kubernetes

History

Francesco Romani b837a0c1ff kubelet: podresources: DOS prevention with builtin ratelimit Implement DOS prevention wiring a global rate limit for podresources API. The goal here is not to introduce a general ratelimiting solution for the kubelet (we need more research and discussion to get there), but rather to prevent misuse of the API. Known limitations: - the rate limits value (QPS, BurstTokens) are hardcoded to "high enough" values. Enabling user-configuration would require more discussion and sweeping changes to the other kubelet endpoints, so it is postponed for now. - the rate limiting is global. Malicious clients can starve other clients consuming the QPS quota. Add e2e test to exercise the flow, because the wiring itself is mostly boilerplate and API adaptation.	2023-03-11 08:00:54 +01:00
..
ratelimit.go	kubelet: podresources: DOS prevention with builtin ratelimit	2023-03-11 08:00:54 +01:00

Francesco Romani b837a0c1ff kubelet: podresources: DOS prevention with builtin ratelimit

Implement DOS prevention wiring a global rate limit for podresources
API. The goal here is not to introduce a general ratelimiting solution
for the kubelet (we need more research and discussion to get there),
but rather to prevent misuse of the API.

Known limitations:
- the rate limits value (QPS, BurstTokens) are hardcoded to
  "high enough" values.
  Enabling user-configuration would require more discussion
  and sweeping changes to the other kubelet endpoints, so it
  is postponed for now.
- the rate limiting is global. Malicious clients can starve other
  clients consuming the QPS quota.

Add e2e test to exercise the flow, because the wiring itself
is mostly boilerplate and API adaptation.

2023-03-11 08:00:54 +01:00

ratelimit.go

kubelet: podresources: DOS prevention with builtin ratelimit

2023-03-11 08:00:54 +01:00