Skip to content

Commit

Permalink
update ratelimitpolicy references to v1beta3 (#932)
Browse files Browse the repository at this point in the history
Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
  • Loading branch information
eguzki authored Oct 10, 2024
1 parent df87130 commit d17aeaa
Show file tree
Hide file tree
Showing 10 changed files with 78 additions and 42 deletions.
51 changes: 35 additions & 16 deletions doc/proposals/rlp-target-gateway-resource.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,30 +38,49 @@ return an OVER_LIMIT response if any of them are over limit.

```yaml
---
apiVersion: kuadrant.io/v1beta1
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: my-rate-limit-policy
spec:
# Reference to an existing networking resource to attach the policy to. REQUIRED.
# It can be a Gateway API HTTPRoute or Gateway resource.
# It can only refer to objects in the same namespace as the RateLimitPolicy.
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute / Gateway
name: myroute / mygateway
rateLimits:
- rules:
- paths: ["/admin/*"]
methods: ["GET"]
hosts: ["example.com"]
configurations:
- actions:
- generic_key:
descriptor_key: admin
descriptor_value: "yes"
limits:
- conditions: ["admin == yes"]
max_value: 500
seconds: 30
variables: []

# The limits definitions to apply to the network traffic routed through the targeted resource.
# Equivalent to if otherwise declared within `defaults`.
limits:
"my_limit":
# The rate limits associated with this limit definition. REQUIRED.
# E.g., to specify a 50rps rate limit, add `{ limit: 50, duration: 1, unit: secod }`
rates: […]

# Counter qualifiers.
# Each dynamic value in the data plane starts a separate counter, combined with each rate limit.
# E.g., to define a separate rate limit for each user name detected by the auth layer, add `metadata.filter_metadata.envoy\.filters\.http\.ext_authz.username`.
# Check out Kuadrant RFC 0002 (https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md) to learn more about the Well-known Attributes that can be used in this field.
counters: […]

# Additional dynamic conditions to trigger the limit.
# Use it for filtering attributes not supported by HTTPRouteRule or with RateLimitPolicies that target a Gateway.
# Check out Kuadrant RFC 0002 (https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md) to learn more about the Well-known Attributes that can be used in this field.
when: […]

# Explicit defaults. Used in policies that target a Gateway object to express default rules to be enforced on
# routes that lack a more specific policy attached to.
# Mutually exclusive with `overrides` and with declaring `limits` at the top-level of the spec.
defaults:
limits: {…}

# Overrides. Used in policies that target a Gateway object to be enforced on all routes linked to the gateway,
# thus also overriding any more specific policy occasionally attached to any of those routes.
# Mutually exclusive with `defaults` and with declaring `limits` at the top-level of the spec.
overrides:
limits: {…}
```
`.spec.rateLimits` holds a list of rate limit configurations represented by the object `RateLimit`.
Expand Down
6 changes: 3 additions & 3 deletions doc/rate-limiting.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ The limit definitions (`limits`) can be declared at the top-level level of the s
#### High-level example and field definition

```yaml
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: my-rate-limit-policy
Expand Down Expand Up @@ -99,7 +99,7 @@ When a RateLimitPolicy targets a HTTPRoute, the policy is enforced to all traffi
Target a HTTPRoute by setting the `spec.targetRef` field of the RateLimitPolicy as follows:

```yaml
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: <RateLimitPolicy name>
Expand Down Expand Up @@ -134,7 +134,7 @@ Inversely, a gateway policy that specify _overrides_ declares a set of rules to
Target a Gateway HTTPRoute by setting the `spec.targetRef` field of the RateLimitPolicy as follows:

```yaml
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: <RateLimitPolicy name>
Expand Down
2 changes: 1 addition & 1 deletion doc/user-guides/authenticated-rl-for-app-developers.md
Original file line number Diff line number Diff line change
Expand Up @@ -200,7 +200,7 @@ Create a Kuadrant `RateLimitPolicy` to configure rate limiting:

```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: toystore
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -321,7 +321,7 @@ Create a Kuadrant `RateLimitPolicy` to configure rate limiting:

```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: toystore
Expand Down
2 changes: 1 addition & 1 deletion doc/user-guides/gateway-rl-for-cluster-operators.md
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ Create a Kuadrant `RateLimitPolicy` to configure rate limiting:

```sh
kubectl apply -n gateway-system -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: gw-rlp
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,7 @@ Set the default `RateLimitPolicy` for your Gateway as follows:

```bash
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: ${gatewayName}-rlp
Expand Down
4 changes: 2 additions & 2 deletions doc/user-guides/secure-protect-connect.md
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ We have a secure communication in place. However, there is nothing limiting user

```sh
kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: infra-ratelimit
Expand Down Expand Up @@ -395,7 +395,7 @@ The gateway limits are a good set of limits for the general case, but as the dev

```sh
kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: toystore
Expand Down
2 changes: 1 addition & 1 deletion doc/user-guides/simple-rl-for-app-developers.md
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ Create a Kuadrant `RateLimitPolicy` to configure rate limiting:
```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: toystore
Expand Down
2 changes: 1 addition & 1 deletion examples/toystore/ratelimitpolicy_gateway.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: toystore-gw
Expand Down
47 changes: 32 additions & 15 deletions examples/toystore/ratelimitpolicy_httproute.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: RateLimitPolicy
metadata:
name: toystore-httproute
Expand All @@ -13,32 +13,49 @@ spec:
- limit: 6
duration: 30
unit: second

"get-toy":
when:
- selector: request.method
operator: eq
value: "GET"
- selector: request.path
operator: eq
value: "/toy"
rates:
- limit: 5
duration: 30
unit: second

"admin-post-or-delete-toy-per-user":
"admin-post-toy-per-user":
rates:
- limit: 2
duration: 30
unit: second
counters:
- metadata.filter_metadata.envoy\.filters\.http\.ext_authz.username
routeSelectors:
- matches:
- path:
type: Exact
value: "/admin/toy"
method: POST
- matches:
- path:
type: Exact
value: "/admin/toy"
method: DELETE
when:
- selector: request.method
operator: eq
value: "GET"
- selector: request.path
operator: eq
value: "/admin/toy"
- selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.admin
operator: eq
value: "true"
"admin-delete-per-user":
rates:
- limit: 2
duration: 30
unit: second
counters:
- metadata.filter_metadata.envoy\.filters\.http\.ext_authz.username
when:
- selector: request.method
operator: eq
value: "DELETE"
- selector: request.path
operator: eq
value: "/admin/toy"
- selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.admin
operator: eq
value: "true"

0 comments on commit d17aeaa

Please sign in to comment.