Rate limiting with HAProxy Kubernetes Ingress controller


DDoS (distributed denial of service) events occur when an attacker or group of attackers flood your application or API with disruptive traffic, hoping to exhaust its resources and prevent it from functioning properly. Bots and scrapers, too, can misbehave, making far more requests than is reasonable. By Jim O’Connell.

The original post covers several ways to apply overall rate limiting to mitigate such events, but the HAProxy Kubernetes Ingress Controller also offers finer-grained control: a handful of annotations let you build a first line of defense against DDoS traffic on a per-source-IP basis.

The article then describes the following, together with code examples:

  • Rate limit requests
  • Rate limit period
  • Custom status codes
  • Rate limit size

The most important annotation to understand is haproxy.org/rate-limit-requests. Its value is an integer that defines the maximum number of requests accepted from a single source IP address during the haproxy.org/rate-limit-period, which defaults to one second (1s).


apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # Kubernetes annotation values must be strings, so the number is quoted
    haproxy.org/rate-limit-requests: "10"

By adding this annotation to your Ingress, any single source IP address is limited to 10 requests per second; requests beyond that are denied with a 403 status code (the default, which the status-code annotation can change). The article includes further examples. Very good read!
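To show how the four annotations the article discusses fit together, here is a complete Ingress manifest written for this summary (it is not the original post's or the HAProxy project's own example). The annotation names haproxy.org/rate-limit-period, haproxy.org/rate-limit-status-code and haproxy.org/rate-limit-size are taken from the controller's documentation as I recall it, and the defaults quoted in the comments (1s, 403, 100k) should be verified against the controller version you run. The API version is networking.k8s.io/v1, since v1beta1 Ingress was removed in Kubernetes 1.22; the host, Service name and port are placeholders.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # Accept at most 100 requests per source IP ...
    haproxy.org/rate-limit-requests: "100"
    # ... within each 10-second window (controller default: 1s)
    haproxy.org/rate-limit-period: "10s"
    # Answer excess requests with 429 Too Many Requests instead of the default 403
    haproxy.org/rate-limit-status-code: "429"
    # Track up to one million distinct source IPs before old entries are evicted
    # (controller default: 100k); a table that is too small lets busy IPs fall
    # out of tracking before they hit the limit
    haproxy.org/rate-limit-size: "1m"
spec:
  rules:
  - host: web.example.com          # placeholder host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web              # placeholder Service name
            port:
              number: 80
```

Two checks before relying on this in production. First, the limit keys on the source IP HAProxy sees: if the controller sits behind a cloud load balancer or NAT without PROXY protocol or a preserved client address (for example externalTrafficPolicy: Local), every client can appear as one address and be throttled together, while many real users behind a corporate NAT share a single bucket either way. Second, HAProxy stick tables are per-process unless peers are configured, so with several controller replicas each one counts independently; confirm how your deployment shares (or does not share) that state, or size the limit accordingly.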


Tags: devops, cloud, kubernetes, cio, performance