Add optional flag to disable client side rate limiting
Signed-off-by: Alex Richman <[email protected]>
ARichman555 committed Sep 19, 2024
1 parent 7cf59b5 commit ec91cdd
Showing 6 changed files with 28 additions and 5 deletions.
6 changes: 4 additions & 2 deletions Makefile
Expand Up @@ -43,7 +43,7 @@ OS := $(shell go env GOOS)
ARCH := $(shell go env GOARCH)

# Kind
KIND_VERSION := 0.11.1
KIND_VERSION := 0.19.0
KIND := ${BIN}/kind-${KIND_VERSION}
K8S_CLUSTER_NAME := pca-external-issuer

Expand Down Expand Up @@ -281,7 +281,9 @@ kind-export-logs:

.PHONY: deploy-cert-manager
deploy-cert-manager: ## Deploy cert-manager in the configured Kubernetes cluster in ~/.kube/config
kubectl apply --filename=https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml --kubeconfig=${TEST_KUBECONFIG_LOCATION}
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.crds.yaml --kubeconfig=${TEST_KUBECONFIG_LOCATION}
helm repo add jetstack https://charts.jetstack.io --force-update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version ${CERT_MANAGER_VERSION} --set config.apiVersion=controller.config.cert-manager.io/v1alpha1 --set config.kind=ControllerConfiguration --set config.kubernetesAPIQPS=10000 --set config.kubernetesAPIBurst=10000 --kubeconfig=${TEST_KUBECONFIG_LOCATION}
kubectl wait --for=condition=Available --timeout=300s apiservice v1.cert-manager.io --kubeconfig=${TEST_KUBECONFIG_LOCATION}

.PHONY: install-local
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -97,6 +97,10 @@ signing. If using an older version of cert-manager (pre v1.3), you can disable
this check by supplying the command line flag `-disable-approved-check` to the
Issuer Deployment.

### Disable Kubernetes Client-Side Rate Limiting

The AWSPCA Issuer will throttle the rate of requests to the kubernetes API server to 20 queries per second by default. This is not necessary for newer versions of Kubernetes that have implemented [API Priority and Fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/). If using a newer version of Kubernetes, you can disable this client-side rate limiting by supplying the command line flag `-disable-client-side-rate-limiting` to the Issuer Deployment.

### Authentication

Please note that if you are using [KIAM](https://github.com/uswitch/kiam) for authentication, this plugin has been tested on KIAM v4.0. [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) is also tested and supported.
3 changes: 3 additions & 0 deletions charts/aws-pca-issuer/templates/deployment.yaml
Expand Up @@ -45,6 +45,9 @@ spec:
{{- if .Values.disableApprovedCheck }}
- -disable-approved-check
{{- end }}
{{- if .Values.disableClientSideRateLimiting }}
- -disable-client-side-rate-limiting
{{- end }}
ports:
- containerPort: 8080
name: http
5 changes: 4 additions & 1 deletion charts/aws-pca-issuer/values.yaml
Expand Up @@ -14,6 +14,9 @@ image:
# Disable waiting for CertificateRequests to be Approved before signing
disableApprovedCheck: false

# Disables Kubernetes client-side rate limiting (only use if API Priority & Fairness is enabled on the cluster).
disableClientSideRateLimiting: false

# Optional secrets used for pulling the container image
#
# For example:
Expand Down Expand Up @@ -179,4 +182,4 @@ serviceMonitor:
# Annotations to add to the Prometheus ServiceMonitor
annotations: {}
# Labels to add to the Prometheus ServiceMonitor
labels: {}
labels: {}
2 changes: 1 addition & 1 deletion e2e/kind_config/config.yaml
Expand Up @@ -11,7 +11,7 @@ containerdConfigPatches:
endpoint = ["http://kind-registry:5000"]
nodes:
- role: control-plane
image: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
image: "kindest/node:v1.22.17@sha256:9af784f45a584f6b28bce2af84c494d947a05bd709151466489008f80a9ce9d5"
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
13 changes: 12 additions & 1 deletion main.go
Expand Up @@ -58,6 +58,7 @@ func main() {
var enableLeaderElection bool
var probeAddr string
var disableApprovedCheck bool
var disableClientSideRateLimiting bool

flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
Expand All @@ -66,6 +67,8 @@ func main() {
"Enabling this will ensure there is only one active controller manager.")
flag.BoolVar(&disableApprovedCheck, "disable-approved-check", false,
"Disables waiting for CertificateRequests to have an approved condition before signing.")
flag.BoolVar(&disableClientSideRateLimiting, "disable-client-side-rate-limiting", false,
"Disables Kubernetes client-side rate limiting (only use if API Priority & Fairness is enabled on the cluster).")

opts := zap.Options{
Development: false,
Expand All @@ -75,7 +78,15 @@ func main() {

ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
config := ctrl.GetConfigOrDie()
if disableClientSideRateLimiting {
// A negative QPS and Burst indicates that the client should not have a rate limiter.
// Ref: https://github.com/kubernetes/kubernetes/blob/v1.24.0/staging/src/k8s.io/client-go/rest/config.go#L354-L364
setupLog.Info("Disabling Kubernetes client rate limiter.")
config.QPS = -1
config.Burst = -1
}
mgr, err := ctrl.NewManager(config, ctrl.Options{
Scheme: scheme,
Metrics: metricsserver.Options{
BindAddress: metricsAddr,
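Review bot: The `if disableClientSideRateLimiting` block overwrites whatever QPS and Burst `ctrl.GetConfigOrDie()` loaded without recording them, so an operator reading the logs cannot tell what limit was in force before the limiter was removed; log the prior values before overwriting, e.g. `setupLog.Info("Disabling Kubernetes client rate limiter.", "previousQPS", config.QPS, "previousBurst", config.Burst)`. If I read the referenced client-go code correctly, the negative values only suppress the token-bucket limiter when `config.RateLimiter` is nil, which should hold for a config from GetConfigOrDie, but the comment ought to state that assumption since a pre-set RateLimiter would silently keep throttling. The comment should also say that with the client limiter off the only back-pressure on this controller is the API server's own API Priority & Fairness, which is what the flag's help text presupposes. main's body continues outside the hunk on both sides.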
