
How to enable EventRateLimit in RKE2.

Article Number: 000022027

Environment

Rancher, RKE2 and K3s

Procedure

Enabling EventRateLimit in RKE2

This article outlines the steps required to enable the EventRateLimit admission configuration in an RKE2 cluster.

Step 1: Create the Admission Control Configuration File

On each control plane node, create the file:
/etc/rancher/rke2/admission-control-config.yaml

Note: This YAML also includes a PodSecurityConfiguration section, which sets the default policy to privileged for enforce, audit, and warn. Adjust this section if you require stricter security policies, or remove it entirely if it is not needed.

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: EventRateLimit
  configuration:
    apiVersion: eventratelimit.admission.k8s.io/v1alpha1
    kind: Configuration
    limits:
    - type: Server
      qps: 5000
      burst: 20000
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: privileged
      enforce-version: latest
      audit: privileged
      audit-version: latest
      warn: privileged
      warn-version: latest
    exemptions:
      namespaces:
      - cattle-fleet-system
      - cattle-impersonation-system
      - cattle-system
      - cert-manager
      - kube-node-lease
      - kube-public
      - kube-system
      - longhorn-system

Tip: For initial testing, configure lower qps and burst values, and increase them later as required for production workloads.

Step 2: Update the API Server Arguments

  1. Log in to the Rancher UI.
  2. Navigate to ☰ > Cluster Management.
  3. On the Clusters page, edit the configuration of the target cluster.
  4. Click on Advanced Options.
  5. Under API Server Args, add the following parameters and save the changes:
--enable-admission-plugins=EventRateLimit
--admission-control-config-file=/etc/rancher/rke2/admission-control-config.yaml

Step 3: Verify the Configuration

On a control plane node, confirm that the API server is using the specified admission plugins:

ps -C kube-apiserver -o pid,cmd | grep -i enable-admission-plugins

If configured correctly, the command output should include EventRateLimit along with other enabled plugins.

Additional Notes

  • If you are using the default Pod Security Admission Configuration Template, you might see the --admission-control-config-file argument listed twice in the kube-apiserver pod specification.
  • The --admission-control-config-file argument only accepts a single value; if multiple values are present, the last one takes precedence.
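
The check from Step 3 can be extended to cover the duplicate-flag case described above. The script below is an added example, not part of the original article: it reports whether EventRateLimit is in the effective plugin list and which --admission-control-config-file value wins. The function names, the sample command line, and the first config-file path in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): check the Step 2 flags on a
# kube-apiserver command line, honouring "the last occurrence wins".
# Assumes no argument value contains a space.

# Constructed sample command line; the first config-file path is a placeholder.
SAMPLE='kube-apiserver --admission-control-config-file=/etc/rancher/rke2/example-psa-template.yaml --enable-admission-plugins=NodeRestriction,EventRateLimit --admission-control-config-file=/etc/rancher/rke2/admission-control-config.yaml'

# args_of CMDLINE: print one argument per line.
args_of() { printf '%s\n' "$1" | tr ' ' '\n'; }

# effective_flag NAME CMDLINE: value of the last --NAME=... occurrence.
effective_flag() { args_of "$2" | sed -n "s/^--$1=//p" | tail -n 1; }

# count_flag NAME CMDLINE: number of times --NAME=... appears.
count_flag() { args_of "$2" | grep -c "^--$1=" || true; }

# has_event_rate_limit CMDLINE: succeeds if the effective plugin list names it.
has_event_rate_limit() {
    effective_flag enable-admission-plugins "$1" | tr ',' '\n' | grep -qx EventRateLimit
}

# report CMDLINE: print findings; non-zero if the plugin or its config is missing.
report() {
    file=$(effective_flag admission-control-config-file "$1")
    n=$(count_flag admission-control-config-file "$1")
    has_event_rate_limit "$1" || { echo "FAIL: EventRateLimit not enabled"; return 1; }
    [ -n "$file" ] || { echo "FAIL: no --admission-control-config-file"; return 1; }
    echo "OK: EventRateLimit enabled, effective config file: $file"
    if [ "$n" -gt 1 ]; then
        echo "NOTE: flag given $n times; earlier values are ignored"
    fi
    if [ ! -f "$file" ]; then
        echo "NOTE: $file not found on this host"
    fi
    return 0
}

# Use the live process when present (same ps call as Step 3), else the sample.
live=$(ps -C kube-apiserver -o cmd= 2>/dev/null | head -n 1) || true
report "${live:-$SAMPLE}" || true
```

Run it on a control plane node; if the effective file is not the one that contains the EventRateLimit configuration, the limits from Step 1 are not being applied.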