I am trying to implement rate limiting on pods that do not have an Envoy sidecar. I am stuck at this point and need some help.
My first question is if this is even possible?
Can a connection to a pod be rate limited if it doesn't have an Envoy sidecar, but its traffic does go through an ingress gateway?
If so, my configs are below. These are valid in Mixer. However, they do not seem to do anything, as Artillery runs at around 100 rps return all 200s.
The example application was tested and did work correctly; however, I would like to not use sidecars until we are ready.
Any help would be greatly appreciated.
Rate Limit Rules
```yaml
apiVersion: "config.istio.io/v1alpha2"
kind: memquota
metadata:
  name: handler
  namespace: istio-system
spec:
  quotas:
  - name: requestcount.quota.istio-system
    maxAmount: 1
    validDuration: 1s
---
apiVersion: "config.istio.io/v1alpha2"
kind: quota
metadata:
  name: requestcount
  namespace: istio-system
spec:
  dimensions:
    source: request.headers["true-client-ip"] | "unknown"
    destination: destination.service.name | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  actions:
  - handler: handler.memquota
    instances:
    - requestcount.quota
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: istio-system
spec:
  rules:
  - quotas:
    - charge: 1
      quota: requestcount.quota.istio-system
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: istio-system
spec:
  quotaSpecs:
  - name: request-count
    namespace: istio-system
  services:
  - name: feeds-stage
    namespace: default
```
Virtual Service
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: feeds-stage
  namespace: default
spec:
  hosts:
  - "feeds.com"
  gateways:
  - web-gateway
  http:
  - match:
    route:
    - destination:
        port:
          number: 80
        host: feeds-stage-external
```
Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: web-gateway
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  selector:
    istio: web-ingressgateway
  servers:
  - port:
      number: 80
      name: http-web
      protocol: HTTP
    hosts:
    - "feeds.com"
  - port:
      number: 443
      name: https-web
      protocol: HTTP
    hosts:
    - "feeds.com"
```
Also, Mixer traces out the following in the console, but I am unsure if they matter.
```
2019-02-01T23:11:09.195866Z warn Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
2019-02-01T23:11:09.598958Z error adapters adapter did not close all the scheduled daemons {"adapter": "handler.memquota.istio-system"}
2019-02-01T23:11:09.599075Z error adapters adapter did not close all the scheduled daemons {"adapter": "handler.kubernetesenv.istio-system"}
```