Skip to content
Merged
Show file tree
Hide file tree
Changes from 117 commits
Commits
Show all changes
120 commits
Select commit Hold shift + click to select a range
991d39f
wip
Jan 10, 2020
84c1b51
wip
Jan 11, 2020
d3e80e0
wip
tonya11en Jan 13, 2020
668040d
wip
tonya11en Jan 13, 2020
3727a6d
still broken
tonya11en Jan 13, 2020
b91335f
builds wip
Jan 14, 2020
871fe70
stats
tonya11en Jan 14, 2020
cd1d879
thread local
tonya11en Jan 14, 2020
b768ad1
format
tonya11en Jan 14, 2020
7a4678e
tests
tonya11en Jan 15, 2020
d5278b8
Fix bugs and more tests.
tonya11en Jan 16, 2020
34144fd
runtime double
tonya11en Jan 16, 2020
f3ec7f7
runtime double
tonya11en Jan 16, 2020
5e3d1ed
filter config test
tonya11en Jan 17, 2020
5654fa2
wip
tonya11en Jan 17, 2020
10472c0
compiles, wip, test fails
tonya11en Jan 21, 2020
a15ad6e
tests pass
tonya11en Jan 22, 2020
7f30f79
filter disable test
tonya11en Jan 22, 2020
fa3cd1c
Merge remote-tracking branch 'upstream/master' into admctl
tonya11en Jan 22, 2020
29478b0
format and fix merge stuff
tonya11en Jan 22, 2020
6b69513
more filter tests
tonya11en Jan 22, 2020
48043b6
more filter tests
tonya11en Jan 22, 2020
d0b8c50
test stats
tonya11en Jan 22, 2020
5358a78
wip
tonya11en Jan 24, 2020
6bf90d1
Merge remote-tracking branch 'upstream/master' into admctl
tonya11en Mar 2, 2020
fbecc7f
format
tonya11en Mar 2, 2020
c31da84
wip
tonya11en Mar 2, 2020
a9b9f8b
doc: fix SNI FAQ link (#10227)
lizan Mar 2, 2020
e01eda5
builds
Mar 3, 2020
5e97619
wip
tonya11en Mar 3, 2020
fc666b7
wip
tonya11en Mar 3, 2020
d639d37
builds
tonya11en Mar 3, 2020
167133d
progress
tonya11en Mar 3, 2020
598fc5f
passes
tonya11en Mar 3, 2020
bafb45e
format
tonya11en Mar 3, 2020
17fa361
Merge remote-tracking branch 'upstream/master' into admctl
tonya11en Mar 3, 2020
3bde611
format
tonya11en Mar 3, 2020
0d6dc11
Revert "format"
tonya11en Mar 3, 2020
e416db7
grpc status proto
tonya11en Mar 5, 2020
2748f16
wip
tonya11en Mar 6, 2020
0fa0905
wip
tonya11en Mar 6, 2020
72cd42d
Merge remote-tracking branch 'upstream/master' into admctl
tonya11en Mar 6, 2020
8340a73
wip
tonya11en Mar 6, 2020
65c9773
protobuf fixes
tonya11en Mar 6, 2020
dde5ea2
tests pass
tonya11en Mar 6, 2020
74a35a3
small addition to tests. still need to test new behaviors.
tonya11en Mar 6, 2020
dbd2d88
more grpc tests
tonya11en Mar 11, 2020
0359eb4
wip
tonya11en Mar 11, 2020
5bb2747
Merge remote-tracking branch 'upstream/master' into admctl
tonya11en Mar 11, 2020
762b131
format
tonya11en Mar 11, 2020
a29c9eb
tests pass
tonya11en Mar 12, 2020
c83b8fd
more tests and proto stuff
tonya11en Mar 12, 2020
c562c65
fix spelling
tonya11en Mar 12, 2020
b420460
fix api build
tonya11en Mar 12, 2020
935e672
missing protos
tonya11en Mar 12, 2020
cddd71e
http integration test. still need grpc test.
tonya11en Mar 13, 2020
eab6c0f
rm half-baked grpc test
tonya11en Mar 13, 2020
6b893f6
error bars
tonya11en Mar 13, 2020
1379ac5
make test less flaky
tonya11en Mar 13, 2020
9921663
minor test changes
tonya11en Mar 13, 2020
9cb2499
wip
tonya11en Mar 26, 2020
80c219a
Fix the grpc integration test.
tonya11en Mar 26, 2020
43d479b
fix format
tonya11en Mar 26, 2020
20f6036
Kick CI
tonya11en Mar 31, 2020
8f1428e
Merge remote-tracking branch 'upstream/master' into admctl
tonya11en Apr 6, 2020
4dab945
more
tonya11en Apr 7, 2020
cb2e4d8
Merge remote-tracking branch 'upstream/master' into admctl
tonya11en Apr 7, 2020
0bd08e0
wip
tonya11en Apr 7, 2020
c266d3a
response evals
tonya11en Apr 7, 2020
343b75b
wip
tonya11en Apr 28, 2020
d27fbe7
fix tests
tonya11en Apr 28, 2020
6be3d03
add to dictionary
tonya11en Apr 28, 2020
594bd23
Merge remote-tracking branch 'upstream/master' into admctl02
