Kuma Star

MeshRateLimit

This policy uses new policy matching algorithm. Do not combine with Rate Limit.

This policy enables per-instance service request limiting. Policy supports rate limiting of HTTP/HTTP2 requests and TCP connections.

The MeshRateLimit policy leverages Envoy’s local rate limiting for HTTP/HTTP2 and local rate limit filter for TCP connections.

You can configure:

  • how many HTTP requests are allowed in a specified time period
  • how the HTTP service responds when the limit is reached
  • how many TCP connections are allowed in a specified time period

The policy is applied per service instance. This means that if a service backend has 3 instances rate limited to 100 requests per second, the overall service rate limit is 300 requests per second.

Rate limiting supports an ExternalService only when ZoneEgress is enabled.

Configuration

The MeshRateLimit policy supports both L4/TCP and L7/HTTP limiting. Envoy implements Token Bucket algorithm for rate limiting.

HTTP Rate limiting

  • disabled - (optional) - should rate limiting policy be disabled
  • requestRate - configuration of the number of requests in the specific time window
    • num - the number of requests to limit
    • interval - the interval for which requests will be limited
  • onRateLimit (optional) - actions to take on RateLimit event
    • status (optional) - the status code to return, defaults to 429
    • headers - (optional) headers which should be added to every rate limited response

Headers

  • set - (optional) - list of headers to set. Overrides value if the header exists.
    • name - header’s name
    • value - header’s value
  • add - (optional) - list of headers to add. Appends value if the header exists.
    • name - header’s name
    • value - header’s value

TCP Rate limiting

TCP rate limiting allows the configuration of a number of connections in the specific time window

  • disabled - (optional) - should rate limiting policy be disabled
  • connectionRate - configuration of the number of connections in the specific time window
    • num - the number of requests to limit
    • interval - the interval for which connections will be limited

Examples

HTTP Rate limit configured for service backend from all services in the Mesh

apiVersion: kuma.io/v1alpha1
kind: MeshRateLimit
metadata:
  name: backend-rate-limit
  namespace: kuma-demo
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: backend
  rules:
  - default:
      local:
        http:
          requestRate:
            num: 5
            interval: 10s
          onRateLimit:
            status: 423
            headers:
              set:
              - name: x-kuma-rate-limited
                value: 'true'

TCP rate limit for service backend from all services in the Mesh

apiVersion: kuma.io/v1alpha1
kind: MeshRateLimit
metadata:
  name: backend-rate-limit
  namespace: kuma-demo
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: backend
  rules:
  - default:
      local:
        tcp:
          connectionRate:
            num: 5
            interval: 10s

See also

All policy options

targetRef object
TargetRef is a reference to the resource the policy takes an effect on. The resource could be either...
kind enum required
Kind of the referenced resource
Values: Mesh | Dataplane
name string
Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and...
namespace string
Namespace specifies the namespace of target resource. If empty only resources in policy namespace wi...
labels object
Labels are used to select group of MeshServices that match labels. Either Labels or Name and Namespa...
sectionName string
SectionName is used to target specific section of resource. For example, you can target port from Me...
rules array
Rules defines inbound rate limiting configurations. Currently limited to selecting all inbound traff...
Default contains configuration of the inbound rate limits
LocalConf defines local http or/and tcp rate limit configuration
LocalHTTP defines configuration of local HTTP rate limiting https://www.envoyproxy.io/docs/envoy/lat...
disabled boolean
Define if rate limiting should be disabled.
Describes the actions to take on a rate limit event
The Headers to be added to the HTTP response on a rate limit event
name string required
value string required
name string required
value string required
status integer
The HTTP status code to be set on a rate limit event
Defines how many requests are allowed per interval.
interval string required
The interval the number of units is accounted for.
num integer required
Number of units per interval (depending on usage it can be a number of requests, or a number of conn...
LocalTCP defines confguration of local TCP rate limiting https://www.envoyproxy.io/docs/envoy/latest...
Defines how many connections are allowed per interval.
interval string required
The interval the number of units is accounted for.
num integer required
Number of units per interval (depending on usage it can be a number of requests, or a number of conn...
disabled boolean
Define if rate limiting should be disabled. Default: false
to array
To list makes a match between clients and corresponding configurations
TargetRef is a reference to the resource that represents a group of clients.
kind enum required
Kind of the referenced resource
Values: Mesh
name string
Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and...
namespace string
Namespace specifies the namespace of target resource. If empty only resources in policy namespace wi...
labels object
Labels are used to select group of MeshServices that match labels. Either Labels or Name and Namespa...
sectionName string
SectionName is used to target specific section of resource. For example, you can target port from Me...
Default is a configuration specific to the group of clients referenced in 'targetRef'
LocalConf defines local http or/and tcp rate limit configuration
LocalHTTP defines configuration of local HTTP rate limiting https://www.envoyproxy.io/docs/envoy/lat...
disabled boolean
Define if rate limiting should be disabled.
Describes the actions to take on a rate limit event
The Headers to be added to the HTTP response on a rate limit event
name string required
value string required
name string required
value string required
status integer
The HTTP status code to be set on a rate limit event
Defines how many requests are allowed per interval.
interval string required
The interval the number of units is accounted for.
num integer required
Number of units per interval (depending on usage it can be a number of requests, or a number of conn...
LocalTCP defines confguration of local TCP rate limiting https://www.envoyproxy.io/docs/envoy/latest...
Defines how many connections are allowed per interval.
interval string required
The interval the number of units is accounted for.
num integer required
Number of units per interval (depending on usage it can be a number of requests, or a number of conn...
disabled boolean
Define if rate limiting should be disabled. Default: false