Rate Limiting not working on Istio 1.20
So basically we have an Envoy + Istio setup running in a VM outside Kubernetes and we want to start rate limiting based on domains, but no config is working for us.
```yaml
kind: EnvoyFilter
metadata:
  name: listener-http
  namespace: envoy
  labels:
    app: envoy
    env: stage
spec:
  workloadSelector:
    labels:
      app: envoy
  configPatches:
    - applyTo: LISTENER
      match:
        context: GATEWAY
      patch:
        operation: ADD
        value:
          name: "http_listener"
          address:
            socket_address:
              address: "0.0.0.0"
              port_value: 80
          filter_chains:
            - filters:
                - name: "envoy.filters.network.http_connection_manager"
                  typed_config:
                    "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
                    codec_type: AUTO
                    stat_prefix: ingress
                    use_remote_address: true
                    normalize_path: true
                    merge_slashes: true
                    path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
                    http2_protocol_options:
                      max_concurrent_streams: 100
                      initial_stream_window_size: 65536
                      initial_connection_window_size: 1048576
                    stream_idle_timeout: 1s
                    request_timeout: 2s
                    delayed_close_timeout: 1s
                    generate_request_id: false
                    access_log:
                      - name: envoy.access_loggers.file
                        filter:
                          status_code_filter:
                            comparison:
                              op: LE
                              value:
                                default_value: 300
                                runtime_key: access_log.access_error.status
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                          path: "/var/log/istio/envoy-http-2xx.log"
                      - name: envoy.access_loggers.file
                        filter:
                          status_code_filter:
                            comparison:
                              op: GE
                              value:
                                default_value: 300
                                runtime_key: access_log.access_error.status
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                          path: "/var/log/istio/envoy-http-non-2xx.log"
                          log_format:
                            json_format:
                              timestamp: "%START_TIME%"
                              request_method: "%REQ(:METHOD)%"
                              request_path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
                              protocol: "%PROTOCOL%"
                              response_code: "%RESPONSE_CODE%"
                              response_flags: "%RESPONSE_FLAGS%"
                              connection_termination: "%CONNECTION_TERMINATION_DETAILS%"
                              upstream_failure_reason: "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
                              bytes_received: "%BYTES_RECEIVED%"
                              bytes_sent: "%BYTES_SENT%"
                              duration: "%DURATION%"
                              rq_tx_duration: "%REQUEST_TX_DURATION%"
                              upstream_service_time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
                              x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
                              user_agent: "%REQ(USER-AGENT)%"
                              request_id: "%REQ(X-REQUEST-ID)%"
                              authority: "%REQ(:AUTHORITY)%"
                              upstream_host: "%UPSTREAM_HOST%"
                              upstream_addr: "%UPSTREAM_LOCAL_ADDRESS%"
                              rq_server_name: "%REQUESTED_SERVER_NAME%"
                              route_name: "%ROUTE_NAME%"
                              content_type: "%REQ(CONTENT-TYPE)%"
                              content_length: "%REQ(CONTENT-LENGTH)%"
                              content_encoding: "%REQ(CONTENT-ENCODING)%"
                              downstream_tcp_failure: "%DOWNSTREAM_TRANSPORT_FAILURE_REASON%"
                              downstream_handshake_duration: "%DOWNSTREAM_HANDSHAKE_DURATION%"
                              rtt_duration: "%ROUNDTRIP_DURATION%"
                    route_config:
                      name: cluster_route
                      request_headers_to_add:
                        - header:
                            key: X-Client-IP
                            value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
                        - header:
                            key: X-Proxy
                            value: "%HOSTNAME%"
                        - header:
                            key: X-Request-Start
                            value: "%START_TIME(%s.%3f)%"
                          append_action: ADD_IF_ABSENT
                      virtual_hosts:
                        - name: "client_hosts"
                          domains:
                            - test.abc.com
                          routes:
                            - match:
                                prefix: "/"
                              route:
                                weighted_clusters:
                                  clusters:
                                    - name: "outbound|7017|service|service.test.svc.cluster.local"
                                      weight: 100
                                  total_weight: 100
                                rate_limits:
                                  - stage: 0
                                    actions:
                                      - request_headers:
                                          header_name: ":authority"
                                          descriptor_key: "host"
                                max_stream_duration:
                                  max_stream_duration: 5s
                    http_filters:
                      - name: envoy.filters.http.ratelimit
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
                          domain: global-rate-limit
                          stage: 0
                          rate_limited_as_resource_exhausted: true
                          failure_mode_deny: false
                          enable_x_ratelimit_headers: DRAFT_VERSION_03
                          rate_limit_service:
                            grpc_service:
                              envoy_grpc:
                                cluster_name: rate_limit_service
                            transport_api_version: V3
                      - name: "envoy.filters.http.router"
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                    local_reply_config:
                      mappers:
                        - filter:
                            status_code_filter:
                              comparison:
                                op: GE
                                value:
                                  default_value: 500
                                  runtime_key: "non_2xx_status_code"
                          status_code: 204
```
This is the config, and the problem is that Envoy is not even trying to call the rate limiting service:
2025-03-13T07:35:05.037220Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:182 [Tags: "ConnectionId":"15916"] creating stream thread=1030541
2025-03-13T07:35:05.037249Z debug envoy router external/envoy/source/common/router/upstream_request.cc:563 [Tags: "ConnectionId":"17105","StreamId":"3984706284249986929"] pool ready thread=1030541
2025-03-13T07:35:05.037236Z debug envoy pool external/envoy/source/common/http/conn_pool_base.cc:78 queueing stream due to no available connections (ready=0 busy=0 connecting=0)thread=1030512
2025-03-13T07:35:05.037269Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:291 trying to create new connection thread=1030512
2025-03-13T07:35:05.037271Z debug envoy client external/envoy/source/common/http/codec_client.cc:141 [Tags: "ConnectionId":"15916"] encode complete thread=1030541
2025-03-13T07:35:05.037274Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:145 creating a new connection (connecting=0) thread=1030512
2025-03-13T07:35:05.037292Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:484 [Tags: "ConnectionId":"17222"] client disconnected, failure reason: thread=1030541
2025-03-13T07:35:05.037316Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:454 invoking idle callbacks - is_draining_for_deletion_=false thread=1030541
2025-03-13T07:35:05.037330Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:215 [Tags: "ConnectionId":"17222"] destroying stream: 0 remaining thread=1030541
2025-03-13T07:35:05.037331Z debug envoy connection external/envoy/source/common/network/connection_impl.h:98 [Tags: "ConnectionId":"17224"] current connecting state: true thread=1030512
2025-03-13T07:35:05.037359Z debug envoy client external/envoy/source/common/http/codec_client.cc:57 [Tags: "ConnectionId":"17224"] connecting thread=1030512
2025-03-13T07:35:05.037365Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:1009 [Tags: "ConnectionId":"17224"] connecting to 10.44.59.70:7017 thread=1030512
2025-03-13T07:35:05.037393Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:1028 [Tags: "ConnectionId":"17224"] connection in progress thread=1030512
2025-03-13T07:35:05.037410Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:484 [Tags: "ConnectionId":"17223"] client disconnected, failure reason: thread=1030512
2025-03-13T07:35:05.037417Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:454 invoking idle callbacks - is_draining_for_deletion_=false thread=1030512
2025-03-13T07:35:05.037441Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:215 [Tags: "ConnectionId":"17223"] destroying stream: 0 remaining thread=1030512
2025-03-13T07:35:05.037612Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:746 [Tags: "ConnectionId":"17224"] connected thread=1030512
2025-03-13T07:35:05.037624Z debug envoy client external/envoy/source/common/http/codec_client.cc:88 [Tags: "ConnectionId":"17224"] connected thread=1030512
2025-03-13T07:35:05.037631Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:328 [Tags: "ConnectionId":"17224"] attaching to next stream thread=1030512
2025-03-13T07:35:05.037646Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:182 [Tags: "ConnectionId":"17224"] creating stream thread=1030512
2025-03-13T07:35:05.037654Z debug envoy router external/envoy/source/common/router/upstream_request.cc:563 [Tags: "ConnectionId":"17093","StreamId":"7946817319171554321"] pool ready thread=1030512
2025-03-13T07:35:05.037671Z debug envoy client external/envoy/source/common/http/codec_client.cc:141 [Tags: "ConnectionId":"17224"] encode complete thread=1030512
2025-03-13T07:35:05.037720Z debug envoy client external/envoy/source/common/http/codec_client.cc:128 [Tags: "ConnectionId":"15916"] response complete thread=1030541
2025-03-13T07:35:05.037738Z debug envoy router external/envoy/source/common/router/router.cc:1479 [Tags: "ConnectionId":"17105","StreamId":"3984706284249986929"] upstream headers complete: end_stream=true thread=1030541
2025-03-13T07:35:05.037762Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1863 [Tags: "ConnectionId":"17105","StreamId":"3984706284249986929"] encoding headers via codec (end_stream=true):
As visible in these debug logs, can someone please help with what's wrong?
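A check one could run when the ratelimit filter appears never to call out, added here as an example and not taken from the original issue or the Istio project: it walks a parsed Envoy admin `/config_dump` and reports whether the filter, the cluster it names, and route `rate_limits` for the same stage are all present in the configuration Envoy actually loaded. The function names are hypothetical, and `sample_dump` builds a constructed input that only reuses the listener, filter and cluster names from the config above.

```python
# Added example, not from the issue: audit a parsed Envoy admin /config_dump.
HCM = "envoy.filters.network.http_connection_manager"
RL, ROUTER = "envoy.filters.http.ratelimit", "envoy.filters.http.router"

def _sections(dump, suffix):
    return [c for c in dump["configs"] if c.get("@type", "").endswith(suffix)]

def http_managers(dump):
    # Yield (listener name, HttpConnectionManager config) for each active listener.
    for sec in _sections(dump, "ListenersConfigDump"):
        entries = sec.get("static_listeners", []) + [
            d.get("active_state", {}) for d in sec.get("dynamic_listeners", [])]
        for lis in (e["listener"] for e in entries if "listener" in e):
            for chain in lis.get("filter_chains", []):
                for f in chain.get("filters", []):
                    if f.get("name") == HCM:
                        yield lis["name"], f["typed_config"]

def check_ratelimit_wiring(dump):
    clusters = {c["cluster"]["name"] for sec in _sections(dump, "ClustersConfigDump")
                for key in ("static_clusters", "dynamic_active_clusters") for c in sec.get(key, [])}
    findings = []
    for name, hcm in http_managers(dump):
        by_name = {f["name"]: f.get("typed_config", {}) for f in hcm.get("http_filters", [])}
        if RL not in by_name:
            findings.append(f"{name}: {RL} missing from http_filters")
            continue
        rl = by_name[RL]
        svc = rl["rate_limit_service"]["grpc_service"]["envoy_grpc"]["cluster_name"]
        if svc not in clusters:
            findings.append(f"{name}: cluster {svc!r} not defined")
        stages = [a.get("stage", 0)  # only an inline route_config is inspected
                  for vh in hcm.get("route_config", {}).get("virtual_hosts", [])
                  for r in vh.get("routes", []) for a in r.get("route", {}).get("rate_limits", [])]
        if "route_config" in hcm and rl.get("stage", 0) not in stages:
            findings.append(f"{name}: no route rate_limits for stage {rl.get('stage', 0)}")
    return findings

def sample_dump(clusters):
    # Constructed dump reusing the listener, filter and cluster names from the issue.
    rl = {"name": RL, "typed_config": {"rate_limit_service": {
        "grpc_service": {"envoy_grpc": {"cluster_name": "rate_limit_service"}}}}}
    hcm = {"http_filters": [rl, {"name": ROUTER}], "route_config": {"virtual_hosts": [
        {"routes": [{"route": {"rate_limits": [{"stage": 0, "actions": []}]}}]}]}}
    lis = {"name": "http_listener", "filter_chains": [{"filters": [{"name": HCM, "typed_config": hcm}]}]}
    return {"configs": [
        {"@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
         "dynamic_listeners": [{"active_state": {"listener": lis}}]},
        {"@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump",
         "dynamic_active_clusters": [{"cluster": {"name": c}} for c in clusters]}]}
```

Against a live proxy the input would be the JSON returned by the admin endpoint's `/config_dump`, loaded with `json.load`; an empty findings list means only that these three prerequisites are present, not that limiting is enforced.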
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2025-03-13. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.
Created by the issue and PR lifecycle manager.