Stay organized with collectionsSave and categorize content based on your preferences.
Configure the controller manager rate limit
This pages describes how to configure the overall rate limit (token bucket rate
limit) for the controller manager in Config Connector.
The rate limit controls how many requests Config Connector makes to the
Kubernetes API server. There are two settings:
Theqps(queries per second) setting determines
the average rate at which Config Connector can make requests to the
Kubernetes API server.
Theburstvalue allows for more requests than theqpslimit
for short periods. This helps Config Connector to reconcile
quickly, even during times which require more queries to the Kubernetes
API server, such as when applying a new batch of configuration using GitOps.
You can think of the "token bucket" algorithm for rate limiting like this:
imagine a bucket of capacitybursttokens, being refilled at theqpsrate. Each request requires one token from the bucket. If the bucket is empty,
requests are delayed until tokens become available.
Configure the rate limit for namespaced controller manager
If Config Connector is configured to run innamespaced mode, you can
use theNamespacedControllerReconcilercustom resource to configure the rate
limit of thecnrm-controller-managercontroller's Kubernetes client
in your designated namespace. You can configure rate limit for this
controller in Config Connector version 1.119 and later.
Create a file namedconfigure-rate-limit.yamland copy the
following YAML into it:
apiVersion:customize.core.cnrm.cloud.google.com/v1beta1kind:NamespacedControllerReconcilermetadata:name:cnrm-controller-manager# name must not contain the namespace ID suffixnamespace:NAMESPACEspec:rateLimit:qps:80# the default value is 20burst:40# the default value is 30
ReplaceNAMESPACEwith the name of your namespace.
Usekubectl applyto apply the rate limit configuration to your cluster:
kubectl apply -f configure-rate-limit.yaml
Verify the configuration is successful by running the following command:
kubectl get namespacedcontrollerreconciler cnrm-controller-manager -nNAMESPACE-o jsonpath='{.status.healthy}'
The output should displaystatus.healthyfield set totrue.
Verify that the--qpsand--burstflags are added to thecnrm-controller-managercontroller's manager container by running the following command:
Starting in version 1.125, if Config Connector is configured to run in cluster
mode, you can configure the rate limit of thecnrm-controller-managercontroller's Kubernetes client using theControllerReconcilercustom resource.
The usage is similar to the namespaced mode, but in this case, you should
use theControllerReconcilerCR instead ofNamespacedControllerReconciler,
as in the following example:
apiVersion:customize.core.cnrm.cloud.google.com/v1alpha1kind:ControllerReconcilermetadata:name:cnrm-controller-managerspec:rateLimit:qps:80# the default value is 20burst:40# the default value is 30
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eConfig Connector's controller manager rate limit can be configured to control the number of requests made to the Kubernetes API server.\u003c/p\u003e\n"],["\u003cp\u003eThe rate limit is defined by \u003ccode\u003eqps\u003c/code\u003e (queries per second) which determines the average request rate, and \u003ccode\u003eburst\u003c/code\u003e which allows for temporary higher request volumes.\u003c/p\u003e\n"],["\u003cp\u003eIn namespaced mode (version 1.119+), the \u003ccode\u003eNamespacedControllerReconciler\u003c/code\u003e custom resource is used to set the rate limit, specifying \u003ccode\u003eqps\u003c/code\u003e and \u003ccode\u003eburst\u003c/code\u003e values within a given namespace.\u003c/p\u003e\n"],["\u003cp\u003eIn cluster mode (version 1.125+), the \u003ccode\u003eControllerReconciler\u003c/code\u003e custom resource is used to configure the \u003ccode\u003ecnrm-controller-manager\u003c/code\u003e's rate limit, defining \u003ccode\u003eqps\u003c/code\u003e and \u003ccode\u003eburst\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Configure the controller manager rate limit\n===========================================\n\n*** ** * ** ***\n\nThis pages describes how to configure the overall rate limit (token bucket rate\nlimit) for the controller manager in Config Connector.\n\nThe rate limit controls how many requests Config Connector makes to the\nKubernetes API server. There are two settings:\n\n- The `qps` (queries per second) setting determines\n the average rate at which Config Connector can make requests to the\n Kubernetes API server.\n\n- The `burst` value allows for more requests than the `qps` limit\n for short periods. This helps Config Connector to reconcile\n quickly, even during times which require more queries to the Kubernetes\n API server, such as when applying a new batch of configuration using GitOps.\n\nYou can think of the \"token bucket\" algorithm for rate limiting like this:\nimagine a bucket of capacity `burst` tokens, being refilled at the `qps`\nrate. Each request requires one token from the bucket. If the bucket is empty,\nrequests are delayed until tokens become available.\n\nConfigure the rate limit for namespaced controller manager\n----------------------------------------------------------\n\nIf Config Connector is configured to run in\n[namespaced mode](/config-connector/docs/how-to/install-namespaced), you can\nuse the `NamespacedControllerReconciler` custom resource to configure the rate\nlimit of the `cnrm-controller-manager` controller's Kubernetes client\nin your designated namespace. You can configure rate limit for this\ncontroller in Config Connector version 1.119 and later.\n\n1. Create a file named `configure-rate-limit.yaml` and copy the\n following YAML into it:\n\n apiVersion: customize.core.cnrm.cloud.google.com/v1beta1\n kind: NamespacedControllerReconciler\n metadata:\n name: cnrm-controller-manager # name must not contain the namespace ID suffix\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eNAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n rateLimit:\n qps: 80 # the default value is 20\n burst: 40 # the default value is 30\n\n Replace \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e with the name of your namespace.\n2. Use `kubectl apply` to apply the rate limit configuration to your cluster:\n\n ```\n kubectl apply -f configure-rate-limit.yaml\n ```\n3. Verify the configuration is successful by running the following command:\n\n ```\n kubectl get namespacedcontrollerreconciler cnrm-controller-manager -n NAMESPACE -o jsonpath='{.status.healthy}'\n ```\n\n The output should display `status.healthy` field set to `true`.\n4. Verify that the `--qps` and `--burst` flags are added to the\n `cnrm-controller-manager` controller's manager container by running the following command:\n\n ```\n kubectl describe statefulsets -n cnrm-system -l \"cnrm.cloud.google.com/scoped-namespace=NAMESPACE\"\n ```\n\n The output should contain the following: \n\n Containers:\n manager:\n Image: gcr.io/gke-release/cnrm/controller:fd4c42c\n Port: 23232/TCP\n Host Port: 0/TCP\n Command:\n /configconnector/manager\n Args:\n --qps=80\n --burst=40\n --scoped-namespace=config-control\n --prometheus-scrape-endpoint=:8888\n\nConfigure the rate limit in cluster mode\n----------------------------------------\n\nStarting in version 1.125, if Config Connector is configured to run in cluster\nmode, you can configure the rate limit of the `cnrm-controller-manager`\ncontroller's Kubernetes client using the `ControllerReconciler` custom resource.\nThe usage is similar to the namespaced mode, but in this case, you should\nuse the `ControllerReconciler` CR instead of `NamespacedControllerReconciler`,\nas in the following example: \n\n apiVersion: customize.core.cnrm.cloud.google.com/v1alpha1\n kind: ControllerReconciler\n metadata:\n name: cnrm-controller-manager\n spec:\n rateLimit:\n qps: 80 # the default value is 20\n burst: 40 # the default value is 30"]]
