KEP-606: clarify GA blockers #3863
Clarify GA blockers as asked in kubernetes#3791 (review) kubernetes#3791 (comment)

- Explicitly added Windows support (and all the other platforms supported by device plugins) as GA condition.
- Added DOS prevention as GA condition, and clarified the perimeter of the DOS attack surface area.

Signed-off-by: Francesco Romani <[email protected]>
84447ee to d3d2360
/lgtm
/assign @dchen1107
@ffromani thanks for the followup PR. :-) /lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: dchen1107, ffromani, SergeyKanzhelev
The full list of commands accepted by this bot can be found here. The pull request process is described here.
The podresources API is a node-local gRPC API exposed by the kubelet using a UNIX-domain socket which allows clients to query about compute resources exclusively allocated to pods (devices, cpus...).

As part of the feature GA graduation, we identified the requirement to add rate limiting to prevent DOS from buggy or malicious clients [1][2]. So this change extends the KubeletConfiguration to allow configuring the ratelimit parameters.

The interface intentionally mimics the parameters of the golang/x/time/rate package [3], because it's simple and already being used in the codebase. Because of this, there is an interdependency between the rate limiter configuration parameters. This is the reason why the rate limiting is optional, with defaults to "no limits" for backward compatibility, but if specified, all the rate limit configuration values must be given (e.g. burst doesn't make much sense without frequency, see [3]).

+++
[1] kubernetes/enhancements#3791
[2] kubernetes/enhancements#3863
[3] https://pkg.go.dev/golang.org/x/time/rate#Limiter

Signed-off-by: Francesco Romani <[email protected]>
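The configuration rule described in the commit message above (optional, "no limits" by default, every value required once any is given), as an added example that is not the kubelet's code. `RateLimitConfig`, `NewBucket` and `Bucket` are hypothetical names, and the token bucket is a standard-library stand-in for `golang.org/x/time/rate`, which the commit message names as the model.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// RateLimitConfig: hypothetical field names; a nil pointer means "not specified".
type RateLimitConfig struct {
	QPS   *float64 // tokens refilled per second
	Burst *int     // bucket capacity
}

// Bucket is a minimal token bucket for this example (not goroutine-safe).
type Bucket struct {
	qps, burst, tokens float64
	last               time.Time
}

// NewBucket enforces the all-or-nothing rule; a nil *Bucket means "no limits".
func NewBucket(c RateLimitConfig, now time.Time) (*Bucket, error) {
	if c.QPS == nil && c.Burst == nil {
		return nil, nil // backward-compatible default
	}
	if c.QPS == nil || c.Burst == nil || *c.QPS <= 0 || *c.Burst < 1 {
		return nil, errors.New("qps (> 0) and burst (>= 1) must both be set")
	}
	return &Bucket{qps: *c.QPS, burst: float64(*c.Burst), tokens: float64(*c.Burst), last: now}, nil
}

// Allow refills by elapsed time, then spends one token if one is available.
func (b *Bucket) Allow(now time.Time) bool {
	if b == nil {
		return true
	}
	b.tokens = math.Min(b.burst, b.tokens+now.Sub(b.last).Seconds()*b.qps)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

func main() {
	q := 10.0 // burst deliberately left unset: the config is rejected
	fmt.Println(NewBucket(RateLimitConfig{QPS: &q}, time.Now()))
}
```

A server handling concurrent gRPC calls would need to guard `Allow` with a mutex; the clock is passed in so the behaviour can be tested deterministically.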
One-line PR description: clarify GA blockers as requested in the KEP review
Issue link: graduate the kubelet podresources endpoint to GA #3743
Clarify GA blockers as asked in #3791 (review) #3791 (comment)