Ratelimiting or Circuit breaking based on L7 rules #10207

Closed
kprakasam opened this issue Feb 28, 2020 · 4 comments
Labels
design proposal Needs design doc/proposal before implementation stale stalebot believes this issue/PR has not been touched recently

Comments

@kprakasam
Contributor

Title: Ratelimiting or Circuit breaking based on L7 rules

Description:
Envoy currently allows only one circuit breaker per upstream cluster and a global rate limiter service; this is very constraining when dealing with DDOS attacks when there is only one upstream cluster (if you want to understand the specific use case we can discuss offline). We are wondering if we can create a filter that can configure one or more localized rate limiters/circuit breakers (https://github.com/Netflix/concurrency-limits) associated with an arbitrary L7 rule and, when the breaker is triggered, allow an arbitrary action to be taken (e.g. serve a static page, a cached version of the page, etc.). I would like to hear the community's thoughts on this approach.

Sample Filter Configuration

  rate-limiters:
    ingressRoute: mweb-1-80
    www.acme.com:
      - name: view-item
        match:
          - header: { name: "path", regex_match: "/itm/.*" }
        circuit-breakers:
          - windowed:
              ...
          - fixed:
              ...
        action:
          drop: true
      - name: default
        circuit-breakers:
          - gradient2:
              ...
          - aimd:
              ...
        action:
          monitor: true

@mattklein123 mattklein123 added the design proposal Needs design doc/proposal before implementation label Feb 29, 2020
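
A minimal model of the proposal above, added here as an illustration and not code from Envoy, the issue author or the Netflix library: each L7 rule owns its own limiter, so traffic that trips `view-item` cannot consume the `default` rule's budget. The class names, the simplified AIMD arithmetic, first-match rule ordering and full-match regex semantics are assumptions; only the `aimd` limiter type and the `drop` and `monitor` actions from the sample configuration are modelled.

```python
import re
from dataclasses import dataclass, field

@dataclass
class AimdLimit:
    """Simplified AIMD concurrency limit (not a port of any library)."""
    limit: float = 2.0
    floor: float = 1.0
    ceiling: float = 100.0
    backoff: float = 0.5
    inflight: int = 0

    def try_acquire(self) -> bool:
        if self.inflight >= int(self.limit):
            return False
        self.inflight += 1
        return True

    def release(self, ok: bool) -> None:
        self.inflight -= 1
        grown = self.limit + 1 if ok else self.limit * self.backoff
        self.limit = min(self.ceiling, max(self.floor, grown))

@dataclass
class Rule:
    name: str
    action: str            # "drop" or "monitor", as in the sample config
    path_regex: str = ""   # empty: catch-all, like the "default" rule
    limiter: AimdLimit = field(default_factory=AimdLimit)
    trips: int = 0

class L7LimitFilter:
    def __init__(self, rules):
        self.rules = rules  # assumption: first matching rule wins

    def on_request(self, path: str):
        """Return (decision, rule); decision is allow, drop or monitor."""
        # Assumption: a rule's regex must match the whole path value.
        rule = next((r for r in self.rules if not r.path_regex
                     or re.fullmatch(r.path_regex, path)), None)
        if rule is None:
            return "allow", None
        if rule.limiter.try_acquire():
            return "allow", rule
        rule.trips += 1  # breaker open: count it, then apply the rule's action
        return ("drop" if rule.action == "drop" else "monitor"), rule

    def on_response(self, rule: Rule, ok: bool) -> None:
        rule.limiter.release(ok)  # only for requests admitted with "allow"
```

A `monitor` decision lets the request through without taking a limiter slot, so the caller must not call `on_response` for it.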
@mattklein123
Member

See #7918. I would like to see this happen in the context of a dedicated WAF filter which can perform various actions that are configured on a per-route basis. cc @gkleiman, who can provide more color and whom I have also discussed this with.

@kprakasam
Contributor Author

kprakasam commented Feb 29, 2020

@mattklein123, my team member and I did have a meeting with @gkleiman around the holidays, and we have forked the RBAC to implement our WAF and rolled out the OFAC functionality a few weeks back in our clusters. I thought the circuit breaker could be built as a standalone isolated feature since the WAF could evolve into something much larger in scope. Anyway, I'd be happy to set up a meeting with Gaston to discuss further.

@stale

stale bot commented Mar 30, 2020

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

@stale stale bot added the stale stalebot believes this issue/PR has not been touched recently label Mar 30, 2020
@stale

stale bot commented Apr 6, 2020

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

@stale stale bot closed this as completed Apr 6, 2020