Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add HTTPLocalRateLimitPolicy support #13231

Merged
merged 7 commits into from
Nov 9, 2024
Merged

Add HTTPLocalRateLimitPolicy support #13231

merged 7 commits into from
Nov 9, 2024

Conversation

alpeb
Copy link
Member

@alpeb alpeb commented Oct 25, 2024

This adds the HTTPLocalRateLimitPolicy CRD, which is indexed by the policy controller and exposed by the inbound API.

  • 81ebc08: HTTPLocalRateLimitPolicy CRD and related changes
  • 01afd23: policy controller central changes
  • b098925: rust tests updates and additions
  • 2f45597: golden files updates.

Testing

In a cluster with linkerd and emojivoto injected, deploy these resources:

 apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata:
  namespace: emojivoto
  name: web-http
spec:
  # permissive policy, so we don't require setting up authz
  accessPolicy: all-unauthenticated
  podSelector:
    matchLabels:
      app: web-svc
  port: http
  proxyProtocol: HTTP/1
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPLocalRateLimitPolicy
metadata:
  namespace: emojivoto
  name: web-rl
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: web-http
  total:
    requestsPerSecond: 100
  identity:
    requestsPerSecond: 20
  overrides:
  - requestsPerSecond: 10
    clientRefs:
    - kind: ServiceAccount
      namespace: emojivoto
      name: default
$ kubectl -n emojivoto get httplocalratelimitpolicies.policy.linkerd.io
NAME     TARGET_KIND   TARGET_NAME   TOTAL_RPS   IDENTITY_RPS
web-rl   Server        web-http      100         20

Then see how the RL policy is exposed at the inbound API under the protocol section, with linkerd dg policy -n emojivoto po/web-85f6fb8564-jp67d 8080:

...
protocol:
  Kind:
    Http1:
      local_rate_limit:
        identity:
          requestsPerSecond: 20
        metadata:
          Kind:
            Resource:
              group: policy.linkerd.io
              kind: httplocalratelimitpolicy
              name: web-rl
        overrides:
        - clients:
            identities:
            - name: default.emojivoto.serviceaccount.identity.linkerd.cluster.local
          limit:
            requestsPerSecond: 10
        total:
          requestsPerSecond: 100
...

@alpeb alpeb requested a review from a team as a code owner October 25, 2024 18:37
@alpeb alpeb marked this pull request as draft October 25, 2024 19:00
@alpeb alpeb force-pushed the alpeb/rate-limiting branch 3 times, most recently from b82277b to 1d84d49 Compare October 28, 2024 13:30
@alpeb alpeb force-pushed the alpeb/rate-limiting branch 2 times, most recently from b65187d to b7f983b Compare October 30, 2024 19:08
@alpeb alpeb marked this pull request as ready for review October 31, 2024 00:40
@alpeb alpeb force-pushed the alpeb/rate-limiting branch 2 times, most recently from dcd1ff9 to aff1aab Compare October 31, 2024 15:39
@olix0r olix0r self-assigned this Oct 31, 2024
alpeb added a commit that referenced this pull request Oct 31, 2024
alpeb added a commit that referenced this pull request Nov 1, 2024
policy-test/tests/inbound_api.rs Show resolved Hide resolved
policy-test/src/grpc.rs Outdated Show resolved Hide resolved
policy-controller/k8s/index/src/inbound/index.rs Outdated Show resolved Hide resolved
policy-controller/grpc/src/inbound.rs Outdated Show resolved Hide resolved
alpeb added a commit that referenced this pull request Nov 5, 2024
alpeb added a commit that referenced this pull request Nov 5, 2024
alpeb added a commit that referenced this pull request Nov 5, 2024
alpeb added a commit to linkerd/linkerd2-proxy that referenced this pull request Nov 6, 2024
Implemented inbound http local rate limiting, through the [governor crate](https://github.com/boinkor-net/governor), which uses the Generic Cell Rate algorithm.

Ref linkerd/linkerd2#13231 for the policy-controller support.
---------

Co-authored-by: Oliver Gould <[email protected]>
Cargo.toml Outdated Show resolved Hide resolved
policy-controller/k8s/index/src/inbound/index.rs Outdated Show resolved Hide resolved
@olix0r olix0r merged commit caf8e82 into main Nov 9, 2024
47 checks passed
@olix0r olix0r deleted the alpeb/rate-limiting branch November 9, 2024 00:24
alpeb added a commit that referenced this pull request Nov 9, 2024
alpeb added a commit that referenced this pull request Nov 12, 2024
* HTTPLocalRateLimitPolicy validator

Followup to #13231
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants