Rate Limit

The RateLimit policy leverages Envoy’s local rate limitingRate Limit - 图1 (opens new window) to allow for per-instance service request limiting. All HTTP/HTTP2 based requests are supported.

You can configure how many requests are allowed in a specified time period, and how the service responds when the limit is reached.

The policy is applied per service instance. This means that if a service backend has 3 instances rate limited to 100 requests per second, the overall service is rate limited to 300 requests per second.

Usage

  1. apiVersion: kuma.io/v1alpha1
  2. kind: RateLimit
  3. mesh: default
  4. metadata:
  5. name: rate-limit-all-to-backend
  6. spec:
  7. sources:
  8. - match:
  9. kuma.io/service: "*"
  10. destinations:
  11. - match:
  12. kuma.io/service: backend
  13. conf:
  14. http:
  15. requests: 5
  16. interval: 10s
  17. onRateLimit:
  18. status: 423
  19. headers:
  20. - key: "x-kuma-rate-limited"
  21. value: "true"
  22. append: true

Apply the configuration with kubectl apply -f [..].

  1. type: RateLimit
  2. mesh: default
  3. name: rate-limit-all-to-backend
  4. sources:
  5. - match:
  6. kuma.io/service: "*"
  7. destinations:
  8. - match:
  9. kuma.io/service: backend
  10. conf:
  11. http:
  12. requests: 5
  13. interval: 10s
  14. onRateLimit:
  15. status: 423
  16. headers:
  17. - key: "x-kuma-rate-limited"
  18. value: "true"
  19. append: true

Apply the configuration with kumactl apply -f [..] or with the HTTP API.

Configuration fields

The conf section of the RateLimit resource provides the following configuration options:

  • http -
    • requests - the number of requests to limit
    • interval - the interval for which requests will be limited
    • onRateLimit (optional) - actions to take on RateLimit event
      • status (optional) - the status code to return, defaults to 429
      • headers - list of headers which should be added to every rate limited response:
        • key - the name of the header
        • value - the value of the header
        • append (optional) - should the value of the provided header be appended to already existing headers (if present)

Matching sources

This policy is applied on the destination data plane proxy and generates a set of matching rules for the originating service. These matching rules are ordered from the most specific one, to the more generic ones. Given the following RateLimit resources:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: RateLimit
  3. mesh: default
  4. metadata:
  5. name: rate-limit-all-to-backend
  6. spec:
  7. sources:
  8. - match:
  9. kuma.io/service: "*"
  10. destinations:
  11. - match:
  12. kuma.io/service: backend
  13. conf:
  14. http:
  15. requests: 5
  16. interval: 10s
  17. ---
  18. apiVersion: kuma.io/v1alpha1
  19. kind: RateLimit
  20. mesh: default
  21. metadata:
  22. name: rate-limit-frontend
  23. spec:
  24. sources:
  25. - match:
  26. kuma.io/service: "frontend"
  27. destinations:
  28. - match:
  29. kuma.io/service: backend
  30. conf:
  31. http:
  32. requests: 10
  33. interval: 10s
  34. ---
  35. apiVersion: kuma.io/v1alpha1
  36. kind: RateLimit
  37. mesh: default
  38. metadata:
  39. name: rate-limit-frontend-zone-eu
  40. spec:
  41. sources:
  42. - match:
  43. kuma.io/service: "frontend"
  44. kuma.io/zone: "eu"
  45. destinations:
  46. - match:
  47. kuma.io/service: backend
  48. conf:
  49. http:
  50. requests: 20
  51. interval: 10s

The service backend is configured with the following rate limiting hierarchy:

  • rate-limit-frontend-zone-eu
  • rate-limit-frontend
  • rate-limit-all-to-backend