Setting rate limits for public APIs on the management service for a Kubernetes environment

Describes the procedure for setting a rate limit for public APIs on the management service. Rate limits provide protection from DDoS (distributed denial of service) attacks.

Before you begin

Note:
  • This article does not apply to the IBM® DataPower® Gateway component that is a part of the IBM API Connect solution.
  • This article applies to third-party software that IBM does not control. As such, the software may change and this information may become outdated.

These instructions assume you have a working Kubernetes environment with the kubectl command-line tool installed, and that you understand how to manage Kubernetes. For more information, see https://kubernetes.io.

About this task

Rate limits can be set for public APIs on the management service. Rate limits on APIs help provide protection from DDoS (distributed denial of service) attacks. Without a rate limit, API calls from public APIs are unlimited.

The rate limit configuration requires that the header contains the actual client IP address. Any load balancer or proxy (for example, HAProxy) that is installed in front of the management service must be configured to pass the actual client IP address.

This procedure must be performed on a running API Connect deployment.

Rate limits are calculated as requests per seconds per client.

Note: If the rate limit has been reached on the management subsystem, the client will get an HTTP error: 429 Too Many Requests.

Procedure

  • Configure the ingress-nginx-ingress-controller to pass the real client IP address:
    1. Set the use-proxy-protocol parameter to true by entering the following command: 
      kubectl edit ConfigMap -n kube-system ingress-nginx-ingress-controller
    2. In the ConfigMap, set the following: use-proxy-protocol: "true"
  • Set a rate limit:
    1. You can add a template: value in your subsystem CR to provide an override.

      For example, the Management CR template value can be:

      spec:
  ...
  template:
  - name: juhu
    containers:
    - name: juhu
      env:
      - name: RATE_LIMIT_PER_CLIENT
        value: "10"
      - name: LIMIT_REQUEST_OPTION
        value: "burst=10 nodelay"

      Note that the template: entry must be indented two spaces, and must be located in the spec: element.

      In this example, the first option sets the rate to 10 requests per second (10r/s). The second option allows 10 requests boosted without delay within < 1 second. You can customize as needed.

      The rateLimitPerClient property sets rate, and limitRequestOption sets [burst=number] [nodelay | delay=number] in the following nginx configuration:

      limit_req_zone key zone=name:size rate=rate;
limit_req zone=name [burst=number] [nodelay | delay=number];

      Note that zone has been pre-defined and can't be configured. For more details, see the nginx doc http://nginx.org/en/docs/http/ngx_http_limit_req_module.html.

    2. Apply the changes: 
      kubectl -n <namespace> apply -f management_cr.yaml
    3. Validate that the juhu pod has restarted by listing the pods: 
      kubectl get pods -n <namespace> | grep juhu
    4. Check the AGE column to ensure a new juhu pod has started.
    5. If the older juhu pod is still running, delete it with the following command: 
      kubectl delete pods -n <namespace> <old-juhu-pod>
  • Disable a rate limit:
    1. Validate that the juhu pod has restarted by listing the pods: 
      kubectl get pods -n <namespace> | grep juhu
    2. Check the AGE column to ensure a new juhu pod has started.
    3. If the older juhu pod is still running, delete it with the following command: 
      kubectl delete pods -n <namespace> <old-juhu-pod>