@@ -35,6 +35,7 @@ import (
3535 "k8s.io/apiserver/pkg/audit"
3636 "k8s.io/apiserver/pkg/util/webhook"
3737 "k8s.io/client-go/rest"
38+ "k8s.io/client-go/util/flowcontrol"
3839)
3940
4041const (
@@ -63,6 +64,9 @@ const (
6364 defaultBatchMaxSize = 400 // Only send up to 400 events at a time.
6465 defaultBatchMaxWait = 30 * time .Second // Send events at least twice a minute.
6566 defaultInitialBackoff = 10 * time .Second // Wait at least 10 seconds before retrying.
67+
68+ defaultBatchThrottleQPS = 10 // Limit the send rate by 10 QPS.
69+ defaultBatchThrottleBurst = 15 // Allow up to 15 QPS burst.
6670)
6771
6872// The plugin name reported in error metrics.
@@ -154,6 +158,7 @@ func newBatchWebhook(configFile string, groupVersion schema.GroupVersion) (*batc
154158 maxBatchSize : defaultBatchMaxSize ,
155159 maxBatchWait : defaultBatchMaxWait ,
156160 shutdownCh : make (chan struct {}),
161+ throttle : flowcontrol .NewTokenBucketRateLimiter (defaultBatchThrottleQPS , defaultBatchThrottleBurst ),
157162 }, nil
158163}
159164
@@ -181,6 +186,9 @@ type batchBackend struct {
181186 // all requests have been completed and no new will be spawned, since the
182187 // sending routine is not running anymore.
183188 reqMutex sync.RWMutex
189+
190+ // Limits the number of requests sent to the backend per second.
191+ throttle flowcontrol.RateLimiter
184192}
185193
186194func (b * batchBackend ) Run (stopCh <- chan struct {}) error {
@@ -306,6 +314,10 @@ func (b *batchBackend) sendBatchEvents(events []auditinternal.Event) {
306314
307315 list := auditinternal.EventList {Items : events }
308316
317+ if b .throttle != nil {
318+ b .throttle .Accept ()
319+ }
320+
309321 // Locking reqMutex for read will guarantee that the shutdown process will
310322 // block until the goroutine started below is finished. At the same time, it
311323 // will not prevent other batches from being proceed further this point.
0 commit comments