MeshRateLimit
This policy uses the new policy matching algorithm. Do not combine it with the older RateLimit policy.
This policy enables per-instance service request limiting. It supports rate limiting of HTTP/HTTP2 requests and of TCP connections.
The MeshRateLimit policy leverages Envoy's local rate limit HTTP filter for HTTP/HTTP2 and its local rate limit network filter for TCP connections.
You can configure:
- how many HTTP requests are allowed in a specified time period
- how the HTTP service responds when the limit is reached
- how many TCP connections are allowed in a specified time period
The policy is applied per service instance. This means that if a service backend has 3 instances, each rate limited to 100 requests per second, the overall service rate limit is 300 requests per second. The aggregate limit therefore grows and shrinks with the number of instances: size the per-instance value with the scaling range in mind if the goal is to bound the total load a backend can receive.
Rate limiting supports an ExternalService only when ZoneEgress is enabled.
TargetRef support matrix

| targetRef | Allowed kinds |
|---|---|
| targetRef.kind | Mesh, MeshSubset |
| from[].targetRef.kind | Mesh |

To learn more about the information in this table, see the matching docs.
Configuration
The MeshRateLimit policy supports both L4/TCP and L7/HTTP limiting. Envoy implements the limit with a token bucket algorithm.
HTTP Rate limiting

- `disabled` (optional) - should the rate limiting policy be disabled
- `requestRate` - configuration of the number of requests in the specific time window
  - `num` - the number of requests to allow
  - `interval` - the interval for which requests will be limited
- `onRateLimit` (optional) - actions to take on a RateLimit event
  - `status` (optional) - the status code to return, defaults to 429
  - `headers` (optional) - headers which should be added to every rate limited response
    - `set` (optional) - list of headers to set. Overrides the value if the header exists.
      - `name` - header's name
      - `value` - header's value
    - `add` (optional) - list of headers to add. Appends the value if the header exists.
      - `name` - header's name
      - `value` - header's value

TCP Rate limiting

TCP rate limiting allows the configuration of a number of connections in the specific time window

- `disabled` (optional) - should the rate limiting policy be disabled
- `connectionRate` - configuration of the number of connections in the specific time window
  - `num` - the number of connections to allow
  - `interval` - the interval for which connections will be limited
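The per-instance arithmetic from the introduction and the token bucket behind `requestRate`, as an added Python model. This is illustration written for this page, not Kuma or Envoy code. It assumes that Kuma maps `requestRate {num, interval}` onto an Envoy token bucket with `max_tokens = num`, `tokens_per_fill = num` and `fill_interval = interval` (a burst of `num` passes at once and the bucket refills in full once per interval), and that Envoy refills lazily on the next request rather than on a timer; the admit/deny sequence a client observes is the same either way. `HTTP_CONF` is constructed here to mirror the HTTP example below; the function names are this example's own.

```python
"""Token-bucket model of a MeshRateLimit requestRate, one bucket per proxy instance.

Added illustration, not Kuma or Envoy code. Assumed mapping: max_tokens = num,
tokens_per_fill = num, fill_interval = interval (full refill once per interval).
"""


class TokenBucket:
    """Whole-interval refill bucket, in the style of Envoy's local rate limit filters."""

    def __init__(self, max_tokens: int, fill_interval: float):
        self.max_tokens = max_tokens
        self.fill_interval = fill_interval
        self.tokens = max_tokens          # the bucket starts full: the first burst passes
        self.last_fill = 0.0

    def allow(self, now: float) -> bool:
        # refill once per elapsed interval, never above max_tokens
        fills = int((now - self.last_fill) // self.fill_interval)
        if fills > 0:
            self.tokens = min(self.max_tokens, self.tokens + fills * self.max_tokens)
            self.last_fill += fills * self.fill_interval
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def parse_interval(value: str) -> float:
    """Duration string as written in the policy ("10s", "500ms", "1m") to seconds."""
    for suffix, scale in (("ms", 0.001), ("s", 1.0), ("m", 60.0), ("h", 3600.0)):
        if value.endswith(suffix):
            return float(value[: -len(suffix)]) * scale
    raise ValueError(f"unsupported interval: {value!r}")


def rate_limited_response(on_rate_limit: dict) -> tuple[int, dict]:
    """Status and headers the proxy returns instead of forwarding the request."""
    status = on_rate_limit.get("status", 429)           # schema default
    headers = {}
    hdrs = on_rate_limit.get("headers", {})
    for h in hdrs.get("set", []):                         # set: overrides an existing value
        headers[h["name"]] = h["value"]
    for h in hdrs.get("add", []):                         # add: appends to an existing value
        name, value = h["name"], h["value"]
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def replay(http_conf: dict, requests, instances: int = 1):
    """Replay (time_seconds, instance_index) requests against one bucket per instance.

    Returns a list of (time, instance, status, headers); 200 means the request was
    forwarded to the backend, anything else was answered by the sidecar itself.
    """
    rate = http_conf["requestRate"]
    buckets = [TokenBucket(rate["num"], parse_interval(rate["interval"])) for _ in range(instances)]
    out = []
    for t, inst in requests:
        if buckets[inst].allow(t):
            out.append((t, inst, 200, {}))
        else:
            status, headers = rate_limited_response(http_conf.get("onRateLimit", {}))
            out.append((t, inst, status, headers))
    return out


HTTP_CONF = {  # constructed: the HTTP example on this page, 5 requests per 10s
    "requestRate": {"num": 5, "interval": "10s"},
    "onRateLimit": {"status": 423,
                    "headers": {"set": [{"name": "x-kuma-rate-limited", "value": "true"}]}},
}

if __name__ == "__main__":
    # one instance: seven requests one second apart, then one more after the interval
    for t, inst, status, headers in replay(HTTP_CONF, [(float(i), 0) for i in range(7)] + [(10.0, 0)]):
        print(f"t={t:4.1f}s instance={inst} -> {status} {headers}")
    # three instances: the limit is per instance, so 15 requests pass before the 16th is refused
    statuses = [s for _, _, s, _ in replay(HTTP_CONF, [(0.0, i % 3) for i in range(16)], instances=3)]
    print(statuses.count(200), "admitted,", statuses.count(423), "rate limited")
```

The second run is the point of the introduction: three instances at `num: 5` admit 15 requests per interval in total, and a client that is spread across instances by load balancing only sees a refusal once every bucket is empty.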
Examples
HTTP Rate limit configured for service backend from all services in the Mesh

```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshRateLimit
metadata:
  name: backend-rate-limit
  namespace: kuma-demo
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  from:
    - targetRef:
        kind: Mesh
      default:
        local:
          http:
            requestRate:
              num: 5
              interval: 10s
            onRateLimit:
              status: 423
              headers:
                set:
                  - name: x-kuma-rate-limited
                    value: 'true'
```
TCP rate limit for service backend from all services in the Mesh

```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshRateLimit
metadata:
  name: backend-rate-limit
  namespace: kuma-demo
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  from:
    - targetRef:
        kind: Mesh
      default:
        local:
          tcp:
            connectionRate:
              num: 5
              interval: 10s
```
All policy options
Spec is the specification of the Kuma MeshRateLimit resource.
Type: object
Properties
- from
  - From list makes a match between clients and corresponding configurations
  - Type: array
  - Items
    - Type: object
    - Properties
      - default
        - Default is a configuration specific to the group of clients referenced in 'targetRef'
        - Type: object
        - Properties
          - local
            - LocalConf defines local http or/and tcp rate limit configuration
            - Type: object
            - Properties
              - http
                - LocalHTTP defines configuration of local HTTP rate limiting: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter
                - Type: object
                - Properties
                  - disabled
                    - Define if rate limiting should be disabled.
                    - Type: boolean
                  - onRateLimit
                    - Describes the actions to take on a rate limit event
                    - Type: object
                    - Properties
                      - headers
                        - The Headers to be added to the HTTP response on a rate limit event
                        - Type: object
                        - Properties
                          - add
                            - Type: array
                            - Item Count: ≤ 16
                            - Items
                              - Type: object
                              - Properties
                                - name (required)
                                  - Type: string
                                  - The value must match this pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
                                  - Length: between 1 and 256
                                - value (required)
                                  - Type: string
                          - set
                            - Type: array
                            - Item Count: ≤ 16
                            - Items: same schema as the items of add (name and value, with the same constraints)
                      - status
                        - The HTTP status code to be set on a rate limit event
                        - Type: integer
                  - requestRate
                    - Defines how many requests are allowed per interval.
                    - Type: object
                    - Properties
                      - interval (required)
                        - The interval the number of units is accounted for.
                        - Type: string
                      - num (required)
                        - Number of units per interval (depending on usage it can be a number of requests, or a number of connections).
                        - Type: integer
              - tcp
                - LocalTCP defines configuration of local TCP rate limiting: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter
                - Type: object
                - Properties
                  - connectionRate
                    - Defines how many connections are allowed per interval.
                    - Type: object
                    - Properties
                      - interval (required)
                        - The interval the number of units is accounted for.
                        - Type: string
                      - num (required)
                        - Number of units per interval (depending on usage it can be a number of requests, or a number of connections).
                        - Type: integer
                  - disabled
                    - Define if rate limiting should be disabled. Default: false
                    - Type: boolean
      - targetRef (required)
        - TargetRef is a reference to the resource that represents a group of clients.
        - Type: object
        - Properties
          - kind
            - Kind of the referenced resource
            - Type: string
            - The value is restricted to the following: "Mesh", "MeshSubset", "MeshGateway", "MeshService", "MeshExternalService", "MeshMultiZoneService", "MeshServiceSubset", "MeshHTTPRoute"
          - labels
            - Labels are used to select group of MeshServices that match labels. Either Labels or Name and Namespace can be used.
            - Type: object
            - This schema accepts additional properties.
          - mesh
            - Mesh is reserved for future use to identify cross mesh resources.
            - Type: string
          - name
            - Name of the referenced resource. Can only be used with kinds: MeshService, MeshServiceSubset and MeshGatewayRoute
            - Type: string
          - namespace
            - Namespace specifies the namespace of target resource. If empty only resources in policy namespace will be targeted.
            - Type: string
          - proxyTypes
            - ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all data plane types are targeted by the policy.
            - Type: array
            - Item Count: ≥ 1
            - Items
              - Type: string
              - The value is restricted to the following: "Sidecar", "Gateway"
          - sectionName
            - SectionName is used to target specific section of resource. For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
            - Type: string
          - tags
            - Tags used to select a subset of proxies by tags. Can only be used with kinds MeshSubset and MeshServiceSubset
            - Type: object
            - This schema accepts additional properties.
- targetRef
  - TargetRef is a reference to the resource the policy takes an effect on. The resource could be either a real store object or virtual resource defined inplace.
  - Type: object
  - Properties
    - kind
      - Kind of the referenced resource
      - Type: string
      - The value is restricted to the following: "Mesh", "MeshSubset", "MeshGateway", "MeshService", "MeshExternalService", "MeshMultiZoneService", "MeshServiceSubset", "MeshHTTPRoute"
    - labels
      - Labels are used to select group of MeshServices that match labels. Either Labels or Name and Namespace can be used.
      - Type: object
      - This schema accepts additional properties.
    - mesh
      - Mesh is reserved for future use to identify cross mesh resources.
      - Type: string
    - name
      - Name of the referenced resource. Can only be used with kinds: MeshService, MeshServiceSubset and MeshGatewayRoute
      - Type: string
    - namespace
      - Namespace specifies the namespace of target resource. If empty only resources in policy namespace will be targeted.
      - Type: string
    - proxyTypes
      - ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all data plane types are targeted by the policy.
      - Type: array
      - Item Count: ≥ 1
      - Items
        - Type: string
        - The value is restricted to the following: "Sidecar", "Gateway"
    - sectionName
      - SectionName is used to target specific section of resource. For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
      - Type: string
    - tags
      - Tags used to select a subset of proxies by tags. Can only be used with kinds MeshSubset and MeshServiceSubset
      - Type: object
      - This schema accepts additional properties.
- to
  - To list makes a match between clients and corresponding configurations
  - Type: array
  - Items
    - Type: object
    - Properties: default and targetRef (required), with exactly the same schema as the items of from above. Note that the TargetRef support matrix for this policy lists only from[].targetRef.
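A pre-apply lint for a MeshRateLimit manifest, as an added example that is not Kuma's own validation. It enforces only what this page states: the TargetRef support matrix (`targetRef.kind` is Mesh or MeshSubset, `from[].targetRef.kind` is Mesh, no `to` section), the required `num`/`interval` fields, and the header rules from the schema (at most 16 `set`/`add` entries, names matching the lowercase token pattern with 1 to 256 characters). Assumptions: intervals are written in the simple `<digits><unit>` form used on this page (`10s`, `500ms`, `1m`); the 100..599 check on `status` is an added sanity check, since the schema itself only says integer. The two policy dicts are constructed here (the first is the page's HTTP example); a real manifest would be loaded with `yaml.safe_load()` first.

```python
"""Lint a MeshRateLimit resource against the constraints stated on this page.

Added example, not Kuma code. Catches the mistakes the schema pattern and the
targetRef support matrix reject, before the manifest reaches the API server.
"""
import re

TOP_KINDS = {"Mesh", "MeshSubset"}   # targetRef.kind, from the support matrix
FROM_KINDS = {"Mesh"}                 # from[].targetRef.kind, from the support matrix
HEADER_NAME = re.compile(r"^[a-z0-9!#$%&'*+\-.^_`|~]+$")   # schema pattern (\x60 is the backtick)
INTERVAL = re.compile(r"^\d+(ms|s|m|h)$")                   # assumption: simple duration form only


def _check_rate(path, rate, errors):
    """num and interval are both required by the schema."""
    if not isinstance(rate, dict):
        errors.append(f"{path}: required object with num and interval")
        return
    if not isinstance(rate.get("num"), int) or rate["num"] < 1:
        errors.append(f"{path}.num: required positive integer")
    if not isinstance(rate.get("interval"), str) or not INTERVAL.match(rate["interval"]):
        errors.append(f"{path}.interval: required duration such as '10s'")


def _check_headers(path, headers, errors):
    for op in ("set", "add"):
        items = headers.get(op) or []
        if len(items) > 16:
            errors.append(f"{path}.{op}: at most 16 entries")
        for i, h in enumerate(items):
            name = h.get("name", "")
            # the pattern is lowercase only: 'X-Kuma-Rate-Limited' does not match it
            if not (1 <= len(name) <= 256 and HEADER_NAME.match(name)):
                errors.append(f"{path}.{op}[{i}].name: {name!r} is not a lowercase HTTP token")
            if "value" not in h:
                errors.append(f"{path}.{op}[{i}].value: required")


def validate(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy passes these checks."""
    errors = []
    if policy.get("kind") != "MeshRateLimit":
        errors.append("kind: expected MeshRateLimit")
    spec = policy.get("spec") or {}
    kind = (spec.get("targetRef") or {}).get("kind")
    if kind not in TOP_KINDS:
        errors.append(f"spec.targetRef.kind: {kind!r} is not one of {sorted(TOP_KINDS)}")
    if "to" in spec:
        errors.append("spec.to: the support matrix lists only from[] for MeshRateLimit")
    for i, item in enumerate(spec.get("from") or []):
        p = f"spec.from[{i}]"
        fk = (item.get("targetRef") or {}).get("kind")
        if fk not in FROM_KINDS:
            errors.append(f"{p}.targetRef.kind: {fk!r} is not one of {sorted(FROM_KINDS)}")
        local = (item.get("default") or {}).get("local") or {}
        http, tcp = local.get("http"), local.get("tcp")
        if http and not http.get("disabled"):
            _check_rate(f"{p}.default.local.http.requestRate", http.get("requestRate"), errors)
            orl = http.get("onRateLimit") or {}
            status = orl.get("status", 429)            # schema default
            if not isinstance(status, int) or not 100 <= status <= 599:   # added sanity check
                errors.append(f"{p}.default.local.http.onRateLimit.status: {status!r} is not an HTTP status")
            _check_headers(f"{p}.default.local.http.onRateLimit.headers", orl.get("headers") or {}, errors)
        if tcp and not tcp.get("disabled"):
            _check_rate(f"{p}.default.local.tcp.connectionRate", tcp.get("connectionRate"), errors)
    return errors


GOOD_POLICY = {  # constructed: the HTTP example on this page
    "apiVersion": "kuma.io/v1alpha1", "kind": "MeshRateLimit",
    "metadata": {"name": "backend-rate-limit", "namespace": "kuma-demo", "labels": {"kuma.io/mesh": "default"}},
    "spec": {
        "targetRef": {"kind": "MeshSubset", "tags": {"app": "backend"}},
        "from": [{"targetRef": {"kind": "Mesh"},
                  "default": {"local": {"http": {
                      "requestRate": {"num": 5, "interval": "10s"},
                      "onRateLimit": {"status": 423,
                                      "headers": {"set": [{"name": "x-kuma-rate-limited", "value": "true"}]}}}}}}],
    },
}

BAD_POLICY = {  # constructed: five mistakes a reviewer should catch
    "apiVersion": "kuma.io/v1alpha1", "kind": "MeshRateLimit",
    "metadata": {"name": "backend-rate-limit", "namespace": "kuma-demo"},
    "spec": {
        "targetRef": {"kind": "MeshService", "name": "backend"},                     # not in the support matrix
        "to": [],                                                                    # not supported here
        "from": [{"targetRef": {"kind": "MeshSubset", "tags": {"app": "frontend"}},  # only Mesh is allowed
                  "default": {"local": {"http": {
                      "requestRate": {"num": 100, "interval": "10"},                 # unit missing
                      "onRateLimit": {"headers": {"set": [{"name": "X-Kuma-Rate-Limited", "value": "true"}]}}}}}}],
    },
}

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, validate(policy) or "ok")
```

The uppercase header name is the one most often missed in review: the schema pattern only admits lowercase token characters, so a conventional `X-...` name is rejected at admission, not silently ignored.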
Generated with json-schema-md-doc