Make pod firewall nflog rate-limiting configurable #1078
Conversation
|
@bnu0 I definitely understand the motivation for this PR. However, I'm hesitant to add more CLI flags for kube-router for something this obscure (at least IMO). One of the benefits to kube-router is that it is easy to understand and configure when compared to the other offerings available. So we try to police how many flags we add to the interface so as to only highlight major features and try to choose sane defaults rather than potentially overwhelming the end-user with configuration options for every knob that could be turned. I'll likely wait and see if @murali-reddy has any opinions on whether or not to include this feature. |
|
Also, thanks for the stabilizing that unit test, I actually cherry-picked that commit and pushed it to master ahead of this PR so regardless of the action here, unit tests will be more stable in the future: fce90b0 If you can, please rebase your PR so that commit gets taken out. |
bnu0
force-pushed
the
bnu-nflog-rate-config
branch
from
46ad438
to
e59cc7e
Compare
|
Thanks for creating this, and sorry that it has taken so long to come back around to this. However, adding 2 additional parameter flags isn't worth what this feature brings to the table. I definitely see how it could be useful in certain situations, but given that its been posted for almost a year and no one else has chimed in, I don't think that it would be widely used. Maybe in the future, if we create more ways of configuring kube-router, maybe expose some conf like mechanism for more advanced options or some such, then we could revisit this. |
For compliance reasons, it might be desired to tune the nflog rate-limits for packets that are rejected from pod firewalls. This PR makes it possible to tune the limit/burst parameters, or remove limiting entirely if you know what you are doing.
The defaults remain at
burst=10,limit=10/minuteas before.