Rate limit feature implementation in Istio1.9

Question

I have done initial setup of Istio 1.9 and deploy the bookInfo application to replicate the sample provided in Istio site for rate limiting. As we have use case in our application to implement rate limiting. I am project Istio as a solution but i am facing challenges while running the yaml provided in Istio official link itself.

Could anybody help me out? https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/

I have deployed bookinfo sample from the following link

Envoy YAML

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: istio-system
spec:
  workloadSelector:
    # select by label in the same namespace
    labels:
      istio: ingressgateway
  configPatches:
    # The Envoy config you want to modify
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        # Adds the Envoy Rate Limit Filter in HTTP filter chain.
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            # domain can be anything! Match it to the ratelimter service config
            domain: productpage-ratelimit
            failure_mode_deny: true
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: rate_limit_cluster
                timeout: 10s
              transport_api_version: V3
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.default.svc.cluster.local
      patch:
        operation: ADD
        # Adds the rate limit service cluster for rate limit service defined in step 1.
        value:
          name: rate_limit_cluster
          type: STRICT_DNS
          connect_timeout: 10s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          load_assignment:
            cluster_name: rate_limit_cluster
            endpoints:
            - lb_endpoints:
              - endpoint:
                  address:
                     socket_address:
                      address: ratelimit.default.svc.cluster.local
                      port_value: 8081

Error while applying the envoy yaml:

Error from server: error when creating "envoyfilter.yaml": admission webhook "validation.istio.io" denied the request: configuration is invalid: Envoy filter: subfilter match requires filter match with envoy.http_connection_manager

Answer 1

As suspected earlier in the comments the issue is due to using the old version of Istio (1.7) instead of the expected 1.9. The old version was still expecting the deprecated filer names :

• envoy.http_connection_manager instead of envoy.filters.network.http_connection_manager

• envoy.router instead of envoy.filters.http.router

Access Logger, Listener Filter, HTTP Filter, Network Filter, Stats Sink, and Tracer names have been deprecated in favor of the extension name from the envoy build system.

While analyzing your issue I stumbled upon several good sources that you will find useful while learning:

• Docs regarding the filters you plan to use

• Understanding Envoy Filters

• Extending Istio with the EnvoyFilter CRD

• and of course the Istio docs

Answer 2

Istio version was 1.7. Due to which i got above error. i have upgraded to Istio 1.9. then it started working.