Dawood Abbas

Reputation: 87

Istio block excessive requests from a single IP

I need to set up a rate limit for the number of requests a single IP can trigger.

I followed this tutorial in the Istio documentation for global rate limiting: https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/

I deployed the rate limit service using this file, shared in the above link: https://github.com/istio/istio/blob/release-1.12/samples/ratelimit/rate-limit-service.yaml

The ConfigMap shared below works fine, but it blocks requests from all IP addresses once the limit is reached. I need to block only the IPs that try to send more than the defined number of requests.

apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    domain: productpage-ratelimit
    descriptors:
      - key: PATH
        value: "/productpage"
        rate_limit:
          unit: minute
          requests_per_unit: 1
      - key: PATH
        rate_limit:
          unit: minute
          requests_per_unit: 100

I updated the above config following example 3 on this link: https://github.com/envoyproxy/ratelimit#example-3. I restarted the rate limit service and the Istio pods after that as well. I tried accessing the URL after this, but it didn't block my requests.

apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    domain: edge_proxy_per_ip
    descriptors:
      - key: remote_address
        rate_limit:
          requests_per_unit: 1
          unit: minute

Logs of the rate limit service when I try opening the URL: (screenshot, not included here)

Istio Version: 1.12.1
Kubernetes Version: Client Version: v1.22.2, Server Version: v1.21.2-eks-06eac09

Upvotes: 1

Views: 753

Answers (1)

praveen.chandran

Reputation: 496

Looking at the logs, I guess you need to update the envoy filter also to send the descriptor containing the client IP.

rate_limits:
- actions:
  - request_headers:
      header_name: ':path'
      descriptor_key: 'PATH'
  - remote_address: {}

Upvotes: -1
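
Added example, not part of the question or the answer and not code from Istio or envoyproxy/ratelimit: a simplified Python model of how a descriptor is matched against the config tree and counted. It shows why a PATH-only descriptor shares one counter across all clients, and why the `remote_address` entry has to appear both in the EnvoyFilter actions and in the ConfigMap nesting. It assumes the EnvoyFilter still sends the domain `productpage-ratelimit`; the `PER_IP` config and the client IPs used with it are constructed.

```python
# Simplified model of descriptor matching and counting in a global rate limit
# service. Added illustration; NOT the envoyproxy/ratelimit source code.
from collections import Counter

DOMAIN = "productpage-ratelimit"  # assumed: domain the EnvoyFilter sends
ONE_PER_MIN = {"unit": "minute", "requests_per_unit": 1}

# First ConfigMap from the question (only the /productpage entry is needed here).
PATH_ONLY = {"domain": DOMAIN, "descriptors": [
    {"key": "PATH", "value": "/productpage", "rate_limit": ONE_PER_MIN}]}
# Second ConfigMap from the question: different domain, top-level remote_address.
QUESTION_2 = {"domain": "edge_proxy_per_ip", "descriptors": [
    {"key": "remote_address", "rate_limit": ONE_PER_MIN}]}
# Constructed config whose nesting mirrors the answer's two actions.
PER_IP = {"domain": DOMAIN, "descriptors": [
    {"key": "PATH", "descriptors": [
        {"key": "remote_address", "rate_limit": ONE_PER_MIN}]}]}

def find_limit(config, domain, entries):
    """Return requests_per_unit for one descriptor, or None if nothing matches."""
    if config["domain"] != domain:
        return None  # unknown domain: no limit is applied
    level, limit = config["descriptors"], None
    for i, (key, value) in enumerate(entries):
        # An exact key+value node wins; otherwise fall back to a key-only node.
        exact = [d for d in level if d["key"] == key and d.get("value") == value]
        default = [d for d in level if d["key"] == key and "value" not in d]
        if not (exact or default):
            return None
        node = (exact or default)[0]
        if i == len(entries) - 1:  # only the node at full descriptor depth counts
            limit = node.get("rate_limit", {}).get("requests_per_unit")
        level = node.get("descriptors", [])
    return limit

def replay(config, descriptors):
    """Replay descriptors inside one time window; True means the request passes."""
    hits, verdicts = Counter(), []
    for entries in descriptors:
        limit = find_limit(config, DOMAIN, entries)
        hits[tuple(entries)] += 1  # one counter per distinct descriptor
        verdicts.append(limit is None or hits[tuple(entries)] <= limit)
    return verdicts

def descriptor(ip, with_ip):
    """Descriptor Envoy would send for /productpage, with or without the client IP."""
    entries = [("PATH", "/productpage")]
    return entries + [("remote_address", ip)] if with_ip else entries
```

In this model, sending the two-entry descriptor against the original PATH-only config matches no limit at all, so the EnvoyFilter and the ConfigMap have to be changed together.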
