Kubeconfig: Disable clientside ratelimtier if flowcontrol is supported

alvaroaleman · alvaroaleman · commit efbb0c98cc08 · 2026-02-16T13:20:32.000-05:00
I noticed client-side ratelimiting messages from the kustomization
controller for my kustomization that has a kubeconfig configured.

Looking at the code, I saw that this already gets disabled in
`GetConfigOrDie` if the server supports APF but not in the codepath
where we construct a rest config from a custom kubeconfig, this change
fixes that.

Signed-off-by: Alvaro Aleman &lt;alvaroaleman@users.noreply.github.com&gt;
diff --git a/runtime/client/client.go b/runtime/client/client.go
@@ -75,7 +75,7 @@ func GetConfigOrDie(opts Options) *rest.Config {
 	config := ctrl.GetConfigOrDie()
 	enabled, err := flowcontrol.IsEnabled(context.Background(), config)
 	if err == nil && enabled {
-		// A negative QPS and Burst indicates that the client should not have a rate limiter.
+		// A negative QPS indicates that the client should not have a rate limiter.
 		// Ref: https://github.com/kubernetes/kubernetes/blob/v1.24.0/staging/src/k8s.io/client-go/rest/config.go#L354-L364
 		config.QPS = -1
 		config.Burst = -1
diff --git a/runtime/client/impersonator.go b/runtime/client/impersonator.go
@@ -169,7 +169,7 @@ func (i *Impersonator) clientForKubeConfig(ctx context.Context) (rc.Client, *pol
 		return nil, nil, err
 	}
 
-	restConfig = KubeConfig(restConfig, i.kubeConfigOpts)
+	restConfig = KubeConfig(ctx, restConfig, i.kubeConfigOpts)
 	i.setImpersonationConfig(restConfig)
 
 	restMapper, err := NewDynamicRESTMapper(restConfig)
diff --git a/runtime/client/kubeconfig.go b/runtime/client/kubeconfig.go
@@ -17,8 +17,10 @@ limitations under the License.
 package client
 
 import (
+	"context"
 	"time"
 
+	"github.com/fluxcd/cli-utils/pkg/flowcontrol"
 	"github.com/spf13/pflag"
 	"k8s.io/client-go/rest"
 )
@@ -67,7 +69,11 @@ func (o *KubeConfigOptions) BindFlags(fs *pflag.FlagSet) {
 
 // KubeConfig sanitises a kubeconfig represented as *rest.Config using
 // KubeConfigOptions to inform the transformation decisions.
-func KubeConfig(in *rest.Config, opts KubeConfigOptions) *rest.Config {
+func KubeConfig(ctx context.Context, in *rest.Config, opts KubeConfigOptions) *rest.Config {
+	return kubeconfig(ctx, in, opts, flowcontrol.IsEnabled)
+}
+
+func kubeconfig(ctx context.Context, in *rest.Config, opts KubeConfigOptions, flowcontrolChecker func(context.Context, *rest.Config) (bool, error)) *rest.Config {
 	var out *rest.Config
 
 	if in != nil {
@@ -108,5 +114,12 @@ func KubeConfig(in *rest.Config, opts KubeConfigOptions) *rest.Config {
 		}
 	}
 
+	enabled, err := flowcontrolChecker(ctx, out)
+	if err == nil && enabled {
+		// A negative QPS indicates that the client should not have a rate limiter.
+		// Ref: https://github.com/kubernetes/kubernetes/blob/v1.24.0/staging/src/k8s.io/client-go/rest/config.go#L354-L364
+		out.QPS = -1
+	}
+
 	return out
 }
diff --git a/runtime/client/kubeconfig_test.go b/runtime/client/kubeconfig_test.go
@@ -17,20 +17,22 @@ limitations under the License.
 package client
 
 import (
-	"reflect"
+	"context"
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd/api"
 )
 
 func TestKubeConfig(t *testing.T) {
 	tests := []struct {
-		description string
-		in          *rest.Config
-		opts        KubeConfigOptions
-		expected    *rest.Config
+		description        string
+		in                 *rest.Config
+		opts               KubeConfigOptions
+		flowControlEnabled bool
+		expected           *rest.Config
 	}{
 		{
 			description: "ignore nil configs",
@@ -140,13 +142,24 @@ func TestKubeConfig(t *testing.T) {
 				Timeout:   30 * time.Second,
 			},
 		},
+		{
+			description:        "Flowcontrol enabled disables ratelimiting",
+			in:                 &rest.Config{},
+			opts:               KubeConfigOptions{},
+			flowControlEnabled: true,
+			expected: &rest.Config{
+				QPS:     -1,
+				Timeout: 30 * time.Second,
+			},
+		},
 	}
 
 	for _, tt := range tests {
-		got := KubeConfig(tt.in, tt.opts)
-		if !reflect.DeepEqual(tt.expected, got) {
-			t.Error(tt.description)
-		}
+		t.Run(tt.description, func(t *testing.T) {
+			flowControlChecker := func(context.Context, *rest.Config) (bool, error) { return tt.flowControlEnabled, nil }
+			got := kubeconfig(t.Context(), tt.in, tt.opts, flowControlChecker)
+			assert.Equal(t, tt.expected, got)
+		})
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -169,7 +169,7 @@ func (i Impersonator) clientForKubeConfig(ctx context.Context) (rc.Client, pol`
`169`	`169`	`return nil, nil, err`
`170`	`170`	`}`
`171`	`171`
`172`		`- restConfig = KubeConfig(restConfig, i.kubeConfigOpts)`
	`172`	`+ restConfig = KubeConfig(ctx, restConfig, i.kubeConfigOpts)`
`173`	`173`	`i.setImpersonationConfig(restConfig)`
`174`	`174`
`175`	`175`	`restMapper, err := NewDynamicRESTMapper(restConfig)`