||||
|
|
@ -458,19 +473,6 @@ var (
|
|||
},
|
||||
},
|
||||
)
|
||||
// the following flow schema exempts probes
|
||||
SuggestedFlowSchemaProbes = newFlowSchema(
|
||||
"probes", "exempt", 2,
|
||||
"", // distinguisherMethodType
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
|
||||
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
||||
nonResourceRule(
|
||||
[]string{"get"},
|
||||
[]string{"/healthz", "/readyz", "/livez"}),
|
||||
},
|
||||
},
|
||||
)
|
||||
)
|
||||
|
||||
func newPriorityLevelConfiguration(name string, spec flowcontrol.PriorityLevelConfigurationSpec) *flowcontrol.PriorityLevelConfiguration {
|
||||
|
|
|
|||
Loading…
Reference in New Issue