Added 6 patches for 1.21 (#1292)

* Added 6 patches for 1.21 * Checksums
aws · Oct 7, 2022 · 372b66e · 372b66e
1 parent 6fc7d7a
commit 372b66e
Show file tree

Hide file tree

Showing 22 changed files with 88,255 additions and 34 deletions.
diff --git a/projects/kubernetes/kubernetes/1-21/CHECKSUMS b/projects/kubernetes/kubernetes/1-21/CHECKSUMS
@@ -1,19 +1,19 @@
-c9771f479d292b48989f1f231a4313cbc04dedf3ac87ba0d15bcaf132782bcbb  _output/1-21/bin/darwin/amd64/kubectl
-3a2395f88ce22cfc9fb09217d8f8a0e4d0b9f76dfab57beb9aeec16dbe4e2260  _output/1-21/bin/linux/amd64/kube-apiserver
-709d9e00c1993fcfe98083b71a9f15e1251766d1e456703d56e1d74e2e5cd8a2  _output/1-21/bin/linux/amd64/kube-controller-manager
-d09beca0f1513f63022d10591a9e4982cf4daddbf100066c0987ce0f0a3a97cf  _output/1-21/bin/linux/amd64/kube-proxy
-08f8bcf571de0247f664969a5b4f0b6eaed7fd290291ee631d2aea7bf409d038  _output/1-21/bin/linux/amd64/kube-scheduler
-91b3c7c12f258bf9cf43448f05b4f059976ce6a87de5a9f90b4d5527bdc73002  _output/1-21/bin/linux/amd64/kubeadm
-bb23925f7c1315176024e0586500cfd04dc148fa40979756e2e378afd76c0f5b  _output/1-21/bin/linux/amd64/kubectl
-45a9ba8deebaeb6037720e5939d7402e05c7f68ec54214e8409646aa7b6f7e86  _output/1-21/bin/linux/amd64/kubelet
-e55aa250112fc9d190b83367ee547b48a37187f65de577513111b0da96c6ee11  _output/1-21/bin/linux/arm64/kube-apiserver
-3511d7cf4a1dd9714d8a723391abf5e1a87c6cb5c17f3f03b618ebc1a3cf66e5  _output/1-21/bin/linux/arm64/kube-controller-manager
-d463f4464cbe75b6fa74c75a608b2d11ffc641f55d1b8dc1c8b6d55a04425cab  _output/1-21/bin/linux/arm64/kube-proxy
-825bed2fe05f7018179a2dae5003c6ef960eebc240e5f14c01fab5e057e424e1  _output/1-21/bin/linux/arm64/kube-scheduler
-e1c778dbc33cbe6877ab5e5cbb75d23a241d6d989fee449bf8caf4108e1bcfeb  _output/1-21/bin/linux/arm64/kubeadm
-83209aa40b3a258c558da86a71b97fa6f9144158b319c833844e2e776e3538f4  _output/1-21/bin/linux/arm64/kubectl
-c254928fad19cb09baff101141fdbb78596486738bf05a8af759cfd72a19450c  _output/1-21/bin/linux/arm64/kubelet
-92e6457a59db57f39ed6e3887f942a5b84f6afa5d6354442b9afde842cd5a655  _output/1-21/bin/windows/amd64/kube-proxy.exe
-5795f1a2acd887d81e51e611a9a6419dbdd396f0eb03235dc4f649d000f03d72  _output/1-21/bin/windows/amd64/kubeadm.exe
-33f3668cba750ac7f35e8578dd9690ffccfc2a3bda7151e927377f42089a2bcb  _output/1-21/bin/windows/amd64/kubectl.exe
-1a97ff8602f0f71609bc067f8eb522fe1f44e36019e60b00cbe85381dd817d95  _output/1-21/bin/windows/amd64/kubelet.exe
