slime-io / slime

An intelligent ServiceMesh manager based on Istio
https://slime-io.github.io/

limiter: support ip match #459

Closed MouceL closed 9 months ago

MouceL commented 9 months ago

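Support inbound rate limiting by source IP (relies on Envoy's remote_address feature).

This feature will be supported for single-instance rate limiting, evenly divided (average) rate limiting, and globally shared rate limiting.

Usage examples are as follows:

A new SourceIpMatch type is added; it is used as follows

Single-instance rate limiting example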

apiVersion: microservice.slime.io/v1alpha2
kind: SmartLimiter
metadata:
  name: productpage
  namespace: default
spec:
  sets:
    _base:
      descriptor:
      - action:
          fill_interval:
            seconds: 1
          quota: "1"
          strategy: "single"
        condition: "true"
        target:
          port: 9080
        match:
        - matchSource: SourceIpMatch
          exact_match: "10.244.0.10" 

The generated EnvoyFilter looks roughly like this =>


## Inserted into the route

  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
      routeConfiguration:
        vhost:
          name: inbound|http|9080
          route:
            name: default
    patch:
      operation: MERGE
      value:
        route:
          rate_limits:
          - actions:
            - remote_address: {}

------

  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
      routeConfiguration:
        vhost:
          name: inbound|http|9080
          route:
            name: default
    patch:
      operation: MERGE
      value:
        typed_per_filter_config:
          envoy.filters.http.local_ratelimit:
            '@type': type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              descriptors:
              - entries:
                - key: remote_address
                  value: 10.244.0.10
                token_bucket:
                  fill_interval:
                    seconds: "1"
                  max_tokens: 1
                  tokens_per_fill:
                    value: 1
              filter_enabled:
                default_value:
                  numerator: 100
                runtime_key: local_rate_limit_enabled
              filter_enforced:
                default_value:
                  numerator: 100
                runtime_key: local_rate_limit_enforced
              stat_prefix: http_local_rate_limiter

Globally shared rate limiting example

apiVersion: microservice.slime.io/v1alpha2
kind: SmartLimiter
metadata:
  name: productpage
  namespace: default
spec:
  sets:
    _base:
      descriptor:
      - action:
          fill_interval:
            seconds: 1
          quota: "1"
          strategy: "global"
        condition: "true"
        target:
          port: 9080
        match:
        - matchSource: SourceIpMatch
          exact_match: "10.244.0.10" 

The generated EnvoyFilter looks roughly like this =>


## generic_key and remote_address inserted into the route
  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
      routeConfiguration:
        vhost:
          name: inbound|http|9080
          route:
            name: default
    patch:
      operation: MERGE
      value:
        route:
          rate_limits:
          - actions:
            - generic_key:
                descriptor_value: Service[productpage.default]-Id[1516976265]
            - remote_address: {}

------

## generic_key and remote_address inserted into the RLS

  config.yaml: |
    domain: slime
    descriptors:
    - key: generic_key
      value: Service[productpage.default]-Id[1516976265]
      descriptors:
      - key: remote_address
        value: 10.244.0.10
        rate_limit:
          requests_per_unit: 1
          unit: SECOND
---
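
A simplified model of the global example above, added here for illustration (not code from this PR, slime, Envoy or the rate limit service): it shows how the nested `generic_key` then `remote_address` descriptor is matched by exact string, so only `10.244.0.10` is counted against the quota while other source IPs find no rule and pass. The names `Entry`, `Rule`, `Limiter`, `DescriptorFor` and the fixed one-second window are assumptions made for the example.

```go
package main

import "fmt"

const svcKey = "Service[productpage.default]-Id[1516976265]" // generic_key value from the page

// Entry is one (key, value) pair emitted by a rate_limits action.
type Entry struct{ Key, Value string }

// Rule models one node of the RLS config.yaml (hypothetical type); PerSecond 0 means no rate_limit.
type Rule struct { Entry; PerSecond int; Children []Rule }

// rules is the config.yaml shown above: generic_key -> remote_address, 1 request per second.
var rules = []Rule{{Entry{"generic_key", svcKey}, 0, []Rule{{Entry{"remote_address", "10.244.0.10"}, 1, nil}}}}

// Limiter counts requests per matched descriptor in fixed one-second windows.
type Limiter map[string]int

// DescriptorFor builds the entries the two route actions emit for one source IP.
func DescriptorFor(remoteAddr string) []Entry {
	return []Entry{{"generic_key", svcKey}, {"remote_address", remoteAddr}}
}

// Allow matches entries level by level (exact strings), then applies the quota.
func (l Limiter) Allow(entries []Entry, unixSec int64) bool {
	level, limit := rules, 0
	for _, e := range entries {
		var hit *Rule
		for i := range level {
			if level[i].Entry == e {
				hit = &level[i]
			}
		}
		if hit == nil {
			return true // no matching descriptor: the request is not limited
		}
		level, limit = hit.Children, hit.PerSecond
	}
	key := fmt.Sprintf("%v@%d", entries, unixSec)
	l[key]++
	return limit == 0 || l[key] <= limit
}

func main() {
	l := Limiter{}
	for _, ip := range []string{"10.244.0.10", "10.244.0.10", "10.244.0.11"} { // constructed traffic
		fmt.Println(ip, l.Allow(DescriptorFor(ip), 100))
	}
}
```

Envoy fills the `remote_address` entry with the trusted client address derived from `x-forwarded-for`, so which IP reaches this match depends on how the inbound listener is configured to trust that header.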