DocsEmissary-ingress2.5Basic rate limiting
Basic rate limiting
Rate limiting in Emissary-ingress is composed of two parts:
The
RateLimitService
resource tells Emissary-ingress what external service to use for rate limiting.Labels that get attached to requests. A label is basic metadata that is used by the
RateLimitService
to decide which limits to apply to the request.
Labels are grouped according to domain and group:
The names of domains and groups are not interpreted by Emissary-ingress in any way:
they are solely there to help configuration authors remember the different groupings.
Note that at present, rate limiting supports just one domain: the name of the
domain must be configured in the RateLimitService
.
Attaching labels to requests
There are two ways of setting labels on a request:
You can set labels on an individual
Mapping
. These labels will only apply to requests that use thatMapping
.You can set global labels in the
ambassador
Module
. These labels will apply to every request that goes through Emissary-ingress.If a
Mapping
and the defaults both give label groups for the same domain, the default labels are prepended to each label group from theMapping
. If theMapping
does not give any labels for that domain, the global labels are placed into a new label group named "default" for that domain.
Each label group is a list of labels; each label is a key/value pair. Since the label group is a list rather than a map:
- it is possible to have multiple labels with the same key, and
- the order of labels matters.
Note: The terminology used by the Envoy documentation differs from the terminology used by Emissary-ingress:
Emissary-ingress Envoy label group descriptor label descriptor entry label specifier rate limit action
The Mapping
s' listing of the groups of specifiers have names for the
groups; the group names are useful for humans dealing with the YAML,
but are ignored by Emissary-ingress, all Emissary-ingress cares about are the
contents of the groupings of label specifiers.
There are 5 types of label specifiers in Emissary-ingress:
source_cluster
Sets the label
source_cluster=«Envoy source cluster name»"
. The Envoy source cluster name is the name of the Envoy cluster that the request came in on.The syntax of this label currently requires
source_cluster: {}
.destination_cluster
Sets the label
destination_cluster=«Envoy destination cluster name»"
. The Envoy destination cluster name is the name of the Envoy cluster to which theMapping
routes the request. You can get the name for a cluster from the diagnostics service.The syntax of this label currently requires
destination_cluster: {}
.remote_address
Sets the label
remote_address=«IP address of the client»"
. The IP address of the client will be taken from theX-Forwarded-For
header, to correctly manage situations with L7 proxies. This requires that Emissary-ingress be correctly configured to communicate.The syntax of this label currently requires
remote_address: {}
.request_headers
If a header named
header-name
is present, set the labelmykey=«value of the header»
. If no header namedheader-name
is present, the entire label group is dropped.generic_key
Sets the label
«mykey»=«myval»
. Note that supplying akey
is supported only with the Envoy V3 API: if you are using Envoy V2, thekey
will always be the constantgeneric_key
.
Rate limiting requests based on their labels
This is determined by your RateLimitService
implementation. See the
Basic Rate Limiting tutorial for an
example RateLimitService
implementation for Emissary-ingress.
If you'd rather not write your own RateLimitService
implementation,
Ambassador Edge Stack provides a RateLimitService
implementation that is
configured by a RateLimit
custom resource. See the
Ambassador Edge Stack RateLimit Reference
for more information.