+7afc44a44385f815a0073f89415ff67fc7714961b53d4bae042a36367afde14f  _output/1-21/bin/darwin/amd64/kubectl
+082140bca4696fa0493f7a92a0b810209fa8df78ec0eeb7b8d1b48e93e56d34b  _output/1-21/bin/linux/amd64/kube-apiserver
+28b1ce22688ae71568fcbc11f0179d0d2cf6f120a2ad35bb98097e3cf154d2ea  _output/1-21/bin/linux/amd64/kube-controller-manager
+70c8492bf959813d4635cd3f5d30b96db9f80cfe677f019ef90c33e014764601  _output/1-21/bin/linux/amd64/kube-proxy
+48eaadc6258a6e45d9e788a0fdefaa88ded716800125a1bae24ea8166aec3c05  _output/1-21/bin/linux/amd64/kube-scheduler
+764d807eff897d071eccdd5e9d0182594172e0b2e8083d20a84f5ce06df15d60  _output/1-21/bin/linux/amd64/kubeadm
+018d31fb0bd07140af033c473614965587862e6d9a047536f19a0b1f1c4eca9b  _output/1-21/bin/linux/amd64/kubectl
+edd89c4ef24eaf73af172b708bc2654784461ec8b4228f329bf1509feeee99e9  _output/1-21/bin/linux/amd64/kubelet
+33d1767d7d2cf0a79b8cac099ea03eca98caf7de478713a31a1c5d7e47fe887a  _output/1-21/bin/linux/arm64/kube-apiserver
+53aaadd16aaad0dd9f36cd9936b5c3d51efab374efa2d852977a3b3f72bd41d3  _output/1-21/bin/linux/arm64/kube-controller-manager
+60c09d314d8579fbeffad27303b68d7480a97bd4dd486a3983835603ba5f78ba  _output/1-21/bin/linux/arm64/kube-proxy
+62b19170af1cb9a7edb627e45c4baf5afa4839dbaf65fa845c1d539b80ef54bf  _output/1-21/bin/linux/arm64/kube-scheduler
+0cbccf18b6600d26e5cd0247b44f5633fc5c2bfbe766850be183a81057e6f674  _output/1-21/bin/linux/arm64/kubeadm
+844701d78b60db37f2aff5f61f763a1e09de0ddbad592ad96dd948687ed1c381  _output/1-21/bin/linux/arm64/kubectl
+f9b0ee3800468ce27d1ce10ba9fbd5044c208de89473ed6c0bb2c994b79bccd9  _output/1-21/bin/linux/arm64/kubelet
+fd713d4ae9e7732ebe1bba4b53ade177d81d134f7bea211de3aa0d9d3d62294d  _output/1-21/bin/windows/amd64/kube-proxy.exe
+94de31e745b08aabfc2dc26d11ed71c4a1079b30728bc8479727db6df48d1eb6  _output/1-21/bin/windows/amd64/kubeadm.exe
+bd2a7f0a5791ac1ae423dae51d64f29044bb42de8186a75768dd4ef32dc6bdfb  _output/1-21/bin/windows/amd64/kubectl.exe
+e2ecc2db83180c8c63805374ccbf200a0eda1f47c5ebb41f4c6e54b403ff4bf8  _output/1-21/bin/windows/amd64/kubelet.exe
diff --git a/projects/kubernetes/kubernetes/1-21/patches/0002-EKS-PATCH-Pass-region-to-sts-client.patch b/projects/kubernetes/kubernetes/1-21/patches/0002-EKS-PATCH-Pass-region-to-sts-client.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Rasita Pai <prasita@amazon.com>
 Date: Wed, 13 Oct 2021 10:46:18 -0700
-Subject: --EKS-PATCH-- Pass region to sts client
+Subject: [PATCH] --EKS-PATCH-- Pass region to sts client
 
