Order suggested FlowSchemas by matching precedence
Kubernetes-commit: 798fc67a3711d83af4b25241e17b80fbcf46e9fd
parent
56ff18e72e
commit
259f814897
|
@ -264,44 +264,20 @@ var (
|
||||||
})
|
})
|
||||||
)
|
)
|
||||||
|
|
||||||
// Suggested FlowSchema objects
|
// Suggested FlowSchema objects.
|
||||||
|
// Ordered by matching precedence, so that their interactions are easier
|
||||||
|
// to follow while reading this source.
|
||||||
var (
|
var (
|
||||||
SuggestedFlowSchemaSystemNodes = newFlowSchema(
|
// the following flow schema exempts probes
|
||||||
"system-nodes", "system", 500,
|
SuggestedFlowSchemaProbes = newFlowSchema(
|
||||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
"probes", "exempt", 2,
|
||||||
|
"", // distinguisherMethodType
|
||||||
flowcontrol.PolicyRulesWithSubjects{
|
flowcontrol.PolicyRulesWithSubjects{
|
||||||
Subjects: groups(user.NodesGroup), // the nodes group
|
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
|
||||||
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
|
|
||||||
[]string{flowcontrol.VerbAll},
|
|
||||||
[]string{flowcontrol.APIGroupAll},
|
|
||||||
[]string{flowcontrol.ResourceAll},
|
|
||||||
[]string{flowcontrol.NamespaceEvery},
|
|
||||||
true)},
|
|
||||||
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
||||||
nonResourceRule(
|
nonResourceRule(
|
||||||
[]string{flowcontrol.VerbAll},
|
[]string{"get"},
|
||||||
[]string{flowcontrol.NonResourceAll}),
|
[]string{"/healthz", "/readyz", "/livez"}),
|
||||||
},
|
|
||||||
},
|
|
||||||
)
|
|
||||||
SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
|
|
||||||
"system-node-high", "node-high", 400,
|
|
||||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
|
||||||
flowcontrol.PolicyRulesWithSubjects{
|
|
||||||
Subjects: groups(user.NodesGroup), // the nodes group
|
|
||||||
ResourceRules: []flowcontrol.ResourcePolicyRule{
|
|
||||||
resourceRule(
|
|
||||||
[]string{flowcontrol.VerbAll},
|
|
||||||
[]string{corev1.GroupName},
|
|
||||||
[]string{"nodes", "nodes/status"},
|
|
||||||
[]string{flowcontrol.NamespaceEvery},
|
|
||||||
true),
|
|
||||||
resourceRule(
|
|
||||||
[]string{flowcontrol.VerbAll},
|
|
||||||
[]string{coordinationv1.GroupName},
|
|
||||||
[]string{"leases"},
|
|
||||||
[]string{flowcontrol.NamespaceEvery},
|
|
||||||
false),
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
@ -368,6 +344,45 @@ var (
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
|
||||||
|
"system-node-high", "node-high", 400,
|
||||||
|
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||||
|
flowcontrol.PolicyRulesWithSubjects{
|
||||||
|
Subjects: groups(user.NodesGroup), // the nodes group
|
||||||
|
ResourceRules: []flowcontrol.ResourcePolicyRule{
|
||||||
|
resourceRule(
|
||||||
|
[]string{flowcontrol.VerbAll},
|
||||||
|
[]string{corev1.GroupName},
|
||||||
|
[]string{"nodes", "nodes/status"},
|
||||||
|
[]string{flowcontrol.NamespaceEvery},
|
||||||
|
true),
|
||||||
|
resourceRule(
|
||||||
|
[]string{flowcontrol.VerbAll},
|
||||||
|
[]string{coordinationv1.GroupName},
|
||||||
|
[]string{"leases"},
|
||||||
|
[]string{flowcontrol.NamespaceEvery},
|
||||||
|
false),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
)
|
||||||
|
SuggestedFlowSchemaSystemNodes = newFlowSchema(
|
||||||
|
"system-nodes", "system", 500,
|
||||||
|
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||||
|
flowcontrol.PolicyRulesWithSubjects{
|
||||||
|
Subjects: groups(user.NodesGroup), // the nodes group
|
||||||
|
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
|
||||||
|
[]string{flowcontrol.VerbAll},
|
||||||
|
[]string{flowcontrol.APIGroupAll},
|
||||||
|
[]string{flowcontrol.ResourceAll},
|
||||||
|
[]string{flowcontrol.NamespaceEvery},
|
||||||
|
true)},
|
||||||
|
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
||||||
|
nonResourceRule(
|
||||||
|
[]string{flowcontrol.VerbAll},
|
||||||
|
[]string{flowcontrol.NonResourceAll}),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
)
|
||||||
SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
|
SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
|
||||||
"kube-controller-manager", "workload-high", 800,
|
"kube-controller-manager", "workload-high", 800,
|
||||||
flowcontrol.FlowDistinguisherMethodByNamespaceType,
|
flowcontrol.FlowDistinguisherMethodByNamespaceType,
|
||||||
|
@ -458,19 +473,6 @@ var (
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
// the following flow schema exempts probes
|
|
||||||
SuggestedFlowSchemaProbes = newFlowSchema(
|
|
||||||
"probes", "exempt", 2,
|
|
||||||
"", // distinguisherMethodType
|
|
||||||
flowcontrol.PolicyRulesWithSubjects{
|
|
||||||
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
|
|
||||||
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
|
||||||
nonResourceRule(
|
|
||||||
[]string{"get"},
|
|
||||||
[]string{"/healthz", "/readyz", "/livez"}),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func newPriorityLevelConfiguration(name string, spec flowcontrol.PriorityLevelConfigurationSpec) *flowcontrol.PriorityLevelConfiguration {
|
func newPriorityLevelConfiguration(name string, spec flowcontrol.PriorityLevelConfigurationSpec) *flowcontrol.PriorityLevelConfiguration {
|
||||||
|
|
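Review bot: The comment carried along with SuggestedFlowSchemaProbes in the first hunk, `// the following flow schema exempts probes`, understates what the schema matches: its subjects are `groups(user.AllUnauthenticated, user.AllAuthenticated)`, so every caller, anonymous ones included, is sent to the `exempt` priority level for `get` on `/healthz`, `/readyz` and `/livez` at matching precedence 2. Since the declaration now opens the block, I would spell that out, for example `// Exempts GET on the health endpoints for all callers, authenticated or not; keep the verb and path lists narrow, because anything matched here is not subject to priority-and-fairness limits.` The new header states that the declarations are ordered by matching precedence, but nothing visible in these hunks enforces it; if the package has no test for it, a small check that walks the suggested list and compares precedences would keep the comment true. The `var (` block starts and ends outside the hunks shown, so the ordering of the schemas between these hunks could not be checked from here.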