# Ingress: Rate Limit

In production setup it's crucial to setup rate limit. These can be use to mitigate DDoS Attacks.

## Setup Rate Limit

Nginx ingress have many annotations and few of them can be used for rate limit setup.

* `nginx.ingress.kubernetes.io/limit-rps`
  * Number of requests accepted from a given IP each second.
  * Burst limit per second is `limit-rps * limit-burst-multiplier`.
* `nginx.ingress.kubernetes.io/limit-burst-multiplier`
  * Default: `5`.

Lets update our ingress definition and add above annotations in `metadata.annotations` section.

```yaml
annotations:
  nginx.ingress.kubernetes.io/limit-rps: "1"
  nginx.ingress.kubernetes.io/limit-burst-multiplier: "1"
```

This annotation will limit request per second to only `1`.

Apply the changes and validate using `kubectl describe`. We should see annotations in the result.

```bash
➜ kubectl describe ingress simple-ingress          
Name:             simple-ingress
Labels:           <none>
Namespace:        default
Address:          192.168.49.2
Ingress Class:    nginx
Default backend:  <default>
TLS:
  simple-tls terminates simple-go.mine
Rules:
  Host            Path  Backends
  ----            ----  --------
  simple-go.mine  
                  /   simple-go:8080 (10.244.0.88:8080,10.244.0.89:8080,10.244.0.90:8080)
Annotations:      nginx.ingress.kubernetes.io/limit-burst-multiplier: 1
                  nginx.ingress.kubernetes.io/limit-rps: 1
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    71s (x7 over 27h)  nginx-ingress-controller  Scheduled for sync
```

Let's test it using `curl` with consecutive request like this.

```bash
➜ curl --resolve "simple-go.mine:443:127.0.0.1" -i -k \
    https://simple-go.mine \
    https://simple-go.mine \
    https://simple-go.mine
```

Output:

```json
HTTP/2 200 
date: Sat, 01 Feb 2025 06:31:29 GMT
content-type: text/plain; charset=utf-8
content-length: 65

[{"id":1,"content":"Hello!"},{"id":2,"content":"Good Morning!"}]
```

```json
HTTP/2 200 
date: Sat, 01 Feb 2025 06:31:29 GMT
content-type: text/plain; charset=utf-8
content-length: 65

[{"id":1,"content":"Hello!"},{"id":2,"content":"Good Morning!"}]
```

```html
HTTP/2 503 
date: Sat, 01 Feb 2025 06:31:29 GMT
content-type: text/html
content-length: 190

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx</center>
</body>
</html>
```

We can see above output that the rate limiting work as expected. It will return response status `503` if the limit exceeded. The second request is allowed because it interpreted as single request in different `second`.

We might want to change the default response status to `429 Too Many Requests`, it is preferred response status to clearly tell the user that rate limit is exceeded.

> The 429 status code indicates that the user has sent too many requests in a given amount of time ("rate limiting").

To change the default response status code for exceeding rate limit we need to change the nginx ingress `configmap` named `ingress-nginx-controller` in namespace `ingress-nginx`. We can use `kubectl edit` command below to edit configmap, it will open a vim editor.

```bash
➜ kubectl -n ingress-nginx edit configmaps ingress-nginx-controller 
```

Add this key value pair into `data` section.

```yaml
limit-req-status-code: "429"
```

Save and wait few seconds for the ingress to sync with latest configmap. Then let's test it again using same curl command before. We should see the response is changed to `429 Too Many Requests`.

```json
HTTP/2 200 
date: Sat, 01 Feb 2025 07:03:03 GMT
content-type: text/plain; charset=utf-8
content-length: 65

[{"id":1,"content":"Hello!"},{"id":2,"content":"Good Morning!"}]
```

```json
HTTP/2 200 
date: Sat, 01 Feb 2025 07:03:04 GMT
content-type: text/plain; charset=utf-8
content-length: 65

[{"id":1,"content":"Hello!"},{"id":2,"content":"Good Morning!"}]
```

```html
HTTP/2 429 
date: Sat, 01 Feb 2025 07:03:04 GMT
content-type: text/html
content-length: 162

<html>
<head><title>429 Too Many Requests</title></head>
<body>
<center><h1>429 Too Many Requests</h1></center>
<hr><center>nginx</center>
</body>
</html>
```

We can also exclude certain IP addresses from rate limiting using `nginx.ingress.kubernetes.io/limit-whitelist` annotation. For list of annotations that supported by nginx ingress you can read further in [here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting).

## References

* <https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting>
* <https://datatracker.ietf.org/doc/html/rfc6585#section-4>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://bagus-cahyono.gitbook.io/programming-notes/cka/10_ingress_rate_limit.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.