Version: 1.3.x

Rate Limiting

Alpha feature

Rate limiting in TSB is an Alpha feature and is not recommended for production usage.

Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Deploy the Istio Bookinfo sample app
✓ Create a Tenant
✓ Create a Workspace
✓ Create Config Groups
✓ Setup an Ingress Gateway

TSB allows you to configure rate limiting on an Ingress Gateway based on attributes of the request, such as headers, URL paths or prefixes, and the client remote address. You can use the TSB built-in rate limit server or bring your own rate limit server.

TSB rate limit server

The following scenario uses the TSB demo installation, which enables the TSB rate limit server by default. If you are not using the TSB demo installation and want to use the TSB rate limit server, you need to update your Cluster Operator CR to include rate limit server settings.

Rate limit based on user agent

In this scenario, you will configure bookinfo Ingress Gateway to allow only 5 requests per minute for every unique value in the user-agent header.

Create the following gateway-ratelimit.yaml:

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  organization: tetrate
  name: bookinfo-gw-ingress
  group: bookinfo-gw
  workspace: bookinfo-ws
  tenant: tetrate
spec:
  workloadSelector:
    namespace: bookinfo
    labels:
      app: tsb-gateway-bookinfo
  http:
    - name: bookinfo
      port: 8443
      hostname: "bookinfo.tetrate.com"
      tls:
        mode: SIMPLE
        secretName: bookinfo-certs
      routing:
        rules:
          - route:
              host: "bookinfo/productpage.bookinfo.svc.cluster.local"
      rateLimiting:
        settings:
          rules:
            # One counter per unique value of the user-agent header
            - dimensions:
                - header:
                    name: user-agent
              limit:
                requestsPerUnit: 5
                unit: MINUTE

Apply with tctl

tctl apply -f gateway-ratelimit.yaml

Testing rate limit based on user agent

To test whether your rate limit settings are working as expected, execute the following curl command.

GATEWAY IP

The $GATEWAY_IP variable was exported in a previous step. Please make sure to export the variable before executing the following commands.

# --resolve takes host:port:address; the port must match the URL's port
curl -k -v "https://bookinfo.tetrate.com/productpage" \
    --resolve "bookinfo.tetrate.com:443:$GATEWAY_IP" | \
    grep -o "<title>.*</title>"

After repeating the above command 5 times, you should get a 429 Too Many Requests response.

You can change the user-agent header to another unique value to get a successful response.

# -A sets the user-agent header; --resolve takes host:port:address
curl -k -v -A "another-agent" \
    "https://bookinfo.tetrate.com/productpage" \
    --resolve "bookinfo.tetrate.com:443:$GATEWAY_IP" | \
    grep -o "<title>.*</title>"

After 5 requests, you should start getting a 429 Too Many Requests response, until you change the header again.

Rate limit based on request path

In this scenario, you will configure bookinfo Ingress Gateway to allow only 5 requests per minute for requests to the path /productpage and 10 requests per minute to the path /.

Create the following gateway-ratelimit-path.yaml:

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  organization: tetrate
  name: bookinfo-gw-ingress
  group: bookinfo-gw
  workspace: bookinfo-ws
  tenant: tetrate
spec:
  workloadSelector:
    namespace: bookinfo
    labels:
      app: tsb-gateway-bookinfo
  http:
    - name: bookinfo
      port: 8443
      hostname: "bookinfo.tetrate.com"
      tls:
        mode: SIMPLE
        secretName: bookinfo-certs
      routing:
        rules:
          - route:
              host: "bookinfo/productpage.bookinfo.svc.cluster.local"
      rateLimiting:
        settings:
          rules:
            # Paths starting with /productpage: 5 requests per minute
            - dimensions:
                - header:
                    name: ":path"
                    value:
                      prefix: /productpage
              limit:
                requestsPerUnit: 5
                unit: MINUTE
            # Exactly the path /: 10 requests per minute
            - dimensions:
                - header:
                    name: ":path"
                    value:
                      exact: /
              limit:
                requestsPerUnit: 10
                unit: MINUTE

Apply with tctl

tctl apply -f gateway-ratelimit-path.yaml

Testing rate limit based on request path

To test whether your rate limit settings are working as expected, execute the following curl command to send requests to /productpage.

# --resolve takes host:port:address; the port must match the URL's port
curl -k -v "https://bookinfo.tetrate.com/productpage" \
    --resolve "bookinfo.tetrate.com:443:$GATEWAY_IP" | \
    grep -o "<title>.*</title>"

After 5 requests, you should get a 429 Too Many Requests response.

To check whether requests to / are rate limited, execute the following command.

# --resolve takes host:port:address; the port must match the URL's port
curl -k -v "https://bookinfo.tetrate.com" \
    --resolve "bookinfo.tetrate.com:443:$GATEWAY_IP" | \
    grep -o "<title>.*</title>"

After 10 requests, you should get a 429 Too Many Requests response.
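
The two rule sets above (per user-agent value, and per path with prefix and exact matchers) can be modelled offline to see which counter each request lands in. This is an added Python sketch, not TSB or Envoy code: the Gateway class, the counter_key and statuses helpers, the fixed one-minute window and the single shared counter for value-matched rules are assumptions made for illustration.

```python
# Added illustration: simplified model of the two rule sets on this page.
# Not TSB or Envoy code. Fixed one-minute windows are an assumption.
from collections import defaultdict

UNIT_SECONDS = {"MINUTE": 60}

# Mirrors gateway-ratelimit.yaml: one counter per unique user-agent value.
USER_AGENT_RULES = [
    {"header": "user-agent", "match": None, "limit": 5, "unit": "MINUTE"},
]
# Mirrors gateway-ratelimit-path.yaml: prefix and exact matchers on :path.
PATH_RULES = [
    {"header": ":path", "match": ("prefix", "/productpage"), "limit": 5, "unit": "MINUTE"},
    {"header": ":path", "match": ("exact", "/"), "limit": 10, "unit": "MINUTE"},
]

def counter_key(index, rule, headers):
    """Return the counter a request falls into for this rule, or None."""
    value = headers.get(rule["header"])
    if value is None:
        return None
    if rule["match"] is None:
        return (index, value)  # every unique header value gets its own bucket
    kind, pattern = rule["match"]
    hit = value == pattern if kind == "exact" else value.startswith(pattern)
    # Assumption: requests matching a value matcher share one counter per rule.
    return (index, pattern) if hit else None

class Gateway:
    def __init__(self, rules):
        self.rules = rules
        self.counts = defaultdict(int)

    def handle(self, headers, now):
        """Return 200 or 429 for a request arriving at time `now` (seconds)."""
        status = 200
        for index, rule in enumerate(self.rules):
            key = counter_key(index, rule, headers)
            if key is None:
                continue  # rule does not apply, request is not counted
            window = int(now // UNIT_SECONDS[rule["unit"]])
            self.counts[key, window] += 1
            if self.counts[key, window] > rule["limit"]:
                status = 429
        return status

def statuses(gateway, headers, n, now=0):
    """Send n identical requests at time `now` and collect the status codes."""
    return [gateway.handle(headers, now) for _ in range(n)]
```

Because user-agent is set by the client, the first rule caps each header value rather than each client. The client remote address mentioned at the top of this page is the attribute to key on when the limit must follow the caller.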