Tweaked wording and added codenew example re health-for-strangers

MikeSpreitzer · MikeSpreitzer · commit 499d0f4df13b · 2020-07-31T15:30:57.000-04:00
diff --git a/content/en/docs/concepts/cluster-administration/flow-control.md b/content/en/docs/concepts/cluster-administration/flow-control.md
@@ -162,7 +162,7 @@ are built in and may not be overwritten:
   that only matches the `catch-all` FlowSchema will be rejected with an HTTP 429
   error.
 
-## Potentially interesting additional configuration
+## Health check concurrency exemption
 
 The suggested configuration gives no special treatment to the health
 check requests on kube-apiservers from their local kubelets --- which
@@ -171,32 +171,21 @@ suggested config, these requests get assigned to the `global-default`
 FlowSchema and the corresponding `global-default` priority level,
 where other traffic can crowd them out.
 
-Adding the following additional FlowSchema will cause those requests
-to be exempt from limiting.  Unfortunately, any hostile party could
-submit requests matching this FlowSchema.
-
-```yaml
-apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1
-kind: FlowSchema
-metadata:
-  name: health-for-strangers
-spec:
-  matchingPrecedence: 1000
-  priorityLevelConfiguration:
-    name: exempt
-  rules:
-  - nonResourceRules:
-    - nonResourceURLs:
-      - "/healthz"
-      - "/livez"
-      - "/readyz"
-      verbs:
-      - "*"
-    subjects:
-    - kind: Group
-      group:
-        name: system:unauthenticated
-```
+If you add the following additional FlowSchema, this exempts those
+requests from rate limiting.
+
+{{< caution >}}
+
+Making this change also allows any hostile party to then send
+health-check requests that match this FlowSchema, at any volume they
+like.  If you have a web traffic filter or similar external security
+mechanism to protect your cluster's API server from general internet
+traffic, you can configure rules to block any health check requests
+that originate from outside your cluster.
+
+{{< /caution >}}
+
+{{< codenew file="priority-and-fairness/health-for-strangers.yaml" >}}
 
 ## Resources
 The flow control API involves two kinds of resources.
diff --git a/content/en/examples/priority-and-fairness/health-for-strangers.yaml b/content/en/examples/priority-and-fairness/health-for-strangers.yaml
@@ -0,0 +1,20 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1
+kind: FlowSchema
+metadata:
+  name: health-for-strangers
+spec:
+  matchingPrecedence: 1000
+  priorityLevelConfiguration:
+    name: exempt
+  rules:
+  - nonResourceRules:
+    - nonResourceURLs:
+      - "/healthz"
+      - "/livez"
+      - "/readyz"
+      verbs:
+      - "*"
+    subjects:
+    - kind: Group
+      group:
+        name: system:unauthenticated
