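I have implemented a global rate limiter on Istio by following this documentation - Istio's Global Rate Limiting & the rate limit service is working as expected; I can also see stats like istio_requests_total showing up correctly in Prometheus. But I can't see the descriptor metrics; I have followed the Envoy ratelimit README.md.
The following are the configs for the rate limit, redis, app, descriptors and actions that I am using.
Envoy rate limit filter: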
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: istio-system
spec:
  workloadSelector:
    # select by label in the same namespace
    labels:
      istio: ingressgateway
  configPatches:
    # The Envoy config you want to modify
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        # Adds the Envoy Rate Limit Filter in HTTP filter chain.
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            # domain can be anything! Match it to the ratelimiter service config
            domain: catalog-ratelimit
            failure_mode_deny: true
            timeout: 10s
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: outbound|8081||ratelimit.rtlmtr.svc.cluster.local
                  authority: ratelimit.rtlmtr.svc.cluster.local
              transport_api_version: V3
            enable_x_ratelimit_headers: 1
            disable_x_envoy_ratelimited_header: true
```
Envoy rate limit actions:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: VIRTUAL_HOST
      match:
        context: GATEWAY
        routeConfiguration:
          vhost:
            name: ""
            route:
              action: ANY
      patch:
        operation: MERGE
        # Applies the rate limit rules.
        value:
          rate_limits:
            - actions: # any actions in here
                - request_headers:
                    header_name: "Authorization"
                    descriptor_key: "auth"
                - request_headers:
                    header_name: ":authority"
                    descriptor_key: "AUTHORITY"
                - request_headers:
                    header_name: ":method"
                    descriptor_key: "METHOD"
                - request_headers:
                    header_name: ":path"
                    descriptor_key: "PATH"
            # Action for the catalog buy prefix
            - actions:
                - request_headers:
                    header_name: "Authorization"
                    descriptor_key: "auth"
                - request_headers:
                    header_name: ":authority"
                    descriptor_key: "AUTHORITY"
                - request_headers:
                    header_name: ":method"
                    descriptor_key: "METHOD"
                - header_value_match:
                    descriptor_value: prefix-catalog-path
                    headers:
                      - name: ":path"
                        prefix_match: "/catalog/buy"
```
Descriptors and statsd-exporter-config
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
  namespace: rtlmtr
data:
  config.yaml: |
    domain: catalog-ratelimit
    descriptors:
      - key: auth
        detailed_metric: true
        descriptors:
          - key: AUTHORITY
            value: "localhost:8089"
            detailed_metric: true
            descriptors:
              - key: METHOD
                descriptors:
                  - key: PATH
                    detailed_metric: true
                    rate_limit:
                      name: default
                      unit: second
                      requests_per_unit: 1
                  - key: header_match
                    value: prefix-catalog-path
                    detailed_metric: true
                    rate_limit:
                      replaces:
                        - name: default
                      unit: hour
                      requests_per_unit: 7
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: statsd-exporter-config
  namespace: rtlmtr
data:
  config.yaml: |
    defaults:
      ttl: 1m # Resets the metrics every minute
    mappings:
      - match:
          "ratelimit.service.rate_limit.*.*.near_limit"
        name: "ratelimit_service_rate_limit_near_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
      - match:
          "ratelimit.service.rate_limit.*.*.over_limit"
        name: "ratelimit_service_rate_limit_over_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
      - match:
          "ratelimit.service.rate_limit.*.*.total_hits"
        name: "ratelimit_service_rate_limit_total_hits"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
      - match:
          "ratelimit.service.rate_limit.*.*.within_limit"
        name: "ratelimit_service_rate_limit_within_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
      - match:
          "ratelimit.service.rate_limit.*.*.*.near_limit"
        name: "ratelimit_service_rate_limit_near_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
          key2: "$3"
      - match:
          "ratelimit.service.rate_limit.*.*.*.over_limit"
        name: "ratelimit_service_rate_limit_over_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
          key2: "$3"
      - match:
          "ratelimit.service.rate_limit.*.*.*.total_hits"
        name: "ratelimit_service_rate_limit_total_hits"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
          key2: "$3"
      - match:
          "ratelimit.service.rate_limit.*.*.*.within_limit"
        name: "ratelimit_service_rate_limit_within_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
          key2: "$3"
      - match:
          "ratelimit.service.call.should_rate_limit.*"
        name: "ratelimit_service_should_rate_limit_error"
        match_metric_type: counter
        labels:
          err_type: "$1"
      - match:
          "ratelimit_server.*.total_requests"
        name: "ratelimit_service_total_requests"
        match_metric_type: counter
        labels:
          grpc_method: "$1"
      - match:
          "ratelimit_server.*.response_time"
        name: "ratelimit_service_response_time_seconds"
        timer_type: histogram
        labels:
          grpc_method: "$1"
      - match:
          "ratelimit.service.config_load_success"
        name: "ratelimit_service_config_load_success"
        match_metric_type: counter
        ttl: 3m
      - match:
          "ratelimit.service.config_load_error"
        name: "ratelimit_service_config_load_error"
        match_metric_type: counter
        ttl: 3m
      - match: "."
        match_type: "regex"
        action: "drop"
        name: "dropped"
```
ratelimiter deployment yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ratelimit
  namespace: rtlmtr
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratelimit
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: ratelimit
      annotations:
        proxy.istio.io/config: |-
          proxyStatsMatcher:
            inclusionRegexps:
            - .*ratelimit.*
            - .*catalog.*
        prometheus.io/scrape: "true"
        prometheus.io/scheme: "http"
        prometheus.io/path: "/metrics"
        prometheus.io/port: "9102"
        prometheus.istio.io/merge-metrics: "false"
    spec:
      containers:
        - image: envoyproxy/ratelimit:4c088856 # 2023/03/02
          imagePullPolicy: Always
          name: ratelimit
          command: ["/bin/ratelimit"]
          env:
            - name: LOG_LEVEL
              value: debug
            - name: REDIS_SOCKET_TYPE
              value: tcp
            - name: REDIS_URL
              value: redis:6379
            - name: USE_STATSD
              value: "true"
            - name: STATSD_HOST
              value: "localhost"
            - name: STATSD_PORT
              value: "9125"
            - name: LOG_FORMAT
              value: "json"
            - name: RUNTIME_ROOT
              value: /data
            - name: RUNTIME_SUBDIRECTORY
              value: ratelimit
            - name: RUNTIME_WATCH_ROOT
              value: "false"
            - name: RUNTIME_IGNOREDOTFILES
              value: "true"
            - name: HOST
              value: "::"
            - name: GRPC_HOST
              value: "::"
          ports:
            - containerPort: 8080
            - containerPort: 8081
            - containerPort: 6070
          readinessProbe:
            httpGet:
              path: /healthcheck
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
          volumeMounts:
            - name: config-volume
              mountPath: /data/ratelimit/config
        - name: statsd-exporter
          image: docker.io/prom/statsd-exporter:v0.21.0
          imagePullPolicy: Always
          args: [ "--statsd.mapping-config=/etc/statsd-exporter/config.yaml" ]
          ports:
            - containerPort: 9125
            - containerPort: 9102
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 1
              memory: 1Gi
          volumeMounts:
            - name: statsd-exporter-config
              mountPath: /etc/statsd-exporter
      volumes:
        - name: config-volume
          configMap:
            name: ratelimit-config
        - name: statsd-exporter-config
          configMap:
            name: statsd-exporter-config
```
ratelimiter service yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: ratelimit
  namespace: rtlmtr
  labels:
    app: ratelimit
spec:
  ports:
    - name: http-port
      port: 8080
      targetPort: 8080
      protocol: TCP
    - name: grpc-port
      port: 8081
      targetPort: 8081
      protocol: TCP
    - name: http-debug
      port: 6070
      targetPort: 6070
      protocol: TCP
    - name: http-prometheus-metrics
      port: 9102
      targetPort: 9102
    - name: http-statsd-exporter
      port: 9125
      targetPort: 9125
  selector:
    app: ratelimit
```
redis deployment yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: rtlmtr
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        proxy.istio.io/config: |-
          proxyStatsMatcher:
            inclusionRegexps:
            - .*ratelimit.*
            - .*catalog.*
    spec:
      containers:
        - image: redis:alpine
          imagePullPolicy: Always
          name: redis
          ports:
            - name: redis
              containerPort: 6379
      restartPolicy: Always
      serviceAccountName: ""
```
redis service yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: rtlmtr
  labels:
    app: redis
spec:
  ports:
    - name: redis
      port: 6379
  selector:
    app: redis
```
app deployment yaml -
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "product-billing-ms"
  namespace: analytics
  labels:
    environment: development
    app: "product-billing-ms"
spec:
  selector:
    matchLabels:
      app: "product-billing-ms"
  replicas: 1
  template:
    metadata:
      labels:
        app: "product-billing-ms"
      annotations:
        proxy.istio.io/config: |-
          proxyStatsMatcher:
            inclusionRegexps:
            - .*ratelimit.*
            - .*catalog.*
    spec:
      containers:
        - image: REDACTED
          imagePullPolicy: Always
          name: "product-billing-ms"
          ports:
            - containerPort: 5000
          resources:
            requests:
              cpu: "500m"
            limits:
              memory: "1024Mi"
          livenessProbe:
            httpGet:
              path: /billing/healthcheck
              port: 5000
            initialDelaySeconds: 10
          readinessProbe:
            httpGet:
              path: /billing/healthcheck
              port: 5000
            initialDelaySeconds: 10
          env:
            - name: REDIS_URL
              value: "REDACTED"
          envFrom:
            - secretRef:
                name: product-billing-ms
```
I checked the existing PRs and issues, and it looks like it is a working component - https://github.com/envoyproxy/ratelimit/pull/389/files.
But this is not working for me.
Can anyone help?
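
A check that can be run against the statsd-exporter mappings in the question, as an added example that is not part of the original post: it applies statsd_exporter's glob rule (each `*` matches exactly one dot-delimited component) to stat names and reports whether a name is mapped or only reaches the final `match: "."` drop rule. The stat-name layout (`ratelimit.service.rate_limit.<domain>.<key or key_value>...<stat>`), the helper names and the sample names are assumptions constructed from the configs above.

```python
import re

STATS = ("near_limit", "over_limit", "total_hits", "within_limit")
PREFIX = "ratelimit.service.rate_limit."

# The per-descriptor glob mappings from statsd-exporter-config: the domain
# plus one ("*.*") or two ("*.*.*") descriptor components, then the stat.
MAPPINGS = [
    (f"{PREFIX}{wild}.{stat}", f"ratelimit_service_rate_limit_{stat}")
    for wild in ("*.*", "*.*.*")
    for stat in STATS
]
LABELS = ("domain", "key1", "key2")


def glob_to_regex(glob):
    # statsd_exporter glob semantics: "*" captures one dot-delimited component.
    return re.compile("^" + re.escape(glob).replace(r"\*", "([^.]*)") + "$")


def classify(name):
    """Return (prometheus_name, labels), or None when no glob matches and
    only the catch-all regex rule with `action: drop` would apply."""
    for glob, prom_name in MAPPINGS:
        m = glob_to_regex(glob).match(name)
        if m:
            return prom_name, dict(zip(LABELS, m.groups()))
    return None


def stat_name(domain, entries, stat):
    # Assumed layout: each descriptor level is "key" or "key_value", dot-joined.
    parts = [k if v is None else f"{k}_{v}" for k, v in entries]
    return PREFIX + ".".join([domain, *parts, stat])


# Constructed names derived from the descriptor tree in ratelimit-config.
DOMAIN = "catalog-ratelimit"
TWO_LEVEL = stat_name(DOMAIN, [("auth", None), ("AUTHORITY", "localhost:8089")],
                      "total_hits")
FULL_PATH = stat_name(DOMAIN, [("auth", None), ("AUTHORITY", "localhost:8089"),
                               ("METHOD", None), ("PATH", None)], "total_hits")

if __name__ == "__main__":
    for name in (TWO_LEVEL, FULL_PATH):
        print(name, "->", classify(name) or "dropped")
```

The names are constructed; compare them with what actually arrives on the statsd port (9125 in the deployment above) before changing the mappings.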