Basic rate limit policy
Control the rate of requests to a destination or route. The following example shows you how to create a basic rate limit policy that applies to a destination or route, based on a generic key.
For more in-depth examples of the Envoy and Set-style rate limiting APIs, see More rate limit policy examples.
Before you begin
- Complete the demo setup to install Gloo Mesh, Istio, and Bookinfo in your cluster.
- Make sure that the rate limit server is installed and running.
  kubectl get pods --context ${REMOTE_CONTEXT1} -A -l app=rate-limiter
- Create the Gloo Mesh resources for this policy in the management and workload clusters. For more information about the rate limit server and client configuration resources, see Rate limit server setup.
  The following files are examples only for testing purposes. Your actual setup might vary. You can use the files as a reference for creating your own tests.
  - Download the following Gloo Mesh resources:
  - Apply the files to your management cluster.
    kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-1.yaml --context ${MGMT_CONTEXT}
    kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-2.yaml --context ${MGMT_CONTEXT}
    kubectl apply -f workspace_gloo-mesh_anything.yaml --context ${MGMT_CONTEXT}
- Download the following Gloo Mesh resources:
  - Rate limit server:
  - Rate limit client config
  - Resources to test policies that apply to routes:
  - Workspace settings
- Apply the files to your workload cluster.
  kubectl apply -f rate-limit-server-config_gloo-mesh-addons_rl-server-config.yaml --context ${REMOTE_CONTEXT1}
  kubectl apply -f rate-limit-server-settings_bookinfo_rl-server.yaml --context ${REMOTE_CONTEXT1}
  kubectl apply -f rate-limit-client-config_bookinfo_rl-client-config.yaml --context ${REMOTE_CONTEXT1}
  kubectl apply -f route-table_bookinfo_www-example-com.yaml --context ${REMOTE_CONTEXT1}
  kubectl apply -f virtual-gateway_bookinfo_north-south-gw.yaml --context ${REMOTE_CONTEXT1}
  kubectl apply -f workspace-settings_bookinfo_anything.yaml --context ${REMOTE_CONTEXT1}
Configure rate limit policies
You can apply a rate limit policy at the destination or route level. For more information, see Applying policies.
Review the following sample configuration files. Continue to the Verify rate limit policies section for example steps on how to check that rate limiting is working.
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: RateLimitPolicy
metadata:
  name: rl-policy
  namespace: bookinfo
spec:
  applyToDestinations:
  - port:
      number: 9080
    selector:
      labels:
        app: reviews
  config:
    ratelimitClientConfig:
      name: rl-client-config
    ratelimitServerConfig:
      name: rl-server-config
      namespace: gloo-mesh-addons
    serverSettings:
      name: rl-server

apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: RateLimitPolicy
metadata:
  name: rl-policy
  namespace: bookinfo
spec:
  applyToRoutes:
  - route:
      labels:
        route: ratings
  config:
    ratelimitClientConfig:
      name: rl-client-config
    ratelimitServerConfig:
      name: rl-server-config
      namespace: gloo-mesh-addons
    serverSettings:
      name: rl-server
Setting | Description |
---|---|
spec.applyToDestinations | Configure which destinations to apply the policy to, by using labels. Destinations can be a Kubernetes service, VirtualService, or ExternalService. If you do not specify any destinations or routes, the rate limit policy applies to all destinations in the workspace by default. If you do not specify any destinations but you do specify a route, the rate limit applies to the route but to no destinations. In this example, the rate limit policy applies to all destinations in the workspace with the app: reviews label. |
spec.applyToRoutes | Configure which routes to apply the policy to, by using labels. The label matches the app and the route from the route table. If omitted, the policy applies to all routes in the workspace. In this example, the rate limit policy applies to all routes in the workspace with the route: ratings label. |
config | The ratelimitServerConfig is required. The serverSettings and ratelimitClientConfig are optional, and can be added manually in the policy. In this example, the rate limit policy refers to the client config, server config, and server settings that you downloaded before you began. For more information, see Rate limit server setup. |
Verify rate limit policies
- Update and apply the example rate limit policy in your example setup.
  - Download the rate limit policy for destinations.
  - Apply the policy.
    kubectl apply -f rate-limit-policy_bookinfo_rl-policy.yaml --context ${REMOTE_CONTEXT1}
  - Download the rate limit policy for routes.
  - Apply the policy.
    kubectl apply -f rate-limit-policy_bookinfo_rl-policy.yaml --context ${REMOTE_CONTEXT1}
- Create a curl pod to test east-west traffic from within the Istio mesh.
  kubectl run curl -n bookinfo --image=radial/busyboxplus:curl -i --tty --context $REMOTE_CONTEXT1
- Send a request. For routes, you curl the ratings app through the ingress gateway to test north-south rate limiting. For destinations, you curl the reviews app from within the curl pod to test east-west rate limiting.
  curl -vik --connect-timeout 1 --max-time 5 --resolve www.example.com:32746:35.194.86.237:32746 https://www.example.com:32746/productpage/1
  curl reviews:9080/reviews/1 -v
- Repeat each request. Because the rate limit policy limits requests to 1 per day, the request results in a 429 - Too Many Requests error.
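
The repeat-and-check step can be scripted so that a timeout or a 5xx response is not mistaken for a working limit. The following is an added example, not part of the original documentation: the function names `probe` and `check_limit` and the verdict strings are assumptions made for illustration, and the sample status codes are constructed.

```shell
#!/bin/sh
# Added example (not from the Gloo Mesh docs): decide from HTTP status codes
# whether a rate limit of N requests per window is actually being enforced.

# probe URL COUNT [curl args...]: send COUNT requests, print one status per line.
# curl prints 000 when it cannot connect or times out.
probe() {
  local url=$1 count=$2 i=0
  shift 2
  while [ "$i" -lt "$count" ]; do
    curl -sk -o /dev/null --connect-timeout 1 --max-time 5 \
      -w '%{http_code}\n' "$@" "$url" || true
    i=$((i + 1))
  done
}

# check_limit ALLOWED: read status codes on stdin and print a verdict.
# Returns 0 only when 429s appear and no more than ALLOWED requests succeeded.
check_limit() {
  local allowed=$1 code total=0 ok=0 limited=0 other=0
  while read -r code; do
    if [ -z "$code" ]; then continue; fi
    total=$((total + 1))
    case $code in
      2??) ok=$((ok + 1)) ;;
      429) limited=$((limited + 1)) ;;
      *)   other=$((other + 1)) ;;
    esac
  done
  if [ "$other" -gt 0 ]; then
    # Timeouts or 5xx say nothing about the limit; do not count them as a pass.
    echo "ERROR other=$other"; return 2
  elif [ "$total" -le "$allowed" ]; then
    # Too few requests to exceed the limit, so nothing was tested.
    echo "INCONCLUSIVE total=$total"; return 3
  elif [ "$limited" -eq 0 ] || [ "$ok" -gt "$allowed" ]; then
    echo "NOT_ENFORCED ok=$ok limited=$limited"; return 1
  fi
  echo "ENFORCED ok=$ok limited=$limited"
}

# Constructed sample for a limit of 1: first request passes, repeats are rejected.
printf '200\n429\n429\n' | check_limit 1
```

For a live check, pipe the two functions together, for example `probe reviews:9080/reviews/1 3 | check_limit 1`. A run in which every response is 429 still reports `ENFORCED`, because the daily quota may already have been spent by an earlier request.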