Rate limit feature implementation in Istio1.9

Question

I have done initial setup of Istio 1.9 and deploy the bookInfo application to replicate the sample provided in Istio site for rate limiting. As we have use case in our application to implement rate limiting. I am project Istio as a solution but i am facing challenges while running the yaml provided in Istio official link itself.

Could anybody help me out? https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/

I have deployed bookinfo sample from the following link

Envoy YAML

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: istio-system
spec:
  workloadSelector:
    # select by label in the same namespace
    labels:
      istio: ingressgateway
  configPatches:
    # The Envoy config you want to modify
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        # Adds the Envoy Rate Limit Filter in HTTP filter chain.
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            # domain can be anything! Match it to the ratelimter service config
            domain: productpage-ratelimit
            failure_mode_deny: true
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: rate_limit_cluster
                timeout: 10s
              transport_api_version: V3
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.default.svc.cluster.local
      patch:
        operation: ADD
        # Adds the rate limit service cluster for rate limit service defined in step 1.
        value:
          name: rate_limit_cluster
          type: STRICT_DNS
          connect_timeout: 10s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          load_assignment:
            cluster_name: rate_limit_cluster
            endpoints:
            - lb_endpoints:
              - endpoint:
                  address:
                     socket_address:
                      address: ratelimit.default.svc.cluster.local
                      port_value: 8081

Error while applying the envoy yaml:

Error from server: error when creating "envoyfilter.yaml": admission webhook "validation.istio.io" denied the request: configuration is invalid: Envoy filter: subfilter match requires filter match with envoy.http_connection_manager

Could you please provide more information, your configuration yamls, some details about your environment? Some steps to replicate the issue? — PjoterS, Mar 19 '21 at 13:41
I have deployed bookinfo sample from following link [link](https://raw.githubusercontent.com/istio/istio/release-1.9/samples/bookinfo/platform/kube/bookinfo.yaml) trying to apply following envoy filter yaml: — guru, Mar 22 '21 at 04:43
@PjoterS- I have updated the info in the problem statement. Could you please help? — guru, Mar 22 '21 at 08:57
Hi @guru. Your configs look good but the error message is suspicious. It says that `subfilter match requires filter match with envoy.http_connection_manager` and `envoy.http_connection_manager` is deprecated. So that kind of error would be valid in previous versions of Istio and Envoy. Could you double check their versioning? — Wytrzymały Wiktor, Mar 23 '21 at 15:05
@WytrzymałyWiktor - It was my bad. I have used wrong version of ISTIO. — guru, Mar 31 '21 at 14:38
Thanks @WytrzymałyWiktor for the help. Appreciate it. - Please let me know if you have any good links to understand envoy filters and architecture. I am new to ISTIO so it is taking time to understand the filters and how each request is cascading in ENVOY. — guru, Mar 31 '21 at 14:40

score 2 · Answer 1 · answered Apr 01 '21 at 12:23

As suspected earlier in the comments the issue is due to using the old version of Istio (1.7) instead of the expected 1.9. The old version was still expecting the deprecated filer names:

envoy.http_connection_manager instead of envoy.filters.network.http_connection_manager
envoy.router instead of envoy.filters.http.router

Access Logger, Listener Filter, HTTP Filter, Network Filter, Stats Sink, and Tracer names have been deprecated in favor of the extension name from the envoy build system.

While analyzing your issue I stumbled upon several good sources that you will find useful while learning:

Docs regarding the filters you plan to use
Understanding Envoy Filters
Extending Istio with the EnvoyFilter CRD
and of course the Istio docs

guru · Answer 2 · 2021-03-31T14:47:14.810

0

Istio version was 1.7. Due to which i got above error. i have upgraded to Istio 1.9. then it started working.

edited Mar 31 '21 at 14:47

answered Mar 31 '21 at 14:38

guru

97
1
8

Rate limit feature implementation in Istio1.9

2 Answers2