feat: local rate limit #2258
feat: local rate limit #2258
Conversation
zhaohuabing
force-pushed
the
local-rate-limit
branch
from
03dfcab to
fd6b283
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #2258 +/- ##
==========================================
+ Coverage 64.59% 64.71% +0.11%
==========================================
Files 112 113 +1
Lines 16072 16442 +370
==========================================
+ Hits 10382 10640 +258
- Misses 5038 5132 +94
- Partials 652 670 +18 ☔ View full report in Codecov by Sentry. |
zhaohuabing
force-pushed
the
local-rate-limit
branch
6 times, most recently
from
47d6937 to
9734e3a
Compare
zhaohuabing
force-pushed
the
local-rate-limit
branch
9 times, most recently
from
c363f43 to
186f0a1
Compare
zhaohuabing
force-pushed
the
local-rate-limit
branch
8 times, most recently
from
e8b3dec to
726beb4
Compare
| @@ -91,6 +133,7 @@ const ( | |||
| SourceMatchExact SourceMatchType = "Exact" | |||
| // SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector | |||
| // and uses a separate rate limit bucket/counter. | |||
| // Note: This is only supported for Global Rate Limits. | |||
There was a problem hiding this comment.
I suggest creating separate fields for Local and Global or adding CEL validation we cannot support something like Distinct for local
There was a problem hiding this comment.
I am inclined to add a CEL validation. It's simpler.
There was a problem hiding this comment.
This has been validated when translating GatewayAPI to IR, and the Policy status is set to Invalid if the type is Distinct.
I tried to validate it with the below CEL rule but no luck:
// +kubebuilder:validation:XValidation:rule="self.rules.all(r, has(r.clientSelectors)? (r.clientSelectors.all(s, has(s.sourceCIDR) && has(s.sourceCIDR.type)? s.sourceCIDR.type!='Distinct' : true)) : true)", message="Distinct SourceMatchType is not supported for Local Rate Limit"
And verified it on https://playcel.undistro.io/.
However, k8s throws the below error, complaining this rule is invalid.
Error: Received unexpected error:
unable to install CRDs onto control plane: unable to create CRD instances: unable to create CRD "backendtrafficpolicies.gateway.envoyproxy.io": CustomResourceDefinition.apiextensions.k8s.io "backendtrafficpolicies.gateway.envoyproxy.io" is invalid: spec.validation.openAPIV3Schema.properties[spec].properties[rateLimit].properties[local].properties[rules].x-kubernetes-validations[0].rule: Invalid value: apiextensions.ValidationRule{Rule:"self.rules.all(r, has(r.clientSelectors)? (r.clientSelectors.all(s, has(s.sourceCIDR) && has(s.sourceCIDR.type)? s.sourceCIDR.type!='Distinct' : true)) : true)", Message:"Distinct SourceMatchType is not supported for Local Rate Limit", MessageExpression:""}: compilation failed: ERROR: <input>:1:5: type 'list_type:{elem_type:{message_type:"selfType61480208.@idx"}}' does not support field selection
| self.rules.all(r, has(r.clientSelectors)? (r.clientSelectors.all(s, has(s.sourceCIDR) && has(s.sourceCIDR.type)? s.sourceCIDR.type!='Distinct' : true)) : true)
Maybe I can try CEL later in a follow-up PR.
Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
zhaohuabing
force-pushed
the
local-rate-limit
branch
from
ef09625 to
a8da2c7
Compare
Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
| // rate limit decisions of all matching rules. For example, if a request | ||
| // matches two rules, one rate limited and one not, the final decision will be | ||
| // to rate limit the request. | ||
| // +kubebuilder:validation:MaxItems=16 |
There was a problem hiding this comment.
Adding a few lines to explain what happens if a request matches multiple rules, originally from https://github.com/envoyproxy/ratelimit?tab=readme-ov-file#example-2
Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
| // Rules are a list of RateLimit selectors and limits. If a request matches | ||
| // multiple rules, the strictest limit is applied. For example, if a request | ||
| // matches two rules, one with 10rps and one with 20rps, the final limit will | ||
| // be based on the rule with 10rps. |
There was a problem hiding this comment.
Explaining how local rate limit behaves if a request matches multiple rules, originally from https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter#using-rate-limit-descriptors-for-local-rate-limiting
Signed-off-by: huabing zhao <[email protected]>
zhaohuabing
force-pushed
the
local-rate-limit
branch
from
801e6a8 to
c0bc74a
Compare
Signed-off-by: huabing zhao <[email protected]>
|
/retest |
Related issue: #1336