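The main purpose of rate limits is to keep an excessive volume of requests from overwhelming a service. When requests from the same source reach a given frequency, Istio's Envoy returns HTTP status 429 Too Many Requests directly, and the backend service stops receiving those requests.
With Istio, the Gateway and the Virtual Service installed, the next step is to configure the rate limit. The configuration has two parts.
1. Istio: deploy EnvoyFilters so that requests go to an external service
2. Rate Limit Service: an external service must be deployed so that Istio can send traffic to it for the rate-limiting decision
The YAML for this part comes from the official documentation; basically only the external service needs to be adjusted.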
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: istio-system
spec:
  workloadSelector:
    # select by label in the same namespace
    labels:
      istio: ingressgateway # fill in the name of the gateway you deployed
  configPatches:
    # The Envoy config you want to modify
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        # Adds the Envoy Rate Limit Filter in HTTP filter chain.
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            # domain can be anything! Match it to the ratelimter service config
            domain: productpage-ratelimit # the domain can be anything, but it must match the one in the config file
            failure_mode_deny: true # whether to reject all traffic if the external service is down; default false
            timeout: 10s
            rate_limit_service:
              grpc_service: # besides grpc_service there is also http, but gRPC is generally the default
                envoy_grpc:
                  cluster_name: rate_limit_cluster # must match the cluster_name set below
              transport_api_version: V3
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.default.svc.cluster.local # path of your external service
      patch:
        operation: ADD
        # Adds the rate limit service cluster for rate limit service defined in step 1.
        value:
          name: rate_limit_cluster # same as the cluster_name above
          type: STRICT_DNS
          connect_timeout: 10s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          load_assignment:
            cluster_name: rate_limit_cluster # same as the cluster_name above
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: ratelimit.default.svc.cluster.local # path of your external service
                          port_value: 8081 # gRPC port
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway # fill in the name of the gateway you deployed
  configPatches:
    - applyTo: VIRTUAL_HOST # targets the Virtual Service
      match:
        context: GATEWAY
        routeConfiguration:
          vhost:
            name: "*:80" # host set on the ingress; * means all hosts, followed by port 80
            route:
              name: your_service # corresponds to the service name in the original virtual service
              action: ANY
      patch:
        operation: MERGE
        # Applies the rate limit rules.
        value:
          rate_limits: # rate limit settings
            - actions: # any actions in here
                - request_headers: # rate limit on the auth_token header
                    header_name: "auth_token"
                    descriptor_key: "auth_token" # must match the value in the config
The external service can be deployed with ratelimit; remember to set up its config,
or define a ConfigMap directly on k8s.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    domain: productpage-ratelimit # this domain must match the one used earlier
    descriptors:
      - key: generic_key
        value: auth_token # matches the descriptor_key defined in the EnvoyFilter above
        descriptors:
          - key: remote_address # source IP
            rate_limit:
              requests_per_unit: 60 # 60 per time unit
              unit: minute # time unit
      - key: PATH
        value: "/productpage" # for this path
        rate_limit:
          unit: minute
          requests_per_unit: 1
      - key: PATH
        rate_limit:
          unit: minute
          requests_per_unit: 100
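Once the above is deployed, you can see the external service's access log. Incidentally, the external service above resets its counters at every time unit: with the 60/min setting shown above, for example, the count resets every minute.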
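Whether the descriptor emitted by the EnvoyFilter actually hits a rule in config.yaml can be checked offline. The following is an added example, not code from the original post or the Istio docs: a simplified Python model that assumes the lookup rule used by envoyproxy/ratelimit, with hypothetical function names and constructed sample values.

```python
# Added example: simplified model (an assumption) of how a rate limit service
# such as envoyproxy/ratelimit resolves a descriptor: at each level it tries
# "key_value" first, then the bare "key", and only the last entry sets a limit.

# The page's ConfigMap (domain productpage-ratelimit) rewritten as nested dicts.
PAGE_CONFIG = {
    "generic_key_auth_token": {
        "children": {"remote_address": {"limit": (60, "minute")}},
    },
    "PATH_/productpage": {"limit": (1, "minute")},
    "PATH": {"limit": (100, "minute")},
}


def request_headers_action(headers, header_name, descriptor_key):
    """Model of the request_headers action: no descriptor if the header is absent."""
    value = headers.get(header_name)
    return None if value is None else [(descriptor_key, value)]


def find_limit(config, descriptor):
    """Return (requests_per_unit, unit) for a descriptor, or None when no rule applies."""
    level, limit = config, None
    for i, (key, value) in enumerate(descriptor):
        node = level.get(f"{key}_{value}", level.get(key))
        if node is None:
            return None
        if "limit" in node and i == len(descriptor) - 1:
            limit = node["limit"]
        level = node.get("children")
        if not level:
            break
    return limit


def resolve(headers, config=PAGE_CONFIG):
    """Descriptor built by the page's auth_token action, then looked up in config."""
    descriptor = request_headers_action(headers, "auth_token", "auth_token")
    return None if descriptor is None else find_limit(config, descriptor)


if __name__ == "__main__":
    # Constructed sample requests and descriptors.
    print(resolve({"auth_token": "abc123"}))                      # None
    print(resolve({}))                                            # None
    print(find_limit(PAGE_CONFIG, [("PATH", "/productpage")]))    # (1, 'minute')
    print(find_limit(PAGE_CONFIG, [("PATH", "/reviews")]))        # (100, 'minute')
    print(find_limit(PAGE_CONFIG, [("generic_key", "auth_token"),
                                   ("remote_address", "203.0.113.7")]))  # (60, 'minute')
```

In this model a `None` result means no limit is applied to that descriptor, so every `descriptor_key` used under `rate_limits` needs an entry with the same key in config.yaml.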