EnvoyProxy速率限制在Istio 1.7中不起作用
通过应用以下脚本,我无法看到istio 1.7中应用的速率限制。
---
apiVersion: v1
kind: Namespace
metadata:
name: sock-shop
labels:
istio-injection: enabled
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: filter-ratelimit
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.rate_limit
config:
domain: sock-shop-ratelimit
rate_limit_service:
grpc_service:
envoy_grpc:
cluster_name: rate_limit_service
timeout: 0.25s
- applyTo: CLUSTER
match:
cluster:
service: ratelimit.rate-limit.svc.cluster.local
patch:
operation: ADD
value:
name: rate_limit_service
type: STRICT_DNS
connect_timeout: 0.25s
lb_policy: ROUND_ROBIN
http2_protocol_options: {}
hosts:
- socket_address:
address: ratelimit.rate-limit.svc.cluster.local
port_value: 8081
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: filter-ratelimit-svc
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: VIRTUAL_HOST
match:
context: GATEWAY
routeConfiguration:
vhost:
name: "*:80"
route:
action: ANY
patch:
operation: MERGE
value:
# rate limit service descriptors config relays on the order of the request headers (desriptor_key)
rate_limits:
- actions:
- request_headers:
header_name: "x-plan"
descriptor_key: "plan"
- request_headers:
header_name: "x-account"
descriptor_key: "account"
apiVersion: v1
kind: Namespace
metadata:
name: rate-limit
labels:
istio-injection: enabled
---
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: rate-limit
labels:
app: redis
spec:
ports:
- name: redis
port: 6379
selector:
app: redis
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: rate-limit
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- image: redis:alpine
imagePullPolicy: Always
name: redis
ports:
- name: redis
containerPort: 6379
restartPolicy: Always
serviceAccountName: ""
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ratelimit-config
namespace: rate-limit
data:
# check this example: https://github.com/envoyproxy/ratelimit#example-4
config.yaml: |
domain: sock-shop-ratelimit
descriptors:
- key: plan
value: BASIC
descriptors:
- key: account
rate_limit:
unit: minute
requests_per_unit: 1
- key: plan
value: PLUS
descriptors:
- key: account
rate_limit:
unit: minute
requests_per_unit: 2
---
apiVersion: v1
kind: Service
metadata:
name: ratelimit
namespace: rate-limit
labels:
app: ratelimit
spec:
ports:
- name: "8080"
port: 8080
targetPort: 8080
protocol: TCP
- name: "8081"
port: 8081
targetPort: 8081
protocol: TCP
- name: "6070"
port: 6070
targetPort: 6070
protocol: TCP
selector:
app: ratelimit
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ratelimit
namespace: rate-limit
spec:
replicas: 1
selector:
matchLabels:
app: ratelimit
strategy:
type: Recreate
template:
metadata:
labels:
app: ratelimit
spec:
containers:
- image: envoyproxy/ratelimit:v1.4.0
imagePullPolicy: Always
name: ratelimit
command: ["/bin/ratelimit"]
env:
- name: LOG_LEVEL
value: debug
- name: REDIS_SOCKET_TYPE
value: tcp
- name: REDIS_URL
value: redis:6379
- name: USE_STATSD
value: "false"
- name: RUNTIME_ROOT
value: /data
- name: RUNTIME_SUBDIRECTORY
value: ratelimit
ports:
- containerPort: 8080
- containerPort: 8081
- containerPort: 6070
volumeMounts:
- name: config-volume
mountPath: /data/ratelimit/config/config.yaml
subPath: config.yaml
volumes:
- name: config-volume
configMap:
name: ratelimit-config
---
除此之外,我还部署了istio bookinfo示例应用程序
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
已配置到此应用的istio入口网关路由
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
当我通过应用相关的速率限制标头通过入口网关访问应用程序时
curl -I "http://"$GATEWAY_URL/productpage" --header 'x-plan: BASIC' --header 'x-account: user'
它一直给我200个OK响应,不管我应用它多少次,尽管应用的rimit是每分钟2个请求。
此外,当我试图在redis中查看数据时,在那里看不到任何数据。
export REDIS_POD=$(kubectl get pod -n rate-limit | grep redis | awk '{ print $1 }')
kubectl -n rate-limit exec -it $REDIS_POD -c redis /bin/sh
redis-cli
keys *
任何人都将不胜感激。
共有2个答案
切换到istio 1.6.2对我来说很有效,脚本没有任何变化。
您的网关设置是什么?
您需要添加与网关中使用的完全相同的fqdn:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: example-gateway
namespace: example
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- example.com
port:
name: http
number: 80
protocol: HTTP
tls:
httpsRedirect: true
因此,在这种情况下,vhost应为:
configPatches:
- applyTo: VIRTUAL_HOST
match:
context: GATEWAY
routeConfiguration:
vhost:
name: "example.com:80"
route:
action: ANY
-
速率限制配置参考 filter.http.RateLimit filter.http.RateLimit proto { "domain": "...", "stage": "...", "request_type": "...", "timeout": "{...}" } domain (string, REQUIRED) 需要调用速率限制服务时的域。 stage (uint3
-
速率限制配置参考。 filter.network.RateLimit filter.network.RateLimit proto { "stat_prefix": "...", "domain": "...", "descriptors": [], "timeout": "{...}" } stat_prefix (string, REQUIRED) 发布统计信息时使用的前缀。
-
速率限制配置概述。 { "name": "rate_limit", "config": { "domain": "...", "stage": "...", "request_type": "...", "timeout_ms": "..." } } domain (required, string) 调用速率限制服务时使用的域。 stage (opt
-
速率限制配置参考。 { "name": "ratelimit", "config": { "stat_prefix": "...", "domain": "...", "descriptors": [], "timeout_ms": "..." } } stat_prefix (required, string) 发布统计信息时使用的前缀。 domai
-
速率限制架构概述 v1 API 参考 v2 API 参考 当请求的路由或虚拟主机有一个或多个符合过滤器设置的速率限制配置时,HTTP速率限制过滤器将调用速率限制服务。路由可以选择包含虚拟主机速率限制配置。可配置多个应用于请求。每个配置描述符都会导致被发送到速率限制服务。 如果速率限制服务被调用,并且任何响应超出限制的描述符,都将返回429响应。 组成操作 注意:本文是为v1 API编写的,但这些概
-
全局限速架构概述 v1 API 参考 v2 API 参考 统计 每个配置的速率限制过滤器的统计信息均以ratelimit.<stat_prefix>.为前缀。统计如下: 名称 类型 描述 total Counter 请求限速服务的总数 error Counter 限速服务请求失败的总数 over_limit Counter 限速服务的响应上限 ok Counter 限速服务的响应下限 cx_clo