bug 1885358: protect openshift traffic by using dedicated flowschema

[tkashem]

Define dedicated flowschema and priority configuration that will protect openshift specific traffic.

• SAR and tokenreviews from both oas and oauth are very important
• kcm, other oas and oauth requests, /metrics requests from openshift-monitoring is pretty important
• openshift controller manager is as important as kcm.
• control plane operators are important (kas-o, oas-o, auth operator, etcd operator)
• workloads-low goes below the traffic defined above.

Question:

• do we want to include cvo in the control plane operators, or are there traffic from any other critical operators that we should protect?

New configuration:

After applying the above configuration, we can see that the number of requests from workload-low drops. This implies that traffic from oas, /metrics call from openshift monitoring, traffic from control plane operators are not being throttled anymore.

[tkashem]

/retest

[deads2k]

etcd, kas, kcm, ks, auth, oas

[tkashem]

@deads2k

• kcm (kube controller manager) and ks (scheduler) are already covered by the default set of flowschema shipped.
• by auth you mean openshift-authentication-operator? This is included here.
• oas (openshift apiserver) can't be here, it has a higher priority and will be assigned to aggregated-api-delegated-auth priority configuration.

[deads2k]

found openshift/cluster-openshift-apiserver-operator#398 I like it.

[deads2k]

This should be allowed more requests than openshift-control-plane-operators. Even though it's one server, really don't want to run out.

Also, rename aggregated-api-delegated-auth I think. We'll want to tie the oauth-apiserver to it too, right?

[tkashem]

Also, rename aggregated-api-delegated-auth

sounds good, I am adding a prefix openshift to it.

We'll want to tie the oauth-apiserver to it too, right?

I have added oauth apiserver.

This should be allowed more requests than openshift-control-plane-operators. Even though it's one server, really don't want to run out.

Yes, makes sense. we expect the operators to have a steady call rate (unless there is a bug that causes a hot loop or something) and openshift api servers are tied to the user traffic. I doubled the concurrency share to 20 and reduced for the operators to 10.

[deads2k]

I'd rather keep rules like this local to operators that use them.

[tkashem]

@deads2k Yes, I thought about it. the only concern I have is the matchingPrecedence field. This defines the matching order, so we need to keep in mind all the other values to make sure the right order is maintained.

[deads2k]

@deads2k Yes, I thought about it. the only concern I have is the matchingPrecedence field. This defines the matching order, so we need to keep in mind all the other values to make sure the right order is maintained.

We did this with conventions in the CVO. Our payloads are local. I'm ok moving these in 4.7 instead of 4.6.

[openshift-ci-robot]

@tkashem: This pull request references Bugzilla bug 1885358, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.7.0) matches configured target release for branch (4.7.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

BUG 1885358: protect openshift traffic by using dedicated flowschema

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@tkashem: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

protect openshift traffic by using dedicated flowschema

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[deads2k]

bump this to 100 for me? It should only matter when we start hitting pressure.

[deads2k]

bump this to 100 for me? It should only matter when we start hitting pressure

actually, when looking at it, this is an ok starting point.

[deads2k]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, tkashem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mfojtik]

/bugzilla refresh

[openshift-ci-robot]

@tkashem: All pull requests linked via external trackers have merged:

• openshift/cluster-kube-apiserver-operator#966

Bugzilla bug 1885358 has been moved to the MODIFIED state.

In response to this:

bug 1885358: protect openshift traffic by using dedicated flowschema

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.