MeshRateLimit

This policy uses the new policy matching algorithm. Do not combine it with Rate Limit.

This policy enables per-instance service request limiting. The policy supports rate limiting of HTTP/HTTP2 requests and TCP connections.

The MeshRateLimit policy leverages Envoy’s local rate limiting for HTTP/HTTP2 and local rate limit filter for TCP connections.

You can configure:

  • how many HTTP requests are allowed in a specified time period
  • how the HTTP service responds when the limit is reached
  • how many TCP connections are allowed in a specified time period

The policy is applied per service instance. This means that if a service backend has 3 instances rate limited to 100 requests per second, the overall service rate limit is 300 requests per second.

Rate limiting supports an ExternalService only when ZoneEgress is enabled.

TargetRef support matrix

targetRef                Allowed kinds
targetRef.kind           Mesh, MeshSubset
from[].targetRef.kind    Mesh

targetRef                Allowed kinds
targetRef.kind           Mesh, MeshGateway, MeshGateway with listener tags
to[].targetRef.kind      Mesh

MeshRateLimit isn’t supported on delegated gateways.

To learn more about the information in this table, see the matching docs.

Configuration

The MeshRateLimit policy supports both L4/TCP and L7/HTTP limiting. Envoy implements the token bucket algorithm for rate limiting.
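The following added example (not part of the Kuma documentation or code) simulates per-instance token bucket limiting to show how the effective service limit scales with the number of instances. It assumes that num is both the bucket capacity and the refill amount per interval, and that requests are spread round-robin across instances; the names TokenBucket and simulate are hypothetical.

```python
# Added illustration, not Kuma or Envoy code. Assumption: each instance holds a
# bucket of `num` tokens that is topped back up to `num` once per `interval`.

class TokenBucket:  # hypothetical name
    def __init__(self, num, interval):
        self.num = num              # requestRate.num
        self.interval = interval    # requestRate.interval, in seconds
        self.tokens = num           # bucket starts full
        self.last_fill = 0.0

    def allow(self, now):
        """Consume one token at time `now` (seconds); False means rate limited."""
        fills = int((now - self.last_fill) // self.interval)
        if fills > 0:
            self.tokens = min(self.num, self.tokens + fills * self.num)
            self.last_fill += fills * self.interval
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def simulate(instances, num, interval, arrivals):
    """Spread arrival timestamps round-robin over `instances` independent
    buckets and return (allowed, limited) for the service as a whole."""
    buckets = [TokenBucket(num, interval) for _ in range(instances)]
    allowed = sum(buckets[i % instances].allow(t) for i, t in enumerate(arrivals))
    return allowed, len(arrivals) - allowed


# Constructed traffic: a burst of 60 requests in 6 s, and a steady 1 request/s for 20 s.
BURST = [k * 0.1 for k in range(60)]
STEADY = [float(t) for t in range(20)]

if __name__ == "__main__":
    for n in (1, 3):
        print(f"{n} instance(s), num=5 interval=10s:",
              "burst", simulate(n, 5, 10, BURST),
              "steady", simulate(n, 5, 10, STEADY))
```

With three instances the steady 1 request/s client is never limited, so when the limit is meant to cap a client (for example against brute forcing or resource exhaustion), size num against the expected instance count.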

HTTP Rate limiting

  • disabled - (optional) - whether the rate limiting policy should be disabled
  • requestRate - configuration of the number of requests in the specific time window
    • num - the number of requests to limit
    • interval - the interval for which requests will be limited
  • onRateLimit (optional) - actions to take on RateLimit event
    • status (optional) - the status code to return, defaults to 429
    • headers - (optional) headers which should be added to every rate limited response

Headers

  • set - (optional) - list of headers to set. Overrides value if the header exists.
    • name - header’s name
    • value - header’s value
  • add - (optional) - list of headers to add. Appends value if the header exists.
    • name - header’s name
    • value - header’s value

TCP Rate limiting

TCP rate limiting allows the configuration of a number of connections in the specific time window.

  • disabled - (optional) - whether the rate limiting policy should be disabled
  • connectionRate - configuration of the number of connections in the specific time window
    • num - the number of connections to limit
    • interval - the interval for which connections will be limited

Examples

HTTP Rate limit configured for service backend from all services in the Mesh

Kubernetes:

    apiVersion: kuma.io/v1alpha1
    kind: MeshRateLimit
    metadata:
      name: backend-rate-limit
      namespace: kuma-demo
      labels:
        kuma.io/mesh: default
    spec:
      targetRef:
        kind: MeshSubset
        tags:
          app: backend
      from:
        - targetRef:
            kind: Mesh
          default:
            local:
              http:
                requestRate:
                  num: 5
                  interval: 10s
                onRateLimit:
                  status: 423
                  headers:
                    set:
                      - name: x-kuma-rate-limited
                        value: 'true'

Universal:

    type: MeshRateLimit
    mesh: default
    name: backend-rate-limit
    spec:
      targetRef:
        kind: MeshSubset
        tags:
          app: backend
      from:
        - targetRef:
            kind: Mesh
          default:
            local:
              http:
                requestRate:
                  num: 5
                  interval: 10s
                onRateLimit:
                  status: 423
                  headers:
                    set:
                      - name: x-kuma-rate-limited
                        value: 'true'

TCP rate limit for service backend from all services in the Mesh

Kubernetes:

    apiVersion: kuma.io/v1alpha1
    kind: MeshRateLimit
    metadata:
      name: backend-rate-limit
      namespace: kuma-demo
      labels:
        kuma.io/mesh: default
    spec:
      targetRef:
        kind: MeshSubset
        tags:
          app: backend
      from:
        - targetRef:
            kind: Mesh
          default:
            local:
              tcp:
                connectionRate:
                  num: 5
                  interval: 10s

Universal:

    type: MeshRateLimit
    name: backend-rate-limit
    mesh: default
    spec:
      targetRef:
        kind: MeshSubset
        tags:
          app: backend
      from:
        - targetRef:
            kind: Mesh
          default:
            local:
              tcp:
                connectionRate:
                  num: 5
                  interval: 10s

All policy options