tonya11en May 6, 2020
b6591d3
fix doc build
tonya11en May 8, 2020
ae1ca6e
fix simulated time
tonya11en May 8, 2020
1a5b3ba
proto format
tonya11en May 8, 2020
08ab835
clang tidy..
tonya11en May 8, 2020
40dc2ec
clang tidy forever
tonya11en May 8, 2020
1d516aa
Kick CI
tonya11en May 9, 2020
0baddea
Merge remote-tracking branch 'upstream/master' into admctl02
tonya11en May 11, 2020
59fe97c
safer vector array pointer
tonya11en May 11, 2020
7e7844c
format
tonya11en May 11, 2020
53e3476
shorten file names
tonya11en May 12, 2020
648a936
guessing to fix windows build
tonya11en May 13, 2020
1976891
stats integration test
tonya11en May 13, 2020
70cf114
Revert "stats integration test"
tonya11en May 13, 2020
c557fe7
fix windows CI
tonya11en May 14, 2020
0f25dbb
format
tonya11en May 14, 2020
6681bc0
Merge remote-tracking branch 'upstream/master' into admctl02
tonya11en May 19, 2020
6846ce8
matt's first wave
tonya11en May 19, 2020
c3d1b42
fix deferred failure
tonya11en May 31, 2020
02f8a79
wip
tonya11en May 31, 2020
39e3286
wip
tonya11en May 31, 2020
775619f
filter test passing
tonya11en Jun 2, 2020
ca85a3e
finished
tonya11en Jun 2, 2020
7368a10
validate ranges
tonya11en Jun 3, 2020
cf292eb
docs
tonya11en Jun 3, 2020
af7ac9f
grpc validation
tonya11en Jun 3, 2020
5f2e0d0
rm config files
tonya11en Jun 3, 2020
d8841cd
name change
tonya11en Jun 3, 2020
ca62264
wip
tonya11en Jun 3, 2020
18a92b9
snow comments
tonya11en Jun 3, 2020
811af9e
pedantic
tonya11en Jun 4, 2020
f6884ed
Merge remote-tracking branch 'upstream/master' into admctl_pt1
tonya11en Jun 4, 2020
aca33f6
format
tonya11en Jun 4, 2020
2f6e768
fix .bzl
tonya11en Jun 4, 2020
e610c6c
clang tidy
tonya11en Jun 4, 2020
c37c1d1
docs
tonya11en Jun 4, 2020
a0dcb07
format
tonya11en Jun 5, 2020
15354d2
fix build
tonya11en Jun 5, 2020
c8953b0
Merge remote-tracking branch 'upstream/master' into admctl_pt1
tonya11en Jun 5, 2020
1123eef
remove autonomous upstream changes
tonya11en Jun 5, 2020
57ecfb7
snow's comments
tonya11en Jun 8, 2020
aa38fec
Merge remote-tracking branch 'upstream/master' into admctl_pt1
tonya11en Jun 8, 2020
529db5c
tidy
tonya11en Jun 8, 2020
d73174c
coverage
tonya11en Jun 10, 2020
7724223
comment
tonya11en Jun 10, 2020
446c279
matt comments
tonya11en Jun 16, 2020
440a83c
Merge remote-tracking branch 'upstream/master' into admctl_pt1
tonya11en Jun 16, 2020
da072c2
todo comment
tonya11en Jun 17, 2020
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CODEOWNERS
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,8 @@ extensions/filters/common/original_src @snowp @klarose
/*/extensions/common/aws @lavignes @mattklein123
# adaptive concurrency limit extension.
/*/extensions/filters/http/adaptive_concurrency @tonya11en @mattklein123
# admission control extension.
/*/extensions/filters/http/admission_control @tonya11en @mattklein123
# http inspector
/*/extensions/filters/listener/http_inspector @yxue @PiotrSikora @lizan
# attribute context
Expand Down
1 change: 1 addition & 0 deletions api/BUILD
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,7 @@ proto_library(
"//envoy/extensions/compression/gzip/decompressor/v3:pkg",
"//envoy/extensions/filters/common/fault/v3:pkg",
"//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
"//envoy/extensions/filters/http/admission_control/v3alpha:pkg",
"//envoy/extensions/filters/http/aws_lambda/v3:pkg",
"//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
"//envoy/extensions/filters/http/buffer/v3:pkg",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ package envoy.extensions.filters.http.adaptive_concurrency.v3;
import "envoy/config/core/v3/base.proto";
import "envoy/type/v3/percent.proto";

