TSB comes with a rate limiting server component for every control plane cluster. By default this is disabled.
The rate limit server can be enabled by explicitly specifying configuration for the rateLimitServer component in the ControlPlane Operator API and applying it to the relevant control plane clusters.
The rateLimitServer component requires a Redis backend to keep track of the rate limiting attribute counts, and the details of that backend must be included in the configuration.
Your Control Plane operator configuration may look like the example below:
# ... omitted ...
Note the introduction of rateLimitServer in the
The value for domain is used to group the storage metadata for rate limits. Specifying the same domain for all Control Planes will effectively allow you to configure global rate limiting across all clusters. If you use different values for domain, then the rate limiting effects are localized to only those clusters that are looking at the same domain. This assumes that the Control Planes are specifying the same Redis server.
We recommend that you specify the same domain only within clusters in the same geographic region, for example
The value for redis-uri is the server name and port of the Redis instance to use.
You are responsible for making sure that this URI is reachable from the control plane cluster(s).
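The scoping rule described above (clusters share rate limit counters only when both domain and Redis server match) can be checked against an inventory of Control Planes. The following Python sketch is an added example, not part of TSB or its documentation; the inventory, cluster names, regions and Redis hostnames are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed inventory (not from the TSB docs): one entry per Control Plane,
# with the domain and redis-uri taken from its rateLimitServer configuration.
CONTROL_PLANES = [
    {"cluster": "us-east-a", "region": "us-east", "domain": "tsb-us", "redis_uri": "redis-us.example.internal:6379"},
    {"cluster": "us-east-b", "region": "us-east", "domain": "tsb-us", "redis_uri": "Redis-US.example.internal:6379"},
    {"cluster": "eu-west-a", "region": "eu-west", "domain": "tsb-us", "redis_uri": "redis-us.example.internal:6379"},
    {"cluster": "eu-west-b", "region": "eu-west", "domain": "tsb-eu", "redis_uri": "redis-eu.example.internal:6379"},
    {"cluster": "eu-west-c", "region": "eu-west", "domain": "tsb-eu", "redis_uri": "redis-eu2.example.internal:6379"},
]


def normalize_uri(uri):
    """Assumes 'host:port'; host names are compared case-insensitively."""
    host, _, port = uri.strip().rpartition(":")
    return f"{host.lower()}:{port}"


def shared_scopes(control_planes):
    """Group clusters that share counters: same domain AND same Redis server."""
    scopes = defaultdict(list)
    for cp in control_planes:
        scopes[(cp["domain"], normalize_uri(cp["redis_uri"]))].append(cp)
    return dict(scopes)


def audit(control_planes):
    """Return findings for scopes that do not match the guidance above."""
    findings = []
    scopes = shared_scopes(control_planes)
    # A shared scope spanning regions goes against the same-region recommendation.
    for (domain, uri), members in sorted(scopes.items()):
        regions = sorted({cp["region"] for cp in members})
        if len(regions) > 1:
            findings.append(("cross-region-scope", domain, uri, regions))
    # Same domain on different Redis servers: counters are NOT shared there.
    by_domain = defaultdict(set)
    for domain, uri in scopes:
        by_domain[domain].add(uri)
    for domain, uris in sorted(by_domain.items()):
        if len(uris) > 1:
            findings.append(("split-domain", domain, sorted(uris)))
    return findings


if __name__ == "__main__":
    print(*audit(CONTROL_PLANES), sep="\n")
```

A "split-domain" finding means limits that look global from the configuration are in fact enforced per Redis server, so the effective limit is higher than intended.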
If your Redis database requires a password, you can either create the secret yourself:
kubectl -n istio-system create secret generic \
Or, if you are running TSB >= 1.4.0, you can specify it using the --redis-password argument of the tctl install manifest control-plane-secrets command to generate the appropriate secrets.
Deploying The Server
Create a manifest using the example shown so far. Make sure to include all of the necessary fields for the Control Plane that have been omitted in the previous example.
If you are updating an existing Control Plane, you can use kubectl get controlplane -n istio-system -o yaml to obtain the current values.
Save the manifest into a file, e.g. control-plane-with-rate-limiting.yaml, and then apply it using kubectl:
kubectl apply -f control-plane-with-rate-limiting.yaml
To check if the rate limit server is properly running in the cluster, execute the following command:
kubectl get pods -n istio-system | grep ratelimit
ratelimit-server-864654b5b5-d77bq 1/1 Running 2 2d1h