[Bug]: Referencing the same RateLimiting Policy on multiple locations in the same VirtualServer #7372

@shaun-nx

Description

Version

edge

What Kubernetes platforms are you running on?

Kind

Steps to reproduce

Actual Behaviour

I have a VirtualServer with 3 routes:

  1. /coffee with a basic rate-limit policy applied
  2. /tea with a basic rate-limit policy applied
  3. /global-rate which has no policy applied, as I want any number of requests to hit this endpoint

With this setup, if /coffee is being hit by more than 1 request per second, any request to /tea will return a 503.
In order to get around this, I would need to create a separate, identical policy with the same rate limit settings.
This is because the rate limit zone is tied to the Policy itself and not the location that it is supplied to.

Here is an example of the YAML files I am using:

Policy:

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: rate-limit-policy
spec:
  rateLimit:
    rate: 1r/s
    key: ${binary_remote_addr}
    zoneSize: 10M

VirtualServer:

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: webapp
spec:
  host: webapp.example.com
  upstreams:
  - name: webapp
    service: webapp-svc
    port: 80
  routes:
  - path: /coffee
    action:
      pass: webapp
    policies:
      - name: rate-limit-policy
  - path: /tea
    action:
      pass: webapp
    policies:
      - name: rate-limit-policy
  - path: /unlimited
    action:
      pass: webapp

The below command will send a request and sleep for 1 second. This is to simulate the behaviour.

while [ 1 ]; do curl --resolve webapp.example.com:8080:127.0.0.1 http://webapp.example.com:8080/coffee; sleep 1; done

If a request is sent to /tea while this loop is running, the endpoint will return 503:

curl --resolve webapp.example.com:8080:127.0.0.1 http://webapp.example.com:8080/tea
<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx/1.27.3</center>
</body>
</html>

If I hit the /unlimited endpoint, it will work fine since there is no policy attached:

curl --resolve webapp.example.com:8080:127.0.0.1 http://webapp.example.com:8080/unlimited
Server address: 10.42.0.68:8080
Server name: webapp-8598df94db-6ktq7
Date: 17/Feb/2025:16:25:00 +0000
URI: /unlimited
Request ID: f14399aeec2fdf09198573a6b9b7e298

Expected behaviour

I would expect /coffee and /tea to both have independent rate limiting.
As it is, if one endpoint is overwhelmed, all other endpoints using the same policy will be unavailable.
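
Added example (not part of the original report and not NGINX Ingress Controller code): a simplified Python model of NGINX `limit_req` with no burst, replaying constructed traffic to show why one zone shared by both routes rejects /tea for the same client while separate zones do not. The client addresses, the `rate-limit-coffee` and `rate-limit-tea` names, and the helper functions are assumptions made for illustration.

```python
# Simplified model of NGINX limit_req with burst=0 (added example, not project code).
# State lives per (zone, key); excess is counted in thousandths of a request.
class Zone:
    def __init__(self, rate_per_sec):
        self.rate = rate_per_sec * 1000   # milli-requests drained per second
        self.state = {}                   # key -> (last_ms, excess)

    def allow(self, key, now_ms):
        if key not in self.state:         # first request for this key in this zone
            self.state[key] = (now_ms, 0)
            return True
        last_ms, excess = self.state[key]
        excess = max(0, excess - self.rate * (now_ms - last_ms) // 1000 + 1000)
        if excess > 0:                    # burst is 0, so any excess is rejected
            return False                  # a rejected request does not update state
        self.state[key] = (now_ms, excess)
        return True

def replay(route_to_zone, requests, rate_per_sec=1):
    """Return the HTTP status for each (time_ms, client_ip, path) request."""
    zones, statuses = {}, []
    for now_ms, client, path in requests:
        zone_name = route_to_zone.get(path)
        if zone_name is None:             # route without a policy, e.g. /unlimited
            statuses.append(200)
            continue
        zone = zones.setdefault(zone_name, Zone(rate_per_sec))
        statuses.append(200 if zone.allow(client, now_ms) else 503)
    return statuses

# Constructed traffic: one client polls /coffee once a second and also requests /tea
# and /unlimited in between; a second client requests /tea at the same moment.
TRAFFIC = [
    (0, "10.0.0.1", "/coffee"),
    (1000, "10.0.0.1", "/coffee"),
    (2000, "10.0.0.1", "/coffee"),
    (2400, "10.0.0.1", "/tea"),
    (2400, "10.0.0.2", "/tea"),
    (2500, "10.0.0.1", "/unlimited"),
    (3000, "10.0.0.1", "/coffee"),
]
# One Policy referenced by both routes: both locations share a single zone.
SHARED = {"/coffee": "rate-limit-policy", "/tea": "rate-limit-policy"}
# Workaround from the issue: an identical second Policy (hypothetical names).
SPLIT = {"/coffee": "rate-limit-coffee", "/tea": "rate-limit-tea"}

if __name__ == "__main__":
    print("shared:", replay(SHARED, TRAFFIC))
    print("split: ", replay(SPLIT, TRAFFIC))
```

In the shared case only the /tea request from the client that is already polling /coffee gets a 503, because the zone state is keyed by `${binary_remote_addr}`; the second client's /tea request is accepted.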
