Has anyone been able to set local rate limit with descriptors in Istio 1.9+?
I have not been able to find the right place to put the rate limit actions to work with local rate limit. I see examples with setting it for global rate limit config.
I am not sure if this is a limitation in EnvoyFilter API w.r.t. how local rate limit with descriptors’ actions need to be set up for Envoy to work correctly. For reference, I have opened this issue in git: "EnvoyFilter configuration for http local rate limit with descriptors" (Issue #31324, istio/istio, GitHub).
Update: it turns out we can configure the local rate limit descriptors’ actions for the route like this.
```yaml
- applyTo: HTTP_ROUTE
  match:
    context: SIDECAR_INBOUND
    routeConfiguration:
      vhost:
        name: "inbound|http|8000"
        route:
          name: "default"
  patch:
    operation: MERGE
    value:
      route:
        rate_limits:
        - actions:
          - request_headers:
              header_name: user-id
              descriptor_key: id
      typed_per_filter_config:
        envoy.filters.http.local_ratelimit:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
          value:
```
This is my full config
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpbin-inbound-8000
  namespace: app-namespace
spec:
  workloadSelector:
    labels:
      app: httpbin
  configPatches:
    # 1) Insert the local rate limit HTTP filter into the filter chain.
    - applyTo: HTTP_FILTER
      # `listener` has to be nested under `match` in an EnvoyFilter config patch
      match:
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter
    # 2) Attach the descriptor actions and the per-route limits to the inbound route.
    - applyTo: HTTP_ROUTE
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          vhost:
            name: "inbound|http|8000"
      patch:
        operation: MERGE
        value:
          route:
            rate_limits:
              - actions:
                  - request_headers:
                      header_name: "user-id"
                      descriptor_key: "ID"
          typed_per_filter_config:
            envoy.filters.http.local_ratelimit:
              "@type": type.googleapis.com/udpa.type.v1.TypedStruct
              type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              value:
                stat_prefix: http_local_rate_limiter
                descriptors:
                  # each descriptor limit MUST be a multiple of the
                  # default limit, otherwise the sidecar fails to inject
                  # or the config fails to update on an existing sidecar, with:
                  # "local rate descriptor limit is not a multiple of token bucket fill timer"
                  - entries:
                      - key: ID
                        value: a
                    token_bucket:
                      max_tokens: 2
                      tokens_per_fill: 2
                      fill_interval: 20s
                  - entries:
                      - key: ID
                        value: b
                    token_bucket:
                      max_tokens: 2
                      tokens_per_fill: 2
                      fill_interval: 20s
                filter_enabled:
                  runtime_key: local_rate_limit_enabled
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
                filter_enforced:
                  runtime_key: local_rate_limit_enforced
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
                response_headers_to_add:
                  - append: false
                    header:
                      key: x-local-rate-limit
                      value: 'true'
                # default bucket, used when no descriptor matches
                token_bucket:
                  max_tokens: 10
                  tokens_per_fill: 10
                  fill_interval: 20s
```
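An added example (not part of the original post, and not Istio or Envoy code): a small Python lint for the two mistakes this route patch invites, a descriptor whose `fill_interval` is not a multiple of the default bucket's, and a descriptor `key` that differs from the `descriptor_key` the action emits (`id` vs `ID`), which leaves those requests on the default bucket. It assumes the error quoted in the config comment refers to `fill_interval` and that keys are compared case-sensitively; `to_ms`, `lint` and `sample` are hypothetical names, and the input is constructed to mirror the post's config.

```python
import re

def to_ms(duration):
    """Parse a protobuf JSON duration such as '20s' or '0.5s' into milliseconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration!r}")
    return round(float(m.group(1)) * 1000)

def lint(patch_value):
    """Return problems found in the `value` of one HTTP_ROUTE patch."""
    cfg = patch_value["typed_per_filter_config"]["envoy.filters.http.local_ratelimit"]["value"]
    base = to_ms(cfg["token_bucket"]["fill_interval"])
    # Descriptor keys the route's actions can emit (assumed case-sensitive match).
    emitted = {a["request_headers"]["descriptor_key"]
               for rl in patch_value["route"].get("rate_limits", [])
               for a in rl["actions"] if "request_headers" in a}
    problems = []
    for i, d in enumerate(cfg.get("descriptors", [])):
        # Assumption: this is the check behind the error quoted in the post.
        if to_ms(d["token_bucket"]["fill_interval"]) % base:
            problems.append(f"descriptor {i}: fill_interval not a multiple of {base} ms")
        for e in d["entries"]:
            if e["key"] not in emitted:
                problems.append(f"descriptor {i}: key {e['key']!r} never emitted by rate_limits")
    return problems

def sample(descriptor_key="ID", descriptor_fill="20s"):
    """Constructed input mirroring the route patch in the post (one descriptor kept)."""
    bucket = lambda n, fill: {"max_tokens": n, "tokens_per_fill": n, "fill_interval": fill}
    return {
        "route": {"rate_limits": [{"actions": [{"request_headers": {
            "header_name": "user-id", "descriptor_key": descriptor_key}}]}]},
        "typed_per_filter_config": {"envoy.filters.http.local_ratelimit": {"value": {
            "token_bucket": bucket(10, "20s"),
            "descriptors": [{"entries": [{"key": "ID", "value": "a"}],
                             "token_bucket": bucket(2, descriptor_fill)}],
        }}},
    }

if __name__ == "__main__":
    for label, cfg in [("as posted", sample()),
                       ("action emits 'id', descriptor expects 'ID'", sample(descriptor_key="id")),
                       ("30s descriptor, 20s default", sample(descriptor_fill="30s"))]:
        print(label, "->", lint(cfg) or "ok")
```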