jaimegag · August 15, 2024 14:01
diff --git a/flowshema-gkp.yaml b/flowshema-gkp.yaml
 apiVersion: flowcontrol.apiserver.k8s.io/v1
 kind: FlowSchema
 metadata:
  name: limit-pods-namespace-appteam1
 spec:
  distinguisherMethod:
    type: ByNamespace # so that requests originated from the same namespace are grouped together
                      # into the same flow so that workloads in the “bad” namespace can’t overwhelm
                      # those in another namespace.
  matchingPrecedence: 8000 # to be adjusted based on other existing FlowSchemas configured in the cluster
                           # (lowest number has more preference)
                           # The matching precedence 8000 is lower than the value of 9000 used by the
                           # existing service-accounts FlowSchema so these list event calls will match
                           # limit-pods-namespace-appteam1 rather than service-accounts.
  priorityLevelConfiguration:
    name: appteam-low
  rules:
    - resourceRules:
      - apiGroups:
          - 'pod'
        namespaces:
          - appteam1
        resources:
          - events
        verbs:
          - get
          - create
          - update
          - delete
      subjects:
        - kind: ServiceAccount
          serviceAccount:
            name: default
            namespace: appteam1
 ---
 apiVersion: flowcontrol.apiserver.k8s.io/v1
 kind: PriorityLevelConfiguration
 metadata:
  name: appteam-low
 spec:
  limited:
    lendablePercent: 90
    limitResponse:
      queuing: # values to be adjusted to reduce queue capacity
               # (any requests that don't fit in the queues get immediately rejected IIRC)
        handSize: 6
        queueLengthLimit: 50
        queues: 128
      type: Queue # supports 2 values - 1) Queue and 2) Reject with a http 429 error.
    nominalConcurrencyShares: 100 # to be adjusted (lowered) to reduce memory impact
                                  # at the cost of queuing/rejecting earlier
  type: Limited
	apiVersion: flowcontrol.apiserver.k8s.io/v1
	kind: FlowSchema
	metadata:
	name: limit-pods-namespace-appteam1
	spec:
	distinguisherMethod:
	type: ByNamespace # so that requests originated from the same namespace are grouped together
	# into the same flow so that workloads in the “bad” namespace can’t overwhelm
	# those in another namespace.
	matchingPrecedence: 8000 # to be adjusted based on other existing FlowSchemas configured in the cluster
	# (lowest number has more preference)
	# The matching precedence 8000 is lower than the value of 9000 used by the
	# existing service-accounts FlowSchema so these list event calls will match
	# limit-pods-namespace-appteam1 rather than service-accounts.
	priorityLevelConfiguration:
	name: appteam-low
	rules:
	- resourceRules:
	- apiGroups:
	- 'pod'
	namespaces:
	- appteam1
	resources:
	- events
	verbs:
	- get
	- create
	- update
	- delete
	subjects:
	- kind: ServiceAccount
	serviceAccount:
	name: default
	namespace: appteam1
	---
	apiVersion: flowcontrol.apiserver.k8s.io/v1
	kind: PriorityLevelConfiguration
	metadata:
	name: appteam-low
	spec:
	limited:
	lendablePercent: 90
	limitResponse:
	queuing: # values to be adjusted to reduce queue capacity
	# (any requests that don't fit in the queues get immediately rejected IIRC)
	handSize: 6
	queueLengthLimit: 50
	queues: 128
	type: Queue # supports 2 values - 1) Queue and 2) Reject with a http 429 error.
	nominalConcurrencyShares: 100 # to be adjusted (lowered) to reduce memory impact
	# at the cost of queuing/rejecting earlier
	type: Limited