search

Ingress: Rate Limit

In production setup it's crucial to setup rate limit. These can be use to mitigate DDoS Attacks.

hashtag
Setup Rate Limit

Nginx ingress have many annotations and few of them can be used for rate limit setup.

  • nginx.ingress.kubernetes.io/limit-rps

    • Number of requests accepted from a given IP each second.

    • Burst limit per second is limit-rps * limit-burst-multiplier.

  • nginx.ingress.kubernetes.io/limit-burst-multiplier

    • Default: 5.

Lets update our ingress definition and add above annotations in metadata.annotations section.

annotations:
  nginx.ingress.kubernetes.io/limit-rps: "1"
  nginx.ingress.kubernetes.io/limit-burst-multiplier: "1"

This annotation will limit request per second to only 1.

Apply the changes and validate using kubectl describe. We should see annotations in the result.

➜ kubectl describe ingress simple-ingress          
Name:             simple-ingress
Labels:           <none>
Namespace:        default
Address:          192.168.49.2
Ingress Class:    nginx
Default backend:  <default>
TLS:
  simple-tls terminates simple-go.mine
Rules:
  Host            Path  Backends
  ----            ----  --------
  simple-go.mine  
                  /   simple-go:8080 (10.244.0.88:8080,10.244.0.89:8080,10.244.0.90:8080)
Annotations:      nginx.ingress.kubernetes.io/limit-burst-multiplier: 1
                  nginx.ingress.kubernetes.io/limit-rps: 1
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    71s (x7 over 27h)  nginx-ingress-controller  Scheduled for sync

Let's test it using curl with consecutive request like this.

Output:

We can see above output that the rate limiting work as expected. It will return response status 503 if the limit exceeded. The second request is allowed because it interpreted as single request in different second.

We might want to change the default response status to 429 Too Many Requests, it is preferred response status to clearly tell the user that rate limit is exceeded.

The 429 status code indicates that the user has sent too many requests in a given amount of time ("rate limiting").

To change the default response status code for exceeding rate limit we need to change the nginx ingress configmap named ingress-nginx-controller in namespace ingress-nginx. We can use kubectl edit command below to edit configmap, it will open a vim editor.

Add this key value pair into data section.

Save and wait few seconds for the ingress to sync with latest configmap. Then let's test it again using same curl command before. We should see the response is changed to 429 Too Many Requests.

We can also exclude certain IP addresses from rate limiting using nginx.ingress.kubernetes.io/limit-whitelist annotation. For list of annotations that supported by nginx ingress you can read further in herearrow-up-right.

hashtag
References

PreviousIngress: TLSNextIngress: Basic Auth

Last updated