
We have to configure Istio with rate limiting. We are using Istio 1.6. All the examples provided have rate limiting based on headers. Can we rate limit our application for all the requests irrespective of headers? Like Istio should limit all the users from hitting the application more than 500 times in a minute.

  • As rateLimit uses `key-value` pairs to apply rate limiting rules, Istio/Envoy's role is to assign the correct keys and corresponding values to the traffic being sent to the rateLimit service. So I would say it's not possible to limit all the users out of the box, but I'm thinking about 2 workarounds: the first would be to add some header to every incoming request, the second would be to specify your app domain as the value; there is a very well described [example](https://domagalski-j.medium.com/istio-rate-limits-for-egress-traffic-8697df490f68). Let me know what you think about it. – Jakub Dec 04 '20 at 08:54

2 Answers


As Envoy filter rate limiting uses key-value pairs to apply rate limiting rules, Istio/Envoy's role is to assign the correct keys and corresponding values to the traffic being sent to the rateLimit service. Based on that, I would say it's not possible to limit all the users out of the box, but I think you can get around it with some workaround.

Such ideas came to mind; they are worth a try.

  • Add some random header to every incoming request. Then use rate limiting based on this value. There is an example of how to add a custom header to every request.
  • Specify your app domain as the value. Then use your domain as the rate limit value. There is a very well described example.
Jakub

You can limit all users if you know your application port number. Let's assume your application pod exposes container port 8200, so your deployment YAML may look like:

apiVersion: apps/v1
kind: Deployment
....
spec:
  selector:
    matchLabels:
      app: my-app
  replicas: 3
  template:
    metadata:
      labels:
        app: my-app

... more yaml here...

      containers:
      - name: main-container
        ports:
        - containerPort: 8200
        image: alpine....

(Ignore the public Istio gateway port in your cluster; it's not the same.) And since we saw your application pod also has the label app: my-app, you can simply apply this to limit it to 20 incoming requests per minute.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: local-ratelimit-envoy-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: my-app
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter
    - applyTo: HTTP_ROUTE
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          vhost:
            name: "inbound|http|8200"
            route:
              action: ANY
      patch:
        operation: MERGE
        value:
          typed_per_filter_config:
            envoy.filters.http.local_ratelimit:
              "@type": type.googleapis.com/udpa.type.v1.TypedStruct
              type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              value:
                stat_prefix: http_local_rate_limiter
                token_bucket:
                  max_tokens: 20  # this will give us 20 req/min
                  tokens_per_fill: 20
                  fill_interval: 1m
                filter_enabled:
                  runtime_key: local_rate_limit_enabled
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
                filter_enforced:
                  runtime_key: local_rate_limit_enforced
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
                response_headers_to_add:
                 - append: false
                   header:
                     key: Retry-After
                     value: '60'
taitelman
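An added example, not part of the answer above and not Envoy's own code: a simplified Python model of the `token_bucket` as configured in that EnvoyFilter (max_tokens 20, tokens_per_fill 20, fill_interval 1m, Retry-After 60). It assumes, as the `local_ratelimit` filter behaves, that each sidecar keeps its own bucket with no shared state, so with `replicas: 3` the application as a whole admits up to 60 requests per minute, not 20.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from http import HTTPStatus


@dataclass
class LocalTokenBucket:
    """Model of one sidecar's envoy.filters.http.local_ratelimit bucket.

    Defaults mirror the EnvoyFilter in the answer (a simplified model, not
    Envoy's implementation): 20 tokens, refilled by 20 every 60 seconds.
    """
    max_tokens: int = 20
    tokens_per_fill: int = 20
    fill_interval_s: float = 60.0
    tokens: int = field(init=False)
    last_fill: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.max_tokens  # bucket starts full

    def admit(self, now: float) -> tuple[int, dict[str, str]]:
        """Return (HTTP status, extra response headers) for a request at `now`."""
        # Refill once per elapsed fill_interval, never exceeding max_tokens.
        fills = int((now - self.last_fill) // self.fill_interval_s)
        if fills:
            self.tokens = min(self.max_tokens, self.tokens + fills * self.tokens_per_fill)
            self.last_fill += fills * self.fill_interval_s
        if self.tokens > 0:
            self.tokens -= 1
            return HTTPStatus.OK, {}
        # Out of tokens: the filter answers 429 and adds the configured
        # Retry-After: 60 header from response_headers_to_add.
        return HTTPStatus.TOO_MANY_REQUESTS, {"Retry-After": "60"}


def simulate(replicas: int, arrival_times: list[float]) -> dict[str, int]:
    """Spread requests round-robin over `replicas` sidecars, one bucket each,
    and count how many are admitted (200) versus rate limited (429)."""
    buckets = [LocalTokenBucket() for _ in range(replicas)]
    counts = {"ok": 0, "limited": 0}
    for i, t in enumerate(arrival_times):
        status, _headers = buckets[i % replicas].admit(t)
        counts["ok" if status == HTTPStatus.OK else "limited"] += 1
    return counts
```

With one replica the 25-request burst at time zero yields 20 admitted and 5 rejected; with three replicas the same per-pod filter lets 60 through before anything is rejected.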