Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

このコンテンツは選択した言語では利用できません。

Configuring and deploying Gateway policies with Connectivity Link

Red Hat Connectivity Link 1.2

Secure, protect, and connect APIs on OpenShift

Red Hat Connectivity Link documentation team

Abstract

This guide explains how to use Connectivity Link policies on OpenShift to secure, protect, and connect an application API exposed by a Gateway based on Kubernetes Gateway API. This includes Gateways deployed on a single OpenShift cluster or distributed across multiple clusters.

Preface
リンクのコピー

Providing feedback on Red Hat documentation

Red Hat appreciates your feedback on product documentation.

To propose improvements, open a Jira issue and describe your suggested changes. Provide as much detail as possible to help the documentation team to address your request quickly.

Prerequisite

  • You have a Red Hat Customer Portal account. This account enables you to log in to the Red Hat Jira Software instance. If you do not have an account, you will be prompted to create one.

Procedure

  1. Click the following link: Create issue.
  2. In the Summary text box, enter a brief description of the issue.

  3. In the Description text box, provide the following information:

    • The URL of the page where you found the issue.
    • A detailed description of the issue. You can leave the information in other fields at their default values.
  4. In the Reporter field, enter your Jira user name.
  5. Click Create to submit the Jira issue to the documentation team.

Thank you for taking the time to provide feedback.

Chapter 1. Secure, protect, and connect APIs on OpenShift with Connectivity Link
リンクのコピー

This guide shows how you can use Connectivity Link on OpenShift to secure, protect, and connect an API exposed by a Gateway that uses Kubernetes Gateway API. This guide applies to the platform engineer and application developer user roles in Connectivity Link.

Note

In multicluster environments, you must perform the following steps in each cluster individually, unless specifically excluded.

1.3. Deployment management tooling
リンクのコピー

The examples in this guide use kubectl commands for simplicity. However, working with multiple clusters is complex, and it is best to use a tool such as OpenShift GitOps, based on Argo CD, to manage the deployment of resources to multiple clusters.

Chapter 2. Check your Connectivity Link installation and permissions
リンクのコピー

This guide expects that you have successfully installed Connectivity Link on at least one OpenShift cluster, and that you have the correct user permissions.

Prerequisites

  • You completed the Connectivity Link installation steps on one or more clusters, as described in Installing Connectivity Link on OpenShift.
  • You have the kubectl or oc command installed.
  • You have write access to the OpenShift namespaces used in this guide.
  • You have an AWS account with Amazon Route 53 and a DNS zone for the examples in this guide. Connectivity Link also supports Google Cloud DNS and Microsoft Azure DNS.

  • Optional:

    • For rate limiting in a multicluster environment, you have installed Connectivity Link on more than one cluster and have a shared accessible Redis-based datastore. For more details, see Installing Connectivity Link on OpenShift.
    • For Observability, OpenShift user workload monitoring is configured to remote write to a central storage system such as Thanos, as described in Connectivity Link Observability Guide.

Chapter 3. Set up your environment
リンクのコピー

This section shows how you can set up your environment variables and deploy the example Toystore application on your OpenShift cluster.

Prerequisites

Procedure

  1. Set the following environment variables, which are used for convenience in this guide: 

    export KUADRANT_GATEWAY_NS=api-gateway
export KUADRANT_GATEWAY_NAME=external
export KUADRANT_DEVELOPER_NS=toystore
export KUADRANT_AWS_ACCESS_KEY_ID=xxxx
export KUADRANT_AWS_SECRET_ACCESS_KEY=xxxx
export KUADRANT_AWS_DNS_PUBLIC_ZONE_ID=xxxx
export KUADRANT_ZONE_ROOT_DOMAIN=example.com
export KUADRANT_CLUSTER_ISSUER_NAME=self-signed
    Copy to Clipboard Toggle word wrap

    These environment variables are described as follows:

    • KUADRANT_GATEWAY_NS: Namespace for your example Gateway in OpenShift.
    • KUADRANT_GATEWAY_NAME: Name of your example Gateway in OpenShift.
    • KUADRANT_DEVELOPER_NS: Namespace for the example toystore app in OpenShift.
    • KUADRANT_AWS_ACCESS_KEY_ID: AWS key ID with access to manage your DNS zone.
    • KUADRANT_AWS_SECRET_ACCESS_KEY: AWS secret access key with permissions to manage your DNS zone.
    • KUADRANT_AWS_DNS_PUBLIC_ZONE_ID: AWS Route 53 zone ID for the Gateway. This is the ID of the hosted zone that is displayed in the AWS Route 53 console.
    • KUADRANT_ZONE_ROOT_DOMAIN: Root domain in AWS Route 53 associated with your DNS zone ID.