 Signed-off-by: Jyoti Mahapatra <jyotima@amazon.com>
 ---

diff --git a/...s/kubernetes/1-21/patches/0003-EKS-PATCH-staging-apiserver-disable-info-level-gRPC-.patch b/...s/kubernetes/1-21/patches/0003-EKS-PATCH-staging-apiserver-disable-info-level-gRPC-.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Gyuho Lee <leegyuho@amazon.com>
 Date: Thu, 17 Oct 2019 13:02:49 -0700
-Subject: --EKS-PATCH-- staging/*/apiserver: disable info level gRPC
+Subject: [PATCH] --EKS-PATCH-- staging/*/apiserver: disable info level gRPC
  logging
 
 gRPC balancer wrapper has (non-leveled) info logging on "Notify" call,

diff --git a/...s/kubernetes/1-21/patches/0005-EKS-PATCH-Bypassed-admission-controller-webhook-for-.patch b/...s/kubernetes/1-21/patches/0005-EKS-PATCH-Bypassed-admission-controller-webhook-for-.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Qing Ju <juqing@amazon.com>
 Date: Sun, 18 Oct 2020 10:31:39 -0700
-Subject: --EKS-PATCH-- Bypassed admission controller webhook for
+Subject: [PATCH] --EKS-PATCH-- Bypassed admission controller webhook for
  cluster critical resources
 
 Workaround for Kubernetes issue:

diff --git a/projects/kubernetes/kubernetes/1-21/patches/0006-EKS-PATCH-Use-GNU-date.patch b/projects/kubernetes/kubernetes/1-21/patches/0006-EKS-PATCH-Use-GNU-date.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Micah Hausler <mhausler@amazon.com>
 Date: Sun, 1 Nov 2020 09:24:08 -0800
-Subject: --EKS-PATCH-- Use GNU date
+Subject: [PATCH] --EKS-PATCH-- Use GNU date
 
 Use GNU date if available for builds on darwin
 

diff --git a/...s/kubernetes/1-21/patches/0007-EKS-PATCH-aws_credentials-update-ecr-url-validation-.patch b/...s/kubernetes/1-21/patches/0007-EKS-PATCH-aws_credentials-update-ecr-url-validation-.patch
@@ -2,7 +2,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?chrisDallas=20=E2=98=95=20=F0=9F=8C=A7=EF=B8=8F=20?=
  =?UTF-8?q?=E2=98=82?= <cdalla@amazon.com>
 Date: Thu, 8 Oct 2020 11:58:58 -0700
-Subject: --EKS-PATCH-- (aws_credentials): update ecr url validation
+Subject: [PATCH] --EKS-PATCH-- (aws_credentials): update ecr url validation
  regex
 
 Updates the regex for ECR URL validation to support isolated regions

diff --git a/...s/kubernetes/1-21/patches/0008-EKS-PATCH-delete-leaked-volume-if-driver-doesn-t-kno.patch b/...s/kubernetes/1-21/patches/0008-EKS-PATCH-delete-leaked-volume-if-driver-doesn-t-kno.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Xiang Li <lixiang1992@gwu.edu>
 Date: Mon, 15 Mar 2021 10:59:32 -0700
-Subject: --EKS PATCH-- delete leaked volume if driver doesn't know the
+Subject: [PATCH] --EKS-PATCH-- delete leaked volume if driver doesn't know the
  volume status -- aws
 
 Cherry-pick of upstream Kubernetes:

diff --git a/...s/kubernetes/1-21/patches/0020-EKS-PATCH-extend-sa-token-if-audience-is-apiserver-1.patch b/...s/kubernetes/1-21/patches/0020-EKS-PATCH-extend-sa-token-if-audience-is-apiserver-1.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Jyoti Mahapatra <49211422+jyotimahapatra@users.noreply.github.com>
 Date: Mon, 31 Jan 2022 16:01:52 -0800
-Subject: --EKS-PATCH-- extend sa token if audience is apiserver
+Subject: [PATCH] --EKS-PATCH-- extend sa token if audience is apiserver
  (#105954)
 
 Cherry-pick of upstream Kubernetes PR

diff --git a/...s/kubernetes/1-21/patches/0021-EKS-PATCH-Parse-ipv6-address-before-comparison-10773.patch b/...s/kubernetes/1-21/patches/0021-EKS-PATCH-Parse-ipv6-address-before-comparison-10773.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Jyoti Mahapatra <jyotima@amazon.com>
 Date: Sat, 22 Jan 2022 01:16:11 +0000
-Subject: --EKS-PATCH-- Parse ipv6 address before comparison (#107736)
+Subject: [PATCH] --EKS-PATCH-- Parse ipv6 address before comparison (#107736)
 