import "google/api/annotations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";

Expand Down
13 changes: 13 additions & 0 deletions api/envoy/extensions/filters/http/admission_control/v3alpha/BUILD
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# DO NOT EDIT. This file is generated by tools/proto_sync.py.

load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")

licenses(["notice"]) # Apache 2

api_proto_package(
deps = [
"//envoy/config/core/v3:pkg",
"//envoy/type/v3:pkg",
"@com_github_cncf_udpa//udpa/annotations:pkg",
],
)
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
syntax = "proto3";

package envoy.extensions.filters.http.admission_control.v3alpha;

import "envoy/config/core/v3/base.proto";
import "envoy/type/v3/range.proto";

import "google/api/annotations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "google/rpc/status.proto";

import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.extensions.filters.http.admission_control.v3alpha";
option java_outer_classname = "AdmissionControlProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).work_in_progress = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: Admission Control]
// [#extension: envoy.filters.http.admission_control]

message AdmissionControl {
// Default method of specifying what constitutes a successful request. All status codes that
// indicate a successful request must be explicitly specified if not relying on the default
// values.
message SuccessCriteria {
message HttpCriteria {
// Status code ranges that constitute a successful request. Configurable codes are in the
// range [100, 600). If empty, all HTTP requests will be considered unsuccessful.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a good default? Should we have 200-299 be successful by default?

repeated type.v3.Int32Range http_success_status = 1;
}

message GrpcCriteria {
// Status codes that constitute a successful request. If empty, all gRPC requests will be
// considered unsuccessful.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a good default? Should we have 0 be successful if empty?

// Mappings can be found at: https://github.com/grpc/grpc/blob/master/doc/statuscodes.md.
repeated uint32 grpc_success_status = 1;
}

// If HTTP criteria are unspecified, all HTTP status codes below 500 are treated as successful
// responses.
Comment on lines +44 to +45

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I see how you structured this. I would do 200-299 by default, and if specified I would make http_success_status min length 1 in the message above.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the grpc code comment below. I think it also applies here for things like redirects or 403/404/etc.

HttpCriteria http_criteria = 1;

// GRPC status codes to consider as request successes. If unspecified, defaults to: Ok,
Comment thread
tonya11en marked this conversation as resolved.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar comment above. I would make the min repeated above required if the message is specified, and I think the default should be just OK here?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My reasoning for picking these specific codes is that something like Unauthenticated or Unimplemented or InvalidArgument won't be fixed by simply sending less requests. If a client starts sending bogus/malformed requests along with good ones, I don't want the admission controller to start rejecting the good requests if it won't make things better. In that contrived case, it would make things worse.

Does that change anything for you?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess? I'm fine either way but I would flesh out the docs as to why the default is what it is. Same for the HTTP one.

// Cancelled, Unknown, InvalidArgument, NotFound, AlreadyExists, Unauthenticated,
// FailedPrecondition, OutOfRange, and Unimplemented.
GrpcCriteria grpc_criteria = 2;
}

// If set to false, the admission control filter will operate as a pass-through filter. If the
// message is unspecified, the filter will be enabled.
config.core.v3.RuntimeFeatureFlag enabled = 1;

// Defines how a request is considered a success/failure.
oneof evaluation_criteria {
option (validate.required) = true;

SuccessCriteria success_criteria = 2;
}

// The sliding time window over which the success rate is calculated. The window is rounded to the
// nearest second. Defaults to 120s.
google.protobuf.Duration sampling_window = 3;
Comment thread
tonya11en marked this conversation as resolved.

