diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst index 137a1c89c4b62..0202c1448979d 100644 --- a/Documentation/helm-values.rst +++ b/Documentation/helm-values.rst @@ -40,6 +40,10 @@ - Annotate k8s node upon initialization with Cilium's metadata. - bool - ``false`` + * - :spelling:ignore:`apiRateLimit` + - The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API + - string + - ``nil`` * - :spelling:ignore:`authentication.enabled` - Enable authentication processing and garbage collection. Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. - bool diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md index e61892687c88a..04268824479e8 100644 --- a/install/kubernetes/cilium/README.md +++ b/install/kubernetes/cilium/README.md 
@@ -60,6 +60,7 @@ contributors across the globe, there is almost always someone available to help. | aksbyocni.enabled | bool | `false` | Enable AKS BYOCNI integration. Note that this is incompatible with AKS clusters not created in BYOCNI mode: use Azure integration (`azure.enabled`) instead. | | alibabacloud.enabled | bool | `false` | Enable AlibabaCloud ENI integration | | annotateK8sNode | bool | `false` | Annotate k8s node upon initialization with Cilium's metadata. | +| apiRateLimit | string | `nil` | The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API | | authentication.enabled | bool | `true` | Enable authentication processing and garbage collection. Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. | | authentication.gcInterval | string | `"5m0s"` | Interval for garbage collection of auth map entries. | | authentication.mutual.connectTimeout | string | `"5s"` | Timeout for connecting to the remote node TCP socket | diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml index 971da7cab54c4..4ac3b006e3f8a 100644 --- a/install/kubernetes/cilium/templates/cilium-configmap.yaml +++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml @@ -964,6 +964,10 @@ data: limit-ipam-api-qps: {{ .Values.ipam.operator.externalAPILimitQPS | quote }} {{- end }} +{{- if .Values.apiRateLimit }} + api-rate-limit: {{ .Values.apiRateLimit | quote }} +{{- end }} + {{- if .Values.enableCnpStatusUpdates }} disable-cnp-status-updates: "false" {{- else if (eq $defaultEnableCnpStatusUpdates "false") }} diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml index cce302d73eb33..22a4286da9455 100644 
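Review bot: The new `api-rate-limit` entry in cilium-configmap.yaml passes `.Values.apiRateLimit` through `quote` without checking its type, so a user who supplies a YAML map (a natural guess for per-API settings) would get Go's `map[...]` rendering in the ConfigMap rather than a template error. How the agent handles such a value is not visible from this hunk, and an override that is silently ignored or misparsed leaves operators believing a limit is configured when it is not. Consider failing at render time inside the `if`, e.g. `{{- if not (kindIs "string" .Values.apiRateLimit) }}{{ fail "apiRateLimit must be a string" }}{{- end }}`. The surrounding `data:` block starts and continues outside the hunk.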
--- a/install/kubernetes/cilium/values.yaml +++ b/install/kubernetes/cilium/values.yaml @@ -1572,6 +1572,9 @@ ipam: # @default -- `4.0` externalAPILimitQPS: ~ +# -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API +apiRateLimit: ~ + # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl index 54ff4068e7e0e..af4499a95decc 100644 --- a/install/kubernetes/cilium/values.yaml.tmpl +++ b/install/kubernetes/cilium/values.yaml.tmpl @@ -1569,6 +1569,9 @@ ipam: # @default -- `4.0` externalAPILimitQPS: ~ +# -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API +apiRateLimit: ~ + # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false
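Review bot: The comment added above `apiRateLimit: ~` does not say what the string should look like, so the option cannot be set correctly from values.yaml alone; values.yaml.tmpl carries the same comment. I would extend it with the expected syntax and one example (something of the form `endpoint-create=rate-limit:10/s,rate-burst:20`, to be confirmed against the agent's option parser), plus a reminder that commas in the value must be escaped when passed via `helm --set`. Because these limits protect the agent API from being overwhelmed by bursts of requests, the comment should also state that raising or disabling a limit weakens that protection, and that settings not named in the string keep their defaults.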