1
votes

We'd like to implement EnvoyFilters that allow us to apply a local rate limit of a maximum of 20 requests per minute to all traffic that does not have a particular header. The idea is to limit the number of requests from all non-authenticated users, which should lack the header x-user-auth: some_value.

All requests are done to the same Kubernetes service and from different/undetermined origins. We are not using any Istio ingressgateway, but all the pods that are part of the circuit of these requests have the Istio sidecar proxy injected into them.

How could this be achieved?

1 Answer

1
votes

Looking over Envoy's Rate Limit Service documentation, there is no obvious way to limit request rates based on headers.

However, such a configuration may be possible with Istio's Request Routing and Rate Limits.

Creating a route based on user identity matching headers

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
...
spec:
  hosts:
  - foo
  http:
  - match:
    - headers:
        x-user-auth:
          exact: <some_value>
    route:
    - destination:
        host: foo
        subset: bar
  - route:
    - destination:
        host: foo
        subset: baz

and creating services with local rate limiting.

This configuration will, hopefully, redirect requests with the x-user-auth header to a non-limited service (bar), and everyone else to a limited one (baz).
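
The "services with local rate limiting" half of the answer above could be configured as follows for the pods behind the `baz` subset. This is an added example, not part of the original answer; it follows the local rate limit EnvoyFilter pattern from the Istio documentation, and the filter name, the namespace and the `app: foo` / `version: baz` pod labels are assumptions.

```yaml
# Added example: per-sidecar local rate limit for the pods behind subset "baz".
# Assumed names: metadata.name, namespace, and the app/version pod labels.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: local-ratelimit-baz
  namespace: default
spec:
  workloadSelector:
    labels:
      app: foo
      version: baz
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
          value:
            stat_prefix: http_local_rate_limiter
            token_bucket:          # 20 requests per minute, per pod
              max_tokens: 20
              tokens_per_fill: 20
              fill_interval: 60s
            filter_enabled:        # evaluate the limit on 100% of requests
              runtime_key: local_rate_limit_enabled
              default_value:
                numerator: 100
                denominator: HUNDRED
            filter_enforced:       # and reject (HTTP 429) on 100% of them
              runtime_key: local_rate_limit_enforced
              default_value:
                numerator: 100
                denominator: HUNDRED
```

The token bucket is kept by each sidecar, so the limit is 20 per minute per `baz` pod rather than for the service as a whole. Because the route decision rests on the value of `x-user-auth`, that header should be set or validated by a trusted component before the request reaches this route.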