istio.io/archive/v0.4/docs/tasks/policy-enforcement/rate-limiting.html


<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage" style="overflow-y: scroll;"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="title" content="Enabling Rate Limits"><meta name="og:title" content="Enabling Rate Limits"><meta name="og:image" content="/v0.4/img/logo.png"/><meta name="theme-color" content="#466BB0"/><meta name="description" content="This task shows you how to use Istio to dynamically limit the traffic to a service."><meta name="og:description" content="This task shows you how to use Istio to dynamically limit the traffic to a service."><title>Istioldie 0.4 / Enabling Rate Limits</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.4/feed.xml"><link rel="shortcut icon" href="/v0.4/favicons/favicon.ico" ><link rel="apple-touch-icon" href="/v0.4/favicons/apple-touch-icon-180x180.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.4/favicons/favicon-16x16.png" sizes="16x16"><link rel="icon" type="image/png" href="/v0.4/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.4/favicons/android-36x36.png" sizes="36x36"><link rel="icon" type="image/png" href="/v0.4/favicons/android-48x48.png" sizes="48x48"><link rel="icon" type="image/png" href="/v0.4/favicons/android-72x72.png" sizes="72x72"><link rel="icon" type="image/png" href="/v0.4/favicons/android-96x196.png" sizes="96x196"><link rel="icon" type="image/png" href="/v0.4/favicons/android-144x144.png" sizes="144x144"><link rel="icon" type="image/png" href="/v0.4/favicons/android-192x192.png" sizes="192x192"><link rel="manifest" 
href="/v0.4/manifest.json"><meta name="apple-mobile-web-app-title" content="Istio"><meta name="application-name" content="Istio"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><link rel="stylesheet" href="/v0.4/css/all.css"><link rel="stylesheet" href="/v0.4/css/prism.css"></head><body class="language-unknown"> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script><div class="nav-hero-container" style="z-index: 200000;"><nav id="header-nav" class="navbar navbar-inverse" role="navigation" style="z-index: 200000;"><div class="container"><div class="row"><div class="col-md-11 nofloat center-block "><div class="navbar-header"> <button type="button" class="hamburger navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar-collapse-1" aria-expanded="false"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="/v0.4/"><div> <img src="/v0.4/img/istio-logo.svg" alt="Istio Logo" height="54px"/> <span class="brand-name">Istioldie 0.4</span></div></a></div><div class="collapse navbar-collapse" id="navbar-collapse-1"><ul class="nav navbar-nav navbar-right"><li><a href="/v0.4/about" >About</a></li><li><a href="/v0.4/blog/posts/2017/mixer-spof-myth.html" >Blog</a></li><li><a href="/v0.4/docs/welcome" class='current'>Docs</a></li><li><a href="/v0.4/help" >Help</a></li><li><a href="/v0.4/community" >Community</a></li><li class="dropdown"> <a class="dropdown-toggle" data-toggle="dropdown" href=""> <i class='fa fa-lg fa-cog'></i> <span class="caret"></span> </a><ul class="dropdown-menu"><h6 
class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li></ul></li><li><form name="cse" id="searchbox_demo" class="navbar-form navbar-right" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /><div class="form-group"><div class="input-group"> <input name="q" class="form-control search-box" type="text" size="30" /><div class="input-group-addon"> <span class="btn-search glyphicon glyphicon-search"></span></div></div></div></form> <script type="text/javascript" src="https://www.google.com/cse/brand?form=searchbox_demo"></script></li></ul></div></div></div></div></nav></div><div class="container"><div class="row"><div class="col-md-11 nofloat center-block" style="margin-top: 3px;"><ul class="col-sm-10 nav nav-tabs"><li role="presentation" ><a href="/v0.4/docs/welcome/">Welcome</a></li><li role="presentation" ><a href="/v0.4/docs/concepts/">Concepts</a></li><li role="presentation" ><a href="/v0.4/docs/setup/">Setup</a></li><li role="presentation" class='active'><a href="/v0.4/docs/tasks/">Tasks</a></li><li role="presentation" ><a href="/v0.4/docs/guides/">Guides</a></li><li role="presentation" ><a href="/v0.4/docs/reference/">Reference</a></li></ul></div></div></div><script src="/v0.4/js/navtree.min.js"></script><div class="container docs"><div class="row"><div class="col-md-11 nofloat center-block"><div class="row"><div id="sidebar-container" class="col-sm-3"><ul class="sidebar"><li><h5 class='sidebar-title'>Tasks</h5></li><script type="text/javascript"> var docs = []; docs.push({path: [ "index.md", ], url: "/docs/tasks/", title: "Tasks", order: 20, overview: "Tasks show you how to do a single specific targeted activity with the Istio system."}); 
docs.push({path: [ "policy-enforcement", "index.md", ], url: "/docs/tasks/policy-enforcement/", title: "Policy Enforcement", order: 20, overview: "Describes tasks that demonstrate policy enforcement features."}); docs.push({path: [ "policy-enforcement", "rate-limiting.md", ], url: "/docs/tasks/policy-enforcement/rate-limiting.html", title: "Enabling Rate Limits", order: 10, overview: "This task shows you how to use Istio to dynamically limit the traffic to a service."}); docs.push({path: [ "security", "basic-access-control.md", ], url: "/docs/tasks/security/basic-access-control.html", title: "Setting up Basic Access Control", order: 20, overview: "This task shows how to control access to a service using the Kubernetes labels."}); docs.push({path: [ "security", "index.md", ], url: "/docs/tasks/security/", title: "Security", order: 40, overview: "Describes tasks that help securing the service mesh traffic."}); docs.push({path: [ "security", "mutual-tls.md", ], url: "/docs/tasks/security/mutual-tls.html", title: "Testing Istio mutual TLS authentication", order: 10, overview: "This task shows you how to verify and test Istio's automatic mutual TLS authentication."}); docs.push({path: [ "security", "per-service-mtls.md", ], url: "/docs/tasks/security/per-service-mtls.html", title: "Per-service mutual TLS authentication enablement", order: 40, overview: "This task shows how to change mutual TLS authentication for a single service."}); docs.push({path: [ "security", "plugin-ca-cert.md", ], url: "/docs/tasks/security/plugin-ca-cert.html", title: "Plugging in CA certificate and key", order: 40, overview: "This task shows how operators can plug existing certificate and key into Istio CA."}); docs.push({path: [ "security", "secure-access-control.md", ], url: "/docs/tasks/security/secure-access-control.html", title: "Setting up Secure Access Control", order: 30, overview: "This task shows how to securely control access to a service using service accounts."}); docs.push({path: 
[ "telemetry", "distributed-tracing.md", ], url: "/docs/tasks/telemetry/distributed-tracing.html", title: "Distributed Tracing", order: 10, overview: "How to configure the proxies to send tracing requests to Zipkin or Jaeger"}); docs.push({path: [ "telemetry", "index.md", ], url: "/docs/tasks/telemetry/", title: "Metrics, Logs, and Traces", order: 30, overview: "Describes tasks that demonstrate how to collect telemetry information from the service mesh."}); docs.push({path: [ "telemetry", "metrics-logs.md", ], url: "/docs/tasks/telemetry/metrics-logs.html", title: "Collecting Metrics and Logs", order: 20, overview: "This task shows you how to configure Istio to collect metrics and logs."}); docs.push({path: [ "telemetry", "querying-metrics.md", ], url: "/docs/tasks/telemetry/querying-metrics.html", title: "Querying Metrics from Prometheus", order: 30, overview: "This task shows you how to query for Istio Metrics using Prometheus."}); docs.push({path: [ "telemetry", "servicegraph.md", ], url: "/docs/tasks/telemetry/servicegraph.html", title: "Generating a Service Graph", order: 50, overview: "This task shows you how to generate a graph of services within an Istio mesh."}); docs.push({path: [ "telemetry", "tcp-metrics.md", ], url: "/docs/tasks/telemetry/tcp-metrics.html", title: "Collecting Metrics for TCP services", order: 25, overview: "This task shows you how to configure Istio to collect metrics for TCP services."}); docs.push({path: [ "telemetry", "using-istio-dashboard.md", ], url: "/docs/tasks/telemetry/using-istio-dashboard.html", title: "Visualizing Metrics with Grafana", order: 40, overview: "This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic."}); docs.push({path: [ "traffic-management", "egress.md", ], url: "/docs/tasks/traffic-management/egress.html", title: "Control Egress Traffic", order: 40, overview: "Describes how to configure Istio to route traffic from services in the mesh to external services."}); docs.push({path: 
[ "traffic-management", "fault-injection.md", ], url: "/docs/tasks/traffic-management/fault-injection.html", title: "Fault Injection", order: 20, overview: "This task shows how to inject delays and test the resiliency of your application."}); docs.push({path: [ "traffic-management", "index.md", ], url: "/docs/tasks/traffic-management/", title: "Traffic Management", order: 10, overview: "Describes tasks that demonstrate traffic routing features of Istio service mesh."}); docs.push({path: [ "traffic-management", "ingress.md", ], url: "/docs/tasks/traffic-management/ingress.html", title: "Istio Ingress Controller", order: 30, overview: "Describes how to configure the Istio ingress controller on Kubernetes."}); docs.push({path: [ "traffic-management", "request-routing.md", ], url: "/docs/tasks/traffic-management/request-routing.html", title: "Configuring Request Routing", order: 10, overview: "This task shows you how to configure dynamic request routing based on weights and HTTP headers."}); docs.push({path: [ "traffic-management", "request-timeouts.md", ], url: "/docs/tasks/traffic-management/request-timeouts.html", title: "Setting Request Timeouts", order: 28, overview: "This task shows you how to setup request timeouts in Envoy using Istio."}); docs.push({path: [ "traffic-management", "traffic-shifting.md", ], url: "/docs/tasks/traffic-management/traffic-shifting.html", title: "Traffic Shifting", order: 25, overview: "This task shows you how to migrate traffic from an old to new version of a service."}); genSideBarTree(docs) </script></ul></div><div id="tab-container" class="col-xs-1 tab-neg-margin pull-left"> <a id="sidebar-tab" class="glyphicon glyphicon-chevron-left" href="javascript:void 0;"> </a></div><div id="content-container" class="thin-left-border col-sm-9 markdown"><div id="toc" class="toc"></div><div id="doc-content"><h1>Enabling Rate Limits</h1><p>This task shows you how to use Istio to dynamically limit the traffic to a service.</p><h2 
id="before-you-begin">Before you begin</h2><ul><li><p>Set up Istio in a Kubernetes cluster by following the quick start instructions in the <a href="/v0.4/docs/setup/kubernetes/quick-start.html">Installation guide</a>.</p></li><li><p>Deploy the <a href="/v0.4/docs/guides/bookinfo.html">BookInfo</a> sample application.</p></li><li><p>Initialize the application version routing to direct <code>reviews</code> service requests from test user “jason” to version v2 and requests from any other user to v3.</p><pre><code class="language-bash">istioctl create -f samples/bookinfo/kube/route-rule-reviews-test-v2.yaml
istioctl create -f samples/bookinfo/kube/route-rule-reviews-v3.yaml
</code></pre><blockquote><p>Note: if you have a conflicting rule that you set in previous tasks, use <code>istioctl replace</code> instead of <code>istioctl create</code>.</p></blockquote></li></ul><h2 id="rate-limits">Rate limits</h2><p>Istio enables users to rate limit traffic to a service.</p><p>Consider <code>ratings</code> as an external paid service like Rotten Tomatoes® with a <code>1qps</code> free quota. Using Istio, we can ensure that the <code>1qps</code> quota is not exceeded.</p><ol><li><p>Point your browser at the BookInfo <code>productpage</code> (http://$GATEWAY_URL/productpage).</p><p>If you log in as user “jason”, you should see black ratings stars with each review, indicating that the <code>ratings</code> service is being called by the “v2” version of the <code>reviews</code> service.</p><p>If you log in as any other user (or log out), you should see red ratings stars with each review, indicating that the <code>ratings</code> service is being called by the “v3” version of the <code>reviews</code> service.</p></li><li><p>Configure a <code>memquota</code> adapter with rate limits.</p><p>Save the following YAML snippet as <code>ratelimit-handler.yaml</code>.</p><pre><code class="language-yaml">apiVersion: config.istio.io/v1alpha2
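kind: memquota
metadata:
  name: handler
  namespace: istio-system
spec:
  # NOTE: memquota keeps its counters in the memory of the Mixer process, so
  # counts do not survive a restart and are not shared between Mixer replicas.
  quotas:
  # The quota instance is referenced by its fully qualified name:
  # <name>.<kind>.<namespace>.
  - name: requestcount.quota.istio-system
    # default rate limit is 5000qps
    maxAmount: 5000
    validDuration: 1s
    # The first matching override is applied, so list more specific
    # overrides before more general ones.
    # A requestcount instance is checked against override dimensions.
    overrides:
    # The following override applies to traffic from 'reviews' version v2,
    # destined for the ratings service. The destinationVersion dimension is ignored.
    - dimensions:
        destination: ratings
        source: reviews
        sourceVersion: v2
      maxAmount: 1
      validDuration: 1s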
</code></pre><p>and then run the following command:</p><pre><code class="language-bash">istioctl create -f ratelimit-handler.yaml
</code></pre><p>This configuration specifies a default 5000qps rate limit. Traffic reaching the ratings service via reviews-v2 is subject to a 1qps rate limit. In our example, user “jason” is routed via reviews-v2 and is therefore subject to the 1qps rate limit.</p></li><li><p>Configure the rate limit instance and rule.</p><p>Create a quota instance named <code>requestcount</code> that maps incoming attributes to quota dimensions, and create a rule that uses it with the memquota handler.</p><pre><code class="language-yaml">apiVersion: config.istio.io/v1alpha2
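kind: quota
metadata:
  name: requestcount
  namespace: istio-system
spec:
  # Each distinct combination of these four values gets its own counter.
  # When an attribute is missing, the expression falls through to the next
  # alternative and finally to "unknown", so all unlabeled workloads share
  # the same "unknown" dimension value (and therefore the same counter).
  dimensions:
    source: source.labels["app"] | source.service | "unknown"
    sourceVersion: source.labels["version"] | "unknown"
    destination: destination.labels["app"] | destination.service | "unknown"
    destinationVersion: destination.labels["version"] | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  # No match condition: the quota instance is evaluated for every request.
  actions:
  - handler: handler.memquota
    instances:
    - requestcount.quota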
</code></pre><p>Save the configuration as <code>ratelimit-rule.yaml</code> and run the following command:</p><pre><code class="language-bash">istioctl create -f ratelimit-rule.yaml
</code></pre></li><li><p>Generate load on the <code>productpage</code> with the following command:</p><pre><code class="language-bash">while true; do curl -s -o /dev/null http://$GATEWAY_URL/productpage; done
</code></pre></li><li><p>Refresh the <code>productpage</code> in your browser.</p><p>If you log in as user “jason” while the load generator is running (i.e., generating more than 1 req/s), the traffic generated by your browser will be rate limited to 1qps. Once that quota is exhausted, the reviews-v2 service is unable to access the ratings service and you stop seeing stars. For all other users, the default 5000qps rate limit will apply and you will continue seeing red stars.</p></li></ol><h2 id="conditional-rate-limits">Conditional rate limits</h2><p>In the previous example we applied a rate limit to the <code>ratings</code> service without regard to non-dimension attributes. It is possible to conditionally apply rate limits based on arbitrary attributes using a match condition in the quota rule.</p><p>For example, consider the following configuration:</p><pre><code class="language-yaml">apiVersion: config.istio.io/v1alpha2
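kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  # Only requests that cross a namespace boundary match this rule; traffic
  # that stays inside one namespace is not counted against the quota.
  match: source.namespace != destination.namespace
  actions:
  - handler: handler.memquota
    instances:
    - requestcount.quota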
</code></pre><p>This configuration applies the quota rule to requests whose source and destination namespaces are different. Requests that stay within a single namespace do not match the rule and are therefore not counted against the quota.</p><h2 id="understanding-rate-limits">Understanding rate limits</h2><p>In the preceding examples we saw how Mixer applies rate limits to requests that match certain conditions.</p><p>Every named quota instance like <code>requestcount</code> represents a set of counters. The set is defined by a Cartesian product of all quota dimensions. If the number of requests in the last <code>expiration</code> duration (the <code>validDuration</code> set in the handler) exceeds <code>maxAmount</code>, Mixer returns a <code>RESOURCE_EXHAUSTED</code> message to the proxy. The proxy in turn returns status <code>HTTP 429</code> to the caller.</p><p>The <code>memquota</code> adapter uses a sliding window of sub-second resolution to enforce rate limits. Note that <code>memquota</code> keeps its counters in the memory of a single Mixer process: counts are reset when Mixer restarts and are not shared between Mixer replicas, so the adapter is suited to testing rather than to production enforcement.</p><p>The <code>maxAmount</code> in the adapter configuration sets the default limit for all counters associated with a quota instance. This default limit applies if a quota override does not match the request. Memquota selects the first override that matches a request. An override need not specify all quota dimensions. In the <code>ratelimit-handler.yaml</code> example, the <code>1qps</code> override is selected by matching only three out of four quota dimensions.</p><p>If you would like the above policies enforced for a given namespace instead of the entire Istio mesh, you can replace all occurrences of <code>istio-system</code> with the given namespace.</p><h2 id="cleanup">Cleanup</h2><ul><li><p>Remove the rate limit configuration:</p><pre><code class="language-bash">istioctl delete -f ratelimit-handler.yaml
istioctl delete -f ratelimit-rule.yaml
</code></pre></li><li><p>Remove the application routing rules:</p><pre><code>istioctl delete -f samples/bookinfo/kube/route-rule-reviews-test-v2.yaml
istioctl delete -f samples/bookinfo/kube/route-rule-reviews-v3.yaml
</code></pre></li><li><p>If you are not planning to explore any follow-on tasks, refer to the <a href="/v0.4/docs/guides/bookinfo.html#cleanup">BookInfo cleanup</a> instructions to shut down the application.</p></li></ul><h2 id="further-reading">Further reading</h2><ul><li><p>Learn more about <a href="/v0.4/docs/concepts/policy-and-control/mixer.html">Mixer</a> and <a href="/v0.4/docs/concepts/policy-and-control/mixer-config.html">Mixer Config</a>.</p></li><li><p>Discover the full <a href="/v0.4/docs/reference/config/mixer/attribute-vocabulary.html">Attribute Vocabulary</a>.</p></li><li><p>Read the reference guide to <a href="/v0.4/docs/reference/writing-config.html">Writing Config</a>.</p></li></ul></div></div></div></div></div></div><script src="/v0.4/js/sidebar.min.js"></script><footer><div class="container"><div class="row"><div class="col-lg-2 col-md-2 col-sm-2"></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li><a class="header" href="/v0.4/docs/welcome">Docs</a></li><li><a href="/v0.4/docs/concepts">Concepts</a></li><li><a href="/v0.4/docs/setup">Setup</a></li><li><a href="/v0.4/docs/tasks">Tasks</a></li><li><a href="/v0.4/docs/guides">Guides</a></li><li><a href="/v0.4/docs/reference">Reference</a></li></ul></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li><a class="header" href="/v0.4/help">Help</a></li><li><a href="/v0.4/faq">FAQ</a></li><li><a href="/v0.4/glossary">Glossary</a></li><li><a href="/v0.4/troubleshooting">Troubleshooting</a></li><li><a href="/v0.4/bugs">Report Bugs</a></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue%20with%20_docs/tasks/policy-enforcement/rate-limiting.md">Doc Bugs &amp; Gaps</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_docs/tasks/policy-enforcement/rate-limiting.md">Edit This Page</a></li></ul></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li> <a class="header"
href="/v0.4/community">Community</a></li><li> <a href="https://groups.google.com/forum/#!forum/istio-users" target="_blank" rel="noopener">User</a> | <a href="https://groups.google.com/forum/#!forum/istio-dev" target="_blank" rel="noopener">Dev Mailing Lists</a></li><li><a href="https://twitter.com/IstioMesh" target="_blank" rel="noopener">Twitter</a></li><li><a href="https://stackoverflow.com/questions/tagged/istio" target="_blank" rel="noopener">Stack Overflow</a></li><li><a href="https://github.com/istio/community" target="_blank" rel="noopener">GitHub</a></li><li><a href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md" target="_blank" rel="noopener">Working Groups</a></li></ul></div><div class="col-lg-1 col-md-1 col-sm-1"></div></div><div class="row"><p class="description small text-center"> Istio 0.4, Copyright &copy; 2017 Istio Authors<br> Archived on 20-Dec-2017</p></div></div></footer><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.15.0/jquery.validate.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery.form/4.2.1/jquery.form.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-visible/1.2.0/jquery.visible.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.6.0/slick.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> <script src="/v0.4/js/common.min.js"></script> <script src="/v0.4/js/search.js"></script> <script src="/v0.4/js/prism.min.js"></script></body></html>