search

envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0
24.92k stars 4.8k forks source link

Use admission control per domain/virtual_host #17648

Open hochuenw-dd opened 3 years ago

hochuenw-dd commented 3 years ago

Hi folks, I have an outbound listener which routes traffic to different clusters based on domains. For each different cluster, I'd like to apply different admission control configurations (e.g the success criteria). Is it possible to somehow apply this filter to per domain level? Does this filter support typed_per_filter_config? If so, is it going to overwrite the global config or the same filter would be used twice? I'm also wondering if this filter is production ready, since the state on the website is still experimental. https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/admission_control_filter#admission-control Thanks!!

ggreenway commented 3 years ago

cc @tonya11en @mattklein123. It doesn't look like there is per_filter_config for this filter, but it could probably be added.

tonya11en commented 3 years ago

I touched on this in your other question https://github.com/envoyproxy/envoy/issues/17650#issuecomment-896174631, but I'll drop a quote here for folks who stumble on this issue:

The major problem with admission control is that it doesn't have support for per-cluster or per-virtualhost domains. All requests, regardless of their destination vhost/cluster are lumped together in these measurements, so to use this in your case you would need to utilize it on ingress traffic on the destination service's sidecar (if you can). However, it defeats the purpose of "client-side throttling" to do this. It's something I had meant to address but never got around to.

I'd be happy to work with you on an admission control change that adds the distinct failure rate measurements for vhosts or clusters. Otherwise, you're better off using outlier detection for your client-side throttling story until someone gets around to adding this functionality to the admission control filter so it can be considered "finished".

github-actions[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

tonya11en commented 3 years ago

This one could use a "help wanted" tag if someone can add it. I don't have the ability.