Rate limiting within the cluster is working with memquota, although I still am not able to rate limit requests to an external service entry.
I deployed a Redis pod + service and checked that I could access it from a golang script using its connection string: "redis-quotas:6379". However, I am unable to implement the redisquota handler for rate limiting at all. It does not appear to be making any connection to the Redis pod according to the Redis container log.
If the case is that this is not implemented before version 1.1, is it possible to helm template install v1.1.+ on GKE without anything exploding?
Redis pod + service:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-quotas
spec:
  selector:
    matchLabels:
      app: redis-quotas
  template:
    metadata:
      labels:
        app: redis-quotas
    spec:
      containers:
      - name: redis
        image: redis:alpine
        ports:
        - containerPort: 6379
        readinessProbe:
          periodSeconds: 5
          tcpSocket:
            port: 6379
        livenessProbe:
          periodSeconds: 5
          tcpSocket:
            port: 6379
        volumeMounts:
        - mountPath: /data
          name: redis-data
        resources:
          limits:
            memory: 256Mi
            cpu: 125m
          requests:
            cpu: 70m
            memory: 200Mi
      volumes:
      - name: redis-data
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: redis-quotas
spec:
  type: ClusterIP
  selector:
    app: redis-quotas
  ports:
  - name: redis
    port: 6379
    targetPort: 6379
```
redis-quota configs:
```yaml
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: redishandler
  namespace: istio-system
spec:
  compiledAdapter: redisquota
  params:
    redisServerUrl: redis-quotas:6379
    connectionPoolSize: 10
    quotas:
    - name: requestcountquota.instance.istio-system
      maxAmount: 1
      validDuration: 1s
      bucketDuration: 500ms
      rateLimitAlgorithm: FIXED_WINDOW
      overrides:
      - dimensions:
          destination: api.ipify.org
        maxAmount: 1
      - dimensions:
          destination: whatsmyip
        maxAmount: 1
        validDuration: 5s
      - dimensions:
          source: istio-egressgateway
        maxAmount: 1
        validDuration: 5s
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestcountquota
  namespace: istio-system
spec:
  compiledTemplate: quota
  params:
    dimensions:
      source: source.workload.name | "unknown"
      destination: destination.service.name | request.url_path | request.host | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: istio-system
spec:
  rules:
  - quotas:
    - charge: 1
      quota: requestcountquota
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: istio-system
spec:
  quotaSpecs:
  - name: request-count
    namespace: istio-system
  services:
  - service: '*' # Uncomment this to bind *all* services to request-count
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  actions:
  - handler: redishandler
    instances:
    - requestcountquota
```
---
kuat
May 2, 2019, 10:38pm
3
Please make sure you are running Istio 1.1.3 or later. The page with the sample shows a different config if you have an earlier version of Istio (see https://istio.io/docs/tasks/policy-enforcement/rate-limiting/).
Do you know how we can provide a username and password for the Redis server?