Basic rate limit policy

Control the rate of requests to a destination or route. The following example shows you how to create a basic rate limit policy that applies to a destination or route, based on a generic key.

For more in-depth examples of the Envoy and Set-style rate limiting APIs, see More rate limit policy examples.

Before you begin

  1. Complete the demo setup to install Gloo Mesh, Istio, and Bookinfo in your cluster.

  2. Make sure that the rate limit server is installed and running.

    kubectl get pods --context ${REMOTE_CONTEXT1} -A -l app=rate-limiter
    
  3. Create the Gloo Mesh resources for this policy in the management and workload clusters. For more information about the rate limit server and client configuration resources, see Rate limit server setup.

    The following files are examples only for testing purposes. Your actual setup might vary. You can use the files as a reference for creating your own tests.

    1. Download the following Gloo Mesh resources:
    2. Apply the files to your management cluster.
      kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-1.yaml --context ${MGMT_CONTEXT}
      kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-2.yaml --context ${MGMT_CONTEXT}
      kubectl apply -f workspace_gloo-mesh_anything.yaml --context ${MGMT_CONTEXT}
      
    1. Download the following Gloo Mesh resources:

    2. Apply the files to your workload cluster.

      kubectl apply -f rate-limit-server-config_gloo-mesh-addons_rl-server-config.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f rate-limit-server-settings_bookinfo_rl-server.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f rate-limit-client-config_bookinfo_rl-client-config.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f route-table_bookinfo_www-example-com.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f virtual-gateway_bookinfo_north-south-gw.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f workspace-settings_bookinfo_anything.yaml --context ${REMOTE_CONTEXT1}
      

Configure rate limit policies

You can apply a rate limit policy at the destination or route level. For more information, see Applying policies.

Review the following sample configuration files. Continue to the Verify rate limit policies section for example steps on how to check that rate limiting is working.


# Destination-level policy: selects destinations labeled app: reviews on port 9080.
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: RateLimitPolicy
metadata:
  name: rl-policy
  namespace: bookinfo
spec:
  applyToDestinations:
  - port:
      number: 9080
    selector:
      labels:
        app: reviews
  config:
    ratelimitClientConfig:
      name: rl-client-config
    ratelimitServerConfig:
      name: rl-server-config
      namespace: gloo-mesh-addons
    serverSettings:
      name: rl-server

# Route-level policy: selects routes labeled route: ratings.
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: RateLimitPolicy
metadata:
  name: rl-policy
  namespace: bookinfo
spec:
  applyToRoutes:
  - route:
      labels:
        route: ratings
  config:
    ratelimitClientConfig:
      name: rl-client-config
    ratelimitServerConfig:
      name: rl-server-config
      namespace: gloo-mesh-addons
    serverSettings:
      name: rl-server

Review the following table to understand this configuration.

| Setting | Description |
|---|---|
| spec.applyToDestinations | Configure which destinations to apply the policy to, by using labels. Destinations can be a Kubernetes service, VirtualService, or ExternalService. If you do not specify any destinations or routes, the rate limit policy applies to all destinations in the workspace by default. If you do not specify any destinations but you do specify a route, the rate limit applies to the route but to no destinations. In this example, the rate limit policy applies to all destinations in the workspace with the app: reviews label. |
| spec.applyToRoutes | Configure which routes to apply the policy to, by using labels. The label matches the app and the route from the route table. If omitted, the policy applies to all routes in the workspace. In this example, the rate limit policy applies to all routes in the workspace with the route: ratings label. |
| config | The ratelimitServerConfig is required. The serverSettings and ratelimitClientConfig are optional, and can be added manually in the policy. In this example, the rate limit policy refers to the client config, server config, and server settings that you downloaded before you began. For more information, see Rate limit server setup. |

Verify rate limit policies

  1. Update and apply the example rate limit policy in your example setup.
    1. Download the rate limit policy for destinations.
    2. Apply the policy.
      kubectl apply -f rate-limit-policy_bookinfo_rl-policy.yaml --context ${REMOTE_CONTEXT1}
      
    1. Download the rate limit policy for routes.
    2. Apply the policy.
      kubectl apply -f rate-limit-policy_bookinfo_rl-policy.yaml --context ${REMOTE_CONTEXT1}
      
  2. Create a curl pod to test east-west traffic from within the Istio mesh.
    kubectl run curl -n bookinfo --image=radial/busyboxplus:curl -i --tty --context $REMOTE_CONTEXT1
    
  3. Send a request. For routes, you curl the ratings app through the ingress gateway to test north-south rate limiting. For destinations, you curl the reviews app from within the curl pod to test east-west rate limiting.

     Routes (north-south, through the ingress gateway):

       curl -vik --connect-timeout 1 --max-time 5 --resolve www.example.com:32746:35.194.86.237:32746 https://www.example.com:32746/productpage/1

     Destinations (east-west, from within the curl pod):

       curl reviews:9080/reviews/1 -v

  4. Repeat each request. Because the rate limit policy limits requests to 1 per day, the request results in a 429 - Too Many Requests error.
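
One way to script the repeat-and-check from step 4, as an added example that is not part of the original documentation. `check_rate_limit` and `probe` are hypothetical helper names, and the status codes passed on the last line are constructed sample input so the block runs offline.

```shell
#!/bin/sh
# Added example; check_rate_limit and probe are hypothetical helper names.

# check_rate_limit LIMIT CODE...
# Passes only when the first LIMIT responses are 2xx and every later one is 429.
check_rate_limit() {
  limit=$1; shift
  n=0
  for code in "$@"; do
    n=$((n + 1))
    if [ "$n" -le "$limit" ]; then
      case "$code" in
        2??) ;;
        *) echo "FAIL: request $n returned $code before the quota of $limit was used"
           return 1 ;;
      esac
    elif [ "$code" != "429" ]; then
      echo "FAIL: request $n returned $code, expected 429"
      return 1
    fi
  done
  if [ "$n" -le "$limit" ]; then
    echo "FAIL: only $n request(s) sent, the limit was never exceeded"
    return 1
  fi
  echo "PASS: $limit allowed, $((n - limit)) rejected with 429"
}

# probe COUNT CURL_ARGS...: print one HTTP status code per request.
probe() {
  count=$1; shift
  i=0
  while [ "$i" -lt "$count" ]; do
    curl -s -o /dev/null -w '%{http_code}\n' --max-time 5 "$@"
    i=$((i + 1))
  done
}

# Live use, destinations (inside the curl pod):
#   check_rate_limit 1 $(probe 3 reviews:9080/reviews/1)
# Live use, routes (through the ingress gateway, address as in step 3):
#   check_rate_limit 1 $(probe 3 -k --resolve www.example.com:32746:35.194.86.237:32746 \
#     https://www.example.com:32746/productpage/1)

# Constructed sample input (not captured output), so the block runs offline.
check_rate_limit 1 200 429 429
```

A 429 on the very first request means the quota of 1 per day was already used by an earlier test, which the check reports as a failure rather than a pass.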