Use envoy's local_ratelimit

Networking
1

I’d like to use envoy’s local ratelimit to protect a workload in my scenario

I’m trying to use the envoy filter to merge the configuration with this

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ratelimit-test-workload
  namespace: test
spec:
  workloadSelector:
    labels:
      app: test-workload
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
      routeConfiguration:
        name: default
    patch:
      operation: MERGE
      value:
        typed_per_filter_config:
          envoy.filters.http.local_ratelimit:
            "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            stat_prefix: http_local_rate_limiter
            token_bucket:
              max_tokens: 100
              tokens_per_fill: 100
              fill_interval: 1s
            filter_enabled:
              runtime_key: local_rate_limit_enabled
              default_value:
                numerator: 100
                denominator: HUNDRED
            filter_enforced:
              runtime_key: local_rate_limit_enforced
              default_value:
                numerator: 100
                denominator: HUNDRED
            response_headers_to_add:
              - append: false
                header:
                  key: x-local-rate-limit
                  value: 'true'

but I’m receiving this error
admission webhook “validation.istio.io” denied the request: configuration is invalid: Envoy filter: unknown message type “envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit”

I’m using istio 1.5.10

2

looks like there is a test in 1.8 for this now, you might have to upgrade

3

Yeah, local http ratelimit was added very recently in Envoy and would thus be available in Istio 1.8+

4

Thanks guys, this will work only in envoy 1.6. I tried network local_ratelimit too but is not working too

Error from server: error when creating "ratelimit-test.yaml": admission webhook "validation.istio.io" denied the request: configuration is invalid: Envoy filter: can't unmarshal Any nested proto *envoy_config_filter_network_local_rate_limit_v2alpha.LocalRateLimit: json: cannot unmarshal object into Go value of type string

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ratelimit-test-workload
  namespace: test
spec:
  workloadSelector:
    labels:
      app: test-workload
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 15006
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.network.local_ratelimit
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.local_rate_limit.v2alpha.LocalRateLimit"
          stat_prefix: local_rate_limiter
          token_bucket:
            max_tokens: 100
            tokens_per_fill: 1
            fill_interval: 
              seconds: 60
5

Hi Guys,
The config is working. It was just an convert error from HTTP config to tcp

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ratelimit-test-workload
  namespace: test
spec:
  workloadSelector:
    labels:
      app: test-workload
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 15006
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.network.local_ratelimit
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.local_rate_limit.v2alpha.LocalRateLimit"
          stat_prefix: local_rate_limiter
          token_bucket:
            max_tokens: 100
            tokens_per_fill: 1
            fill_interval: 60s
2 Likes