istio
Specific path based rate limiting through EnvoyFilter
Is this the right place to submit this?
- [x] This is not a security vulnerability or a crashing bug
- [x] This is not a question about how to use Istio
Bug Description
Trying to apply local rate limiting on specific paths /foo and /boo, similar to what is explained here in the Envoy docs. The EnvoyFilter is not updating the rate limiting information for specific paths. Below is the routing configuration:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ratelimit-rrr-destination-app
  namespace: rrr-destination-app
spec:
  workloadSelector:
    labels:
      app: rrr-destination-app
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter
    - applyTo: VIRTUAL_HOST
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          vhost:
            name: rrr-destination-app.rrr-destination-app.svc.cluster.local:80
          # portNumber: 80
      patch:
        operation: MERGE
        value:
          # virtual_hosts:
          # - name: rrr-destination-app.rrr-destination-app.svc.cluster.local:80
          #   domains: []
          routes:
            - match:
                prefix: "/foo"
              # route:
              #   cluster: outbound|80||rrr-destination-app.rrr-destination-app.svc.cluster.local
              typed_per_filter_config:
                envoy.filters.http.local_ratelimit:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
                  stat_prefix: http_local_rate_limiter
                  token_bucket:
                    max_tokens: 2
                    tokens_per_fill: 2
                    fill_interval: 10s
                  filter_enabled:
                    runtime_key: local_rate_limit_enabled
                    default_value:
                      numerator: 100
                      denominator: HUNDRED
                  filter_enforced:
                    runtime_key: local_rate_limit_enforced
                    default_value:
                      numerator: 100
                      denominator: HUNDRED
                  response_headers_to_add:
                    - append_action: OVERWRITE_IF_EXISTS_OR_ADD
                      header:
                        key: x-rrr-rate-limit
                        value: "true"
            - match:
                prefix: "/boo"
              # route:
              #   cluster: outbound|80||rrr-destination-app.rrr-destination-app.svc.cluster.local
              typed_per_filter_config:
                envoy.filters.http.local_ratelimit:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
                  stat_prefix: http_local_rate_limiter
                  token_bucket:
                    max_tokens: 2
                    tokens_per_fill: 2
                    fill_interval: 10s
                  filter_enabled:
                    runtime_key: local_rate_limit_enabled
                    default_value:
                      numerator: 100
                      denominator: HUNDRED
                  filter_enforced:
                    runtime_key: local_rate_limit_enforced
                    default_value:
                      numerator: 100
                      denominator: HUNDRED
                  response_headers_to_add:
                    - append_action: OVERWRITE_IF_EXISTS_OR_ADD
                      header:
                        key: x-rrr-rate-limit
                        value: "true"
```
Version
```
istioctl version
client version: 1.25.0
control plane version: 1.25.1
data plane version: 1.25.1 (5 proxies)

kubectl version
Client Version: v1.32.0
Kustomize Version: v5.5.0
Server Version: v1.31.6+k3s1

helm version --short
v3.16.4+g7877b45
```
Additional Information
No response
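
One way to check whether the per-route override from the VIRTUAL_HOST patch above actually reached the sidecar, as an added example (not code from the issue or from Istio): it audits a route dump for the `/foo` and `/boo` prefixes. The JSON layout of `istioctl proxy-config routes <pod> -o json`, the sample data and the function names `pick` and `audit` are assumptions.

```python
import json

LOCAL_RL = "envoy.filters.http.local_ratelimit"

# Constructed sample, shaped like `istioctl proxy-config routes <pod> -o json`
# output (layout is an assumption): /foo carries the override, /boo does not.
SAMPLE = json.loads("""
[{"name": "inbound|80||",
  "virtualHosts": [{"name": "inbound|http|80", "domains": ["*"],
    "routes": [
      {"match": {"prefix": "/foo"},
       "typedPerFilterConfig": {"envoy.filters.http.local_ratelimit": {
         "@type": "type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit",
         "statPrefix": "http_local_rate_limiter",
         "tokenBucket": {"maxTokens": 2, "tokensPerFill": 2, "fillInterval": "10s"}}}},
      {"match": {"prefix": "/boo"}},
      {"match": {"prefix": "/"}}]}]}]
""")

def pick(obj, camel, snake):
    """Read a field that may be camelCase (proto JSON) or snake_case (YAML)."""
    return obj.get(camel, obj.get(snake))

def audit(route_configs, prefixes):
    """Map each prefix to (vhost, max_tokens, fill_interval), or to the reason
    no per-route local rate limit is active for it."""
    result = {p: "no route with this prefix" for p in prefixes}
    for rc in route_configs:
        for vh in pick(rc, "virtualHosts", "virtual_hosts") or []:
            for route in vh.get("routes") or []:
                prefix = (route.get("match") or {}).get("prefix")
                if prefix not in result or isinstance(result[prefix], tuple):
                    continue  # not audited, or already found with a bucket
                per_filter = pick(route, "typedPerFilterConfig",
                                  "typed_per_filter_config") or {}
                bucket = pick(per_filter.get(LOCAL_RL) or {},
                              "tokenBucket", "token_bucket")
                if LOCAL_RL not in per_filter:
                    result[prefix] = "route present, no local_ratelimit override"
                elif not bucket:
                    result[prefix] = "override present, no token bucket"
                else:
                    result[prefix] = (vh.get("name"),
                                      pick(bucket, "maxTokens", "max_tokens"),
                                      pick(bucket, "fillInterval", "fill_interval"))
    return result

if __name__ == "__main__":
    for prefix, status in audit(SAMPLE, ["/foo", "/boo", "/bar"]).items():
        print(prefix, "->", status)
```
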
For people suffering from such issues, please enable the filter log first by running `istioctl pc log <pod_name>.<pod_namespace> --level filter:debug`, and double-check the descriptors generated by the filter.
For your question, did you enable descriptions like the following:
```yaml
value:
  route:
    rateLimits:
      - actions:
          - headerValueMatch:
              descriptorValue: URL|Prefix|/
              headers:
                - name: :path
                  stringMatch:
                    prefix: /
                    ignoreCase: true
```
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2025-06-18. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.
Created by the issue and PR lifecycle manager.