ASMLocalRateLimiter is a CustomResourceDefinition (CRD) that you can use to declaratively define local rate limiting configurations in Service Mesh (ASM).
How it works
ASMLocalRateLimiter uses a token bucket algorithm to control request rates:
Each Envoy proxy maintains a token bucket with a configured number of tokens (
quota).Tokens are replenished at a regular interval (
fill_interval).If no tokens are available, the request is rejected with HTTP status 429 (configurable).
By default, all worker threads within a single Envoy process share one token bucket. Set per_downstream_connection to true to allocate a separate bucket per connection.
The quota value applies to a single Envoy instance. If you have *n* gateway instances, the effective rate limit for backend services is *n* x quota. Recalculate quotas whenever you scale the number of instances.
CRD structure overview
This skeleton shows how fields nest within the CRD:
apiVersion: istio.alibabacloud.com/v1beta1 # or v1
kind: ASMLocalRateLimiter
metadata:
name: <rule-name>
namespace: <namespace>
spec:
workloadSelector:
labels:
<label-key>: <label-value>
isGateway: true | false
configs:
- name: <config-name>
match:
vhost:
name: <virtual-host-name>
port: <port>
route:
name_match: <route-name>
limit:
status: <http-status-code>
fill_interval:
seconds: <int>
nanos: <int>
quota: <int>
per_downstream_connection: true | false
custom_response_body: <string>
response_header_to_add:
<header-name>: <header-value>
limit_overrides:
- request_match:
header_match:
- name: <header-name>
exact_match: <value>
query_match:
- name: <param-name>
exact_match: <value>
limit:
fill_interval:
seconds: <int>
quota: <int>Configuration example
The following example applies rate limiting to an ingress gateway. Two virtual hosts receive different limits: www.example1.com at 10 requests per second, and www.example2.com at 100 requests per second.
Supported apiVersion values
| ASM version | apiVersion value |
|---|---|
| 1.15.3.105 or later | istio.alibabacloud.com/v1 |
| Earlier than 1.15.3.105 | istio.alibabacloud.com/v1beta1 |
If you previously set the apiVersion to istio.alibabacloud.com/v1beta1 for ASMCircuitBreaker in a Container Service for Kubernetes (ACK) cluster, change the value to istio.alibabacloud.com/v1 and redeploy the cluster.
spec
For more information, see Configure local rate limiting on an ingress gateway.
| Field | Type | Required | Description |
|---|---|---|---|
| workloadSelector | map<string, string> | Yes | Labels that select the pods where rate limiting takes effect. Matching is scoped to the namespace of the resource. For more information, see Workload Selector. |
| isGateway | bool | No | Set to true if the rule targets a gateway. Default: false. |
| configs | LocalRateLimiterConfig[] | Yes | Rate limiting rules. |
LocalRateLimiterConfig
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Name of the rate limiting rule. |
| match | RatelimitMatch | Yes | Criteria that determine which requests this rule applies to. |
| limit | LimitConfig | Yes | Token bucket settings that define the rate limit. |
| limit_overrides | RateLimitOverrideConfig[] | No | Overrides that apply different rate limits to specific requests. Requires ASM V1.19.0 or later. |
RatelimitMatch
| Field | Type | Required | Description |
|---|---|---|---|
| vhost | VirtualHostMatch | No | Criteria for matching a virtual host. |
LimitConfig
| Field | Type | Required | Description |
|---|---|---|---|
| status | int | No | HTTP status code returned when a request is rate-limited. Default: 429. Must be 400 or greater. Requires ASM V1.24.6.64 or later. |
| fill_interval | Duration | No | How often tokens are added to the bucket. Specify seconds (integer) or nanos (nanoseconds). For example, seconds: 1 replenishes the bucket every second. Together with quota, this defines the allowed request rate. |
| quota | int | No | The number of tokens. The value must be an integer. For example, quota: 100 with seconds: 1 allows 100 requests per second per Envoy instance. |
| per_downstream_connection | bool | No | Scope of the token bucket. false (default): one bucket shared across all worker threads per Envoy process. true: one bucket per downstream connection. Requires ASM V1.13.4 or later. |
| custom_response_body | string | No | Response body returned when a request is rate-limited. Requires ASM V1.13.4 or later. |
| response_header_to_add | map[string]string | No | Response headers added when a request is rate-limited. Requires ASM V1.13.4 or later. |
RateLimitOverrideConfig
Use overrides to apply a different rate limit to requests that match specific headers or query parameters, while keeping the base rate limit for all other traffic.
| Field | Type | Required | Description |
|---|---|---|---|
| request_match | RequestMatcher | Yes | Criteria that identify requests receiving the override. |
| limit | LimitConfig | Yes | Rate limit for matched requests. Only fill_interval and quota take effect. The values of per_downstream_connection, custom_response_body, and response_header_to_add are inherited from the parent LocalRateLimiterConfig.limit. |
VirtualHostMatch
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Name of the virtual host to match. |
| port | int | No | Port to match. |
| route | RouteMatch | No | Route to match within the virtual host. |
RouteMatch
| Field | Type | Required | Description |
|---|---|---|---|
| name_match | string | No | Name of a specific route defined in a virtual service. |
| header_match | HeaderMatcher[] | No | Deprecated in ASM V1.19.0 and later. Use RateLimitOverrideConfig instead. |
RequestMatcher
When both header_match and query_match are specified, a request must satisfy all conditions to be matched.
| Field | Type | Required | Description |
|---|---|---|---|
| header_match | HeaderMatcher[] | No | Header-based match criteria. |
| query_match | QueryParameterMatcher[] | No | Query parameter-based match criteria. |
HeaderMatcher
Specify exactly one match mode field (regex_match, exact_match, prefix_match, suffix_match, or present_match) per matcher.
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | No | Header name. |
| regex_match | string | No | Match the header value against a regular expression. |
| exact_match | string | No | Match the header value exactly. |
| prefix_match | string | No | Match the beginning of the header value. |
| suffix_match | string | No | Match the end of the header value. |
| present_match | bool | No | true: match if the header exists, regardless of value. false: match if the header does not exist. |
| invert_match | bool | No | Invert the match result. Default: false. When true, a request that would normally match is treated as not matching, and vice versa. |
QueryParameterMatcher
Specify exactly one match mode field (exact_match, prefix_match, suffix_match, regex_match, contains_match, or present_match) per matcher.
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Query parameter name. |
| exact_match | string | No | Match the parameter value exactly. |
| prefix_match | string | No | Match the beginning of the parameter value. |
| suffix_match | string | No | Match the end of the parameter value. |
| regex_match | string | No | Match the parameter value against a regular expression. |
| contains_match | string | No | Match if the parameter value contains the specified string. |
| present_match | bool | No | true: match if the parameter exists, regardless of value. false is not valid and is equivalent to omitting this field. |
| ignore_case | bool | No | Ignore case when comparing values. |