Question:

EnvoyProxy rate limiting does not work in Istio 1.7

子车宏浚
2023-03-14

After applying the following script, I cannot see any rate limiting being applied in Istio 1.7.

---
apiVersion: v1
kind: Namespace
metadata:
  name: sock-shop
  labels:
    istio-injection: enabled
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
         name: envoy.rate_limit
         config:
           domain: sock-shop-ratelimit
           rate_limit_service:
             grpc_service:
               envoy_grpc:
                 cluster_name: rate_limit_service
               timeout: 0.25s
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.rate-limit.svc.cluster.local
      patch:
        operation: ADD
        value:
          name: rate_limit_service
          type: STRICT_DNS
          connect_timeout: 0.25s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          hosts:
            - socket_address:
                address: ratelimit.rate-limit.svc.cluster.local
                port_value: 8081
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: VIRTUAL_HOST
      match:
        context: GATEWAY
        routeConfiguration:
          vhost:
            name: "*:80"
            route:
              action: ANY
      patch:
        operation: MERGE
        value:
          # rate limit service descriptors config relies on the order of the request headers (descriptor_key)
          rate_limits:
            - actions:
                - request_headers:
                    header_name: "x-plan"
                    descriptor_key: "plan"               
                - request_headers:
                    header_name: "x-account"
                    descriptor_key: "account" 
---
apiVersion: v1
kind: Namespace
metadata:
  name: rate-limit
  labels:
    istio-injection: enabled
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: rate-limit
  labels:
    app: redis
spec:
  ports:
  - name: redis
    port: 6379
  selector:
    app: redis
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: rate-limit
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - image: redis:alpine
        imagePullPolicy: Always
        name: redis
        ports:
        - name: redis
          containerPort: 6379
      restartPolicy: Always
      serviceAccountName: ""
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
  namespace: rate-limit
data:
  # check this example: https://github.com/envoyproxy/ratelimit#example-4
  config.yaml: |
    domain: sock-shop-ratelimit
    descriptors:
      - key: plan
        value: BASIC
        descriptors:
          - key: account
            rate_limit:
              unit: minute
              requests_per_unit: 1
      - key: plan
        value: PLUS
        descriptors:
          - key: account
            rate_limit:
              unit: minute
              requests_per_unit: 2
---
apiVersion: v1
kind: Service
metadata:
  name: ratelimit
  namespace: rate-limit
  labels:
    app: ratelimit
spec:
  ports:
  - name: "8080"
    port: 8080
    targetPort: 8080
    protocol: TCP
  - name: "8081"
    port: 8081
    targetPort: 8081
    protocol: TCP
  - name: "6070"
    port: 6070
    targetPort: 6070
    protocol: TCP
  selector:
    app: ratelimit
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ratelimit
  namespace: rate-limit
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratelimit
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: ratelimit
    spec:
      containers:
      - image: envoyproxy/ratelimit:v1.4.0
        imagePullPolicy: Always
        name: ratelimit
        command: ["/bin/ratelimit"]
        env:
        - name: LOG_LEVEL
          value: debug
        - name: REDIS_SOCKET_TYPE
          value: tcp
        - name: REDIS_URL
          value: redis:6379
        - name: USE_STATSD
          value: "false"
        - name: RUNTIME_ROOT
          value: /data
        - name: RUNTIME_SUBDIRECTORY
          value: ratelimit
        ports:
        - containerPort: 8080
        - containerPort: 8081
        - containerPort: 6070
        volumeMounts:
        - name: config-volume
          mountPath: /data/ratelimit/config/config.yaml
          subPath: config.yaml
      volumes:
        - name: config-volume
          configMap:
            name: ratelimit-config
---

In addition to this, I also deployed the Istio bookinfo sample application

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

and configured the Istio ingress gateway route to this application

kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

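When I access the application through the ingress gateway with the relevant rate limit headers applied

    curl -I "http://$GATEWAY_URL/productpage" --header 'x-plan: BASIC' --header 'x-account: user'

it keeps giving me a 200 OK response no matter how many times I apply it, even though the applied limit is 2 requests per minute.

Also, when I try to look at the data in Redis, I cannot see any data there.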

export REDIS_POD=$(kubectl get pod -n rate-limit | grep redis | awk '{ print $1 }')

kubectl -n rate-limit exec -it $REDIS_POD -c redis /bin/sh

redis-cli

keys *

Any help would be greatly appreciated.

2 answers in total

宰宣
2023-03-14

Switching to Istio 1.6.2 worked for me, without any changes to the script.

宰父嘉胜
2023-03-14

What is your gateway setup?

You need to add exactly the same FQDN as the one used in the gateway:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: example-gateway
  namespace: example
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - example.com
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true

So, in this case, the vhost should be:

  configPatches:
    - applyTo: VIRTUAL_HOST
      match:
        context: GATEWAY
        routeConfiguration:
          vhost:
            name: "example.com:80"
            route:
              action: ANY
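
The check this answer describes, as an added example (not code from the original post or from Istio): it derives the `<host>:<port>` vhost names a Gateway produces and reports any VIRTUAL_HOST patch whose `vhost.name` matches none of them. The manifests are constructed dicts, the function names are hypothetical, and it assumes every Gateway passed in is bound to the ingress gateway the EnvoyFilter selects.

```python
# Added example. Assumption taken from the answer: a gateway virtual host is
# named "<host>:<port number>", using the host exactly as the Gateway lists it.

GATEWAY = {  # the Gateway shown in the answer, as a dict
    "kind": "Gateway",
    "metadata": {"name": "example-gateway", "namespace": "example"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"hosts": ["example.com"],
                          "port": {"name": "http", "number": 80, "protocol": "HTTP"}}]},
}

def envoy_filter(vhost_name):
    """Minimal EnvoyFilter carrying one VIRTUAL_HOST patch (constructed sample)."""
    match = {"context": "GATEWAY",
             "routeConfiguration": {"vhost": {"name": vhost_name,
                                              "route": {"action": "ANY"}}}}
    return {"kind": "EnvoyFilter",
            "metadata": {"name": "filter-ratelimit-svc", "namespace": "istio-system"},
            "spec": {"configPatches": [{"applyTo": "VIRTUAL_HOST", "match": match}]}}

def expected_vhost_names(gateways):
    """Every "<host>:<port>" name the given Gateways would generate."""
    names = set()
    for gw in gateways:
        for server in gw["spec"].get("servers", []):
            port = server["port"]["number"]
            for host in server.get("hosts", []):
                # Assumption: an optional "namespace/" prefix is not part of the name.
                names.add(f"{host.split('/', 1)[-1]}:{port}")
    return names

def unmatched_vhost_patches(ef, gateways):
    """vhost names in VIRTUAL_HOST patches that no Gateway would generate."""
    expected = expected_vhost_names(gateways)
    unmatched = []
    for patch in ef["spec"].get("configPatches", []):
        if patch.get("applyTo") != "VIRTUAL_HOST":
            continue  # HTTP_FILTER and CLUSTER patches do not match on vhost
        vhost = patch.get("match", {}).get("routeConfiguration", {}).get("vhost", {})
        name = vhost.get("name")
        if name is not None and name not in expected:
            unmatched.append(name)
    return unmatched

if __name__ == "__main__":
    for candidate in ("*:80", "example.com:80"):
        bad = unmatched_vhost_patches(envoy_filter(candidate), [GATEWAY])
        print(candidate, "->", "no matching vhost" if bad else "matches")
```

A patch reported here would be silently skipped, so the `rate_limits` actions never reach the route configuration and the rate limit service is never called.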