I have a simple "go" server listening for HTTPS traffic on port 8443, running in a container (inside a K8s cluster). I have an Istio ingress gateway running at the edge of the K8s cluster (listening on port 443). Once I exposed the service (incoming 443 to port 8443) and declared a virtual service (matching the URL '/testgo' on port 443 to be forwarded to the service) and a destination rule (using SIMPLE TLS), I was able to access the service using "https://GATEWAY_HOST/testgo" (from outside the cluster).
Once I injected the Istio proxy into the service (so that I could do local rate limiting), in order to keep accessing the backend service over HTTPS (rather than plain HTTP) I had to set "peerAuthentication" to "DISABLE" (following the advice given in https://github.com/istio/istio/issues/40680).
But now the local HTTP rate limit filter (using the example provided at https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/) does not work. I have posted a question about this issue in "Local HTTP rate limit for a TLS backend service".
Since that does not work, I tried NETWORK_FILTER, which seemed to work for a while and then stopped working. The Istio version used is 1.15.
The network filter looks like this:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: go-server-ratelimit
  namespace: default
spec:
  workloadSelector:
    labels:
      app: web
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8443
        filterChain:
          filter:
            name: "envoy.filters.network.tcp_proxy"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.network.local_ratelimit.v3.LocalRateLimit
          value:
            stat_prefix: local_rate_limiter
            token_bucket:
              max_tokens: 1
              tokens_per_fill: 1
              fill_interval: 60s
            runtime_enabled:
              default_value: true
              runtime_key: go-server-ratelimit
            share_key: go-server-ratelimit
I have a simple shell script that I use to test it.
cnt=1
delay=60
while true
do
  # Each curl invocation opens a fresh TLS connection to the gateway and reports only the status code
  http_code=$(curl -k -o /dev/null -s -w "%{http_code}" "https://GATEWAY_HOST/testgo/")
  if [ "$http_code" -ne 200 ]
  then
    echo "HTTP return code is $http_code after $((cnt-1)) tries, sleeping for $delay seconds"
    sleep "$delay"
    cnt=1
  else
    echo "HTTP return code is $http_code on try $cnt"
    cnt=$((cnt+1))
  fi
done
Only one service POD is running, so I expect no more than 1 HTTP request to succeed at a time (based on the token_bucket configuration in the filter). It works fine for a while, but then lets a larger number of HTTP requests through. The script output looks like this:
HTTP return code is 200 on try 1
HTTP return code is 503 after 1 tries, sleeping for 60 seconds
HTTP return code is 200 on try 1
HTTP return code is 503 after 1 tries, sleeping for 60 seconds
HTTP return code is 200 on try 1
HTTP return code is 503 after 1 tries, sleeping for 60 seconds
HTTP return code is 200 on try 1
HTTP return code is 503 after 1 tries, sleeping for 60 seconds
HTTP return code is 200 on try 1
HTTP return code is 503 after 1 tries, sleeping for 60 seconds
HTTP return code is 200 on try 1
HTTP return code is 200 on try 2
HTTP return code is 200 on try 3
HTTP return code is 200 on try 4
HTTP return code is 200 on try 5
HTTP return code is 200 on try 6
HTTP return code is 200 on try 7
HTTP return code is 200 on try 8
HTTP return code is 503 after 8 tries, sleeping for 60 seconds
HTTP return code is 200 on try 1
HTTP return code is 200 on try 2
HTTP return code is 503 after 2 tries, sleeping for 60 seconds
HTTP return code is 200 on try 1
HTTP return code is 200 on try 2
HTTP return code is 200 on try 3
HTTP return code is 200 on try 4
HTTP return code is 200 on try 5
HTTP return code is 200 on try 6
HTTP return code is 200 on try 7
HTTP return code is 200 on try 8
HTTP return code is 200 on try 9
HTTP return code is 200 on try 10
I could not find any reported issue about the Envoy token bucket. Is there anything wrong with this network filter configuration that would cause the filter to stop working after a while?
Have you tried applying the patch to HTTP_FILTER instead, as shown in the docs? https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/#local-rate-limit
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
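Written out as a complete manifest, the HTTP_FILTER variant the answer points at looks like the following. This is an added example modelled on the Istio local rate limit task, not a manifest posted by the asker or the answerer; the workload selector (app: web), namespace (default) and token bucket (1 token per 60s) are taken from the question's NETWORK_FILTER so the two can be compared side by side, and the stat_prefix and runtime_key names are assumptions.

```yaml
# Added example: HTTP-level local rate limit for the question's workload.
# The patch attaches envoy.filters.http.local_ratelimit in front of the
# existing HTTP filters of the inbound http_connection_manager on the sidecar.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: go-server-http-ratelimit   # assumed name
  namespace: default
spec:
  workloadSelector:
    labels:
      app: web
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        # Only filter chains that carry an HTTP connection manager match;
        # a chain that ends in tcp_proxy (TLS passthrough) is not patched.
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
          value:
            stat_prefix: http_local_rate_limiter   # assumed name
            # Same bucket as the question's network filter: one request per minute.
            token_bucket:
              max_tokens: 1
              tokens_per_fill: 1
              fill_interval: 60s
            # Both fractions must be 100% for the filter to count AND reject;
            # with filter_enforced below 100% it only reports, never returns 429.
            filter_enabled:
              runtime_key: local_rate_limit_enabled   # assumed key
              default_value:
                numerator: 100
                denominator: HUNDRED
            filter_enforced:
              runtime_key: local_rate_limit_enforced   # assumed key
              default_value:
                numerator: 100
                denominator: HUNDRED
```

Two things to check before expecting this to do anything. First, the HTTP filter counts HTTP requests and answers 429 when the bucket is empty, while the NETWORK_FILTER in the question counts new TCP connections and closes the connection instead, which is why the test script sees 503 from the gateway rather than 429; with one curl process per request the two happen to coincide, but a client that reuses connections would be limited very differently by the two filters. Second, an HTTP_FILTER patch only applies to an inbound filter chain that actually contains http_connection_manager. If the sidecar treats port 8443 as TLS passthrough, which is exactly the situation the question's own patch targets by matching envoy.filters.network.tcp_proxy, there is no HTTP connection manager on that chain and the patch is silently a no-op. `istioctl proxy-config listener <pod> --port 8443 -o json` shows which filters the inbound listener for that port really carries, and is the first thing to look at when a local rate limit EnvoyFilter appears to have no effect.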