Ensure catch-all FlowSchema object for API Priority and Fairness Exists
An XCCDF Rule
Description
Using the APIPriorityAndFairness feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema catch-all should be available to make sure that every request gets some kind of classification. By default, the catch-all priority level only allows one concurrency share and does not queue requests.
To inspect all the FlowSchema objects, run:
oc get flowschema
To inspect the well-known catch-all object, run the following:
oc describe flowschema catch-all
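The inspection described above can be automated against a saved `oc get flowschema -o json` dump. This is an added example, not the rule's own check or project code: the sample JSON is constructed, and the expected priority level name and subject groups are assumptions taken from the upstream Kubernetes default catch-all FlowSchema.

```python
import json

# Constructed sample: trimmed shape of `oc get flowschema -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "FlowSchema", "metadata": {"name": "catch-all"},
   "spec": {"matchingPrecedence": 10000,
            "priorityLevelConfiguration": {"name": "catch-all"},
            "rules": [{"subjects": [
              {"kind": "Group", "group": {"name": "system:unauthenticated"}},
              {"kind": "Group", "group": {"name": "system:authenticated"}}]}]}}
]}
""")

# Assumption: the upstream default catch-all matches both of these groups,
# which is what lets it classify every request.
REQUIRED_GROUPS = {"system:authenticated", "system:unauthenticated"}


def check_catch_all(doc):
    """Return a list of findings; an empty list means the check passes."""
    items = doc.get("items", [doc])  # accept a List or a single object
    schema = next((i for i in items
                   if i.get("kind") == "FlowSchema"
                   and i.get("metadata", {}).get("name") == "catch-all"), None)
    if schema is None:
        return ["FlowSchema catch-all is missing"]
    findings = []
    spec = schema.get("spec", {})
    level = spec.get("priorityLevelConfiguration", {}).get("name")
    if level != "catch-all":
        findings.append(f"catch-all points at priority level {level!r}")
    # Collect every Group subject named across all rules of the schema.
    groups = {s.get("group", {}).get("name")
              for r in spec.get("rules", [])
              for s in r.get("subjects", []) if s.get("kind") == "Group"}
    missing = REQUIRED_GROUPS - groups
    if missing:
        findings.append("subjects do not cover: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    print(check_catch_all(SAMPLE) or "PASS")
```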
warning alert: Warning
/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all API endpoint to the local /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all file.
warning alert: Dependency Warning
Rationale
The FlowSchema API objects enforce a limit on the number of events that the API Server will accept in a given time slice. In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. It is recommended to limit the rate of events that the API Server will accept.
- ID
- xccdf_org.ssgproject.content_rule_api_server_api_priority_v1_flowschema_catch_all
- Severity
- Medium
- References
- Updated