
Just wondering if there is any way in ingress-nginx to enforce rate limiting only if the custom health check URL is fine.
I have been searching, but failed to find a way to do so. Any help will be appreciated.

2 Answers


  1. Rate-limiting is available in NGINX Ingress by using the correct annotations. Available options are:

    1. nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. A 503 error is returned when exceeding this limit.

    2. nginx.ingress.kubernetes.io/limit-rps: number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, limit-req-status-code default: 503 is returned.

    3. nginx.ingress.kubernetes.io/limit-rpm: number of requests accepted from a given IP each minute. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, limit-req-status-code default: 503 is returned.

    4. nginx.ingress.kubernetes.io/limit-burst-multiplier: multiplier of the limit rate for burst size. The default burst multiplier is 5; this annotation overrides the default multiplier. When clients exceed this limit, limit-req-status-code default: 503 is returned.

    5. nginx.ingress.kubernetes.io/limit-rate-after: initial number of kilobytes after which the further transmission of a response to a given connection will be rate limited. This feature must be used with proxy-buffering enabled.

    6. nginx.ingress.kubernetes.io/limit-rate: number of kilobytes per second allowed to send to a given connection. The zero value disables rate limiting. This feature must be used with proxy-buffering enabled.

    7. nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to be excluded from rate-limiting. The value is a comma-separated list of CIDRs.

    There are some limitations of rate-limiting with NGINX ingress:

    It applies to the whole ingress and is not able to configure exceptions, e.g. when you want to exclude a health check path /healthz from your service.

    You can read more about NGINX rate limiting in Kubernetes in this guide.

  2. If you are using NGINX Plus and want to verify the health check for the endpoint, you can create a whole new ingress object with a custom path.

    Annotation: nginx.com/health-checks: "true" — enables active health checks. The default is false.

    If you are not on NGINX Plus and are looking for circuit breaking, you can explore Istio, which will check the endpoint response, and you can implement the rate limiting also.

    With NGINX ingress, you can use the open-source Lua project, build NGINX ingress with it and use that: https://github.com/dream11/lua-circuit-breaker

    Ref doc : https://github.com/nginxinc/kubernetes-ingress/blob/main/examples/health-checks/README.md

    Creating a new ingress with a custom path would be better to manage: when you apply the annotation to an ingress, it gets applied to all the paths set in that ingress.

    So if you apply the rate-limiting, it might get applied to another path in the same ingress if the rule is set to /.

    Rate limiting is straightforward with NGINX, just by adding a few annotations.

    As @Fariya Rahmat mentioned, it would just be a matter of adding the annotation and configuration; however, it won’t be 100% accurate, as NGINX does not use any backend Redis to keep track of data.

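The split both answers point to, as an added example that is not part of either answer: one Ingress carries the `limit-*` annotations for the application paths, and a second Ingress for the same host exposes only the health check path with no rate-limit annotations. The host `app.example.com`, the service `app-svc`, port `8080` and the limit values are assumed placeholders. This does not make the limit conditional on the health check result; it only keeps the health check path out of the throttled scope.

```yaml
# Added example; host, service name, port and limit values are assumed placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-rate-limited
  annotations:
    # 10 requests per second per client IP; burst = 10 * 3 = 30
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "3"
    # At most 20 concurrent connections per client IP
    nginx.ingress.kubernetes.io/limit-connections: "20"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-svc
                port:
                  number: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  # No limit-* annotations here, so this path is not throttled
  name: app-healthz
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /healthz
            pathType: Exact
            backend:
              service:
                name: app-svc
                port:
                  number: 8080
```

Because the health check path is left unthrottled, it should stay cheap to serve and return no sensitive detail, since any client can request it at full rate.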