Upgrade k8s package verison (#5358)
* upgrade k8s package version Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> * Script upgrade and code formatting. Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>
This commit is contained in:
hongzhouzi
148
vendor/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
generated
vendored
148
vendor/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
generated
vendored
@@ -19,7 +19,7 @@ package bootstrap
|
||||
import (
|
||||
coordinationv1 "k8s.io/api/coordination/v1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
flowcontrol "k8s.io/api/flowcontrol/v1beta1"
|
||||
flowcontrol "k8s.io/api/flowcontrol/v1beta2"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
@@ -48,6 +48,11 @@ var (
|
||||
// cluster and the availability of those running pods in the cluster, including kubelet and
|
||||
// kube-proxy.
|
||||
SuggestedPriorityLevelConfigurationSystem,
|
||||
// "node-high" priority-level is for the node health reporting. It is separated from "system"
|
||||
// to make sure that nodes are able to report their health even if kube-apiserver is not capable of
|
||||
// handling load caused by pod startup (fetching secrets, events etc).
|
||||
// NOTE: In large clusters 50% - 90% of all API calls use this priority-level.
|
||||
SuggestedPriorityLevelConfigurationNodeHigh,
|
||||
// "leader-election" is dedicated for controllers' leader-election, which majorly affects the
|
||||
// availability of any controller runs in the cluster.
|
||||
SuggestedPriorityLevelConfigurationLeaderElection,
|
||||
@@ -64,9 +69,11 @@ var (
|
||||
}
|
||||
SuggestedFlowSchemas = []*flowcontrol.FlowSchema{
|
||||
SuggestedFlowSchemaSystemNodes, // references "system" priority-level
|
||||
SuggestedFlowSchemaSystemNodeHigh, // references "node-high" priority-level
|
||||
SuggestedFlowSchemaProbes, // references "exempt" priority-level
|
||||
SuggestedFlowSchemaSystemLeaderElection, // references "leader-election" priority-level
|
||||
SuggestedFlowSchemaWorkloadLeaderElection, // references "leader-election" priority-level
|
||||
SuggestedFlowSchemaEndpointsController, // references "workload-high" priority-level
|
||||
SuggestedFlowSchemaKubeControllerManager, // references "workload-high" priority-level
|
||||
SuggestedFlowSchemaKubeScheduler, // references "workload-high" priority-level
|
||||
SuggestedFlowSchemaKubeSystemServiceAccounts, // references "workload-high" priority-level
|
||||
@@ -171,6 +178,22 @@ var (
|
||||
},
|
||||
},
|
||||
})
|
||||
SuggestedPriorityLevelConfigurationNodeHigh = newPriorityLevelConfiguration(
|
||||
"node-high",
|
||||
flowcontrol.PriorityLevelConfigurationSpec{
|
||||
Type: flowcontrol.PriorityLevelEnablementLimited,
|
||||
Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
|
||||
AssuredConcurrencyShares: 40,
|
||||
LimitResponse: flowcontrol.LimitResponse{
|
||||
Type: flowcontrol.LimitResponseTypeQueue,
|
||||
Queuing: &flowcontrol.QueuingConfiguration{
|
||||
Queues: 64,
|
||||
HandSize: 6,
|
||||
QueueLengthLimit: 50,
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
// leader-election priority-level
|
||||
SuggestedPriorityLevelConfigurationLeaderElection = newPriorityLevelConfiguration(
|
||||
"leader-election",
|
||||
@@ -241,23 +264,20 @@ var (
|
||||
})
|
||||
)
|
||||
|
||||
// Suggested FlowSchema objects
|
||||
// Suggested FlowSchema objects.
|
||||
// Ordered by matching precedence, so that their interactions are easier
|
||||
// to follow while reading this source.
|
||||
var (
|
||||
SuggestedFlowSchemaSystemNodes = newFlowSchema(
|
||||
"system-nodes", "system", 500,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
// the following flow schema exempts probes
|
||||
SuggestedFlowSchemaProbes = newFlowSchema(
|
||||
"probes", "exempt", 2,
|
||||
"", // distinguisherMethodType
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.NodesGroup), // the nodes group
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{flowcontrol.APIGroupAll},
|
||||
[]string{flowcontrol.ResourceAll},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
true)},
|
||||
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
|
||||
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
||||
nonResourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{flowcontrol.NonResourceAll}),
|
||||
[]string{"get"},
|
||||
[]string{"/healthz", "/readyz", "/livez"}),
|
||||
},
|
||||
},
|
||||
)
|
||||
@@ -269,12 +289,6 @@ var (
|
||||
users(user.KubeControllerManager, user.KubeScheduler),
|
||||
kubeSystemServiceAccount(flowcontrol.NameAll)...),
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{
|
||||
resourceRule(
|
||||
[]string{"get", "create", "update"},
|
||||
[]string{corev1.GroupName},
|
||||
[]string{"endpoints", "configmaps"},
|
||||
[]string{"kube-system"},
|
||||
false),
|
||||
resourceRule(
|
||||
[]string{"get", "create", "update"},
|
||||
[]string{coordinationv1.GroupName},
|
||||
@@ -284,6 +298,31 @@ var (
|
||||
},
|
||||
},
|
||||
)
|
||||
// We add an explicit rule for endpoint-controller with high precedence
|
||||
// to ensure that those calls won't get caught by the following
|
||||
// <workload-leader-election> flow-schema.