    • KUADRANT_CLUSTER_ISSUER_NAME: Name of the certificate authority or issuer TLS certificates.

      Note

      This guide uses environment variables for convenience only. Alternatively, if you know the environment variable values, you can set up the required .yaml files to suit your environment.

  2. Create the namespace for the Toystore app as follows: 

    kubectl create ns ${KUADRANT_DEVELOPER_NS}
    Copy to Clipboard Toggle word wrap

  3. Deploy the Toystore app to the developer namespace: 

    kubectl apply -f https://raw.githubusercontent.com/Kuadrant/Kuadrant-operator/main/examples/toystore/toystore.yaml -n ${KUADRANT_DEVELOPER_NS}
    Copy to Clipboard Toggle word wrap

Chapter 4. Set up a DNS provider secret
リンクのコピー

Your DNS provider supplies credentials to access the DNS zones that Connectivity Link can use to set up your DNS configuration. You must ensure that these credentials have access to only the DNS zones that you want Connectivity Link to manage with your DNSPolicy.

Note

You must apply the following Secret resource to each cluster. If you are adding an additional cluster, add it to the new cluster.

Prerequisites

Procedure

  1. Create the namespace that the Gateway will be deployed in as follows: 

    kubectl create ns ${KUADRANT_GATEWAY_NS}
    Copy to Clipboard Toggle word wrap

  2. Create the secret credentials in the same namespace as the Gateway as follows: 

    kubectl -n ${KUADRANT_GATEWAY_NS} create secret generic aws-credentials \
  --type=kuadrant.io/aws \
  --from-literal=AWS_ACCESS_KEY_ID=$KUADRANT_AWS_ACCESS_KEY_ID \
  --from-literal=AWS_SECRET_ACCESS_KEY=$KUADRANT_AWS_SECRET_ACCESS_KEY
    Copy to Clipboard Toggle word wrap

  3. Before adding a TLS certificate issuer, create the secret credentials in the cert-manager namespace as follows: 

    kubectl -n cert-manager create secret generic aws-credentials \
  --type=kuadrant.io/aws \
  --from-literal=AWS_ACCESS_KEY_ID=$KUADRANT_AWS_ACCESS_KEY_ID \
  --from-literal=AWS_SECRET_ACCESS_KEY=$KUADRANT_AWS_SECRET_ACCESS_KEY
    Copy to Clipboard Toggle word wrap

Chapter 5. Add a TLS certificate issuer
リンクのコピー

To secure communication to your Gateways, you must define a certification authority as an issuer for TLS certificates.

Note

This example uses the Let’s Encrypt TLS certificate issuer for simplicity, but you can use any certificate issuer supported by cert-manager. In multicluster environments, you must add your TLS issuer in each OpenShift cluster.

Prerequisites

Procedure

  1. Enter the following command to define a TLS certificate issuer: 

    kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ${KUADRANT_CLUSTER_ISSUER_NAME}
spec:
  selfSigned: {}
EOF
    Copy to Clipboard Toggle word wrap

  2. Wait for the ClusterIssuer to become ready as follows: 

    kubectl wait clusterissuer/${KUADRANT_CLUSTER_ISSUER_NAME} --for=condition=ready=true
    Copy to Clipboard Toggle word wrap

Chapter 6. Create your Gateway instance
リンクのコピー

This section shows how you can deploy a Gateway in your OpenShift cluster. This task is typically performed by platform engineers when setting up the infrastructure to be used by application developers.

Note

In a multicluster environment, for Connectivity Link to balance traffic by using DNS across clusters, you must define a Gateway with a shared hostname. You can define this by using an HTTPS listener with a wildcard hostname based on the root domain. As mentioned previously, you must apply these resources to all clusters.

