I configured rate-limiting correctly according to the Istio tutorial, and it worked. But when I lowered the limit, it seemed that rate-limiting had not changed. Here are all my configuration files. I hope you can give me some help. Thank you very much.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: quotahandler
  namespace: istio-system
spec:
  compiledAdapter: memquota
  params:
    quotas:
    - name: requestcountquota.instance.istio-system
      maxAmount: 500
      validDuration: 1s
      overrides:
      - dimensions:
          destination: productpage
          source: "10.28.11.20"
        maxAmount: 500
        validDuration: 1s
      - dimensions:
          destination: productpage
        maxAmount: 500  # Here I increased the number of requests per second.
        validDuration: 1s
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestcountquota
  namespace: istio-system
spec:
  compiledTemplate: quota
  params:
    dimensions:
      source: request.headers["x-forwarded-for"] | "unknown"
      destination: destination.labels["app"] | destination.service.name | "unknown"
      destinationVersion: destination.labels["version"] | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: istio-system
spec:
  rules:
  - quotas:
    - charge: 1
      quota: requestcountquota
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: istio-system
spec:
  quotaSpecs:
  - name: request-count
    namespace: istio-system
  services:
  - name: productpage
    namespace: default
  # - service: '*'  # Uncomment this to bind *all* services to request-count
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  # quota only applies if you are not logged in.
  # match: match(request.headers["cookie"], "user=*") == false
  actions:
  - handler: quotahandler
    instances:
    - requestcountquota
At first, I configured it directly:
      - dimensions:
          destination: productpage
        maxAmount: 1
        validDuration: 5s
Rate-limiting works well. When I configure:
      - dimensions:
          destination: productpage
        maxAmount: 500
        validDuration: 1s
The request will still return 429 after a short time, although this configuration (500/s) should be unrestricted at this time. During the test, I visited the k8s productpage service IP directly, such as curl 10.233.5.240:9080/productpage.
I hope you can tell me why. Thank you very much for your answer.
I've solved this problem. It was because the istio-policy component had insufficient resources (CPU and memory), as too little is allocated by default, which made the policy ineffective. But I don't know why. Please explain what's in memquota or redisquota. Aren't quota configurations all in Envoy configurations?
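
A simplified model of how the memquota handler posted above resolves a limit, added here as an example (not part of the original post and not Mixer's code): the first override whose dimensions all match is used, top to bottom, and the count is kept in a sliding window. It assumes a direct curl carries no x-forwarded-for header, so `source` falls back to "unknown"; the function and class names are hypothetical.

```python
from collections import deque

# Quota limits transcribed from the quotahandler in the post.
DEFAULT = {"maxAmount": 500, "validDuration": 1.0}
OVERRIDES = [
    {"dimensions": {"destination": "productpage", "source": "10.28.11.20"},
     "maxAmount": 500, "validDuration": 1.0},
    {"dimensions": {"destination": "productpage"},
     "maxAmount": 500, "validDuration": 1.0},
]

def instance_dimensions(headers, dest_app):
    """Model of the instance expressions: header value, else the "unknown" fallback."""
    return {"source": headers.get("x-forwarded-for", "unknown"),
            "destination": dest_app or "unknown"}

def pick_limit(dims, overrides=OVERRIDES, default=DEFAULT):
    """First override (top to bottom) whose dimensions all match wins; else the default."""
    for idx, ov in enumerate(overrides):
        if all(dims.get(k) == v for k, v in ov["dimensions"].items()):
            return idx, ov["maxAmount"], ov["validDuration"]
    return None, default["maxAmount"], default["validDuration"]

class SlidingWindow:
    """Simplified sliding-window counter (a model, not Mixer's implementation)."""
    def __init__(self, max_amount, valid_duration):
        self.max_amount, self.valid_duration = max_amount, valid_duration
        self.grants = deque()  # timestamps of requests still inside the window

    def allow(self, now):
        while self.grants and now - self.grants[0] >= self.valid_duration:
            self.grants.popleft()
        if len(self.grants) < self.max_amount:
            self.grants.append(now)
            return True
        return False  # the caller would receive 429

def count_rejected(max_amount, valid_duration, rate_per_s, seconds):
    """Replay evenly spaced requests (constructed load) and count rejections."""
    window = SlidingWindow(max_amount, valid_duration)
    total = int(rate_per_s * seconds)
    return sum(not window.allow(i / rate_per_s) for i in range(total))

if __name__ == "__main__":
    dims = instance_dimensions({}, "productpage")  # direct curl, no x-forwarded-for
    idx, amount, duration = pick_limit(dims)
    print("override", idx, "->", amount, "per", duration, "s")
    print("rejected at 50 req/s:", count_rejected(amount, duration, 50, 10))
    print("rejected with 1 per 5s:", count_rejected(1, 5.0, 50, 10))
```

If this model shows no rejections at the tested rate while the mesh still returns 429, the limit values are not the cause and the policy component itself is the next thing to inspect.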