Setting Up an External Rate Limiting Server
TSB supports using external rate limiting servers. This document will describe how to configure Envoy rate limit service and use it as external rate limiting server in TSB's Ingress Gateway through an example.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB environment. You can use TSB demo for quick install
✓ Completed TSB usage quickstart. This document assumes you already created Tenant and are familiar with Workspace and Config Groups. Also you need to configure tctl to your TSB environment.
While this document will only describe how to apply rate limiting using an external server for Ingress Gateway, you can do the same for Tier-1 Gateways and service-to-service (through TSB Traffic Settings) using a similar configuration.
Create the Namespace
In this example we will install the external rate limit service in ext-ratelimit
namespace.
Create the namespace if not already present in the target cluster by running the following command:
kubectl create namespace ext-ratelimit
Configure Rate Limit Service
Please read the Envoy rate limit documentation to learn the details about the concept of domains and descriptors.
Create a file name ext-ratelimit-config.yaml
with the following content. This configuration specifies that requests to every unique request path should be limited to 4 requests/minute.
apiVersion: v1
kind: ConfigMap
metadata:
name: ratelimit-config
namespace: ext-ratelimit
data:
config.yaml: |
domain: httpbin-ratelimit
descriptors:
- key: "request-path"
rate_limit:
unit: minute
requests_per_unit: 4
Then create a ConfigMap
using the file you created:
kubectl -n ext-ratelimit apply -f ext-ratelimit-config.yaml
Deploy Rate Limit Server and Redis
Deploy Redis and envoyproxy/ratelimit
. Create a file called redis-ratelimit.yaml
with the following contents:
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
####################################################################################
# Redis service and deployment
# Ratelimit service and deployment
####################################################################################
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: ext-ratelimit
labels:
app: redis
spec:
ports:
- name: redis
port: 6379
selector:
app: redis
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: ext-ratelimit
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- image: redis:alpine
imagePullPolicy: Always
name: redis
ports:
- name: redis
containerPort: 6379
restartPolicy: Always
serviceAccountName: ''
---
apiVersion: v1
kind: Service
metadata:
name: ratelimit
namespace: ext-ratelimit
labels:
app: ratelimit
spec:
ports:
- name: http-port
port: 8080
targetPort: 8080
protocol: TCP
- name: grpc-port
port: 8081
targetPort: 8081
protocol: TCP
- name: http-debug
port: 6070
targetPort: 6070
protocol: TCP
selector:
app: ratelimit
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ratelimit
namespace: ext-ratelimit
spec:
replicas: 1
selector:
matchLabels:
app: ratelimit
strategy:
type: Recreate
template:
metadata:
labels:
app: ratelimit
spec:
containers:
- image: envoyproxy/ratelimit:6f5de117 # 2021/01/08
imagePullPolicy: Always
name: ratelimit
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthcheck
port: 8080
scheme: HTTP
periodSeconds: 3
successThreshold: 1
timeoutSeconds: 1
command: ['/bin/ratelimit']
env:
- name: REDIS_HEALTH_CHECK_ACTIVE_CONNECTION
value: 'true'
- name: LOG_LEVEL
value: debug
- name: REDIS_SOCKET_TYPE
value: tcp
- name: REDIS_URL
value: redis:6379
- name: USE_STATSD
value: 'false'
- name: RUNTIME_ROOT
value: /data
- name: RUNTIME_SUBDIRECTORY
value: ratelimit
ports:
- containerPort: 8080
- containerPort: 8081
- containerPort: 6070
volumeMounts:
- name: config-volume
mountPath: /data/ratelimit/config/config.yaml
subPath: config.yaml
volumes:
- name: config-volume
configMap:
name: ratelimit-config
kubectl -f redis-ratelimit.yaml
If everything is successful, you should have a working rate limit server. Make sure that Redis and the rate limit server are running by executing the following command:
kubectl get pods -n ext-ratelimit
You should see an output resembling the following:
NAME READY STATUS RESTARTS AGE
ratelimit-d5c5b64ff-m87dt 1/1 Running 0 14s
redis-7d757c948f-42sxg 1/1 Running 0 14s
Configure Ingress Gateway
This example assumes that you are applying rate limit to the httpbin
workload. If you have not already done so, deploy the httpbin
service, create httpbin
Workspace and Config Groups and expose the service through an Ingress Gateway.
The following sample sets rate limiting on requests in the httpbin-ratelimit
domain. The request path is stored in descriptorKey
named request-path
, which is then used by the rate limit server.
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
name: httpbin-gateway # Need not be the same as spec.labels.app
organization: tetrate
tenant: tetrate
group: httpbin-gateway
workspace: httpbin
spec:
workloadSelector:
namespace: httpbin
labels:
app: httpbin-ingress-gateway # name of Ingress Gateway created for httpbin
http:
- name: httpbin
hostname: 'httpbin.tetrate.com'
port: 80
routing:
rules:
- route:
host: 'httpbin/httpbin.httpbin.svc.cluster.local'
port: 8000
rateLimiting:
externalService:
domain: 'httpbin-ratelimit'
rateLimitServerUri: 'grpc://ratelimit.ext-ratelimit.svc.cluster.local:8081'
rules:
- dimensions:
- requestHeaders:
headerName: ':path'
descriptorKey: request-path
Save this to a file named ext-ratelimit-ingress-gateway.yaml
, and apply it using tctl
:
tctl apply -f ext-ratelimit-ingress-gateway.yaml
Testing
You can test the rate limiting by sending HTTP requests from an external machine or your local environment to the httpbin Ingress Gateway, and observe the rate limiting take effect after a certain number of requests.
In the following example, since you do not control httpbin.tetrate.com, you will have to trick curl into thinking that httpbin.tetrate.com resolves to the IP address of the Ingress Gateway.
Obtain the IP address of the Ingress Gateway that you previously created using the following command.
kubectl -n httpbin get service httpbin-ingress-gateway \
-o jsonpath='{.status.loadBalancer.ingress[0].ip}'
Then execute the following command to send HTTP requests to the httpbin service through the Ingress Gateway. Replace the gateway-ip with the value you obtained in the previous step.
curl -k "http://httpbin.tetrate.com/get" \
--resolve "httpbin.tetrate.com:80:<gateway-ip>" \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-H "X-B3-Sampled: 1"
For the first 4 requests you should see "200" on your screen. After that, you should start seeing "429" instead.
You can change the request path to another unique value to get a successful response.
curl -k "http://httpbin.tetrate.com/headers" \
--resolve "httpbin.tetrate.com:80:<gateway-ip>" \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-H "X-B3-Sampled: 1"
After 4 requests, you should start seeing "429" again, until you change the request path.
Considerations for Using Rate Limiting Server over Multiple Clusters
In case you would like to share the same rate limiting rules against multiple cluster, there are two possible choices:
- Deploy a single rate limit service in one cluster, and make it reachable from all other clusters that share the rules, or
- Deploy rate limit services in each cluster, but make them all use the same Redis backend.
In the second scenario, you will have to make Redis accessible from all clusters. Each rate limit server should also use the same domain value.