ASMGlobalRateLimiter CRD fields reference - Alibaba Cloud Service Mesh

The ASMGlobalRateLimiter Custom Resource Definition (CRD) configures global rate limiting in Service Mesh (ASM). Each ASMGlobalRateLimiter resource specifies which workloads to target, which external rate limit service to query, and the rate limiting rules to enforce. At request time, the sidecar or waypoint proxy queries the rate limit service and either allows or rejects the request based on the configured thresholds.

Configuration examples

All examples use the istio.alibabacloud.com/v1 API version and require an ASM instance of version 1.25.6.74 or later.

Limit inbound requests to a service (server-side)

This configuration limits the httpbin application to 1 request per minute across all clients. Because applyToTraffic is set to sidecar_inbound, the rate limit is enforced at the server side regardless of which client sends the request.

apiVersion: istio.alibabacloud.com/v1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
spec:
  configs:
  - limit:
      quota: 1
      unit: MINUTE
    target_services:
    - name: httpbin
      port: 8000
    name: default
  applyToTraffic: sidecar_inbound
  rateLimitService:
    host: ratelimit.default.svc.cluster.local # Queries this service to determine whether the current request needs to be throttled.
    port: 8081
    timeout:
      seconds: 5
  workloadSelector:
    labels:
      app: httpbin

Limit outbound requests from a client (client-side)

This configuration limits the sleep application to 1 request per minute when calling the httpbin service. Because applyToTraffic is set to sidecar_outbound, only this specific client is rate-limited. Other clients that call httpbin are not affected.

apiVersion: istio.alibabacloud.com/v1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
spec:
  configs:
  - limit:
      quota: 1
      unit: MINUTE
    target_services:
    - name: httpbin
      port: 8000
    name: default
  applyToTraffic: sidecar_outbound
  rateLimitService:
    host: ratelimit.default.svc.cluster.local # Queries this service to determine whether the current request needs to be throttled.
    port: 8081
    timeout:
      seconds: 5
  workloadSelector:
    labels:
      app: sleep

Rate limit by request header on a waypoint (Ambient mode)

This example applies only to Ambient mode and requires an ASM instance of version 1.25.6.74 or later.

This configuration attaches a rate limiting rule to the default waypoint. Requests that include the x-user header get a per-user bucket limited to 1 request per minute (distinct: true). Requests without the header share a common bucket limited to 20 requests per minute.

apiVersion: istio.alibabacloud.com/v1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
spec:
  configs:
  - limit_overrides:
    - limit:
        quota: 1
        unit: MINUTE
      request_match:
        header_match:
        - distinct: true
          name: x-user
    limit:
      quota: 20
      unit: MINUTE
    target_services:
    - name: httpbin
      port: 8000
    name: default
  applyToTraffic: waypoint
  rateLimitService:
    host: ratelimit.default.svc.cluster.local # Queries this service to determine whether the current request needs to be throttled.
    port: 8081
    timeout:
      seconds: 5
  workloadSelector:
    labels:
      gateway.networking.k8s.io/gateway-name: default

spec

The top-level spec object defines the target workloads, rate limit service connection, and rules:

spec:
  workloadSelector:
    labels: { ... }
  isGateway: false
  applyToTraffic: sidecar_inbound
  rateLimitService: { ... }
  configs:
  - { ... }

Field	Type	Required	Description
`workloadSelector`	map\	Yes	Labels that select the workloads where rate limiting rules take effect. The label scope is restricted to the namespace where the resource is defined. For more information, see Workload Selector.
`isGateway`	bool	No	Whether the rule targets a gateway. Default: `false`.
`rateLimitService`	RateLimitServiceConfig	Yes	Connection settings for the external rate limit service.
`configs`	GlobalRateLimiterConfig[]	Yes	One or more rate limiting rules.
`applyToTraffic`	string	No	Traffic direction the rules apply to. Default: `sidecar_inbound`. See applyToTraffic values. Supported in ASM 1.25 and later.

applyToTraffic values

Value	Traffic direction	Use case
`sidecar_inbound`	Inbound traffic received by a sidecar-attached application (server side)	Protect a service from excessive requests
`sidecar_outbound`	Outbound traffic sent by a sidecar-attached application (client side)	Limit how often a specific client calls a service
`waypoint`	Traffic processed by a waypoint proxy in Ambient mode	Rate limit at the waypoint layer without sidecars
`gateway`	Traffic passing through an ingress gateway	Protect backend services from external traffic

RateLimitServiceConfig

Connection settings for the gRPC rate limit service that the mesh proxy queries at request time:

rateLimitService:
  host: ratelimit.default.svc.cluster.local
  port: 8081
  timeout:
    seconds: 5

Field	Type	Required	Description
`host`	string	Yes	In-cluster domain name of the rate limit service.
`port`	int	Yes	gRPC port of the rate limit service.
`timeout`	Duration	No	Timeout for the mesh proxy to connect to the rate limit service. Specify as `seconds: <n>` or `nanos: <n>` (nanoseconds).

GlobalRateLimiterConfig

Each entry in the configs array defines a rate limiting rule:

configs:
- name: default
  match: { ... }
  limit:
    quota: 10
    unit: MINUTE
  limit_overrides:
  - { ... }
  target_services:
  - { ... }

Field	Type	Required	Description
`name`	string	Yes	Name of the rate limiting rule.
`match`	RatelimitMatch	Yes	Criteria that requests must match for this rule to apply.
`limit`	GlobalServiceLimitConfig	Yes	Default rate limit threshold.
`limit_overrides`	GlobalRateLimitOverrideConfig[]	No	Override the default threshold for requests that match specific criteria. Supported in ASM V1.19.0 and later.
`target_services`	TargetServiceRef[]	No	Services to which this rule applies. Supported in ASM 1.25 and later.