|
||||
//
|
||||
// TODO(#80289): Get rid of this rule once we get rid of support for
|
||||
// using endpoints and configmaps objects for leader election.
|
||||
SuggestedFlowSchemaEndpointsController = newFlowSchema(
|
||||
"endpoint-controller", "workload-high", 150,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: append(
|
||||
users(user.KubeControllerManager),
|
||||
kubeSystemServiceAccount("endpoint-controller", "endpointslicemirroring-controller")...),
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{
|
||||
resourceRule(
|
||||
[]string{"get", "create", "update"},
|
||||
[]string{corev1.GroupName},
|
||||
[]string{"endpoints"},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
false),
|
||||
},
|
||||
},
|
||||
)
|
||||
// TODO(#80289): Get rid of this rule once we get rid of support for
|
||||
// using endpoints and configmaps objects for leader election.
|
||||
SuggestedFlowSchemaWorkloadLeaderElection = newFlowSchema(
|
||||
"workload-leader-election", "leader-election", 200,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
@@ -305,6 +344,45 @@ var (
|
||||
},
|
||||
},
|
||||
)
|
||||
SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
|
||||
"system-node-high", "node-high", 400,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.NodesGroup), // the nodes group
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{
|
||||
resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{corev1.GroupName},
|
||||
[]string{"nodes", "nodes/status"},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
true),
|
||||
resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{coordinationv1.GroupName},
|
||||
[]string{"leases"},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
false),
|
||||
},
|
||||
},
|
||||
)
|
||||
SuggestedFlowSchemaSystemNodes = newFlowSchema(
|
||||
"system-nodes", "system", 500,
|
||||
flowcontrol.FlowDistinguisherMethodByUserType,
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.NodesGroup), // the nodes group
|
||||
ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{flowcontrol.APIGroupAll},
|
||||
[]string{flowcontrol.ResourceAll},
|
||||
[]string{flowcontrol.NamespaceEvery},
|
||||
true)},
|
||||
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
||||
nonResourceRule(
|
||||
[]string{flowcontrol.VerbAll},
|
||||
[]string{flowcontrol.NonResourceAll}),
|
||||
},
|
||||
},
|
||||
)
|
||||
SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
|
||||
"kube-controller-manager", "workload-high", 800,
|
||||
flowcontrol.FlowDistinguisherMethodByNamespaceType,
|
||||
@@ -395,25 +473,18 @@ var (
|
||||
},
|
||||
},
|
||||
)
|
||||
// the following flow schema exempts probes
|
||||
SuggestedFlowSchemaProbes = newFlowSchema(
|
||||
"probes", "exempt", 2,
|
||||
"", // distinguisherMethodType
|
||||
flowcontrol.PolicyRulesWithSubjects{
|
||||
Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
|
||||
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
|
||||
nonResourceRule(
|
||||
[]string{"get"},
|
||||
[]string{"/healthz", "/readyz", "/livez"}),
|
||||
},
|
||||
},
|
||||
)
|
||||
)
|
||||
|
||||
func newPriorityLevelConfiguration(name string, spec flowcontrol.PriorityLevelConfigurationSpec) *flowcontrol.PriorityLevelConfiguration {
|
||||
return &flowcontrol.PriorityLevelConfiguration{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: name},
|
||||
Spec: spec}
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Annotations: map[string]string{
|
||||
flowcontrol.AutoUpdateAnnotationKey: "true",
|
||||
},
|
||||
},
|
||||
Spec: spec,
|
||||
}
|
||||
}
|
||||
|
||||
func newFlowSchema(name, plName string, matchingPrecedence int32, dmType flowcontrol.FlowDistinguisherMethodType, rules ...flowcontrol.PolicyRulesWithSubjects) *flowcontrol.FlowSchema {
|
||||
@@ -422,7 +493,12 @@ func newFlowSchema(name, plName string, matchingPrecedence int32, dmType flowcon
|
||||
dm = &flowcontrol.FlowDistinguisherMethod{Type: dmType}
|
||||
}
|
||||
return &flowcontrol.FlowSchema{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: name},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Annotations: map[string]string{
|
||||
flowcontrol.AutoUpdateAnnotationKey: "true",
|
||||
},
|
||||
},
|
||||
Spec: flowcontrol.FlowSchemaSpec{
|
||||
PriorityLevelConfiguration: flowcontrol.PriorityLevelConfigurationReference{
|
||||
Name: plName,
|
||||
|
||||
Reference in New Issue
Block a user