ROX-19562: Add annotations to rate limit managed-central routes traffic #1288

rhybrillou · 2023-09-20T12:16:30Z

Description

In order to protect against (D)DOS attacks, the OpenShift routes to Central managed by FleetShard sync are being annotated in order to activate traffic throttling features.

The default values were derived from the haproxy metrics available in the current ACS CS instances.

The most busy central shows a total HTTP response count of 9 averaged over a 5 minute period.
Assuming all the averaged requests were a burst of concurrent requests, these could have been about 3000 requests.
Adding a safety 10 factor, and using powers of two as throttling value, the default would be 32768 concurrent requests.
The most busy central reported up to 43 concurrent connections on a 5 minute period. The limit derived from here is 512 concurrent connections, allowing at most the half as being established at the same time.

Checklist (Definition of Done)

Unit and integration tests added
Added test description under Test manual
Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
CI and all relevant tests are passing
Add the ticket number to the PR title if available, i.e. ROX-12345: ...
Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
Add secret to app-interface Vault or Secrets Manager if necessary
RDS changes were e2e tested manually
Check AWS limits are reasonable for changes provisioning new resources

Test manual

TODO: Add manual testing efforts

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup OCM_OFFLINE_TOKEN=<ocm-offline-token> OCM_ENV=development
make verify lint binary test test/integration

openshift-ci · 2023-09-20T12:16:35Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

fleetshard/config/config.go

fleetshard/pkg/k8s/route.go

fleetshard/pkg/k8s/route_test.go

openshift-ci · 2023-11-02T08:06:51Z

New changes are detected. LGTM label has been removed.

… traffic

openshift-ci · 2023-11-03T12:40:48Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: janisz, rhybrillou
Once this PR has been reviewed and has the lgtm label, please assign porridge for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot added the do-not-merge/work-in-progress label Sep 20, 2023

rhybrillou temporarily deployed to development September 20, 2023 12:16 — with GitHub Actions Inactive

rhybrillou requested review from mtodor and a team September 20, 2023 12:16

rhybrillou temporarily deployed to development September 20, 2023 12:27 — with GitHub Actions Inactive

rhybrillou force-pushed the yann/ROX-19562-add_tcp_limits_to_acscs_routes branch from 51c70e7 to 427fd8f Compare October 2, 2023 14:09

rhybrillou temporarily deployed to development October 2, 2023 14:09 — with GitHub Actions Inactive

openshift-merge-robot added the needs-rebase label Oct 6, 2023

rhybrillou force-pushed the yann/ROX-19562-add_tcp_limits_to_acscs_routes branch from 23f3386 to 591c49a Compare October 13, 2023 06:49

rhybrillou temporarily deployed to development October 13, 2023 06:49 — with GitHub Actions Inactive

openshift-merge-robot removed the needs-rebase label Oct 13, 2023

janisz reviewed Oct 13, 2023

View reviewed changes

rhybrillou temporarily deployed to development October 18, 2023 15:28 — with GitHub Actions Inactive

rhybrillou temporarily deployed to development October 19, 2023 12:59 — with GitHub Actions Inactive

rhybrillou force-pushed the yann/ROX-19562-add_tcp_limits_to_acscs_routes branch from 6319464 to f693384 Compare October 19, 2023 13:00

rhybrillou temporarily deployed to development October 19, 2023 13:00 — with GitHub Actions Inactive

rhybrillou force-pushed the yann/test_route_service branch from fb58e81 to 8b78e0a Compare November 2, 2023 08:06

rhybrillou force-pushed the yann/ROX-19562-add_tcp_limits_to_acscs_routes branch from d7d2c9b to 2c01aee Compare November 2, 2023 08:06

openshift-ci bot removed the lgtm label Nov 2, 2023

rhybrillou temporarily deployed to development November 2, 2023 08:06 — with GitHub Actions Inactive

rhybrillou temporarily deployed to development November 2, 2023 08:08 — with GitHub Actions Inactive

rhybrillou force-pushed the yann/ROX-19562-add_tcp_limits_to_acscs_routes branch from 2c01aee to 9dd71e5 Compare November 2, 2023 11:30

rhybrillou temporarily deployed to development November 2, 2023 11:30 — with GitHub Actions Inactive

rhybrillou temporarily deployed to development November 2, 2023 11:31 — with GitHub Actions Inactive

Base automatically changed from yann/test_route_service to main November 2, 2023 16:39

openshift-merge-robot added the needs-rebase label Nov 2, 2023

rhybrillou added 5 commits November 3, 2023 13:37

ROX-19562: Add route annotations to rate limit managed-central routes…

e672f2c

… traffic

Fix precomit hook - attempt #1

c28531f

Increase default route throttling thresholds

2e82eb0

Align route config TCP values

ef8104b

Address some review comments

82ff178

rhybrillou force-pushed the yann/ROX-19562-add_tcp_limits_to_acscs_routes branch from 9dd71e5 to 82ff178 Compare November 3, 2023 12:40

rhybrillou temporarily deployed to development November 3, 2023 12:40 — with GitHub Actions Inactive

openshift-merge-robot removed the needs-rebase label Nov 3, 2023

Address review comments

ab1c4c2

rhybrillou temporarily deployed to development November 3, 2023 13:05 — with GitHub Actions Inactive

rhybrillou merged commit 4a22e2c into main Nov 3, 2023
5 checks passed

rhybrillou deleted the yann/ROX-19562-add_tcp_limits_to_acscs_routes branch November 3, 2023 13:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ROX-19562: Add annotations to rate limit managed-central routes traffic #1288

ROX-19562: Add annotations to rate limit managed-central routes traffic #1288

rhybrillou commented Sep 20, 2023 •

edited

Loading

openshift-ci bot commented Sep 20, 2023

openshift-ci bot commented Nov 2, 2023

openshift-ci bot commented Nov 3, 2023

ROX-19562: Add annotations to rate limit managed-central routes traffic #1288

ROX-19562: Add annotations to rate limit managed-central routes traffic #1288

Conversation

rhybrillou commented Sep 20, 2023 • edited Loading

Description

Checklist (Definition of Done)

Test manual

openshift-ci bot commented Sep 20, 2023

openshift-ci bot commented Nov 2, 2023

openshift-ci bot commented Nov 3, 2023

rhybrillou commented Sep 20, 2023 •

edited

Loading