```
istioctl delete routerule reviews-test-v2
```

In the Bookinfo UI, we’ll see that we are now exposing the v2 version of reviews to all users.  


## Policy enforcement
Istio provides policy enforcement functions, such as quotas, precondition checking, and access control. We can demonstrate Istio’s open and extensible framework for policies with an example: rate limiting.  

Let’s pretend that the Bookinfo ratings service is an external paid service--for example, [Rotten Tomatoes®](https://www.rottentomatoes.com/)--with a free quota of 1 request per second (req/sec). To make sure the application doesn’t exceed this limit, we’ll specify an Istio policy to cut off requests once the limit is reached. We’ll use one of Istio’s built-in policies for this purpose.  

To set a 1 req/sec quota, we first configure a **memquota** handler with rate limits:




```
cat <<EOF | istioctl create -f -
apiVersion: "config.istio.io/v1alpha2"
kind: memquota
metadata:
  name: handler
  namespace: default
spec:
  quotas:
  - name: requestcount.quota.default
    # Default limit for requests not matched by an override
    maxAmount: 5000
    validDuration: 1s
    overrides:
    # Requests whose destination is the ratings service: 1 request per second
    - dimensions:
        destination: ratings
      maxAmount: 1
      validDuration: 1s
EOF
```

Then we create a **quota** instance that maps incoming attributes to quota dimensions, and create a **rule** that uses it with the **memquota** handler:




```
cat <<EOF | istioctl create -f -
apiVersion: "config.istio.io/v1alpha2"
kind: quota
metadata:
  name: requestcount
  namespace: default
spec:
  # Each dimension takes the first attribute that is set, else "unknown"
  dimensions:
    source: source.labels["app"] | source.service | "unknown"
    sourceVersion: source.labels["version"] | "unknown"
    destination: destination.labels["app"] | destination.service | "unknown"
    destinationVersion: destination.labels["version"] | "unknown"
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: quota
  namespace: default
spec:
  # Send the requestcount quota instance to the memquota handler
  actions:
  - handler: handler.memquota
    instances:
    - requestcount.quota
EOF
```

To see the rate limiting in action, we’ll generate some load on the application:




```
wrk -t1 -c1 -d20s http://$BOOKINFO_URL/productpage
```

In the web browser, we’ll notice that while the load generator is running (i.e., generating more than 1 req/sec), browser traffic is cut off. Instead of the black stars next to each review, the page now displays a message indicating that ratings are not currently available.  

Stopping the load generator means the limit will no longer be exceeded: the black stars return when we refresh the page.  
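The following is an added example, not code from the original post or from Istio: a simplified Python model of the quota decision configured above, showing why only one call per second reaches ratings while other destinations keep the 5000 default. It assumes a sliding window and counters keyed by the full dimension set; the helper names and the request timings are constructed.

```python
from collections import defaultdict, deque

# Limits copied from the memquota handler on this page.
DEFAULT = (5000, 1.0)                              # maxAmount, validDuration (s)
OVERRIDES = [({"destination": "ratings"}, (1, 1.0))]

def first_set(*candidates):
    """Model of the `a | b | "unknown"` fallback in the quota instance."""
    return next((c for c in candidates if c), "unknown")

def dimensions(src_labels, dst_labels, src_service="", dst_service=""):
    """Map request attributes to the four dimensions of the quota instance."""
    return {
        "source": first_set(src_labels.get("app"), src_service),
        "sourceVersion": first_set(src_labels.get("version")),
        "destination": first_set(dst_labels.get("app"), dst_service),
        "destinationVersion": first_set(dst_labels.get("version")),
    }

def limit_for(dims):
    """First override whose dimensions all match wins; otherwise the default."""
    for match, limit in OVERRIDES:
        if all(dims.get(k) == v for k, v in match.items()):
            return limit
    return DEFAULT

class QuotaModel:
    """Sliding-window counter per dimension set (assumed keying, simplified)."""
    def __init__(self):
        self.grants = defaultdict(deque)
    def allow(self, dims, now):
        max_amount, valid = limit_for(dims)
        window = self.grants[tuple(sorted(dims.items()))]
        while window and now - window[0] >= valid:
            window.popleft()                       # this grant has expired
        if len(window) >= max_amount:
            return False                           # quota exhausted: cut off
        window.append(now)
        return True

def simulate(times, dims):
    """Return the allow/deny decision for requests arriving at `times`."""
    q = QuotaModel()
    return [q.allow(dims, t) for t in times]

# Constructed sample: reviews v2 calling ratings v1 every 250 ms for 2 s.
RATINGS = dimensions({"app": "reviews", "version": "v2"},
                     {"app": "ratings", "version": "v1"})
DECISIONS = simulate([i * 0.25 for i in range(8)], RATINGS)
```

Only the requests at 0 s and 1 s are granted, which matches the behavior seen in the browser while the load generator consumes the single request per second.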


## Summary
We’ve shown you how to introduce advanced features like HTTP request routing and policy injection into a service mesh configured with Istio without restarting any of the services. This lets you develop and deploy without worrying about the ongoing management of the service mesh; service-wide policies can always be added later.  

In the next and last installment of this series, we’ll focus on Istio’s security and authentication capabilities. We’ll discuss how to secure all interservice communications in a mesh, even against insiders with access to the network, without any changes to the application code or the deployment.
