Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rate limits are not enforced anymore #1144

Closed
averevki opened this issue Jan 29, 2025 · 1 comment · Fixed by #1145
Closed

Rate limits are not enforced anymore #1144

averevki opened this issue Jan 29, 2025 · 1 comment · Fixed by #1145
Assignees
@alexsnaps

Comments

@averevki
Copy link

From the 2024-12-17 kuadrant catalogue nightly builds, we see consistent fails in all of our limitador tests inside the testsuite. Every test shows that everything is Accepted and Enforced but requests return 200 when they should be limited.

limitador operator image: 92de465a0cbd325504327229206e7c84c3758891
limitador image: 8dc09dc62d43ca5dd0e90ca5cb61b2966fdc7faa
wasm-shim image: ff60de9d92916c8e2ab91566d314b032b9b062b3

I see ERROR limitador_server: Failed reloading limit file: Invalid limit file: Couldn't parse: .[0].conditions: couldn't parse limit.1rp10s__881b2a8e == "1": Error parsing: unrecognized token: '.1' at [0:5]->[0:7] at line 2 column 3 errors during the nightly kuadrant reinstallations, but it's probably unrelated

This is the setup from the most basic ratelimit test we have which is failing:

RateLimitPolicy:

apiVersion: kuadrant.io/v1
kind: RateLimitPolicy
metadata:
  name: limit-averevki--gbja
  namespace: kuadrant
spec:
  limits:
    basic:
      rates:
        - limit: 2
          window: 15s
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-averevki--0xvs
Gateway 
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gw-averevki--pzye
  namespace: kuadrant
spec:
  gatewayClassName: istio
  listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      hostname: '*.apps.domain.com'
      name: api
      port: 80
      protocol: HTTP
HTTPRoute 
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: route-averevki--0xvs
  namespace: kuadrant
spec:
  hostnames:
    - hostname-averevki--mla-kuadrant.apps.domain.com
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: gw-averevki--pzye
  rules:
    - backendRefs:
        - group: ''
          kind: Service
          name: httpbin-averevki--wzyd
          namespace: kuadrant
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /
@alexsnaps alexsnaps transferred this issue from Kuadrant/limitador Jan 29, 2025
@alexsnaps alexsnaps self-assigned this Jan 29, 2025
@alexsnaps
Copy link
Member

alexsnaps commented Jan 29, 2025
edited
Loading

With Limitador v2.0 and PR #396 conditions need to be specific about the variables they are accessing. We need to make the appropriate change in the operator to access descriptors[0]["<id>"] in the condition it writes out to the limitadorv1alpha1.RateLimit to the Limitador resource rather than accessing <id> directly as it isn't set as a root binding anymore.

@alexsnaps alexsnaps mentioned this issue Jan 29, 2025
Merged
@alexsnaps alexsnaps moved this to Ready For Review in Kuadrant Jan 29, 2025
@github-project-automation github-project-automation bot moved this from Ready For Review to Done in Kuadrant Jan 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexsnaps alexsnaps

Labels
None yet
Projects
Kuadrant
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

RateLimit.Conditions need explicit scope Kuadrant/kuadrant-operator
2 participants
@alexsnaps @averevki