ads: support envoy filter local ratelimit.

[yuanqijing]

What type of PR is this?
support local rate limit.

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

[codecov]

Codecov Report

Attention: Patch coverage is 88.57143% with 4 lines in your changes missing coverage. Please review.

Project coverage is 52.17%. Comparing base (1f2940b) to head (6876096).
Report is 130 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/controller/ads/cache.go	0.00%	4 Missing ⚠️

Files with missing lines	Coverage Δ
pkg/controller/ads/extensions/local_ratelimit.go	100.00% <100.00%> (ø)
pkg/utils/test/bpf_map.go	34.04% <100.00%> (-3.11%)	⬇️
pkg/controller/ads/cache.go	47.94% <0.00%> (+0.39%)	⬆️

... and 69 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e5b8028...6876096. Read the comment docs.

[hzxuzhonghu]

why reserve?

[yuanqijing]

reserve for
{
"stat_prefix": ...,
"status": {...},
}
should i start token_bucket with number 1, or keep the number tag ?

[hzxuzhonghu]

You can start from 1

[yuanqijing]

updated.

[hzxuzhonghu]

if other fields not supported, please remove them. Add once we support it

[yuanqijing]

just remove the comments? i copy the definition from envoy api.

[hzxuzhonghu]

First we need a proposal to better understand this implement

[hzxuzhonghu]

can you add a comment about what is this

[yuanqijing]

updated.

[yuanqijing]

First we need a proposal to better understand this implement

hi i have created a proposal pr in #873

[yuanqijing]

@hzxuzhonghu hi, ratelimit use the same way to cut tcp connection as circuit breaker, it can be merged after #570.

[hzxuzhonghu]

please keep consistent with other map name.

[yuanqijing]

updated.

[hzxuzhonghu]

In kmesh, we are a little different, we can only ratelimit on the client side now. So take the example here, though it is http.

https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/#local-rate-limit

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-local-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        context: SIDECAR_OUTBOUND

It should be applied on each client instance, not on all the instances of a node.

[yuanqijing]

In kmesh, we are a little different, we can only ratelimit on the client side now. So take the example here, though it is http.

https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/#local-rate-limit

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-local-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        context: SIDECAR_OUTBOUND

It should be applied on each client instance, not on all the instances of a node.

Understood, so the key point here is whether intances in a node share a token bucket.
option 1: client_A->Service_C: 5 token, client_B->Service_C: 6 token
option 2: Service_C: 11 token.

Envoy using option 2, but in kmesh we use option1 ? Is my understanding correct?

[hzxuzhonghu]

Envoy using option 2, but in kmesh we use option1 ? Is my understanding correct?

Envoy can use both, kmesh we can only use option 1

[yuanqijing]

Envoy using option 2, but in kmesh we use option1 ? Is my understanding correct?

Envoy can use both, kmesh we can only use option 1

I have added a new field to distinguish different pods:

struct ratelimit_key {
    union {
        struct {
            __u64 netns;  /* Network namespace. */
            __u32 ipv4;   /* Destination IPv4 address. */
            __u32 port;   /* Destination port. */
            __u32 family; /* Address family (e.g., AF_INET) */
        } sk_skb;
    } key;
};

[yuanqijing]

@hzxuzhonghu Hi I think there are 2 pending Issues:

1. When cleaning up the listener, also clean up the ratelimit configuration. Can I create another PR to fix this?
2. The concurrent issue here may not have been fully discussed yet.

[hzxuzhonghu]

1. When cleaning up the listener, also clean up the ratelimit configuration. Can I create another PR to fix this?

Yes, i think its ok

2. The concurrent issue here may not have been fully discussed yet.

@nlgwcy suggested using atomic update

[yuanqijing]

1. When cleaning up the listener, also clean up the ratelimit configuration. Can I create another PR to fix this?

Yes, i think its ok

2. The concurrent issue here may not have been fully discussed yet.

@nlgwcy suggested using atomic update

suggested atomic updates all addressed. #859 (comment) #859 (comment)

[hzxuzhonghu]

This is not concurrent safe

[yuanqijing]

can this ensue concurent safe ? cause only one progress can add the value.

  topup = (now - value->last_topup) / settings->fill_interval;
  if (topup > 0) {
      topup_time = value->last_topup + topup * settings->fill_interval;
      if (__sync_bool_compare_and_swap(&value->last_topup, value->last_topup, topup_time)) {
          delta = topup * settings->tokens_per_fill;
          if (value->tokens + delta > settings->max_tokens) {
              delta = settings->max_tokens - value->tokens;
          }
          __sync_fetch_and_add(&value->tokens, delta);
      }
  }

[hzxuzhonghu]

@nlgwcy is an expert on this

[yuanqijing]

@nlgwcy hi, could this approach be used to avoid concurrent issues?

[hzxuzhonghu]

why use union here

[yuanqijing]

Using a union in the ratelimit_key structure improves scalability. If we need to limit HTTP connections in the future, we can reuse the same key structure. For example, we can add a structure for HTTP connections like this:

struct ratelimit_key {
    union {
        struct {
            __u64 netns;  /* Network namespace. */
            __u32 ipv4;   /* Destination IPv4 address. */
            __u32 port;   /* Destination port. */
            __u32 family; /* Address family (e.g., AF_INET) */
        } sk_skb;

        struct {
            __u32 http_method;   /* HTTP method (e.g., GET, POST) */
            __u32 http_version;    /* HTTP version (e.g., 1.1, 2) */
            __u32 http_port;         /* HTTP port */
        } http; // New HTTP connection related fields
    } key;
};

[nlgwcy]

/lgtm

[nlgwcy]

It's not needed anymore.

[kmesh-bot]

New changes are detected. LGTM label has been removed.

[lec-bit]

/retest

[nlgwcy]

/approve

[kmesh-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nlgwcy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nlgwcy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment