envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

Set rate limiting to all CIDRs with exceptions #4385

Open zetaab opened 1 month ago

zetaab commented 1 month ago

Description:

I have a use case where I should add rate limiting to all CIDRs EXCEPT a few "whitelisted IPs". As I see it, it is quite a common use case that people want to set rate limits on everything except a few internal API IPs (whitelist services that should always work, no matter what).

Relevant Links:

https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-ratelimit-action Envoy does not support any complex logic in this field, so Envoy changes are needed as well.

zetaab commented 1 month ago

Envoy issue: https://github.com/envoyproxy/envoy/issues/36442

avinandi commented 2 weeks ago

@envoyproxy/gateway-maintainers / @zetaab / @arkodg Do you have any idea why this does not work? This is built following the reference here.

The idea is to set a lower rate limit for certain CIDR blocks and for the rest define a higher limit.

---

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: api--rate-limit-all
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api--http-route
  rateLimit:
    type: Global
    global:
      rules:
        - limit:
            requests: 100
            unit: Second
        - limit:
            requests: 500
            unit: Minute

---

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: api--limit-whitelist
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api--http-route
  rateLimit:
    type: Global
    global:
      rules:
        - clientSelectors:
          - sourceCIDR:
              value: x.y.z.r/30
              type: Distinct
          - sourceCIDR:
              value: x.y.x.r/32
          - sourceCIDR:
              value: x.y.y.r/32
          - sourceCIDR:
              value: x.y.r.r/32
          - sourceCIDR:
              value: y.y.x.r/31
              type: Distinct
          limit:
            requests: 10000
            unit: Minute

---

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api--http-route
spec:
  parentRefs:
    - name: external-gateway
  hostnames:
    - example.com
  rules:
    - matches:
      - path:
          type: PathPrefix
          value: /
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: BackendTrafficPolicy
            name: api--limit-whitelist
      backendRefs:
        - name: api--service
          port: 3000
    - matches:
      - path:
          type: PathPrefix
          value: /
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: BackendTrafficPolicy
            name: api--rate-limit-all
      backendRefs:
        - name: api--service
          port: 3000
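Added example (not from the thread or from the Envoy Gateway project): a small Python model of how the global rules in the policies above select and limit a client. It assumes, as the BackendTrafficPolicy API reference describes, that every entry in a rule's clientSelectors must hold for the rule to apply, and that Envoy rejects a request as soon as any matching rule's descriptor is over its limit; the CIDRs are constructed stand-ins for the x.y.z.r values, and `type: Distinct` per-IP buckets and the HTTPRoute/targetRef wiring are not modelled.

```python
import ipaddress

# Rules transcribed from the thread; the CIDRs are constructed stand-ins.
# The whitelist rule as posted puts every CIDR into ONE clientSelectors list,
# and all selectors of a rule are ANDed (assumption from the API reference).
AS_POSTED = {
    "all-100-per-second": {"cidrs": [], "limit": 100},
    "all-500-per-minute": {"cidrs": [], "limit": 500},
    "whitelist": {"cidrs": ["10.0.0.0/30", "10.0.1.1/32", "10.0.2.1/32"],
                  "limit": 10000},
}

# Same intent with one CIDR selector per rule, so each whitelist rule can match.
ONE_CIDR_PER_RULE = {
    "all-100-per-second": {"cidrs": [], "limit": 100},
    "all-500-per-minute": {"cidrs": [], "limit": 500},
    **{f"whitelist-{c}": {"cidrs": [c], "limit": 10000}
       for c in ("10.0.0.0/30", "10.0.1.1/32", "10.0.2.1/32")},
}


def matching_rules(rules, client_ip):
    """Return the names of rules whose selectors ALL hold for client_ip.
    A rule with no selectors applies to every client."""
    ip = ipaddress.ip_address(client_ip)
    return [name for name, rule in rules.items()
            if all(ip in ipaddress.ip_network(c) for c in rule["cidrs"])]


def is_throttled(rules, client_ip, counts):
    """One descriptor is sent per matching rule; the request is rejected (429)
    when ANY of those descriptors has already reached its limit in the window.
    `counts` maps rule name -> requests already counted in the current window.
    Assumption: any over-limit descriptor throttles the whole request."""
    return any(counts.get(name, 0) >= rules[name]["limit"]
               for name in matching_rules(rules, client_ip))
```

With the selectors ANDed, the posted whitelist rule can never match a single source address, and even with one CIDR per rule a whitelisted client still matches the unconditional rules, so it is throttled by the 100-per-second limit exactly like everyone else.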