Set ratelimiting to all cidrs with exceptions #4385
Comments
envoy issue envoyproxy/envoy#36442
@envoyproxy/gateway-maintainers / @zetaab / @arkodg Do you have any idea why this does not work? This is built following the reference here. The idea is to set a lower rate limit for certain CIDR blocks and for the rest define a higher limit.

```yaml
---
# Policy 1: limits with no client selector
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: api--rate-limit-all
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api--http-route
  rateLimit:
    type: Global
    global:
      rules:
        - limit:
            requests: 100
            unit: Second
        - limit:
            requests: 500
            unit: Minute
---
# Policy 2: separate limit for the listed source CIDRs
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: api--limit-whitelist
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api--http-route
  rateLimit:
    type: Global
    global:
      rules:
        - clientSelectors:
            - sourceCIDR:
                value: x.y.z.r/30
                type: Distinct
            - sourceCIDR:
                value: x.y.x.r/32
            - sourceCIDR:
                value: x.y.y.r/32
            - sourceCIDR:
                value: x.y.r.r/32
            - sourceCIDR:
                value: y.y.x.r/31
                type: Distinct
          limit:
            requests: 10000
            unit: Minute
---
# Route that references both policies through ExtensionRef filters
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api--http-route
spec:
  parentRefs:
    - name: external-gateway
  hostnames:
    - example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: BackendTrafficPolicy
            name: api--limit-whitelist
      backendRefs:
        - name: api--service
          port: 3000
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: BackendTrafficPolicy
            name: api--rate-limit-all
      backendRefs:
        - name: api--service
          port: 3000
```
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
still valid
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
not stale
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
Still valid issue
Description:
I have a use case where I should add rate limiting to all CIDRs EXCEPT a few "whitelisted IPs". As I see it, it is quite a common use case that people want to set rate limits on everything except a few internal API IPs (whitelist services that should always work, no matter what).
Relevant Links:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-ratelimit-action
Envoy does not support any complex logic in this field, so Envoy changes are needed as well.