MeshRateLimit
This policy uses the new policy matching algorithm. Do not combine with Rate Limit.
This policy enables per-instance service request limiting. The policy supports rate limiting of HTTP/HTTP2 requests and TCP connections.
The MeshRateLimit policy leverages Envoy’s local rate limiting for HTTP/HTTP2 and local rate limit filter for TCP connections.
You can configure:
- how many HTTP requests are allowed in a specified time period
- how the HTTP service responds when the limit is reached
- how many TCP connections are allowed in a specified time period
The policy is applied per service instance. This means that if a service backend has 3 instances rate limited to 100 requests per second, the overall service rate limit is 300 requests per second.
Rate limiting supports an ExternalService only when ZoneEgress is enabled.
TargetRef support matrix
TargetRef type | top level | to | from |
---|---|---|---|
Mesh | ✅ | ❌ | ✅ |
MeshSubset | ✅ | ❌ | ❌ |
MeshService | ✅ | ❌ | ❌ |
MeshServiceSubset | ✅ | ❌ | ❌ |
To learn more about the information in this table, see the matching docs.
Configuration
The MeshRateLimit policy supports both L4/TCP and L7/HTTP limiting. Envoy implements the token bucket algorithm for rate limiting.
HTTP Rate limiting
- disabled - (optional) - should rate limiting policy be disabled
- requestRate - configuration of the number of requests in the specific time window
  - num - the number of requests to limit
  - interval - the interval for which requests will be limited
- onRateLimit (optional) - actions to take on RateLimit event
  - status (optional) - the status code to return, defaults to 429
  - headers - (optional) headers which should be added to every rate limited response
Headers
- set - (optional) - list of headers to set. Overrides value if the header exists.
  - name - header’s name
  - value - header’s value
- add - (optional) - list of headers to add. Appends value if the header exists.
  - name - header’s name
  - value - header’s value
TCP Rate limiting
TCP rate limiting allows the configuration of a number of connections in the specific time window.
- disabled - (optional) - should rate limiting policy be disabled
- connectionRate - configuration of the number of connections in the specific time window
  - num - the number of requests to limit
  - interval - the interval for which connections will be limited
Examples
HTTP Rate limit configured for service backend from all services in the Mesh
apiVersion: kuma.io/v1alpha1
kind: MeshRateLimit
metadata:
  name: backend-rate-limit
  namespace: kuma-system
spec:
  targetRef:
    kind: MeshService
    name: backend
  from:
    - targetRef:
        kind: Mesh
      default:
        local:
          http:
            requestRate:
              num: 5
              interval: 10s
            onRateLimit:
              status: 423
              headers:
                set:
                  - name: "x-kuma-rate-limited"
                    value: "true"
We will apply the configuration with kubectl apply -f [..].
type: MeshRateLimit
mesh: default
name: backend-rate-limit
spec:
  targetRef:
    kind: MeshService
    name: backend
  from:
    - targetRef:
        kind: Mesh
      default:
        local:
          http:
            requestRate:
              num: 5
              interval: 10s
            onRateLimit:
              status: 423
              headers:
                set:
                  - name: "x-kuma-rate-limited"
                    value: "true"
We will apply the configuration with kumactl apply -f [..] or via the HTTP API.
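The following Python model is an added example, not code from Kuma or Envoy. It replays the HTTP policy above (num: 5, interval: 10s, status: 423, the x-kuma-rate-limited header) against one and three instances to show why the effective limit scales with the instance count. It assumes each bucket starts full and is topped up to num once per interval, and that requests are spread round-robin; the class, function and traffic names are hypothetical.

```python
class LocalBucket:
    """One instance's bucket (assumed model: holds `num` tokens,
    refilled by `num` per elapsed `interval`, capped at `num`)."""

    def __init__(self, num, interval):
        self.num, self.interval = num, interval   # requestRate.num / .interval (s)
        self.tokens, self.last_fill = num, 0.0    # bucket starts full

    def allow(self, now):
        # Discrete refill for every whole interval that has elapsed.
        fills = int((now - self.last_fill) // self.interval)
        if fills:
            self.tokens = min(self.num, self.tokens + fills * self.num)
            self.last_fill += fills * self.interval
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def simulate(instances, num, interval, arrivals, status=423):
    """Spread `arrivals` (timestamps in seconds) round-robin over
    per-instance buckets; return (time, instance, status, headers) tuples."""
    buckets = [LocalBucket(num, interval) for _ in range(instances)]
    results = []
    for i, t in enumerate(arrivals):
        idx = i % instances
        if buckets[idx].allow(t):
            results.append((t, idx, 200, {}))
        else:
            # Mirrors onRateLimit.status and onRateLimit.headers.set above.
            results.append((t, idx, status, {"x-kuma-rate-limited": "true"}))
    return results


def accepted(results):
    """Number of requests that were not rate limited."""
    return sum(1 for _, _, code, _ in results if code == 200)


# Constructed traffic: 20 requests in the first second, 20 more from t=10s.
BURST = [i * 0.05 for i in range(20)] + [10 + i * 0.05 for i in range(20)]

if __name__ == "__main__":
    for n in (1, 3):
        res = simulate(n, num=5, interval=10, arrivals=BURST)
        print(f"{n} instance(s): {accepted(res)} of {len(res)} requests accepted")
```

A client-visible budget therefore changes whenever the service is scaled, so limits meant as an abuse control should be sized with the expected replica count in mind.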
TCP rate limit for service backend from all services in the Mesh
apiVersion: kuma.io/v1alpha1
kind: MeshRateLimit
metadata:
  name: backend-rate-limit
  namespace: kuma-system
spec:
  targetRef:
    kind: MeshService
    name: backend
  from:
    - targetRef:
        kind: Mesh
      default:
        local:
          tcp:
            connectionRate:
              num: 5
              interval: 10s
We will apply the configuration with kubectl apply -f [..].
type: MeshRateLimit
name: backend-rate-limit
mesh: default
spec:
  targetRef:
    kind: MeshService
    name: backend
  from:
    - targetRef:
        kind: Mesh
      default:
        local:
          tcp:
            connectionRate:
              num: 5
              interval: 10s
We will apply the configuration with kumactl apply -f [..] or via the HTTP API.