Docs
Emissary-ingress2.2Basic rate limiting
Basic rate limiting
Rate limiting in Emissary-ingress is composed of two parts:
The
RateLimitServiceresource tells Emissary-ingress what external service to use for rate limiting.Labels that get attached to requests. A label is basic metadata that is used by the
RateLimitServiceto decide which limits to apply to the request.
Labels are grouped according to domain and group:
The names of domains and groups are not interpreted by Emissary-ingress in any way:
they are solely there to help configuration authors remember the different groupings.
Note that at present, rate limiting supports just one domain: the name of the
domain must be configured in the RateLimitService.
Attaching labels to requests
There are two ways of setting labels on a request:
You can set labels on an individual
Mapping. These labels will only apply to requests that use thatMapping.You can set global labels in the
ambassadorModule. These labels will apply to every request that goes through Emissary-ingress.If a
Mappingand the defaults both give label groups for the same domain, the default labels are prepended to each label group from theMapping. If theMappingdoes not give any labels for that domain, the global labels are placed into a new label group named "default" for that domain.
Each label group is a list of labels; each label is a key/value pair. Since the label group is a list rather than a map:
- it is possible to have multiple labels with the same key, and
- the order of labels matters.
Note: The terminology used by the Envoy documentation differs from the terminology used by Emissary-ingress:
Emissary-ingress Envoy label group descriptor label descriptor entry label specifier rate limit action
The Mappings' listing of the groups of specifiers have names for the
groups; the group names are useful for humans dealing with the YAML,
but are ignored by Emissary-ingress, all Emissary-ingress cares about are the
contents of the groupings of label specifiers.
There are 5 types of label specifiers in Emissary-ingress:
source_clusterSets the label
source_cluster=«Envoy source cluster name»". The Envoy source cluster name is the name of the Envoy cluster that the request came in on.The syntax of this label currently requires
source_cluster: {}.destination_clusterSets the label
destination_cluster=«Envoy destination cluster name»". The Envoy destination cluster name is the name of the Envoy cluster to which theMappingroutes the request. You can get the name for a cluster from the diagnostics service.The syntax of this label currently requires
destination_cluster: {}.remote_addressSets the label
remote_address=«IP address of the client»". The IP address of the client will be taken from theX-Forwarded-Forheader, to correctly manage situations with L7 proxies. This requires that Emissary-ingress be correctly configured to communicate.The syntax of this label currently requires
remote_address: {}.request_headersIf a header named
header-nameis present, set the labelmykey=«value of the header». If no header namedheader-nameis present, the entire label group is dropped.generic_keySets the label
«mykey»=«myval». Note that supplying akeyis supported only with the Envoy V3 API: if you are using Envoy V2, thekeywill always be the constantgeneric_key.
Rate limiting requests based on their labels
This is determined by your RateLimitService implementation. See the
Basic Rate Limiting tutorial for an
example RateLimitService implementation for Emissary-ingress.
If you'd rather not write your own RateLimitService implementation,
Ambassador Edge Stack provides a RateLimitService implementation that is
configured by a RateLimit custom resource. See the
Ambassador Edge Stack RateLimit Reference
for more information.