 Modified cherry-pick of upstream Kubernetes:
 https://github.com/kubernetes/kubernetes/pull/107736, which is

diff --git a/...s/kubernetes/1-21/patches/0022-EKS-PATCH-AWS-Include-IPv6-addresses-in-NodeAddresse.patch b/...s/kubernetes/1-21/patches/0022-EKS-PATCH-AWS-Include-IPv6-addresses-in-NodeAddresse.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Angus Lees <gus@inodes.org>
 Date: Thu, 19 Nov 2020 17:34:07 +1100
-Subject: --EKS-PATCH-- AWS: Include IPv6 addresses in NodeAddresses
+Subject: [PATCH] --EKS-PATCH-- AWS: Include IPv6 addresses in NodeAddresses
 
 This patch is taken from this commit:
 https://github.com/anguslees/kubernetes/commit/f8ea814e2d459a900bfb5e6f613dbe521b31515b.

diff --git a/...netes/kubernetes/1-21/patches/0023-EKS-PATCH-Update-aws-sdk-to-v1.42.23-for-ap-se-3.patch b/...netes/kubernetes/1-21/patches/0023-EKS-PATCH-Update-aws-sdk-to-v1.42.23-for-ap-se-3.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Jyoti Mahapatra <jyotima@amazon.com>
 Date: Thu, 31 Mar 2022 17:14:16 -0700
-Subject: --EKS-PATCH-- Update aws-sdk to v1.42.23 for ap-se-3
+Subject: [PATCH] --EKS-PATCH-- Update aws-sdk to v1.42.23 for ap-se-3
 
 Update aws-sdk to v1.42.23 for ap-southeast-3 region build
 ---

diff --git a/...cts/kubernetes/kubernetes/1-21/patches/0024-EKS-PATCH-Fix-kubectl-version-unit-test.patch b/...cts/kubernetes/kubernetes/1-21/patches/0024-EKS-PATCH-Fix-kubectl-version-unit-test.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eddie Zaneski <eddiezane@gmail.com>
 Date: Tue, 27 Jul 2021 11:46:45 -0600
-Subject: --EKS-PATCH-- Fix kubectl version unit test
+Subject: [PATCH] --EKS-PATCH-- Fix kubectl version unit test
 
 Cherry-pick of upstream Kubernetes:
 https://github.com/kubernetes/kubernetes/pull/103955, which is

diff --git a/...s/kubernetes/1-21/patches/0025-EKS-PATCH-Add-rate-limiting-when-calling-STS-assume-.patch b/...s/kubernetes/1-21/patches/0025-EKS-PATCH-Add-rate-limiting-when-calling-STS-assume-.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Prateek Gogia <pgogia@amazon.com>
 Date: Mon, 20 Jun 2022 17:35:35 -0500
-Subject: --EKS-PATCH-- Add rate limiting when calling STS assume role
+Subject: [PATCH] --EKS-PATCH-- Add rate limiting when calling STS assume role
  API
 
 Cherry-pick of upstream Kubernetes PR # 110706

diff --git a/projects/kubernetes/kubernetes/1-21/patches/0027-EKS-PATCH-Update-naming-for-a-const.patch b/projects/kubernetes/kubernetes/1-21/patches/0027-EKS-PATCH-Update-naming-for-a-const.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Prateek Gogia <pgogia@amazon.com>
 Date: Thu, 14 Jul 2022 19:13:22 -0500
-Subject: --EKS-PATCH-- Update naming for a const
+Subject: [PATCH] --EKS-PATCH-- Update naming for a const
 
 Cherry-pick of upstream Kubernetes PR # 110706
 The upstream PR is merged and should be available in future k/k releases.

diff --git a/...s/kubernetes/1-21/patches/0028-EKS-PATCH-Skip-mount-point-checks-when-possible-duri.patch b/...s/kubernetes/1-21/patches/0028-EKS-PATCH-Skip-mount-point-checks-when-possible-duri.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Kubernetes Prow Robot <k8s-ci-robot@users.noreply.github.com>
 Date: Thu, 14 Jul 2022 03:02:57 -0700
-Subject: --EKS-PATCH-- Skip mount point checks when possible during
+Subject: [PATCH] --EKS-PATCH-- Skip mount point checks when possible during
  mount cleanup.
 
