-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(policy): add HTTPLocalRateLimitPolicy (#13231)
This adds the HTTPLocalRateLimitPolicy CRD, which is indexed by the policy controller and exposed by the inbound API. - 81ebc08: HTTPLocalRateLimitPolicy CRD and related changes - 01afd23: policy controller central changes - b098925: rust tests updates and additions - 2f45597: golden files updates. ## Testing In a cluster with linkerd and emojivoto injected, deploy these resources: ```yaml apiVersion: policy.linkerd.io/v1beta3 kind: Server metadata: namespace: emojivoto name: web-http spec: # permissive policy, so we don't require setting up authz accessPolicy: all-unauthenticated podSelector: matchLabels: app: web-svc port: http proxyProtocol: HTTP/1 ``` ```yaml apiVersion: policy.linkerd.io/v1alpha1 kind: HTTPLocalRateLimitPolicy metadata: namespace: emojivoto name: web-rl spec: targetRef: group: policy.linkerd.io kind: Server name: web-http total: requestsPerSecond: 100 identity: requestsPerSecond: 20 overrides: - requestsPerSecond: 10 clientRefs: - kind: ServiceAccount namespace: emojivoto name: default ``` ```console $ kubectl -n emojivoto get httplocalratelimitpolicies.policy.linkerd.io NAME TARGET_KIND TARGET_NAME TOTAL_RPS IDENTITY_RPS web-rl Server web-http 100 20 ``` Then see how the RL policy is exposed at the inbound API under the protocol section, with `linkerd dg policy -n emojivoto po/web-85f6fb8564-jp67d 8080`: ```yaml ... protocol: Kind: Http1: local_rate_limit: identity: requestsPerSecond: 20 metadata: Kind: Resource: group: policy.linkerd.io kind: httplocalratelimitpolicy name: web-rl overrides: - clients: identities: - name: default.emojivoto.serviceaccount.identity.linkerd.cluster.local limit: requestsPerSecond: 10 total: requestsPerSecond: 100 ... ```
- Loading branch information
Showing
42 changed files
with
1,301 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
147 changes: 147 additions & 0 deletions
147
charts/linkerd-crds/templates/policy/http-local-ratelimit-policy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,147 @@ | ||
| --- | ||
| apiVersion: apiextensions.k8s.io/v1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: httplocalratelimitpolicies.policy.linkerd.io | ||
| annotations: | ||
| {{ include "partials.annotations.created-by" . }} | ||
| labels: | ||
| helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} | ||
| linkerd.io/control-plane-ns: {{.Release.Namespace}} | ||
| spec: | ||
| group: policy.linkerd.io | ||
| names: | ||
| kind: HTTPLocalRateLimitPolicy | ||
| listKind: HTTPLocalRateLimitPolicyList | ||
| plural: httplocalratelimitpolicies | ||
| singular: httplocalratelimitpolicy | ||
| shortNames: [] | ||
| scope: Namespaced | ||
| versions: | ||
| - name: v1alpha1 | ||
| served: true | ||
| storage: true | ||
| subresources: | ||
| status: {} | ||
| schema: | ||
| openAPIV3Schema: | ||
| type: object | ||
| required: [spec] | ||
| properties: | ||
| spec: | ||
| type: object | ||
| required: [targetRef] | ||
| properties: | ||
| targetRef: | ||
| description: >- | ||
| TargetRef references a resource to which the rate limit | ||
| policy applies. Only Server is allowed. | ||
| type: object | ||
| required: [kind, name] | ||
| properties: | ||
| group: | ||
| description: >- | ||
| Group is the group of the referent. When empty, the | ||
| Kubernetes core API group is inferred. | ||
| maxLength: 253 | ||
| pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ | ||
| type: string | ||
| kind: | ||
| description: Kind is the kind of the referent. | ||
| maxLength: 63 | ||
| minLength: 1 | ||
| pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ | ||
| type: string | ||
| name: | ||
| description: Name is the name of the referent. | ||
| maxLength: 253 | ||
| minLength: 1 | ||
| type: string | ||
| total: | ||
| description: >- | ||
| Overall rate-limit, which all traffic coming to this | ||
| target should abide. | ||
| If unset no overall limit is applied. | ||
| type: object | ||
| required: [requestsPerSecond] | ||
| properties: | ||
| requestsPerSecond: | ||
| format: int64 | ||
| type: integer | ||
| identity: | ||
| description: >- | ||
| Fairness for individual identities; each separate client, | ||
| grouped by identity, will have this rate-limit. The | ||
| requestsPerSecond value should be less than or equal to the | ||
| total requestsPerSecond (if set). | ||
| type: object | ||
| required: [requestsPerSecond] | ||
| properties: | ||
| requestsPerSecond: | ||
| format: int64 | ||
| type: integer | ||
| overrides: | ||
| description: >- | ||
| Overrides for traffic from a specific client. The | ||
| requestsPerSecond value should be less than or equal to the | ||
| total requestsPerSecond (if set). | ||
| type: array | ||
| items: | ||
| type: object | ||
| required: [requestsPerSecond, clientRefs] | ||
| properties: | ||
| requestsPerSecond: | ||
| format: int64 | ||
| type: integer | ||
| clientRefs: | ||
| type: array | ||
| items: | ||
| type: object | ||
| required: [kind, name] | ||
| properties: | ||
| group: | ||
| description: >- | ||
| Group is the group of the referent. When empty, the | ||
| Kubernetes core API group is inferred. | ||
| maxLength: 253 | ||
| pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ | ||
| type: string | ||
| kind: | ||
| description: Kind is the kind of the referent. | ||
| maxLength: 63 | ||
| minLength: 1 | ||
| pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ | ||
| type: string | ||
| namespace: | ||
| description: >- | ||
| Namespace is the namespace of the referent. | ||
| When unspecified (or empty string), this refers to the | ||
| local namespace of the Policy. | ||
| maxLength: 63 | ||
| minLength: 1 | ||
| pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ | ||
| type: string | ||
| name: | ||
| description: Name is the name of the referent. | ||
| maxLength: 253 | ||
| minLength: 1 | ||
| type: string | ||
| additionalPrinterColumns: | ||
| - name: Target_kind | ||
| description: The resource kind to which the rate-limit applies | ||
| type: string | ||
| jsonPath: .spec.targetRef.kind | ||
| - name: Target_name | ||
| type: string | ||
| description: The resource name to which the rate-limit applies | ||
| jsonPath: .spec.targetRef.name | ||
| - name: Total_RPS | ||
| description: The overall rate-limit | ||
| type: integer | ||
| format: int32 | ||
| jsonPath: .spec.total.requestsPerSecond | ||
| - name: Identity_RPS | ||
| description: The rate-limit per identity | ||
| type: integer | ||
| format: int32 | ||
| jsonPath: .spec.identity.requestsPerSecond |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.