// Rejection probability is defined by the formula::
//
// max(0, (rq_count - aggression_coefficient * rq_success_count) / (rq_count + 1))
//
// The coefficient dictates how aggressively the admission controller will throttle requests as
// the success rate drops. Lower values will cause throttling to kick in at higher success rates
// and result in more aggressive throttling. Any values less than 1.0, will be set to 1.0. If the
// message is unspecified, the coefficient is 2.0.
config.core.v3.RuntimeDouble aggression_coefficient = 4;
}
1 change: 1 addition & 0 deletions api/versioning/BUILD
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ proto_library(
"//envoy/extensions/compression/gzip/decompressor/v3:pkg",
"//envoy/extensions/filters/common/fault/v3:pkg",
"//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
"//envoy/extensions/filters/http/admission_control/v3alpha:pkg",
"//envoy/extensions/filters/http/aws_lambda/v3:pkg",
"//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
"//envoy/extensions/filters/http/buffer/v3:pkg",
Expand Down
1 change: 1 addition & 0 deletions docs/root/configuration/http/http_filters/http_filters.rst
Original file line number Diff line number Diff line change
Expand Up @@ -41,4 +41,5 @@ HTTP filters
.. toctree::
:hidden:

../../../api-v3/extensions/filters/http/admission_control/v3alpha/admission_control.proto
../../../api-v3/extensions/filters/http/cache/v3alpha/cache.proto
2 changes: 2 additions & 0 deletions generated_api_shadow/BUILD
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ proto_library(
"//envoy/config/filter/dubbo/router/v2alpha1:pkg",
"//envoy/config/filter/fault/v2:pkg",
"//envoy/config/filter/http/adaptive_concurrency/v2alpha:pkg",
"//envoy/config/filter/http/admission_control/v2alpha:pkg",
"//envoy/config/filter/http/buffer/v2:pkg",
"//envoy/config/filter/http/compressor/v2:pkg",
"//envoy/config/filter/http/cors/v2:pkg",
Expand Down Expand Up @@ -129,6 +130,7 @@ proto_library(
"//envoy/extensions/common/tap/v3:pkg",
"//envoy/extensions/filters/common/fault/v3:pkg",
"//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
"//envoy/extensions/filters/http/admission_control/v3alpha:pkg",
"//envoy/extensions/filters/http/buffer/v3:pkg",
"//envoy/extensions/filters/http/compressor/v3:pkg",
"//envoy/extensions/filters/http/cors/v3:pkg",
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions source/extensions/extensions_build_config.bzl
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ EXTENSIONS = {
#

"envoy.filters.http.adaptive_concurrency": "//source/extensions/filters/http/adaptive_concurrency:config",
# NOTE: The admission control filter does not have a proper filter
# implemented right now. We are just referencing the filter lib here.
"envoy.filters.http.admission_control": "//source/extensions/filters/http/admission_control:admission_control_filter_lib",
"envoy.filters.http.aws_lambda": "//source/extensions/filters/http/aws_lambda:config",
"envoy.filters.http.aws_request_signing": "//source/extensions/filters/http/aws_request_signing:config",
"envoy.filters.http.buffer": "//source/extensions/filters/http/buffer:config",
Expand Down
35 changes: 35 additions & 0 deletions source/extensions/filters/http/admission_control/BUILD
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_extension",
"envoy_package",
)

licenses(["notice"]) # Apache 2

# HTTP L7 filter that probabilistically rejects requests based on upstream success-rate.
# Public docs: docs/root/configuration/http_filters/admission_control.rst

envoy_package()

envoy_cc_extension(
name = "admission_control_filter_lib",
srcs = [
"admission_control.cc",
],
hdrs = [
"admission_control.h",
"thread_local_controller.h",
],
security_posture = "unknown",
deps = [
"//include/envoy/http:filter_interface",
"//include/envoy/runtime:runtime_interface",
"//source/common/common:cleanup_lib",
"//source/common/http:codes_lib",
"//source/common/runtime:runtime_lib",
"//source/extensions/filters/http:well_known_names",
"//source/extensions/filters/http/admission_control/evaluators:response_evaluator_lib",
"//source/extensions/filters/http/common:pass_through_filter_lib",
"@envoy_api//envoy/extensions/filters/http/admission_control/v3alpha:pkg_cc_proto",
],
)
Loading