Rate Limiting in non-mesh kube pods



I am trying to implement rate limiting on pods that do not have an envoy sidecar pod. I am stuck at this point and need some help.

My first question is whether this is even possible.

Can a connection to a pod be rate limited if it doesn’t have an envoy sidecar, but its traffic does go through an ingress-gateway?

If so, my configs are below. These are valid in mixer. However, they do not seem to do anything, as artillery runs at around 100rps return all 200’s.

The example application was tested and did work correctly; however, I would like to not use sidecars until we are ready.

Any help would be greatly appreciated.

Rate Limit Rules

apiVersion: "config.istio.io/v1alpha2"
kind: memquota
metadata:
  name: handler
  namespace: istio-system
spec:
  quotas:
  - name: requestcount.quota.istio-system
    maxAmount: 1
    validDuration: 1s
---
apiVersion: "config.istio.io/v1alpha2"
kind: quota
metadata:
  name: requestcount
  namespace: istio-system
spec:
  dimensions:
    source: request.headers["true-client-ip"] | "unknown"
    destination: destination.service.name | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  actions:
  - handler: handler.memquota
    instances:
    - requestcount.quota
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: istio-system
spec:
  rules:
  - quotas:
    - charge: 1
      quota: requestcount.quota.istio-system
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: istio-system
spec:
  quotaSpecs:
  - name: request-count
    namespace: istio-system
  services:
  - name: feeds-stage
    namespace: default

Virtual Service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: feeds-stage
  namespace: default
spec:
  hosts:
  - "feeds.com"
  gateways:
  - web-gateway
  http:
  - match:
    route:
    - destination:
        port:
          number: 80
        host: feeds-stage-external

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: web-gateway
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  selector:
    istio: web-ingressgateway
  servers:
  - port:
      number: 80
      name: http-web
      protocol: HTTP
    hosts:
    - "feeds.com"
  - port:
      number: 443
      name: https-web
      protocol: HTTP
    hosts:
    - "feeds.com"

Also, mixer traces out the following in the console, but I am unsure if they matter.

2019-02-01T23:11:09.195866Z	warn	Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2019-02-01T23:11:09.598958Z	error	adapters	adapter did not close all the scheduled daemons	{"adapter": "handler.memquota.istio-system"}
2019-02-01T23:11:09.599075Z	error	adapters	adapter did not close all the scheduled daemons	{"adapter": "handler.kubernetesenv.istio-system"}
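
An added example, not part of the original post and not Mixer's code: a simplified model of the memquota settings posted above (maxAmount 1, validDuration 1s, keyed on the true-client-ip header and the destination), replaying a constant 100 rps run to show the status mix to expect if the quota were actually being checked. The fixed-window counter, the 429 status for an exhausted quota, and the names FixedWindowQuota and replay are assumptions of this sketch.

```python
"""Simplified model of the posted quota (added example, not Mixer code)."""
from collections import defaultdict

MAX_AMOUNT = 1        # memquota maxAmount from the post
VALID_DURATION = 1.0  # memquota validDuration (1s) from the post
CHARGE = 1            # QuotaSpec charge from the post


class FixedWindowQuota:
    """One counter per (source, destination) pair, reset every window.

    Assumption: fixed windows for simplicity; this is not Mixer's algorithm.
    """

    def __init__(self, max_amount=MAX_AMOUNT, window=VALID_DURATION):
        self.max_amount = max_amount
        self.window = window
        self.used = defaultdict(int)

    def check(self, now, headers, destination):
        # Same fallback as the posted quota instance: header value or "unknown".
        source = headers.get("true-client-ip", "unknown")
        key = (source, destination, int(now // self.window))
        if self.used[key] + CHARGE > self.max_amount:
            return 429  # assumed status for an exhausted quota
        self.used[key] += CHARGE
        return 200


def replay(rps, seconds, headers, destination="feeds-stage"):
    """Replay a constant-rate load from one client and tally status codes."""
    quota = FixedWindowQuota()
    tally = defaultdict(int)
    for i in range(rps * seconds):
        tally[quota.check(i / rps, headers, destination)] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed sample client address (documentation range).
    print(replay(100, 5, {"true-client-ip": "203.0.113.7"}))
```

Under this model an enforced quota lets roughly one request per second through per client, so a run that returns only 200s means the quota check is not being applied to those requests. Requests without the true-client-ip header all share the single "unknown" bucket.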
