istio: configuring rate limit for the API does not take effect
Bug Description
Multiple accesses to `/ip` will not return 429.
I did not deploy Redis and ratelimit.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-local-ratelimit-svc-httpbin
  namespace: boook
spec:
  workloadSelector:
    labels:
      app: httpbin
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter
              token_bucket:
                max_tokens: 10
                tokens_per_fill: 10
                fill_interval: 60s
              descriptors:
                - entries:
                    - key: "PATH"
                      value: "/ip"
                  token_bucket:
                    max_tokens: 1
                    tokens_per_fill: 1
                    fill_interval: 120s
              filter_enabled:
                runtime_key: local_rate_limit_enabled
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              filter_enforced:
                runtime_key: local_rate_limit_enforced
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              response_headers_to_add:
                - append: false
                  header:
                    key: cbcccbbb
                    value: 'true'
```
```
/ $ curl -I http://httpbin.boook:8000/ip
HTTP/1.1 200 OK
server: envoy
date: Sun, 26 Sep 2021 09:24:07 GMT
content-type: application/json
content-length: 28
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 3
/ $ curl -I http://httpbin.boook:8000/ip
HTTP/1.1 200 OK
server: envoy
date: Sun, 26 Sep 2021 09:24:07 GMT
content-type: application/json
content-length: 28
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 9
```
ratelimit image: envoyproxy/ratelimit:40393342
Version
```
# ~/istio-1.11.1/bin/istioctl version
client version: 1.11.1
control plane version: 1.10.0
data plane version: 1.10.0 (9 proxies)
```
Additional Information
NONE
Is this the right place to submit this?
- This is not a security vulnerability
- This is not a question about how to use Istio
About this issue
- State: closed
- Created 3 years ago
- Comments: 17 (17 by maintainers)
Besides `:path`, there are some other special headers that can be used in `requestHeaders`, like `:method`, `:authority`, `:scheme`, `host`. All the attributes can be represented as headers, so maybe no need to add a `requestPath` or other configs.

@xichengliudui The `rateLimits.actions` is also needed in the `localratelimit` to define the descriptors so that envoy can understand what `PATH` means. You can add a configPatch in that EnvoyFilter. Without that configPatch, on your condition, the global ratelimit (10 tokens per 60s) is working.
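
A configPatch of the kind the last comment describes could look like the following. It is an added example, not taken from the issue thread or from the Istio project; matching every inbound route (`action: ANY`, with no virtual host name) is an assumption made here so that no vhost name has to be guessed.

```yaml
# Added example: an extra entry for spec.configPatches of the
# filter-local-ratelimit-svc-httpbin EnvoyFilter shown in the report.
# It attaches a rate-limit action to the inbound routes so that each
# request produces a ("PATH", <value of :path>) descriptor entry, which
# the local rate limit filter then compares with its `descriptors` list.
- applyTo: HTTP_ROUTE
  match:
    context: SIDECAR_INBOUND
    routeConfiguration:
      vhost:
        # Assumption: no vhost name is given, so the patch applies to every
        # inbound route of the workloads selected by workloadSelector.
        route:
          action: ANY
  patch:
    operation: MERGE
    value:
      route:
        rate_limits:
          - actions:
              # descriptor_key must equal the entry key in the filter
              # config ("PATH"); the entry value is the :path header.
              # :path includes the query string, so "/ip?x=1" does not
              # match the "/ip" descriptor and is counted against the
              # filter-level token_bucket (10 tokens per 60s) instead.
              - request_headers:
                  header_name: ":path"
                  descriptor_key: "PATH"
```

With this entry in place, a second `curl -I http://httpbin.boook:8000/ip` inside the 120s fill interval is expected to be answered with 429, because the `/ip` descriptor bucket holds a single token.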