From d4bd26a438e71633eac6f653c9430bcb8e8c20ea Mon Sep 17 00:00:00 2001
From: Michael Voelker
Date: Mon, 18 Mar 2024 14:37:12 +0100
Subject: [PATCH 1/2] add command line args --kube-api-qps/--kube-api-burst
---
 cmd/kube-rbac-proxy/app/kube-rbac-proxy.go | 7 +++++++
 cmd/kube-rbac-proxy/app/options/options.go | 5 +++++
 2 files changed, 12 insertions(+)
diff --git a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
index e0ffb794e..fcd13551d 100644
--- a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
+++ b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
@@ -189,6 +189,13 @@ func Complete(o *options.ProxyRunOptions) (*completedProxyRunOptions, error) {
 return nil, fmt.Errorf("failed to load kubeconfig: %w", err)
 }
+ if o.QPS > 0 {
+ kubeconfig.QPS = o.QPS
+ }
+ if o.Burst > 0 {
+ kubeconfig.Burst = o.Burst
+ }
+
 completed.kubeClient, err = kubernetes.NewForConfig(kubeconfig)
 if err != nil {
 return nil, fmt.Errorf("failed to instantiate Kubernetes client: %w", err)
diff --git a/cmd/kube-rbac-proxy/app/options/options.go b/cmd/kube-rbac-proxy/app/options/options.go
index 3ef6ed739..fe46c92e3 100644
--- a/cmd/kube-rbac-proxy/app/options/options.go
+++ b/cmd/kube-rbac-proxy/app/options/options.go
@@ -51,6 +51,9 @@ type ProxyRunOptions struct {
 HTTP2MaxConcurrentStreams uint32
 HTTP2MaxSize uint32
+ QPS float32
+ Burst int
+
 flagSet *pflag.FlagSet
 }
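Review bot: The `> 0` guards in Complete drop a negative `--kube-api-qps` or `--kube-api-burst` without any error, so a mistyped value leaves the client on the kubeconfig's limits while the operator believes an override is active. Rejecting it before the assignments would make that visible: `if o.QPS < 0 || o.Burst < 0 { return nil, fmt.Errorf("kube-api-qps and kube-api-burst must not be negative") }`. The help text in options.go says `--kube-api-burst` is needed when `--kube-api-qps` is set, but nothing here enforces that pairing; with only QPS given, Burst stays at whatever the loaded kubeconfig carries (client-go applies its own default when that is zero, as far as I know). Complete starts and ends outside the hunk, so a check may already exist elsewhere in it.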
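Review bot: `QPS` and `Burst` in ProxyRunOptions carry no comment, and their names do not say which traffic they limit; in a proxy that itself serves requests they can be read as limits on proxied traffic rather than on the proxy's own API-server client. A comment above the pair would settle it, for example `// QPS and Burst override the rate limits of the Kubernetes API client; zero keeps the kubeconfig/client defaults.` Names such as `KubeAPIQPS` and `KubeAPIBurst` would also line up with the flag names. The struct begins outside the hunk.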
@@ -137,6 +140,8 @@ func (o *ProxyRunOptions) Flags() k8sapiflag.NamedFlagSets {
 //Kubeconfig flag
 flagset.StringVar(&o.KubeconfigLocation, "kubeconfig", "", "Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used")
+ flagset.Float32Var(&o.QPS, "kube-api-qps", 0, "queries per second to the api, kube-client starts client-side throttling, when breached")
+ flagset.IntVar(&o.Burst, "kube-api-burst", 0, "kube-api burst value; needed when kube-api-qps is set")
 // HTTP2 flags
 flagset.BoolVar(&o.HTTP2Disable, "http2-disable", false, "Disable HTTP/2 support")
From eaebcdc84743a1338acf7393f658e0b688475bb2 Mon Sep 17 00:00:00 2001
From: Michael Voelker
Date: Mon, 18 Mar 2024 17:13:21 +0100
Subject: [PATCH 2/2] add changed README.md
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index c706cb143..e8d835121 100644
--- a/README.md
+++ b/README.md
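Review bot: The help strings for `--kube-api-qps` and `--kube-api-burst` in Flags() do not say that `0` keeps the client default, nor which calls are being throttled. If, as Complete suggests, this client is the one the proxy uses for its authentication and authorization lookups against the API server, the value is a security-relevant knob: set too low, every proxied request waits on a throttled review call; set too high, the client no longer limits how much API-server load incoming traffic can generate. Suggested wording: `"Maximum queries per second kube-rbac-proxy sends to the Kubernetes API server before client-side throttling; 0 keeps the client default"` and `"Burst allowed above kube-api-qps; 0 keeps the client default"`. Flags() continues outside the hunk.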
@@ -67,6 +67,8 @@ Kube-rbac-proxy flags:
 --http2-max-size uint32 The maximum number of bytes that the server will accept for frame size and buffer per stream in a HTTP/2 request. (default 262144)
 --ignore-paths strings Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
 --insecure-listen-address string [DEPRECATED] The address the kube-rbac-proxy HTTP server should listen on.
+ --kube-api-burst int kube-api burst value; needed when kube-api-qps is set
+ --kube-api-qps float32 queries per second to the api, kube-client starts client-side throttling, when breached
 --kubeconfig string Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used
 --oidc-ca-file string If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
 --oidc-clientID string The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.