emissary: Request with "x-ambassador-test-allow: probably" is 200 OK
Describe the bug I followed the rate limiting tutorial using minikube, but I don’t see 429 status codes as expected:
$ curl -i -H "x-ambassador-test-allow: probably" $AMBASSADORURL/qotm/quote/1
HTTP/1.1 200 OK
content-type: application/json
content-length: 147
server: envoy
date: Thu, 24 Jan 2019 09:30:47 GMT
x-envoy-upstream-service-time: 65
{"hostname":"qotm-7c6cccd985-4s8kg","ok":true,"quote":"A late night does not make any sense.","time":"2019-01-24T09:30:47.705604","version":"1.3"}
To Reproduce
Create a new Kubernetes cluster and install Ambassador quay.io/datawire/ambassador:0.50.0-rc5.
$ minikube delete
$ minikube start
Starting local Kubernetes v1.13.2 cluster...
$ kubectl apply -f https://www.getambassador.io/yaml/ambassador/ambassador-rbac.yaml
$ kubectl apply -f - <<<'
apiVersion: v1
kind: Service
metadata:
name: ambassador
spec:
selector:
service: ambassador
type: NodePort
ports:
- port: 80
# Propagate the original source IP of the client.
externalTrafficPolicy: Local
'
$ AMBASSADORURL=$(minikube service --url ambassador)
Then deploy a qotm service:
$ kubectl apply -f - <<<'
---
apiVersion: v1
kind: Service
metadata:
name: qotm
annotations:
getambassador.io/config: |
---
apiVersion: ambassador/v0
kind: Mapping
name: qotm_mapping
prefix: /qotm/
service: qotm
spec:
selector:
app: qotm
ports:
- port: 80
name: http-qotm
targetPort: http-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: qotm
spec:
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: qotm
spec:
containers:
- name: qotm
image: datawire/qotm:1.2
ports:
- name: http-api
containerPort: 5000
readinessProbe:
httpGet:
path: /health
port: 5000
initialDelaySeconds: 30
periodSeconds: 3
resources:
limits:
cpu: "0.1"
memory: 100Mi
'
and ratelimit service:
$ kubectl apply -f - <<<'
---
apiVersion: v1
kind: Service
metadata:
name: example-rate-limit
annotations:
getambassador.io/config: |
---
apiVersion: ambassador/v0
kind: RateLimitService
name: ratelimit
service: "example-rate-limit:5000"
spec:
type: ClusterIP
selector:
app: example-rate-limit
ports:
- port: 5000
name: http-example-rate-limit
targetPort: http-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: example-rate-limit
spec:
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: example-rate-limit
spec:
containers:
- name: example-rate-limit
image: agervais/ambassador-ratelimit-service:1.0.0
imagePullPolicy: Always
ports:
- name: http-api
containerPort: 5000
resources:
limits:
cpu: "0.1"
memory: 100Mi
'
Finally, add rate_limits to qotm service:
$ kubectl apply -f - <<<'
---
apiVersion: v1
kind: Service
metadata:
name: qotm
annotations:
getambassador.io/config: |
---
apiVersion: ambassador/v0
kind: Mapping
name: qotm_mapping
prefix: /qotm/
service: qotm
rate_limits:
- descriptor: A test case
headers:
- "x-ambassador-test-allow"
spec:
type: ClusterIP
selector:
app: qotm
ports:
- port: 80
name: http-qotm
targetPort: http-api
'
Expected behavior I expect 429 status code as described in the tutorial.
Versions (please complete the following information):
- Ambassador: 0.50.0-rc5
- Kubernetes environment: Minikube v0.33.1
- Version: v1.13.2
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 16 (2 by maintainers)
Can you reopen this issue as the rate limiting is still not working with the latest 2.0 dev version.
Maybe another idea…
Per https://www.envoyproxy.io/docs/envoy/v1.9.0/api-v2/config/filter/http/rate_limit/v2/rate_limit.proto a “rate_limit_service” needs to be defined for the HTTP filter chain. If not specified, any calls to the rate limit service will immediately return success. On my Ambassador 0.52 from the envoy config in the container it is not there:
It looks like older versions of Envoy did not require this: https://www.envoyproxy.io/docs/envoy/v1.8.0/api-v2/config/filter/http/rate_limit/v2/rate_limit.proto