This user guide walks you through an example of how to configure rate limiting for an endpoint of an application using Kuadrant.
In this guide, we will rate limit a sample REST API called Toy Store. In reality, this API is just an echo service that echoes back to the user whatever attributes it gets in the request. The API listens to requests at the hostname api.toystore.com, where it exposes the endpoints GET /toys* and POST /toys, respectively, to mimic operations of reading and writing toy records.
We will rate limit the POST /toys endpoint to a maximum of 5rp10s ("5 requests every 10 seconds").
This step uses tooling from the Kuadrant Operator component to create a containerized Kubernetes server locally using Kind, where it installs Istio, Kubernetes Gateway API and Kuadrant itself.
Note: In a production environment, these steps are usually performed by a cluster operator with administrator privileges over the Kubernetes cluster.
Clone the project:
git clone https://github.com/Kuadrant/kuadrant-operator && cd kuadrant-operator
Set up the environment:
make local-setup
Request an instance of Kuadrant:
kubectl -n kuadrant-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
spec: {}
EOF
Create the deployment:
kubectl apply -f examples/toystore/toystore.yaml
Create an HTTPRoute to route traffic to the service via Istio Ingress Gateway:
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: toystore
spec:
  parentRefs:
  - name: kuadrant-ingressgateway
    namespace: gateway-system
  hostnames:
  - api.toystore.com
  rules:
  - matches:
    - method: GET
      path:
        type: PathPrefix
        value: "/toys"
    backendRefs:
    - name: toystore
      port: 80
  - matches: # it has to be a separate HTTPRouteRule so we do not rate limit other endpoints
    - method: POST
      path:
        type: Exact
        value: "/toys"
    backendRefs:
    - name: toystore
      port: 80
EOF
Export the gateway hostname and port:
export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
Verify the route works:
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -i
# HTTP/1.1 200 OK
Note: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service and accessing over localhost:
kubectl port-forward -n gateway-system service/kuadrant-ingressgateway-istio 9080:80 >/dev/null 2>&1 &
export GATEWAY_URL=localhost:9080
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -i
# HTTP/1.1 200 OK
Create a Kuadrant RateLimitPolicy to configure rate limiting:
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: RateLimitPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  limits:
    "create-toy":
      rates:
      - limit: 5
        window: 10s
      when:
      - predicate: "request.method == 'POST'"
EOF
Note: It may take a couple of minutes for the RateLimitPolicy to be applied depending on your cluster.
Verify the rate limiting works by sending requests in a loop.
Up to 5 successful (200 OK) requests every 10 seconds to POST /toys, then 429 Too Many Requests:
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -X POST | grep -E --color "\b(429)\b|$"; sleep 1; done
Unlimited successful (200 OK) to GET /toys:
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys | grep -E --color "\b(429)\b|$"; sleep 1; done
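A scripted version of the POST check above, added here as an example and not part of the Kuadrant documentation. It replaces eyeballing the loop with an exit code that separates "policy not enforced yet" from "limit exceeded" and from route errors. The function names are hypothetical, the sample codes are constructed, and the check assumes the burst finishes inside one 10-second window.

```shell
#!/bin/sh
# Added example: verify the 5rp10s limit on POST /toys with an exit code.
# Function names are hypothetical; GATEWAY_URL is the variable exported earlier.

# post_burst N: send N POST /toys requests back to back, one status code per line.
post_burst() {
  n=$1
  i=0
  while [ "$i" -lt "$n" ]; do
    curl --silent --output /dev/null --write-out '%{http_code}\n' \
      -H 'Host: api.toystore.com' -X POST "http://$GATEWAY_URL/toys"
    i=$((i + 1))
  done
}

# check_codes LIMIT: read status codes on stdin, print a tally, and return
#   0  some requests passed, some got 429, and no more than LIMIT passed
#   1  nothing was rejected (policy not applied yet, or not attached to the route)
#   2  more than LIMIT requests passed in the burst
#   3  a code other than 200/429 appeared (route or backend problem)
check_codes() {
  awk -v limit="$1" '
    $1 == 200 { ok++ }
    $1 == 429 { lim++ }
    $1 != 200 && $1 != 429 { oth++ }
    END {
      printf "200=%d 429=%d other=%d\n", ok, lim, oth
      if (oth > 0) exit 3
      if (lim == 0) exit 1
      if (ok > limit) exit 2
      exit 0
    }'
}

# Constructed sample (not captured output): 8 POSTs in one window under 5rp10s.
sample_codes() { printf '%s\n' 200 200 200 200 200 429 429 429; }

# Offline run over the constructed sample.
sample_codes | check_codes 5
# Against the local cluster: post_burst 8 | check_codes 5
```

An exit code of 1 right after applying the RateLimitPolicy usually means the policy has not been applied yet, so wait and rerun before treating it as a failure.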
make local-cleanup