Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #968 from tkashem/flowschema-4.5
BUG 1885353: protect openshift traffic by using dedicated flowschema
- Loading branch information
Showing
1 changed file
with
261 additions
and
0 deletions.
There are no files selected for viewing
261 changes: 261 additions & 0 deletions
261
manifests/0000_20_kube-apiserver-operator_08_flowschema.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,261 @@ | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: PriorityLevelConfiguration | ||
| metadata: | ||
| name: openshift-control-plane-operators | ||
| spec: | ||
| limited: | ||
| assuredConcurrencyShares: 10 | ||
| limitResponse: | ||
| queuing: | ||
| handSize: 6 | ||
| queueLengthLimit: 50 | ||
| queues: 128 | ||
| type: Queue | ||
| type: Limited | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-monitoring-metrics | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 2000 | ||
| priorityLevelConfiguration: | ||
| name: workload-high | ||
| rules: | ||
| - nonResourceRules: | ||
| - verbs: | ||
| - '*' | ||
| nonResourceURLs: | ||
| - "/metrics" | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: prometheus-k8s | ||
| namespace: openshift-monitoring | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-kube-apiserver-operator | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 2000 | ||
| priorityLevelConfiguration: | ||
| name: openshift-control-plane-operators | ||
| rules: | ||
| - resourceRules: | ||
| - apiGroups: | ||
| - '*' | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - '*' | ||
| verbs: | ||
| - '*' | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: kube-apiserver-operator | ||
| namespace: openshift-kube-apiserver-operator | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-apiserver-sar | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 2 | ||
| priorityLevelConfiguration: | ||
| name: exempt | ||
| rules: | ||
| - resourceRules: | ||
| - apiGroups: | ||
| - authorization.k8s.io | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - subjectaccessreviews | ||
| verbs: | ||
| - '*' | ||
| - apiGroups: | ||
| - authentication.k8s.io | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - tokenreviews | ||
| verbs: | ||
| - '*' | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: openshift-apiserver-sa | ||
| namespace: openshift-apiserver | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-apiserver | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 1000 | ||
| priorityLevelConfiguration: | ||
| name: workload-high | ||
| rules: | ||
| - resourceRules: | ||
| - apiGroups: | ||
| - '*' | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - '*' | ||
| verbs: | ||
| - '*' | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: openshift-apiserver-sa | ||
| namespace: openshift-apiserver | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-apiserver-operator | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 2000 | ||
| priorityLevelConfiguration: | ||
| name: openshift-control-plane-operators | ||
| rules: | ||
| - resourceRules: | ||
| - apiGroups: | ||
| - '*' | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - '*' | ||
| verbs: | ||
| - '*' | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: openshift-apiserver-operator | ||
| namespace: openshift-apiserver-operator | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-authentication-operator | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 2000 | ||
| priorityLevelConfiguration: | ||
| name: openshift-control-plane-operators | ||
| rules: | ||
| - resourceRules: | ||
| - apiGroups: | ||
| - '*' | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - '*' | ||
| verbs: | ||
| - '*' | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: authentication-operator | ||
| namespace: openshift-authentication-operator | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-oauth-server | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 1000 | ||
| priorityLevelConfiguration: | ||
| name: workload-high | ||
| rules: | ||
| - resourceRules: | ||
| - apiGroups: | ||
| - '*' | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - '*' | ||
| verbs: | ||
| - '*' | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: oauth-openshift | ||
| namespace: openshift-authentication | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-controller-manager | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 1000 | ||
| priorityLevelConfiguration: | ||
| name: workload-high | ||
| rules: | ||
| - resourceRules: | ||
| - apiGroups: | ||
| - '*' | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - '*' | ||
| verbs: | ||
| - '*' | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: openshift-controller-manager-sa | ||
| namespace: openshift-controller-manager | ||
| --- | ||
| apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1 | ||
| kind: FlowSchema | ||
| metadata: | ||
| name: openshift-etcd-operator | ||
| spec: | ||
| distinguisherMethod: | ||
| type: ByUser | ||
| matchingPrecedence: 2000 | ||
| priorityLevelConfiguration: | ||
| name: openshift-control-plane-operators | ||
| rules: | ||
| - resourceRules: | ||
| - apiGroups: | ||
| - '*' | ||
| clusterScope: true | ||
| namespaces: | ||
| - '*' | ||
| resources: | ||
| - '*' | ||
| verbs: | ||
| - '*' | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| serviceAccount: | ||
| name: etcd-operator | ||
| namespace: openshift-etcd-operator |