 Cherry-pick of upstream Kubernetes PR #109676

diff --git a/...s/kubernetes/1-21/patches/0029-EKS-PATCH-Overlaid-OS-s-environment-variables-with-t.patch b/...s/kubernetes/1-21/patches/0029-EKS-PATCH-Overlaid-OS-s-environment-variables-with-t.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Neeraj Shah <neerajx86@gmail.com>
 Date: Fri, 23 Jul 2021 09:45:19 +0530
-Subject: --EKS-PATCH-- Overlaid OS's environment variables with the
+Subject: [PATCH] --EKS-PATCH-- Overlaid OS's environment variables with the
  ones specified in the CredentialProviderConfig
 
  Cherrypick of https://github.com/kubernetes/kubernetes/pull/103231

diff --git a/...s/kubernetes/1-21/patches/0030-EKS-PATCH-Reduce-default-gzip-compression-level-from.patch b/...s/kubernetes/1-21/patches/0030-EKS-PATCH-Reduce-default-gzip-compression-level-from.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shyam Jeedigunta <jeedigv@amazon.com>
+Date: Wed, 7 Sep 2022 13:23:53 -0700
+Subject: [PATCH] --EKS-PATCH-- Reduce default gzip compression level from 4 to
+ 1 in apiserver
+
+Cherry-pick of upstream Kubernetes PR #112299 (https://github.com/kubernetes/kubernetes/pull/112299),
+which has been merged into upstream Kubernetes and back-ported to all minor version branches >= 1.23.
+For versions <= 1.22 which Kubernetes no longer intends to release new patch versions for, we are
+back-porting the patch.
+
+From the original PR description:
+    kube-apiserver: gzip compression switched from level 4 to level 1 to improve large list call
+    latencies in exchange for higher network bandwidth usage (10-50% higher). This increases the
+    headroom before very large unpaged list calls exceed request timeout limits.
+---
+ .../pkg/endpoints/handlers/responsewriters/writers.go       | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go
+index 16e16c35376..2a50c1c589c 100644
+--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go
++++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go
+@@ -143,8 +143,10 @@ var gzipPool = &sync.Pool{
+ }
+
+ const (
+-	// defaultGzipContentEncodingLevel is set to 4 which uses less CPU than the default level
+-	defaultGzipContentEncodingLevel = 4
++	// defaultGzipContentEncodingLevel is set to 1 which uses least CPU compared to higher levels, yet offers
++	// similar compression ratios (off by at most 1.5x, but typically within 1.1x-1.3x). For further details see -
++	// https://github.com/kubernetes/kubernetes/issues/112296
++	defaultGzipContentEncodingLevel = 1
+ 	// defaultGzipThresholdBytes is compared to the size of the first write from the stream
+ 	// (usually the entire object), and if the size is smaller no gzipping will be performed
+ 	// if the client requests it.
diff --git a/...ects/kubernetes/kubernetes/1-21/patches/0031-EKS-PATCH-Add-node-high-priority-level.patch b/...ects/kubernetes/kubernetes/1-21/patches/0031-EKS-PATCH-Add-node-high-priority-level.patch
@@ -0,0 +1,96 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maciej Borsz <maciejborsz@google.com>
+Date: Thu, 15 Apr 2021 16:24:02 +0200
+Subject: [PATCH] --EKS-PATCH-- Add "node-high" priority-level
+
+Cherry-pick of upstream Kubernetes PR #101151
+(https://github.com/kubernetes/kubernetes/pull/101151),
+which is available in Kubernetes versions 1.22+.
+
+From the original PR description:
+    It adds "node-high" priority-level that is used by kubelets to report their status.
+    It has two goal:
+        - making sure that kubelets are able to report their status even if control
+          plane is overloaded by high pod churn (e.g. pod creation events, fetching