Prerequisites

Procedure

  1. Enter the following command to create the Gateway: 

    kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: ${KUADRANT_GATEWAY_NAME}
  namespace: ${KUADRANT_GATEWAY_NS}
  labels:
    kuadrant.io/gateway: "true"
spec:
    gatewayClassName: istio
    listeners:
    - allowedRoutes:
        namespaces:
          from: All
      hostname: "api.${KUADRANT_ZONE_ROOT_DOMAIN}"
      name: api
      port: 443
      protocol: HTTPS
      tls:
        certificateRefs:
        - group: ""
          kind: Secret
          name: api-${KUADRANT_GATEWAY_NAME}-tls
        mode: Terminate
EOF
    Copy to Clipboard Toggle word wrap

  2. Check the status of your Gateway as follows: 

    kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Programmed")].message}'
    Copy to Clipboard Toggle word wrap

    Your Gateway should be Accepted and Programmed, which means that it is valid and assigned an external address.

  3. Check the status of your HTTPS listener as follows: 

    kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.listeners[0].conditions[?(@.type=="Programmed")].message}'
    Copy to Clipboard Toggle word wrap

    You will see that the HTTPS listener is not yet programmed or ready to accept traffic due to bad TLS configuration. Connectivity Link can help with this by using a TLSPolicy, which is described in the next step.

Chapter 7. Configure your Gateway policies and HTTP route
リンクのコピー

While your Gateway is now deployed, it has no exposed endpoints and your HTTPS listener is not programmed. Next, you can define a TLSPolicy that leverages your CertificateIssuer to set up your HTTPS listener certificates, and define an HTTPRoute for your Gateway to communicate with your backend application API.

You will define an AuthPolicy to set up a default HTTP 403 response for any unprotected endpoints, and a RateLimitPolicy to set up a default artificially low global limit to further protect any endpoints exposed by the Gateway. You will also define a DNSPolicy with a load balancing strategy for your Gateway.

Prerequisites

Note

In multicluster environments, you must perform the following steps in each cluster individually, unless specifically excluded.

7.1. Set the TLS policy
リンクのコピー

Procedure

  1. Set the TLSPolicy for your Gateway as follows: 

    kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: TLSPolicy
metadata:
  name: ${KUADRANT_GATEWAY_NAME}-tls
  namespace: ${KUADRANT_GATEWAY_NS}
spec:
  targetRef:
    name: ${KUADRANT_GATEWAY_NAME}
    group: gateway.networking.k8s.io
    kind: Gateway
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: ${KUADRANT_CLUSTER_ISSUER_NAME}
EOF
    Copy to Clipboard Toggle word wrap

  2. Check that your TLS policy has an Accepted and Enforced status as follows: 

    kubectl get tlspolicy ${KUADRANT_GATEWAY_NAME}-tls -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
    Copy to Clipboard Toggle word wrap

    This may take a few minutes depending on the TLS provider, for example, Let’s Encrypt.

7.2. Create an HTTP route for your application
リンクのコピー

Procedure

  1. Create an HTTPRoute for the example Toystore application as follows: 

    kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: toystore
  namespace: ${KUADRANT_DEVELOPER_NS}
  labels:
    deployment: toystore
    service: toystore
spec:
  parentRefs:
  - name: ${KUADRANT_GATEWAY_NAME}
    namespace: ${KUADRANT_GATEWAY_NS}
  hostnames:
  - "api.${KUADRANT_ZONE_ROOT_DOMAIN}"
  rules:
  - matches:
    - method: GET
      path:
        type: PathPrefix
        value: "/cars"
    - method: GET
      path:
        type: PathPrefix
        value: "/health"
    backendRefs:
    - name: toystore
      port: 80
EOF
    Copy to Clipboard Toggle word wrap

    While the Gateway is deployed, it currently has exposed endpoints. The next steps are defining an AuthPolicy to set up a default HTTP 403 response for any unprotected endpoints, and a RateLimitPolicy to set up a default unrealistic low global limit to further protect any exposed endpoints.

