How to debug QuotaSpecBinding for rate-limits in istio?

8/6/2018

I am trying to enable rate limiting for my Istio-enabled service, but it doesn't work. How do I debug whether my configuration is correct?

apiVersion: config.istio.io/v1alpha2
kind: memquota
metadata:
  name: handler
  namespace: istio-system
spec:
  quotas:
  - name: requestcount.quota.istio-system
    maxAmount: 5
    validDuration: 1s
    overrides:
    - dimensions:
        engine: myEngineValue
      maxAmount: 5
      validDuration: 1s
---
apiVersion: config.istio.io/v1alpha2
kind: quota
metadata:
  name: requestcount
  namespace: istio-system
spec:
  dimensions:
    source: request.headers["x-forwarded-for"] | "unknown"
    destination: destination.labels["app"] | destination.service | "unknown"
    destinationVersion: destination.labels["version"] | "unknown"
    engine: destination.labels["engine"] | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: istio-system
spec:
  rules:
  - quotas:
    - charge: 1
      quota: requestcount
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: istio-system
spec:
  quotaSpecs:
  - name: request-count
    namespace: istio-system
  services:
  # - service: '*' ; I tried with this as well
  - name: my-service
    namespace: default
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  actions:
  - handler: handler.memquota
    instances:
    - requestcount.quota

I tried with - service: '*' as well in the QuotaSpecBinding, but no luck.

How do I confirm that my configuration is correct? my-service is the Kubernetes service for my deployment. (Does this have to be a VirtualService of Istio for rate limits to work? Edit: Yes, it has to!)

I followed this doc except the VirtualService part.

I have a feeling I am making a mistake somewhere in the namespaces.

-- enator
istio
kubernetes

1 Answer

8/7/2018

You have to define the virtual service for the service my-service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myservice
spec:
  hosts:
  - my-service          # must match the Kubernetes service name
  http:
  - route:
    - destination:
        host: my-service

This way, you allow Istio to know which host you are referring to.

In terms of debugging, I know that there is a project named Kiali that aims to leverage observability in Istio environments. I know that they have validations for some Istio and Kubernetes objects: Istio configuration browse.

-- Xavier Canal Masjuan
Source: StackOverflow
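
One way to check the name and namespace wiring the question asks about, as an added example that is not code from either poster or from the Istio project: it walks the reference chain rule -> handler/instance -> memquota limit, QuotaSpec -> quota instance, and QuotaSpecBinding -> QuotaSpec -> service, and reports anything that does not resolve. Assumptions: the manifests are passed as dicts (constructed inline here from the page's objects), references follow the `<name>.<kind>` and `<name>.<kind>.<namespace>` forms used in the manifests above, the VirtualService requirement is taken from the answer, and the VirtualService host is written as `my-service` to match the Service name.

```python
NS = "istio-system"
# Constructed sample: the page's objects reduced to their cross-referencing fields.
MANIFESTS = [
    {"kind": "memquota", "metadata": {"name": "handler", "namespace": NS},
     "spec": {"quotas": [{"name": "requestcount.quota.istio-system"}]}},
    {"kind": "quota", "metadata": {"name": "requestcount", "namespace": NS}},
    {"kind": "QuotaSpec", "metadata": {"name": "request-count", "namespace": NS},
     "spec": {"rules": [{"quotas": [{"charge": 1, "quota": "requestcount"}]}]}},
    {"kind": "QuotaSpecBinding", "metadata": {"name": "request-count", "namespace": NS},
     "spec": {"quotaSpecs": [{"name": "request-count", "namespace": NS}],
              "services": [{"name": "my-service", "namespace": "default"}]}},
    {"kind": "rule", "metadata": {"name": "quota", "namespace": NS},
     "spec": {"actions": [{"handler": "handler.memquota",
                           "instances": ["requestcount.quota"]}]}},
    {"kind": "VirtualService", "metadata": {"name": "myservice", "namespace": "default"},
     "spec": {"hosts": ["my-service"]}},
]

def check_quota_wiring(manifests):
    """Return dangling references; an empty list means the whole chain resolves."""
    ns_of = lambda m: m["metadata"].get("namespace", "default")
    kind = lambda k: [m for m in manifests if m["kind"] == k]
    have = {(m["kind"], m["metadata"]["name"], ns_of(m)) for m in manifests}
    limits = {q["name"] for h in kind("memquota") for q in h["spec"]["quotas"]}
    bad = []
    for rule in kind("rule"):
        ns = ns_of(rule)
        for act in rule["spec"]["actions"]:
            for ref in [act["handler"], *act["instances"]]:   # "<name>.<kind>"
                name, k = ref.split(".")[:2]
                if (k, name, ns) not in have:
                    bad.append(f"rule {rule['metadata']['name']}: {ref} not found in {ns}")
            for inst in act["instances"]:   # memquota keys limits by "<name>.<kind>.<ns>"
                if f"{inst}.{ns}" not in limits:
                    bad.append(f"memquota: no limit named {inst}.{ns}")
    for spec in kind("QuotaSpec"):
        for q in (q for r in spec["spec"]["rules"] for q in r["quotas"]):
            if ("quota", q["quota"], ns_of(spec)) not in have:
                bad.append(f"QuotaSpec: quota instance {q['quota']} not found")
    for b in kind("QuotaSpecBinding"):
        for ref in b["spec"]["quotaSpecs"]:
            if ("QuotaSpec", ref["name"], ref["namespace"]) not in have:
                bad.append(f"QuotaSpecBinding: QuotaSpec {ref['name']} not found")
        for svc in b["spec"]["services"]:
            hosts = [h for v in kind("VirtualService") if ns_of(v) == svc["namespace"]
                     for h in v["spec"]["hosts"]]
            if not any(h == svc["name"] or h.startswith(svc["name"] + ".") for h in hosts):
                bad.append(f"no VirtualService host for {svc['name']}")
    return bad
```

The same function can be fed the `items` of `kubectl get <kind> --all-namespaces -o json` output for each of the six kinds, concatenated into one list.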