15

I need to implement rate limiting (based on URL and path) on applications deployed on a Kubernetes cluster (EKS).

I'm looking for a managed way that involves the least scripting and provides an interface through which to manage rate limits for different applications.

That system should be able to work accurately at the enterprise level.

Can somebody please suggest the path/tool/framework to follow in order to achieve it?

Talha Tariq

1 Answer

27

Rate limiting is available in NGINX Ingress by using the correct annotations. Available options are:

  1. nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. A 503 error is returned when exceeding this limit.
  2. nginx.ingress.kubernetes.io/limit-rps: number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier; the default multiplier is 5. When clients exceed this limit, limit-req-status-code default: 503 is returned.
  3. nginx.ingress.kubernetes.io/limit-rpm: number of requests accepted from a given IP each minute. The burst limit is set to this limit multiplied by the burst multiplier; the default multiplier is 5. When clients exceed this limit, limit-req-status-code default: 503 is returned.
  4. nginx.ingress.kubernetes.io/limit-burst-multiplier: multiplier of the limit rate for burst size. The default burst multiplier is 5; this annotation overrides the default multiplier. When clients exceed this limit, limit-req-status-code default: 503 is returned.
  5. nginx.ingress.kubernetes.io/limit-rate-after: initial number of kilobytes after which the further transmission of a response to a given connection will be rate limited. This feature must be used with proxy-buffering enabled.
  6. nginx.ingress.kubernetes.io/limit-rate: number of kilobytes per second allowed to send to a given connection. The zero value disables rate limiting. This feature must be used with proxy-buffering enabled.
  7. nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to be excluded from rate limiting. The value is a comma-separated list of CIDRs.

You can read more about NGINX rate limiting here and for NGINX rate limiting in Kubernetes in this guide.

kool
  • 4
    Do you know if this can be configured based on specific path, e.g. /login/? – Richard Scarrott Mar 29 '21 at 11:05
  • 1
    @riscarrott, no, currently it applies to the entire ingress where annotations are added. – SinFulNard Jan 28 '22 at 02:47
  • Suppose I set limit-connections: 5. Does it mean we can only access the site from a single IP address 5 times, or is it 5 times per day? – Techiescorner Jul 13 '22 at 13:40
  • You can use nginx.ingress.kubernetes.io/configuration-snippet to add configuration per location (https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#configuration-snippet) – baskInEminence Jun 14 '23 at 01:39
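
An added example, not part of the answer or comments above: because the rate-limit annotations apply to the whole Ingress object they are set on, one way to get a separate limit for a path such as /login is to give that path its own Ingress on the same host. The host, Service names, ports, CIDR and limit values below are constructed placeholders, and the manifests assume the ingress-nginx controller with an IngressClass named nginx.

```yaml
# Added example; shop.example.com, auth-svc and web-svc are constructed placeholders.
# Ingress 1: strict limits that apply only to /login.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: login-ratelimit
  annotations:
    # 30 requests per minute from a given client IP
    nginx.ingress.kubernetes.io/limit-rpm: "30"
    # burst = limit * multiplier = 60 (overrides the default multiplier of 5)
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "2"
    # at most 5 concurrent connections per IP (concurrency, not a daily quota)
    nginx.ingress.kubernetes.io/limit-connections: "5"
    # constructed internal range excluded from rate limiting
    nginx.ingress.kubernetes.io/limit-whitelist: "10.0.0.0/8"
spec:
  ingressClassName: nginx
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /login
            pathType: Prefix
            backend:
              service:
                name: auth-svc
                port:
                  number: 80
---
# Ingress 2: looser limit for every other path on the same host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: site-ratelimit
  annotations:
    # 20 requests per second per client IP, default burst multiplier of 5
    nginx.ingress.kubernetes.io/limit-rps: "20"
spec:
  ingressClassName: nginx
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-svc
                port:
                  number: 80
```

The limits are keyed on the client IP as NGINX sees it, so behind an AWS load balancer the controller has to receive the real client address; otherwise every client shares the load balancer's bucket.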