在 Istio 控制的服务网格中,我想根据以下两个条件限制入站流量:
- 请求路径
- 源标签(例如,
app: an-app
)
每个文档都指导我使用descriptors
,但我无法使用它,因为请求不包含 POST API 的正确标头信息,例如:path
or else。
这是当前 Envoy 过滤器的配置,它可以很好地通过 80 端口限制所有入站流量,但我真正想做的是为每个 API 路径和源标签使用不同的存储桶条件。
是否有任何参考可以根据这些标准限制请求?
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: filter-my-api-local-ratelimit-svc
namespace: myns
spec:
workloadSelector:
labels:
app: my-api
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.local_ratelimit
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
value:
stat_prefix: http_local_rate_limiter
- applyTo: HTTP_ROUTE
match:
context: SIDECAR_INBOUND
routeConfiguration:
vhost:
name: "inbound|http|80"
route:
action: ANY
patch:
operation: MERGE
value:
typed_per_filter_config:
envoy.filters.http.local_ratelimit:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
value:
stat_prefix: http_local_rate_limiter
token_bucket:
max_tokens: 3
tokens_per_fill: 3
fill_interval: 60s
filter_enabled:
runtime_key: local_rate_limit_enabled
default_value:
numerator: 100
denominator: HUNDRED
filter_enforced:
runtime_key: local_rate_limit_enforced
default_value:
numerator: 100
denominator: HUNDRED
response_headers_to_add:
- append: false
header:
key: x-local-rate-limit
value: 'true'