81. How to enable EventRateLimit in RKE2

Environment

Rancher, RKE2 and K3s

Procedure

Enabling EventRateLimit in RKE2

This article outlines the steps required to enable the EventRateLimit admission configuration in an RKE2 cluster.

Step 1: Create the Admission Control Configuration File

On each control plane node, create the file:

```
/etc/rancher/rke2/admission-control-config.yaml
```

Note: This YAML also includes a PodSecurityConfiguration TemplateName section, which sets the default policy to privileged. Adjust this configuration if you require stricter security policies, or remove it entirely if it is not needed.

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: EventRateLimit
    configuration:
      apiVersion: eventratelimit.admission.k8s.io/v1alpha1
      kind: Configuration
      limits:
        - type: Server
          qps: 5000
          burst: 20000
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: privileged
        enforce-version: latest
        audit: privileged
        audit-version: latest
        warn: privileged
        warn-version: latest
      exemptions:
        namespaces:
          - cattle-fleet-system
          - cattle-impersonation-system
          - cattle-system
          - cert-manager
          - kube-node-lease
          - kube-public
          - kube-system
          - longhorn-system
```

Tip: For initial testing, configure lower qps and burst values, and increase them later as required for production workloads.

Step 2: Update the API Server Arguments

1. Log in to the Rancher UI.
2. Navigate to ☰ Cluster Management.
3. On the Clusters page, edit the configuration of the target cluster.
4. Click on Advanced Options.
5. Under API Server Args, add the following parameters and save the changes:

```
--enable-admission-plugins=EventRateLimit
--admission-control-config-file=/etc/rancher/rke2/new-admission-control-config.yaml
```

The file name in this argument (new-admission-control-config.yaml) differs from the one created in Step 1 (admission-control-config.yaml); the argument must point at the file that actually contains the EventRateLimit configuration.

Step 3: Verify the Configuration

On a control plane node, confirm that the API server is using the specified admission plugins:

```
ps -C kube-apiserver -o pid,cmd | grep -i enable-admission-plugins
```

If configured correctly, the command output should include EventRateLimit along with the other enabled plugins.

Additional Notes

- If you are using the default Pod Security Admission Configuration Template, you might see the --admission-control-config-file argument listed twice in the kube-apiserver pod specification.
- The --admission-control-config-file argument only accepts a single value; if multiple values are present, the last one takes precedence.
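The check in Step 3 only shows that the plugin is enabled; the script below, an added example that is not part of the original article, also resolves which --admission-control-config-file occurrence is in effect (the last one) and confirms that file carries an EventRateLimit entry. The function names and the demo data are hypothetical and constructed, and the script assumes the config path is readable at the same path where it runs.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.

# flag_values FLAG CMDLINE: print every value given as "--FLAG=value", in order.
flag_values() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^--$1=//p"
}

# The last occurrence of --admission-control-config-file takes precedence.
effective_config_file() {
    flag_values admission-control-config-file "$1" | tail -n 1
}

# check_event_rate_limit CMDLINE: return 0 only if the plugin is enabled and
# the effective admission config file has an EventRateLimit plugin entry.
check_event_rate_limit() {
    # Assumption: a plugin named in any --enable-admission-plugins occurrence counts.
    plugins=$(flag_values enable-admission-plugins "$1" | tr '\n' ',')
    cfg=$(effective_config_file "$1")
    case ",$plugins," in
        *,EventRateLimit,*) ;;
        *) echo "EventRateLimit not enabled (plugins: $plugins)" >&2; return 1 ;;
    esac
    [ -n "$cfg" ] || { echo "no admission config file set" >&2; return 2; }
    [ -r "$cfg" ] || { echo "cannot read effective file $cfg" >&2; return 3; }
    # Line-based match for "- name: EventRateLimit" (not a full YAML parse).
    grep -Eq '^[[:space:]]*-[[:space:]]*name:[[:space:]]*EventRateLimit[[:space:]]*$' "$cfg" || {
        echo "effective file $cfg has no EventRateLimit entry" >&2; return 4; }
    echo "OK: EventRateLimit enabled, configured by $cfg"
}

# Constructed demo: the flag is listed twice and the last file is the right one.
demo() {
    dir=$(mktemp -d)
    printf 'plugins:\n  - name: PodSecurity\n' > "$dir/psa.yaml"
    printf 'plugins:\n  - name: EventRateLimit\n  - name: PodSecurity\n' > "$dir/erl.yaml"
    check_event_rate_limit "kube-apiserver --admission-control-config-file=$dir/psa.yaml --enable-admission-plugins=NodeRestriction,EventRateLimit --admission-control-config-file=$dir/erl.yaml"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
# On a control plane node: check_event_rate_limit "$(ps -C kube-apiserver -o cmd=)"
```

A return code of 4 is the case the Additional Notes describe: the plugin is enabled, but a later --admission-control-config-file occurrence points at a file without the EventRateLimit section.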