GlobalServiceLimitConfig

Defines the rate limit threshold as a quota within a time window:

Field	Type	Required	Description
`unit`	string	Yes	Time window unit. Valid values: `SECOND`, `MINUTE`.
`quota`	int	Yes	Maximum number of requests allowed per time window.

GlobalRateLimitOverrideConfig

Overrides the default rate limit threshold for requests that match specific criteria. When a request matches an override, the override threshold applies instead of the rule-level limit.

Supported in ASM V1.19.0 and later.

Field	Type	Required	Description
`request_match`	RequestMatcher	Yes	Criteria that a request must match for this override to apply.
`limit`	GlobalServiceLimitConfig	Yes	Rate limit threshold for matching requests.

TargetServiceRef

Specifies the service to which a rate limiting rule applies.

Supported in ASM 1.25 and later.

target_services:
- kind: Service
  namespace: default
  name: httpbin
  port: 8000

Field	Type	Required	Description
`kind`	string	No	Resource type of the target service. Valid values: `Service`, `ServiceEntry`, `VirtualService`. Default: `Service`.
`name`	string	Yes	Name of the target service resource.
`namespace`	string	No	Namespace of the target service. Default: the namespace where the rate limiting policy is defined.
`port`	int32	No	Port of the target service.
`section_name`	string	No	Route name within a `VirtualService`. Only valid when `kind` is `VirtualService`.

TargetServiceRef examples

Target a Service

Apply the rule to port 8000 of the httpbin Service in the default namespace:

target_services:
- kind: Service
  namespace: default
  name: httpbin
  port: 8000

Target a ServiceEntry

If your mesh includes the following ServiceEntry for an external service:

apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: se-httpbin-external
spec:
  hosts:
  - httpbin.test.com
  location: MESH_EXTERNAL
  ports:
  - name: http
    number: 80
    protocol: HTTP
  - name: https
    number: 443
    protocol: HTTPS
  resolution: DNS

Apply the rule to port 80:

target_services:
- kind: ServiceEntry
  namespace: default
  name: se-httpbin-external
  port: 80

Target a VirtualService route

If your mesh includes the following VirtualService:

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: vs-httpbin
spec:
  hosts:
  - httpbin.test.com
  http:
  - name: default
    route:
    - destination:
        host: httpbin
        port:
          number: 8000

Apply the rule to the route named default:

target_services:
- kind: VirtualService
  namespace: default
  name: vs-httpbin
  section_name: default

RatelimitMatch

Defines the virtual host matching criteria for a rate limiting rule:

Field	Type	Required	Description
`vhost`	VirtualHostMatch	Yes	Virtual host to match.

VirtualHostMatch

Field	Type	Required	Description
`name`	string	Yes	Name of the virtual host.
`port`	int	No	Request port to match.
`route`	RouteMatch	No	Route within the virtual host to match.

RouteMatch

Field	Type	Required	Description
`name_match`	string	No	Name of a specific route in a virtual service.
`header_match`	HeaderMatcher[]	No	Headers to match. Deprecated in ASM V1.19.0 and later. Use GlobalRateLimitOverrideConfig instead.

RequestMatcher

Defines criteria for matching requests in override configurations. When multiple fields are specified, a request must match all of them (AND logic).

Field	Type	Required	Description
`header_match`	HeaderMatcher[]	No	Match by request headers.
`remote_address`	RemoteAddressMatcher	No	Match by source IP address.
`query_match`	QueryParameterMatcher[]	No	Match by query parameters.

RemoteAddressMatcher

Matches requests by source IP address or CIDR range. To match a range, specify the base address in address and the prefix length in v4_prefix_mask_len or v6_prefix_mask_len.

Field	Type	Required	Description
`address`	string	Yes	Source IP address or base address of a CIDR range.
`v4_prefix_mask_len`	uint32	No	IPv4 subnet mask length. Combined with `address`, matches the calculated CIDR range.
`v6_prefix_mask_len`	uint32	No	IPv6 subnet mask length. Combined with `address`, matches the calculated CIDR range.

HeaderMatcher

Matches requests by HTTP header values. Specify exactly one match type (regex_match, exact_match, prefix_match, or suffix_match) per matcher entry.

Field	Type	Required	Description
`name`	string	No	Header name.
`regex_match`	string	No	Regular expression to match the header value.
`exact_match`	string	No	Exact string to match the header value.
`prefix_match`	string	No	Prefix to match the header value.
`suffix_match`	string	No	Suffix to match the header value.
`present_match`	bool	No	If `true`, matches when the header is present (value is ignored). If `false`, matches when the header is absent.
`invert_match`	bool	No	If `true`, inverts the match result. Default: `false`.

QueryParameterMatcher

Matches requests by URL query parameter values. Specify exactly one match type (exact_match, prefix_match, suffix_match, regex_match, or contains_match) per matcher entry.

Field	Type	Required	Description
`name`	string	Yes	Query parameter name.
`exact_match`	string	No	Exact string to match the query parameter value.
`prefix_match`	string	No	Prefix to match the query parameter value.
`suffix_match`	string	No	Suffix to match the query parameter value.
`regex_match`	string	No	Regular expression to match the query parameter value.
`contains_match`	string	No	Substring that the query parameter value must contain.
`present_match`	bool	No	If `true`, matches when the query parameter is present (value is ignored). Cannot be set to `false`; use other match types instead.
`ignore_case`	bool	No	Whether to ignore case when matching the query parameter value.

References

Use ASMGlobalRateLimiter to configure global throttling for ingress gateways and inbound traffic to services