Careful!

You are browsing documentation for a version of Kuma that is not the latest release.

Rate Limit

New to Kuma? Don’t use this policy, check MeshRateLimit instead.

Rate Limit is an inbound policy. Dataplanes whose configuration is modified are in the destinations matcher.

The RateLimit policy leverages Envoy’s local rate limiting to allow for per-instance service request limiting. All HTTP/HTTP2 based requests are supported.

You can configure how many requests are allowed in a specified time period, and how the service responds when the limit is reached.

The policy is applied per service instance. This means that if a service backend has 3 instances rate limited to 100 requests per second, the overall service is rate limited to 300 requests per second.

When rate limiting to an ExternalService, the policy is applied per sending service instance.`

apiVersion: kuma.io/v1alpha1
kind: RateLimit
mesh: default
metadata:
  name: rate-limit-all-to-backend
spec:
  sources:
    - match:
        kuma.io/service: "*"
  destinations:
    - match:
        kuma.io/service: backend_default_svc_80
  conf:
    http:
      requests: 5
      interval: 10s
      onRateLimit:
        status: 423
        headers:
          - key: "x-kuma-rate-limited"
            value: "true"
            append: true

Apply the configuration with kubectl apply -f [..].

type: RateLimit
mesh: default
name: rate-limit-all-to-backend
sources:
  - match:
      kuma.io/service: "*"
destinations:
  - match:
      kuma.io/service: backend
conf:
  http:
    requests: 5
    interval: 10s
    onRateLimit:
      status: 423
      headers:
        - key: "x-kuma-rate-limited"
          value: "true"
          append: true

Apply the configuration with kumactl apply -f [..] or with the HTTP API.

Configuration fields

The conf section of the RateLimit resource provides the following configuration options:

http -
- requests - the number of requests to limit
- interval - the interval for which requests will be limited
- onRateLimit (optional) - actions to take on RateLimit event
  - status (optional) - the status code to return, defaults to 429
  - headers - list of headers which should be added to every rate limited response:
    - key - the name of the header
    - value - the value of the header
    - append (optional) - should the value of the provided header be appended to already existing headers (if present)

Matching sources

This policy is applied on the destination data plane proxy and generates a set of matching rules for the originating service. These matching rules are ordered from the most specific one, to the more generic ones. Given the following RateLimit resources:

apiVersion: kuma.io/v1alpha1
kind: RateLimit
mesh: default
metadata:
  name: rate-limit-all-to-backend
spec:
  sources:
    - match:
        kuma.io/service: "*"
  destinations:
    - match:
        kuma.io/service: backend_default_svc_80
  conf:
    http:
      requests: 5
      interval: 10s
---
apiVersion: kuma.io/v1alpha1
kind: RateLimit
mesh: default
metadata:
  name: rate-limit-frontend
spec:
  sources:
    - match:
        kuma.io/service: "frontend_default_svc_80"
  destinations:
    - match:
        kuma.io/service: backend_default_svc_80
  conf:
    http:
      requests: 10
      interval: 10s
---
apiVersion: kuma.io/v1alpha1
kind: RateLimit
mesh: default
metadata:
  name: rate-limit-frontend-zone-eu
spec:
  sources:
    - match:
        kuma.io/service: "frontend_default_svc_80"
        kuma.io/zone:    "eu"
  destinations:
    - match:
        kuma.io/service: backend_default_svc_80
  conf:
    http:
      requests: 20
      interval: 10s

The service backend is configured with the following rate limiting hierarchy:

rate-limit-frontend-zone-eu
rate-limit-frontend
rate-limit-all-to-backend

Matching destinations

RateLimit, when applied to a dataplane proxy bound Kuma service, is an Inbound Connection Policy.

When applied to an ExternalService, RateLimit is an Outbound Connection Policy. In this case, the only supported value for destinations.match is kuma.io/service.

Builtin Gateway support

Kuma Gateway supports the RateLimit connection policy. Rate limits are configured on each Envoy route by selecting the best Rate Limit policy that matches the source and destination.

All options

$schema: http://json-schema.org/draft-04/schema#

$ref: #/definitions/RateLimit

definitions

RateLimit

## Rate Limit
Type: object
This schema accepts additional properties.
Properties
- sources
  - List of selectors to match dataplanes that rate limit will be applied for
  - Type: array
    - Items
    - $ref: #/definitions/kuma.mesh.v1alpha1.Selector
- destinations
  - List of selectors to match services that need to be rate limited.
  - Type: array
    - Items
    - $ref: #/definitions/kuma.mesh.v1alpha1.Selector
- conf
  - Configuration for RateLimit +required
  - Type: object
  - $ref: #/definitions/kuma.mesh.v1alpha1.RateLimit.Conf
  - This schema accepts additional properties.
  - Properties kuma.mesh.v1alpha1.RateLimit.Conf
## Conf
Type: object
This schema accepts additional properties.
Properties
- http
  - The HTTP RateLimit configuration +optional
  - Type: object
  - $ref: #/definitions/kuma.mesh.v1alpha1.RateLimit.Conf.Http
  - This schema accepts additional properties.
  - Properties kuma.mesh.v1alpha1.RateLimit.Conf.Http
## Http
Type: object
This schema accepts additional properties.
Properties
- requests
  - The number of HTTP requests this RateLimiter allows +required
  - Type: integer
- interval
  - The the interval for which requests will be accounted. +required
  - Type: string
  - String format must be a "regex"
  - The value must match this pattern: ^([0-9]+\.?[0-9]*|\.[0-9]+)s$
- onRateLimit
  - Describes the actions to take on RatelLimiter event +optional
  - Type: object
  - $ref: #/definitions/kuma.mesh.v1alpha1.RateLimit.Conf.Http.OnRateLimit
  - This schema accepts additional properties.
  - Properties kuma.mesh.v1alpha1.RateLimit.Conf.Http.OnRateLimit
## On Rate Limit
Type: object
This schema accepts additional properties.
Properties
- status
  - The HTTP status code to be set on a RateLimit event +optional
  - Type: integer
- headers
  - The Headers to be added to the HTTP response on a RateLimit event +optional
  - Type: array
    - Items
    - $ref: #/definitions/kuma.mesh.v1alpha1.RateLimit.Conf.Http.OnRateLimit.HeaderValue kuma.mesh.v1alpha1.RateLimit.Conf.Http.OnRateLimit.HeaderValue
## Header Value
Type: object
This schema accepts additional properties.
Properties
- key
  - Header name +optional
  - Type: string
- value
  - Header value +optional
  - Type: string
- append
  - Should the header be appended +optional
  - Type: boolean kuma.mesh.v1alpha1.Selector
## Selector
Selector defines structure for selecting tags for given dataplane
Type: object
This schema accepts additional properties.
Properties
- match
  - Tags to match, can be used for both source and destinations
  - Type: object
  - This schema accepts additional properties.
  - Properties

Generated with json-schema-md-doc Thu Apr 10 2025 03:25:34 GMT+0000 (Coordinated Universal Time)