Rate limiting in Ambassador Edge Stack is composed of two parts:
RateLimitServicethat tells Ambassador Edge Stack what service to use for rate limiting. (The Ambassador Edge Stack provides a
RateLimitServiceimplementation for you).
- Labels that get attached to requests; a label is basic metadata that
is used by the
RateLimitServiceto decide which limits to apply to the request.
There are two ways of setting labels on a request:
On an individual Mapping. Labels set here will only apply to requests that use that Mapping.---apiVersion: getambassador.io/v2kind: Mappingmetadata:name: foo-appspec:prefix: /foo/service: foolabels:"my_first_label_domain":- "my_first_label_group":- "my_label_specifier_1"- "my_label_specifier_2"- "my_second_label_group":- "my_label_specifier_3"- "my_label_specifier_4""my_second_label_domain":- ...
Globally, in the
ambassadorModule. Labels set here are applied to every single request that goes through Ambassador Edge Stack. This includes requests go through a Mapping that sets more labels; for those requests, the global labels are prepended to each of the Mapping's label groups for the matching domain; otherwise the global labels are put in to a new label group named "default" for that domain.---apiVersion: getambassador.io/v2kind: Modulemetadata:name: ambassadorspec:config:default_labels:"my_first_label_domain":defaults:- "my_label_specifier_a"- "my_label_specifier_b""my_second_label_domain":defaults:- "my_label_specifier_c"- "my_label_specifier_d"
Labels on a request are lists of key/value pairs, organized in to label groups. Because a label group is a list of key/value pairs (rather than a map),
- it is possible to have multiple labels with the same key
- the order of labels matters
Mappings contain label specifiers that tell
Ambassador Edge Stack what labels to set on the request.
Note: The terminology used by the Envoy documentation differs from the terminology used by Ambassador Edge Stack:
Ambassador Edge Stack Envoy label group descriptor label descriptor entry label specifier rate limit action
The Mappings' listing of the groups of specifiers have names for the groups; the group names are useful for humans dealing with the YAML, but are ignored by Ambassador Edge Stack, all Ambassador Edge Stack cares about are the contents of the groupings of label specifiers.
There are 5 types of label specifiers in Ambassador Edge Stack:
|#||Label Specifier||Action, in human terms||Action, in Envoy gRPC terms|
|1||Sets the label "|
|2||Sets the label "|
|3||If the |
|4||Sets the label "|
|5||Sets the label "|
|5 (shorthand)||Shorthand for |
- The Envoy source cluster name is the name of the Envoy listener cluster that the request name in on.
- The Envoy destination cluster is the name of the Envoy cluster that the Mapping routes the request to. Typically, there is a 1:1 correspondence between upstream services (pointed to by Mappings) and clusters. You can get the name for a cluster from the diagnostics service or Edge Policy Console.
- When setting a label from an HTTP request header, be aware that if that header is not set in the request, then the entire label group is skipped.
- The IP address of the HTTP client could be the actual IP of the
client talking directly to $productName, or it could be the IP
X-Forwarded-Forif $productName is configured to trust the
generic_keyallows you to apply a simple string label to requests flowing through that Mapping.
This is determined by your
The Ambassador Edge Stack provides a
RateLimitService implementation that is
configured by a
RateLimit custom resource.
See the AES RateLimit Reference for information on how
RateLimits in Ambassador Edge Stack.
See the Basic Rate Limiting with Emissary-ingress for an
RateLimitService implementation for Emissary-ingress.