Rate Limit "tiering" by/with api key policy #7383
Description
Allowing rate limiting to be combined together with the API Key policy to allow rate limit tiering by an API Key.
Our goal is to allow rate limiting to be distinguished not only by the header but also by a specific tier for example:
we have 2 api keys:
showcase
prep
When accessing through "showcase" we want to limit by 10r/s but "prep" we can allow 100r/s.
We have managed to accomplish this by using snippets, this allows us to do use this feature but in a quite complicated way which can also break the ingress controller easily.
We would love to see this introduced as a policy/combined policy or even in the rate limit policy as more features.
We have accomplished it as following:
Creating the following secret:
apiVersion: v1
kind: Secret
metadata:
name: apikey-secret
type: nginx.org/apikey
stringData:
client1-platinum: "prep"
client2-gold: "showcase"
Then attaching it to a policy:
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
name: apikey-policy
spec:
apiKey:
clientSecret: apikey-secret
suppliedIn:
header:
- x-api-key
Then attaching the policy to a virtual server and using the following snippets:
http-snippets: |
map $apikey_auth_client_name_<namespace(with underscores)>_<vs_name(with underscores)>_apikey_policy $GroupName {
default Group1;
"~^(.*-gold)" Group1;
"~^(.*-platinum" Group2;
}
map $GroupName $Zone1Var {
default "";
Group1 gold;
}
map $GroupName $Zone1Var {
default "";
Group2 platinum;
}
limit_req_zone $Zone1Var zone=Zone1:10m rate=10r/s;
limit_req_zone $Zone2var zone=Zone2:10m rate=100r/s;
Then for location snippets:
location-snippets: |
limit_req zone=Zone1;
limit_req zone=Zone2;