+          secrets, fetching pods).
+        - increasing total shares assigned to traffic that before this PR used "system"
+          (in large clusters this is ~1K QPS, up to 90% of traffic in the cluster).
+---
+ .../pkg/apis/flowcontrol/bootstrap/default.go | 43 +++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go b/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
+index a3a1dddc6ff..64600beca31 100644
+--- a/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
++++ b/staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go
+@@ -48,6 +48,11 @@ var (
+ 		// cluster and the availability of those running pods in the cluster, including kubelet and
+ 		// kube-proxy.
+ 		SuggestedPriorityLevelConfigurationSystem,
++		// "node-high" priority-level is for the node health reporting. It is separated from "system"
++		// to make sure that nodes are able to report their health even if kube-apiserver is not capable of
++		// handling load caused by pod startup (fetching secrets, events etc).
++		// NOTE: In large clusters 50% - 90% of all API calls use this priority-level.
++		SuggestedPriorityLevelConfigurationNodeHigh,
+ 		// "leader-election" is dedicated for controllers' leader-election, which majorly affects the
+ 		// availability of any controller runs in the cluster.
+ 		SuggestedPriorityLevelConfigurationLeaderElection,
+@@ -64,6 +69,7 @@ var (
+ 	}
+ 	SuggestedFlowSchemas = []*flowcontrol.FlowSchema{
+ 		SuggestedFlowSchemaSystemNodes,               // references "system" priority-level
++		SuggestedFlowSchemaSystemNodeHigh,            // references "node-high" priority-level
+ 		SuggestedFlowSchemaProbes,                    // references "exempt" priority-level
+ 		SuggestedFlowSchemaSystemLeaderElection,      // references "leader-election" priority-level
+ 		SuggestedFlowSchemaWorkloadLeaderElection,    // references "leader-election" priority-level
+@@ -171,6 +177,22 @@ var (
+ 				},
+ 			},
+ 		})
++	SuggestedPriorityLevelConfigurationNodeHigh = newPriorityLevelConfiguration(
++		"node-high",
++		flowcontrol.PriorityLevelConfigurationSpec{
++			Type: flowcontrol.PriorityLevelEnablementLimited,
++			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
++				AssuredConcurrencyShares: 40,
++				LimitResponse: flowcontrol.LimitResponse{
++					Type: flowcontrol.LimitResponseTypeQueue,
++					Queuing: &flowcontrol.QueuingConfiguration{
++						Queues:           64,
++						HandSize:         6,
++						QueueLengthLimit: 50,
++					},
++				},
++			},
++		})
+ 	// leader-election priority-level
+ 	SuggestedPriorityLevelConfigurationLeaderElection = newPriorityLevelConfiguration(
+ 		"leader-election",
+@@ -261,6 +283,27 @@ var (
+ 			},
+ 		},
+ 	)
++	SuggestedFlowSchemaSystemNodeHigh = newFlowSchema(
++		"system-node-high", "node-high", 400,
++		flowcontrol.FlowDistinguisherMethodByUserType,
++		flowcontrol.PolicyRulesWithSubjects{
++			Subjects: groups(user.NodesGroup), // the nodes group
++			ResourceRules: []flowcontrol.ResourcePolicyRule{
++				resourceRule(
++					[]string{flowcontrol.VerbAll},
++					[]string{corev1.GroupName},
++					[]string{"nodes", "nodes/status"},
++					[]string{flowcontrol.NamespaceEvery},
++					true),
++				resourceRule(
++					[]string{flowcontrol.VerbAll},
++					[]string{coordinationv1.GroupName},
++					[]string{"leases"},
++					[]string{flowcontrol.NamespaceEvery},
++					false),
++			},
++		},
++	)
+ 	SuggestedFlowSchemaSystemLeaderElection = newFlowSchema(
+ 		"system-leader-election", "leader-election", 100,
+ 		flowcontrol.FlowDistinguisherMethodByUserType,