Rate limiting

[strekm]

Description

Istio module should support rate limiting. New CRD should be introduced to support rate limiting configuration. User should be able to limit access to given workload based on caller ID, custom header or client certificate. Introduced CRD should hide complexity of EnvoyFilters.

TODO:

• POC local/global rate limiting
• POC memcached/redis rate limit service
• API design
• technical design
• threat modeling
  • [Threat Modeling] Documentation of the potential impact of rate limiting
  • [Threat Modeling] End-to-end testing of Envoy filter creation
• implementation
  • EnvoyFiler builder
  • Feature toggle
• rollout

Reasons

Attachments
https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/
kyma-project/kyma#17572
https://killercoda.com/interactive-kyma/scenario/rate-limit

[strekm]

We are still doing research and POC around Envoy global rate limit service

[strekm]

POC phase is finished, meeting with kyma lead architect happened. During the meeting it was decided to split story into: local rate limiting helping with overload of workloads and global rate limiting. Internally goats decided that at this point local rate limiting will become a part of Istio module. New CRD supporting local rate limiting and then later on global rate limiting will be introduced along with new controller.

[strekm]

working on technical design including CRD proposal.

[strekm]

technical design and API design documented: https://github.com/kyma-project/istio/blob/main/docs/contributor/adr/0008-rate-limit.md
threat modelling performed and documented internally. action items created: #1366, #1367