From 8bdb5cfa384603ae5502d6be5cd1e3980de680a6 Mon Sep 17 00:00:00 2001
From: David Eads <deads@redhat.com>
Date: Thu, 11 Mar 2021 13:23:58 -0500
Subject: [PATCH] add a flowschema to ensure that probes never get 429s

---
 ...kube-apiserver-operator_08_flowschema.yaml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/manifests/0000_20_kube-apiserver-operator_08_flowschema.yaml b/manifests/0000_20_kube-apiserver-operator_08_flowschema.yaml
index 9a0abbe278..5407bc6927 100644
--- a/manifests/0000_20_kube-apiserver-operator_08_flowschema.yaml
+++ b/manifests/0000_20_kube-apiserver-operator_08_flowschema.yaml
@@ -73,3 +73,31 @@ spec:
       serviceAccount:
         name: kube-apiserver-operator
         namespace: openshift-kube-apiserver-operator
+---
+# probes need to always work.  If probes get 429s, then the kubelet will treat them as probe failures.
+# Since probes are cheap to run, we won't rate limit these at all.
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
+kind: FlowSchema
+metadata:
+  name: probes
+spec:
+  distinguisherMethod:
+    type: ByUser
+  matchingPrecedence: 2
+  priorityLevelConfiguration:
+    name: exempt
+  rules:
+    - nonResourceRules:
+        - nonResourceURLs:
+            - '/healthz'
+            - '/readyz'
+            - '/livez'
+          verbs:
+            - 'get'
+      subjects:
+        - group:
+            name: system:authenticated
+          kind: Group
+        - group:
+            name: system:unauthenticated
+          kind: Group