Istio rating limit with redisquota not taken into account

7/28/2020

I'm trying to use rate limiting with Istio (I've already done it with Envoy, but the project manager wants me to try it that way). I based my config on the Istio tutorial. I tried a few different things but can't make it work, and I don't even know how to debug this. Kiali doesn't give any nice information about quotas, rules, ... My goal is to limit the traffic to a service to a max of 2 requests per XX seconds. You can find my code here if you want to give it a try: https://github.com/hagakure/istio_rating.

The first step I did was: istioctl install --set meshConfig.disablePolicyChecks=false --set values.pilot.policy.enabled=true as said on the Istio website

Then I added some YAML config:

My service:

apiVersion: v1
kind: Service
metadata:
  name: hello-world-svc
  namespace: rate-limit
spec:
  selector:
    app: hello-world
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80

Exposed by Istio:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hello-world-gateway
  namespace: rate-limit
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http-web
        protocol: HTTP
      hosts:
        - '*'
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hello-world-vs
  namespace: rate-limit
spec:
  hosts:
    - "*"
  gateways:
    - hello-world-gateway
  http:
    - route:
        - destination:
            port:
              number: 80
            host: hello-world-svc.rate-limit.svc.cluster.local

My rate-limiting configuration for istio:

apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestcount
  namespace: rate-limit
spec:
  compiledTemplate: quota
  params:
    dimensions:
      destination: destination.labels["app"] | destination.service.host | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: quota
  namespace: rate-limit
spec:
  rules:
    - quotas:
        - quota: requestcount.instance.rate-limit
          charge: 1
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: quota-binding
  namespace: rate-limit
spec:
  quotaSpecs:
    - name: quota
      namespace: rate-limit
  services:
    - service: '*'
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: quotahandler
  namespace: rate-limit
spec:
  compiledAdapter: redisquota
  params:
      redisServerUrl: localhost:6379
      connectionPoolSize: 10
      quotas:
      - name: requestcount.instance.rate-limit
        maxAmount: 2
        validDuration: 30s
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota-rule
  namespace: rate-limit
spec:
  actions:
  - handler: quotahandler.handler.rate-limit
    instances:
    - requestcount.instance.rate-limit

But nothing happens, I can curl the service as much as I want, no problem :'(

-- Fieux cédric
istio
kubernetes
rate-limiting

1 Answer

7/28/2020

1.6.2 I know it's deprecated but it is still usable, no?

As mentioned in the documentation

The mixer policy is deprecated in Istio 1.5 and not recommended for production usage.

Consider using Envoy native rate limiting instead of mixer rate limiting. Istio will add support for native rate limiting API through the Istio extensions API.

As far as I know, Mixer no longer exists when you install Istio; the documentation says that

If you depend on specific Mixer features like out of process adapters, you may re-enable Mixer. Mixer will continue receiving bug fixes and security fixes until Istio 1.7.

But I couldn't find proper documentation on how to do that.

There is an older GitHub issue about rate limiting when Mixer is deprecated.


I've already done it with Envoy, but the project manager wants me to try it that way

There is a GitHub issue with an Envoy filter rate limiting example, which, as mentioned in the above issue and the documentation, should be used now instead of the deprecated rate limiting from the Istio documentation. So I would recommend talking with your project manager about that. This is actually the right way to go.


About the issue which might occur if you have used an older version of Istio with Mixer, or you have enabled it somehow on newer versions.

Take a look at this github issue.

There were some issues with the commands from documentation you mentioned

istioctl install --set meshConfig.disablePolicyChecks=false --set values.pilot.policy.enabled=true 

Instead you should use

istioctl install --set values.pilot.policy.enabled=true --set values.global.policyCheckFailOpen=true

OR

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  values:
    pilot:
      policy:
        enabled: true
    global:
      policyCheckFailOpen: true

Hope you find this information useful.

-- Jakub
Source: StackOverflow
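
Added example (not from the original question or answer, and not Istio or Mixer code): a small model of what the quota in the question is meant to enforce (maxAmount: 2, validDuration: 30s), and of what a fail-open setting such as policyCheckFailOpen=true means when the policy check cannot be completed. It assumes a fixed-window algorithm; the class and function names, status codes and sample traffic are constructed for illustration.

```python
# Added illustration, not Istio or Mixer code: a fixed-window quota using the
# question's handler values (maxAmount: 2, validDuration: 30s).
class PolicyCheckUnavailable(Exception):
    """The policy check could not be completed (policy service unreachable)."""

class FixedWindowQuota:
    def __init__(self, max_amount=2, valid_duration=30):
        self.max_amount = max_amount          # maxAmount
        self.valid_duration = valid_duration  # validDuration, in seconds
        self.windows = {}                     # dimension key -> [window_start, used]

    def charge(self, key, now, policy_up=True, amount=1):
        """True if `amount` still fits in the current window for `key`."""
        if not policy_up:
            raise PolicyCheckUnavailable(key)
        window = self.windows.setdefault(key, [now, 0])
        if now - window[0] >= self.valid_duration:  # window expired, start a new one
            window[0], window[1] = now, 0
        if window[1] + amount > self.max_amount:
            return False
        window[1] += amount
        return True

def check(quota, key, now, policy_up, fail_open):
    """Status a caller would see: 200 allowed, 429 over quota, 503 check failed."""
    try:
        return 200 if quota.charge(key, now, policy_up) else 429
    except PolicyCheckUnavailable:
        # Fail-open passes traffic unmetered; fail-closed rejects it.
        return 200 if fail_open else 503

def replay(events, fail_open):
    """Run (timestamp_s, key, policy_up) events through a fresh quota."""
    quota = FixedWindowQuota()
    return [check(quota, key, ts, up, fail_open) for ts, key, up in events]

# Constructed sample traffic: three requests to one destination and one to another
# inside a window, one after it expires, then three while the check is unavailable.
SAMPLE = [(0, "hello-world", True), (1, "hello-world", True),
          (2, "hello-world", True), (3, "other-svc", True),
          (31, "hello-world", True), (40, "hello-world", False),
          (41, "hello-world", False), (42, "hello-world", False)]

if __name__ == "__main__":
    print("fail-open:  ", replay(SAMPLE, fail_open=True))
    print("fail-closed:", replay(SAMPLE, fail_open=False))
```

With fail-open, the last three requests all return 200 even though only one more would fit in the window, so a run of unlimited 200s with no 429 is worth checking against the health of the policy path before concluding the quota rules are wrong.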