Istio 速率限制支持 URL 的正则表达式答案

【问题标题】：Istio rate limit support regex for the URLIstio 速率限制支持 URL 的正则表达式
【发布时间】：2021-12-19 06:39:33
【问题描述】：

有没有办法在istio中提到限速的url前缀？

在下面的配置中，我们使用/actuator/info，其中有没有办法提及 URL 的前缀？

说

      - key: PATH_PREFIX
        value: "/actuator/"

要匹配/actuator/*下的所有端点？

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
  namespace: istio-system
data:
  config.yaml: |
    domain: test-istio-rate-limit.com
    descriptors:
      - key: PATH
        value: "/actuator/info"
        rate_limit:
          unit: minute
          requests_per_unit: 1
      - key: PATH
        rate_limit:
          unit: minute
          requests_per_unit: 100

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: istio-system
spec:
  workloadSelector:
    # select by label in the same namespace
    labels:
      istio: ingressgateway
  configPatches:
    # The Envoy config you want to modify
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        # Adds the Envoy Rate Limit Filter in HTTP filter chain.
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            # domain can be anything! Match it to the ratelimter service config
            domain: test-istio-rate-limit.com
            failure_mode_deny: true
            timeout: 10s
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: rate_limit_cluster
              transport_api_version: V3
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.istio-system.svc.cluster.local
      patch:
        operation: ADD
        # Adds the rate limit service cluster for rate limit service defined in step 1.
        value:
          name: rate_limit_cluster
          type: STRICT_DNS
          connect_timeout: 10s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          load_assignment:
            cluster_name: rate_limit_cluster
            endpoints:
            - lb_endpoints:
              - endpoint:
                  address:
                     socket_address:
                      address: ratelimit.istio-system.svc.cluster.local
                      port_value: 8081
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: VIRTUAL_HOST
      match:
        context: GATEWAY
        routeConfiguration:
          vhost:
            name: ""
            route:
              action: ANY
      patch:
        operation: MERGE
        # Applies the rate limit rules.
        value:
          rate_limits:
            - actions: # any actions in here
              - request_headers:
                  header_name: ":path"
                  descriptor_key: "PATH"

【问题讨论】：

看这篇文章：dev.to/tresmonauten/…。向下滚动到“小心陷阱”。有一个查询参数问题的示例，但我认为您可以将其更改为您的路径案例。本质上，它归结为使用特定的 Envoy 过滤器。

标签： istio envoyproxy

【解决方案1】：

使用https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto.html

例如：https://dev.to/tresmonauten/setup-an-ingress-rate-limiter-with-envoy-and-istio-1i9g，向下滚动到“提防陷阱”

【讨论】：

我已经看到这篇文章正在寻找 istio 级别而不是 envoy 级别的东西。由于特使对模式等进行了操作。我基本上看起来像 istio 中的 VirtualService 有prefix, exact, pattern。所以我在这里寻找prefix 选项。
AFAIK 在“Istio”级别没有速率限制。在旧版本