Does rate limiting using redisquota work on latest GKE release: 1.0.6-GKE.3?

#1

Rate limiting within the cluster is working with memquota, although I still am not able to rate limit requests to an external service entry.

I deployed a redis pod+service and checked that I could access it from a golang script using its connection string: “redis-quotas:6379”. However I am unable to implement the redisquota handler for rate limiting at all. It does not appear to be making any connection to the redis pod according to the redis container log.

If the case is that this is not implemented before version 1.1, is it possible to helm template install v1.1.+ on GKE without anything exploding?

#2

Redis pod + service:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-quotas
spec:
  selector:
    matchLabels:
      app: redis-quotas
  template:
    metadata:
      labels:
        app: redis-quotas
    spec:
      containers:
      - name: redis
        image: redis:alpine
        ports:
        - containerPort: 6379
        readinessProbe:
          periodSeconds: 5
          tcpSocket:
            port: 6379
        livenessProbe:
          periodSeconds: 5
          tcpSocket:
            port: 6379
        volumeMounts:
        - mountPath: /data
          name: redis-data
        resources:
          limits:
            memory: 256Mi
            cpu: 125m
          requests:
            cpu: 70m
            memory: 200Mi
      volumes:
      - name: redis-data
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: redis-quotas
spec:
  type: ClusterIP
  selector:
    app: redis-quotas
  ports:
  - name: redis
    port: 6379
    targetPort: 6379

redis-quota configs:

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: redishandler
  namespace: istio-system
spec:
  compiledAdapter: redisquota
  params:
    redisServerUrl: redis-quotas:6379
    connectionPoolSize: 10
    quotas:
    - name: requestcountquota.instance.istio-system
      maxAmount: 1
      validDuration: 1s
      bucketDuration: 500ms
      rateLimitAlgorithm: FIXED_WINDOW
      overrides:
      - dimensions:
          destination: api.ipify.org
        maxAmount: 1
      - dimensions:
          destination: whatsmyip
        maxAmount: 1
        validDuration: 5s
      - dimensions:
          source: istio-egressgateway
        maxAmount: 1
        validDuration: 5s
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestcountquota
  namespace: istio-system
spec:
  compiledTemplate: quota
  params:
    dimensions:
      source: source.workload.name | "unknown"
      destination: destination.service.name | request.url_path | request.host | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: istio-system
spec:
  rules:
  - quotas:
    - charge: 1
      quota: requestcountquota
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: istio-system
spec:
  quotaSpecs:
  - name: request-count
    namespace: istio-system
  services:
  - service: '*'  # Uncomment this to bind *all* services to request-count
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  actions:
  - handler: redishandler
    instances:
    - requestcountquota
---
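
The quota semantics that the handler in post #2 configures, as an added Go sketch that is not part of any post and is not Mixer's own code: one fixed-window counter per dimension set, with the first matching override (read top to bottom) replacing the default maxAmount. The type and function names and the override limit of 2 are constructed for illustration, and overrides in this model change only maxAmount.

```go
package main

import (
	"fmt"
	"time"
)

type Override struct {
	Dimensions map[string]string // all must equal the request's dimensions
	MaxAmount  int64             // replaces the quota's default maxAmount
}

// Quota is a simplified model of one entry under params.quotas.
type Quota struct {
	MaxAmount     int64
	ValidDuration time.Duration // length of one fixed window, must be > 0
	Overrides     []Override
	used          map[string]int64 // units charged per dimension set and window
}

// LimitFor returns the limit of the first override whose dimensions all match.
func (q *Quota) LimitFor(dims map[string]string) int64 {
next:
	for _, o := range q.Overrides {
		for k, v := range o.Dimensions {
			if dims[k] != v {
				continue next
			}
		}
		return o.MaxAmount
	}
	return q.MaxAmount
}

// Allow charges one unit in the fixed window containing now, or refuses.
func (q *Quota) Allow(dims map[string]string, now time.Time) bool {
	key := fmt.Sprint(dims, now.UnixNano()/int64(q.ValidDuration)) // maps print sorted
	if q.used[key] >= q.LimitFor(dims) {
		return false
	}
	q.used[key]++
	return true
}

// SampleQuota: default 1 per 1s as in the post; the override limit 2 is constructed.
func SampleQuota() *Quota {
	return &Quota{1, time.Second, []Override{{map[string]string{"destination": "api.ipify.org"}, 2}}, map[string]int64{}}
}

func main() { fmt.Println(SampleQuota().Allow(map[string]string{"destination": "api.ipify.org"}, time.Unix(100, 0))) }
```
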
#3

Please make sure you are running Istio 1.1.3 or later. The page with the sample shows a different config if you have an earlier version of Istio (see https://istio.io/docs/tasks/policy-enforcement/rate-limiting/).

#4

Do you know how we can provide a username and password for the Redis server?