Kuadrant / kuadrant-controller

Apache License 2.0

RLP status with gateway configuration #204

Closed eguzki closed 2 years ago

eguzki commented 2 years ago

what

The RateLimitPolicy objects which target a route object have the information of the gateway level rate limit configuration. This does not apply to RLPs targeting a gateway.

status.gatewaysRateLimits lists (one item per gateway the route points to) the rate limit configurations from the RLPs targeting gateways. It includes the name of the gateway for reference.

apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata: {}
spec: {}
status:
  conditions:
    - lastTransitionTime: "2022-09-08T17:20:38Z"
      message: HTTPRoute is ratelimited
      reason: HTTPRouteProtected
      status: "True"
      type: Available
  gatewaysRateLimits:
    - gatewayName: istio-system/istio-ingressgateway
      rateLimits:
        - configurations:
            - actions:
                - generic_key:
                    descriptor_key: expensive_op
                    descriptor_value: "1"
          limits:
            - conditions:
                - expensive_op == 1
              maxValue: 2
              seconds: 10
              variables: []
          rules:
            - methods:
                - POST
        - configurations:
            - actions:
                - remote_address: {}
          limits:
            - conditions: []
              maxValue: 25
              seconds: 10
              variables:
                - remote_address
  observedGeneration: 1

verification steps

Setup env

make local-setup

Deploy toystore example deployment

kubectl apply -f examples/toystore/toystore.yaml

Create HTTPRoute to configure routing to the toystore service

kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: toystore
  labels:
    app: toystore
spec:
  parentRefs:
    - name: istio-ingressgateway
      namespace: istio-system
  hostnames: ["*.toystore.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/toy"
          method: GET
        - path:
            type: PathPrefix
            value: "/free"
          method: GET
        - path:
            type: Exact
            value: "/admin/toy"
          method: POST
      backendRefs:
        - name: toystore
          port: 80
EOF

Rate limiting toystore HTTPRoute traffic

RateLimitPolicy applied for the toystore HTTPRoute.

kubectl apply -f - <<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rateLimits:
    - rules:
        - paths: ["/admin/toy"]
          methods: ["POST"]
      configurations:
        - actions:
            - generic_key:
                descriptor_key: admin_operation
                descriptor_value: "1"
      limits:
        - conditions:
            - "admin_operation == 1"
          maxValue: 5
          seconds: 10
          variables: []
    - rules:
        - paths: ["/toy"]
          methods: ["GET"]
      configurations:
        - actions:
            - generic_key:
                descriptor_key: get_operation
                descriptor_value: "1"
      limits:
        - conditions:
            - "get_operation == 1"
          maxValue: 8
          seconds: 10
          variables: []
    - configurations:
        - actions:
            - generic_key:
                descriptor_key: toystore
                descriptor_value: "1"
      limits:
        - conditions: ["toystore == 1"]
          maxValue: 30
          seconds: 10
          variables: []
EOF

RateLimitPolicy applied for the Gateway.

kubectl apply -f - <<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata:
  name: kuadrant-gw
  namespace: istio-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: istio-ingressgateway
  rateLimits:
    - rules:
      - methods: ["POST"]
      configurations:
        - actions:
            - generic_key:
                descriptor_key: expensive_op
                descriptor_value: "1"
      limits:
        - conditions: ["expensive_op == 1"]
          maxValue: 2
          seconds: 10
          variables: []
    - configurations:
        - actions:
            - remote_address: {}
      limits:
        - conditions: []
          maxValue: 25
          seconds: 10
          variables: ["remote_address"]
EOF

Check route level RLP toystore has the info of the rate limiting applied at the gateway level

k get ratelimitpolicy toystore -o jsonpath='{.status}' | yq_pretty 
conditions:
  - lastTransitionTime: "2022-09-09T08:15:15Z"
    message: HTTPRoute is ratelimited
    reason: HTTPRouteProtected
    status: "True"
    type: Available
gatewaysRateLimits:
  - gatewayName: istio-system/istio-ingressgateway
    rateLimits:
      - configurations:
          - actions:
              - generic_key:
                  descriptor_key: expensive_op
                  descriptor_value: "1"
        limits:
          - conditions:
              - expensive_op == 1
            maxValue: 2
            seconds: 10
            variables: []
        rules:
          - methods:
              - POST
      - configurations:
          - actions:
              - remote_address: {}
        limits:
          - conditions: []
            maxValue: 25
            seconds: 10
            variables:
              - remote_address
observedGeneration: 1

Update the configuration of the gateway level policy: only one rate limit object, and maxValue changed from 25 to 100.

kubectl apply -f - <<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata:
  name: kuadrant-gw
  namespace: istio-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: istio-ingressgateway
  rateLimits:
    - configurations:
        - actions:
            - remote_address: {}
      limits:
        - conditions: []
          maxValue: 100
          seconds: 10
          variables: ["remote_address"]
EOF

Check route level RLP toystore has the info of the gateway rate limiting updated

k get ratelimitpolicy toystore -o jsonpath='{.status}' | yq_pretty 
conditions:
  - lastTransitionTime: "2022-09-09T08:15:15Z"
    message: HTTPRoute is ratelimited
    reason: HTTPRouteProtected
    status: "True"
    type: Available
gatewaysRateLimits:
  - gatewayName: istio-system/istio-ingressgateway
    rateLimits:
      - configurations:
          - actions:
              - remote_address: {}
        limits:
          - conditions: []
            maxValue: 100
            seconds: 10
            variables:
              - remote_address
observedGeneration: 1
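
The last verification step can be automated by comparing `status.gatewaysRateLimits` of the route-level RLP with the `spec.rateLimits` of the gateway-level policies. The following is an added example, not part of this PR or of the kuadrant-controller code; the function names, the finding labels and the embedded JSON (constructed from the YAML above) are assumptions, as is treating an empty list and an omitted field as equal.

```python
import json

# Constructed sample: .status of the route-level RLP "toystore" after the
# gateway policy update, in the JSON form that kubectl's jsonpath query returns.
ROUTE_STATUS = json.loads("""
{"gatewaysRateLimits": [{
   "gatewayName": "istio-system/istio-ingressgateway",
   "rateLimits": [{
     "configurations": [{"actions": [{"remote_address": {}}]}],
     "limits": [{"conditions": [], "maxValue": 100, "seconds": 10,
                 "variables": ["remote_address"]}]}]}],
 "observedGeneration": 1}
""")

# Constructed sample: spec.rateLimits of the gateway-level RLP "kuadrant-gw",
# keyed by namespace/name of the targeted gateway. "conditions" is left out on
# purpose to exercise the empty-versus-omitted normalisation below.
GATEWAY_SPECS = {
    "istio-system/istio-ingressgateway": [{
        "configurations": [{"actions": [{"remote_address": {}}]}],
        "limits": [{"maxValue": 100, "seconds": 10,
                    "variables": ["remote_address"]}]}],
}

def prune(node):
    """Drop null and empty-list fields; keep empty maps such as remote_address: {}."""
    if isinstance(node, dict):
        return {k: prune(v) for k, v in node.items() if v is not None and v != []}
    if isinstance(node, list):
        return [prune(v) for v in node]
    return node

def canonical(rate_limits):
    """Order-insensitive fingerprint of a rateLimits list."""
    return sorted(json.dumps(prune(rl), sort_keys=True) for rl in rate_limits)

def status_drift(route_status, gateway_specs):
    """Return (gateway, finding) pairs where the route status disagrees with the gateway specs."""
    reported = {g["gatewayName"]: g.get("rateLimits", [])
                for g in route_status.get("gatewaysRateLimits", [])}
    findings = []
    for gw, spec_limits in gateway_specs.items():
        if gw not in reported:
            findings.append((gw, "missing-from-status"))
        elif canonical(reported[gw]) != canonical(spec_limits):
            findings.append((gw, "stale-or-mismatched"))
    # Entries in the status with no matching gateway policy are stale leftovers.
    findings += [(gw, "no-gateway-policy") for gw in reported if gw not in gateway_specs]
    return findings
```

An empty result means the route-level status reflects the current gateway-level limits; a `stale-or-mismatched` finding is what the check would report if the status still showed `maxValue: 25` after the update.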

eguzki commented 2 years ago

all comments addressed @didierofrivia