podresources API: setting hardcoded ratelimit values


fro...@redhat.com

Mar 10, 2023, 9:28:32 AM
to kubernetes-sig-node
Hi sig-node!

In the context of the GA graduation of the podresources API endpoint (https://github.com/kubernetes/enhancements/issues/3743) we want to mitigate the risk of denial of service through unbounded access to the endpoint (https://github.com/kubernetes/enhancements/pull/3863).

To prevent misbehaving clients from excessively stressing the kubelet, we are in the process of hardcoding high but manageable rate limit values: qps=100, burst=10.

In practical terms, clients that access the podresources API less often than 100 times per second should have no impact at all. However, if your application uses the podresources API and needs to call the API around or more often than 100 times per second, please get in touch! We want to learn about these use cases.

One last thing: the limits will be hardcoded for the time being because adding proper rate limiting to the kubelet endpoints (exposing values in kubeletconfig and making them tunable) is a much larger effort which will require research, discussion and coordination. The current approach seems reasonable in the limited context of the podresources GA graduation.

Thanks,

--
Francesco Romani (fromani on slack / ffromani on github)
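
How a token bucket with the values from the message above (qps=100, burst=10) treats different client call patterns, as an added example that is not part of the original post and is not kubelet code. Token-bucket semantics, the `TokenBucket` type and the `Simulate` helper are assumptions made for illustration; the clock is constructed so the run is deterministic.

```go
package main

import (
	"fmt"
	"time"
)

// TokenBucket is a hypothetical stand-alone limiter (not the kubelet's code).
// It holds at most burst tokens and refills at qps tokens per second.
type TokenBucket struct {
	qps, burst, tokens float64
	last               time.Time
}

func NewTokenBucket(qps, burst float64, now time.Time) *TokenBucket {
	return &TokenBucket{qps: qps, burst: burst, tokens: burst, last: now}
}

// Allow refills for the time elapsed since the previous call (capped at
// burst), then spends one token if a whole token is available.
func (b *TokenBucket) Allow(now time.Time) bool {
	b.tokens += now.Sub(b.last).Seconds() * b.qps
	if b.tokens > b.burst {
		b.tokens = b.burst
	}
	b.last = now
	if b.tokens < 1 {
		return false // caller would be rejected or have to back off
	}
	b.tokens--
	return true
}

// Simulate issues n calls spaced gap apart on a constructed clock and
// returns how many the limiter admits with qps=100, burst=10.
func Simulate(n int, gap time.Duration) (allowed int) {
	start := time.Unix(0, 0)
	b := NewTokenBucket(100, 10, start) // values quoted in the post
	for i := 0; i < n; i++ {
		if b.Allow(start.Add(time.Duration(i) * gap)) {
			allowed++
		}
	}
	return allowed
}

func main() {
	fmt.Println("50 calls back-to-back:", Simulate(50, 0))
	fmt.Println("200 calls at 50/s:", Simulate(200, 20*time.Millisecond))
	fmt.Println("1000 calls at 200/s:", Simulate(1000, 5*time.Millisecond))
}
```

A client that sees rejections under a pattern like the third one can pace its calls or retry with backoff instead of polling in a tight loop.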

fro...@redhat.com

Mar 10, 2023, 9:31:03 AM
to kubernetes-sig-node