-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RateLimitPolicy conditions don't indicate that the limit is applied #140
Comments
Do you mean "state" when you say "condition"? And if so, is there a way to make that state reflect reality? |
The RLP has this condition and even when the status is "True" and the messages says that
|
And is it theoretically possible to only report true once it is applied (callback?)? |
This usually happens when the limits CR is updated (not created). The associated config map changes and k8s takes a bit to update Limitador's internal config. Currently, the controller sets the condition to "protected" when all the required changes in the cluster have been done. But it is also true that the change sometimes takes a bit to be effective. I do not think this is a critical issue. But the user experience can indeed be improved. The operator could be doing few more checks to make sure the changes are effective. It is open for discussion what can be done. |
A possible mitigation would be force re-sync of mounted configmap content. As the 3scale SaaS operator does, updating pod's annotations will make kubelet to re-sync mounted configmap volumes. https://github.com/3scale-ops/saas-operator/blob/e4b75b0e2e9b44adb594eb15504f745b117bbbc7/controllers/twemproxyconfig_controller.go#L210 Article explaining this: https://ahmet.im/blog/kubernetes-secret-volumes-delay/ That way there is no need to wait for the automatic update which can take up to few minutes (kubelet sync periodic time+ used cache TTL) |
Possibly a different issue. But another status condition that might be useful would be to identify if the RLP is not matching any path method combination so essentially not being applied. IE on HTTPRoute update or RLP update validate that the RLP is valid and going to be applied to "something" within the defined target? I can open a different issue if better there |
* ratelimitpolicy controller: targetref * ratelimitpolicy controller: status conditions * ratelimitpolicy controller: validate targetref namespace and kind * README: remove authenticated rate limit from user guide * ratelimitpolicy_controller: report when target is already referenced * ratelimitpolicy_controller: reconcile HTTPRoute changes and RLP targetRef changes * fix lint issues * resolve rebase conflicts
See this on-going effort |
Reopening as it is still an issue, but it will be fixed as part of Kuadrant/architecture#38 |
Resolved as part of #523 |
RateLimitPolicy
has a condition that says thatHTTPRoute is protected
; however, that condition doesn't mean that the RLP is being applied and you can start making requests. You need to wait an additional minute or so for the limit to be applied.The text was updated successfully, but these errors were encountered: