Rate limiting

[strekm]

Description

Istio module should support rate limiting. New CRD should be introduced to support rate limiting configuration. User should be able to limit access to given workload based on caller ID, custom header or client certificate. Introduced CRD should hide complexity of EnvoyFilters.

TODO:

• [x] POC local/global rate limiting
• [x] POC memcached/redis rate limit service
• [ ] API design
• [ ] technical design
• [ ] threat modeling
• [ ] implementation
• [ ] rollout

Reasons

Attachments https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/ https://github.com/kyma-project/kyma/issues/17572 https://killercoda.com/interactive-kyma/scenario/rate-limit

[strekm]

We are still doing research and POC around Envoy global rate limit service