Rate Limiting

Using the EventRateLimit admission control enforces a limit on the number of events that the API Server will accept in a given time period. In a large multi-tenant cluster, there might be a small percentage of tenants that flood the server with event requests, which could have a significant impact on the performance of the cluster overall. Therefore, it is recommended to limit the rate of events that the API server will accept.

You might want to configure event rate limit as part of compliance with the CIS (Center for Internet Security) Kubernetes Benchmark. Event rate limiting corresponds to the CIS Kubernetes Benchmark 1.1.36 - Ensure that the admission control plugin EventRateLimit is set (Scored).

Rate limits can be configured for the server, a namespace, a user, or a combination of a source and an object.

For configuration details, refer to the official Kubernetes documentation.

Example Configurations

The following configuration in the cluster.yml can be used to enable the event rate limit by default:

services:
  kube-api:
    event_rate_limit:
      enabled: true

When the event rate limit is enabled, you should be able to see the default values at /etc/kubernetes/admission.yaml:

...
plugins:
- configuration:
    apiVersion: eventratelimit.admission.k8s.io/v1alpha1
    kind: Configuration
    limits:
    - burst: 20000
      qps: 5000
      type: Server
...

To customize the event rate limit, the entire Kubernetes resource for the configuration must be provided in the configuration directive:

services:
  kube-api:
    event_rate_limit:
      enabled: true
      configuration:
        apiVersion: eventratelimit.admission.k8s.io/v1alpha1
        kind: Configuration
        limits:
        - type: Server
          qps: 6000
          burst: 30000