Service to service rate limiting
TSB is capable of applying rate limits for both gateways and sidecars. In this document, we will enable rate limiting for sidecars to control quota for service to service traffic.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts.
✓ Install the TSB environment. You can use the TSB demo for a quick install.
✓ Complete the TSB usage quickstart. This document assumes you have already created a Tenant and are familiar with Workspaces and Config Groups. You also need to configure tctl for your TSB environment.
Enable Rate Limiting Server
Read and follow the instructions in the Enabling the Rate Limiting Server document.
If you are using the TSB demo installation, you already have a rate limit service running and ready to use, and can skip this section.
If you intend to use the same rate limiting server in a multi-cluster setup, all clusters must point to the same Redis backend and domain.
Deploy httpbin Service
Follow the instructions in this document to create the httpbin service. You can skip the sections "Expose the httpbin Service", "Create Certificates", and "Onboard httpbin Application".
Create TrafficSetting
Create a TrafficSetting object in a file named service-to-service-rate-limiting-traffic-setting.yaml. In this example the rate limit is set to a maximum of 4 requests per minute per path. Replace the organization and tenant with appropriate values:
apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  organization: <organization>
  tenant: <tenant>
  workspace: httpbin
  group: httpbin-traffic
  name: httpbin-traffic-settings-ratelimit
spec:
  inbound:
    rateLimiting:
      settings:
        rules:
          - dimensions:
              - header:
                  name: ":path"
                  value:
                    prefix: "/"
            limit:
              requestsPerUnit: 4
              unit: MINUTE
Apply the manifest using tctl:
tctl apply -f service-to-service-rate-limiting-traffic-setting.yaml
Deploy sleep Service
Since you will be configuring service-to-service rate limiting, another service to act as a client to your httpbin service is necessary.
Follow the instructions in this document to create the sleep service. You can skip the section on "Create a sleep Workspace".
Testing
You can test the rate limiting by sending HTTP requests from the sleep service to the httpbin service, and observe the rate limiting take effect after a certain number of requests.
To send a request from sleep service, you need to identify the pod within your sleep service. Execute the following command to find out the pod name:
kubectl get pod -n sleep -l app=sleep -o jsonpath='{.items..metadata.name}'
Then send a request from this pod to the httpbin service, which should be reachable at http://httpbin.httpbin:8000. Make sure to replace the value for sleep-pod with an appropriate value:
kubectl exec <sleep-pod> -n sleep -c sleep -- \
curl http://httpbin.httpbin:8000/get \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-H "X-B3-Sampled: 1"
Run the above command more than 4 times. After 4 requests, the response code that you see should change from 200 to 429.
Since the rate limiting rule is based on the request path, if you access another path on httpbin you should see a 200 response again:
kubectl exec <sleep-pod> -n sleep -c sleep -- \
curl http://httpbin.httpbin:8000/headers \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-H "X-B3-Sampled: 1"
Similar to the previous example, repeating the above command more than 4 times should result in the rate limiting activating, and you should start getting a 429 instead of 200.
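The manual test above can be scripted so the result is checked rather than read off the terminal. The following is an added example, not part of the TSB documentation; the function names probe and check_quota and the SLEEP_POD variable are hypothetical, and the namespace, container and URL are the ones used on this page.

```shell
#!/bin/sh
# Added example: repeats the curl from the Testing section and verifies that
# each path gets its own quota. Function and variable names are hypothetical.

# probe POD PATH COUNT: send COUNT requests from the sleep pod and
# print one HTTP status code per line.
probe() {
  probe_i=0
  while [ "$probe_i" -lt "$3" ]; do
    kubectl exec "$1" -n sleep -c sleep -- \
      curl "http://httpbin.httpbin:8000$2" \
      -s -o /dev/null -w "%{http_code}\n" -H "X-B3-Sampled: 1"
    probe_i=$((probe_i + 1))
  done
}

# check_quota LIMIT: read status codes on stdin. Succeeds only if the first
# LIMIT responses are 200 and every later response is 429.
check_quota() {
  cq_limit=$1
  cq_n=0
  while read -r cq_code || [ -n "$cq_code" ]; do
    [ -z "$cq_code" ] && continue
    cq_n=$((cq_n + 1))
    if [ "$cq_n" -le "$cq_limit" ]; then
      cq_want=200   # still inside the quota
    else
      cq_want=429   # quota exhausted, limiter must reject
    fi
    if [ "$cq_code" != "$cq_want" ]; then
      echo "request $cq_n: want $cq_want, got $cq_code"
      return 1
    fi
  done
  if [ "$cq_n" -le "$cq_limit" ]; then
    echo "only $cq_n responses; need more than $cq_limit to see the limit"
    return 1
  fi
  echo "ok: $cq_limit allowed, $((cq_n - cq_limit)) limited"
}

# Runs only when SLEEP_POD is set, e.g. SLEEP_POD=<sleep-pod> sh check.sh
if [ -n "${SLEEP_POD:-}" ]; then
  probe "$SLEEP_POD" /get 6 | check_quota 4        # limit from the TrafficSetting
  probe "$SLEEP_POD" /headers 6 | check_quota 4    # separate counter per path
fi
```

Let the one-minute quota reset before running it, since requests sent earlier in the same minute count against the limit and a run that straddles the reset will fail the check.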