7.3. Set the default AuthPolicy
リンクのコピー

Procedure

  1. Set a default AuthPolicy with a deny-all setting for your Gateway as follows: 

    kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: ${KUADRANT_GATEWAY_NAME}-auth
  namespace: ${KUADRANT_GATEWAY_NS}
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: ${KUADRANT_GATEWAY_NAME}
  defaults:
   when:
     - predicate: "request.path != '/health'"
   rules:
    authorization:
      deny-all:
        opa:
          rego: "allow = false"
    response:
      unauthorized:
        headers:
          "content-type":
            value: application/json
        body:
          value: |
            {
              "error": "Forbidden",
              "message": "Access denied by default by the gateway operator. If you are the administrator of the service, create a specific auth policy for the route."
            }
EOF
    Copy to Clipboard Toggle word wrap

  2. Check that your AuthPolicy has Accepted and Enforced status as follows: 

    kubectl get authpolicy ${KUADRANT_GATEWAY_NAME}-auth -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
    Copy to Clipboard Toggle word wrap

7.4. Set the default RateLimitPolicy
リンクのコピー

Procedure

  1. Set the default RateLimitPolicy with a low-limit setting for your Gateway as follows: 

    kubectl apply -f  - <<EOF
apiVersion: kuadrant.io/v1
kind: RateLimitPolicy
metadata:
  name: ${KUADRANT_GATEWAY_NAME}-rlp
  namespace: ${KUADRANT_GATEWAY_NS}
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: ${KUADRANT_GATEWAY_NAME}
  defaults:
    limits:
      "low-limit":
        rates:
        - limit: 1
          window: 10s
EOF
    Copy to Clipboard Toggle word wrap
    Note

    It might take a few minutes for the RateLimitPolicy to be applied depending on your cluster. The limit in this example is artificially low to show it working easily.

  2. Check that your RateLimitPolicy has Accepted and Enforced status as follows: 

    kubectl get ratelimitpolicy ${KUADRANT_GATEWAY_NAME}-rlp -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
    Copy to Clipboard Toggle word wrap

7.5. Set the DNS policy
リンクのコピー

Procedure

  1. Set the DNSPolicy for your Gateway as follows: 

    kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: DNSPolicy
metadata:
  name: ${KUADRANT_GATEWAY_NAME}-dnspolicy
  namespace: ${KUADRANT_GATEWAY_NS}
spec:
  healthCheck:
    failureThreshold: 3
    interval: 1m
    path: /health
  loadBalancing:
    defaultGeo: true
    geo: GEO-NA
    weight: 120
  targetRef:
    name: ${KUADRANT_GATEWAY_NAME}
    group: gateway.networking.k8s.io
    kind: Gateway
  providerRefs:
  - name: aws-credentials # Secret created earlier
EOF
    Copy to Clipboard Toggle word wrap
    Note

    The DNSPolicy will use the DNS Provider Secret that you defined earlier. The geo in this example is GEO-NA, but you can change this to suit your requirements.

  2. Check that your DNSPolicy has status of Accepted and Enforced as follows: 

    kubectl get dnspolicy ${KUADRANT_GATEWAY_NAME}-dnspolicy -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
    Copy to Clipboard Toggle word wrap

    This might take a few minutes.

  3. Check the status of the DNS health checks that are enabled on your DNSPolicy as follows: 

    kubectl get dnspolicy ${KUADRANT_GATEWAY_NAME}-dnspolicy -n ${KUADRANT_GATEWAY_NS} -
    Copy to Clipboard Toggle word wrap

    These health checks flag a published endpoint as healthy or unhealthy based on defined configuration. When unhealthy, an endpoint will not be published if it has not already been published to the DNS provider. An endpoint will only be unpublished if it is part of a multi-value A record, and in all cases can be observed in the DNSPolicy status.

7.6. Test your default rate limit and auth policies
リンクのコピー

You can use a curl command to test the default low-limit and deny-all policies for your Gateway.

Procedure

  • Enter the following curl command: 

    while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null  "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
    Copy to Clipboard Toggle word wrap

    You should see a HTTP 403 responses.

Chapter 8. Configure on-premises DNS with CoreDNS (Technology Preview)
リンクのコピー

Important

Red Hat Connectivity Link integration with CoreDNS for on-premises DNS is currently available in Red Hat Connectivity Link as a Technology Preview feature. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Red Hat Connectivity Link uses a DNSPolicy to manage DNS records based on Gateway API resources. For on-premises DNS servers like CoreDNS, direct integration might require custom controllers or elevated permissions, which can be complex and pose security risks.

To address this challenge, Connectivity Link supports DNS delegation. Instead of directly managing records on the authoritative on-premises DNS server, you configure that server to delegate a specific subdomain (for example, kuadrant.example.local) to CoreDNS instances managed by Connectivity Link.

The DNSPolicy can then interact with the CoreDNS provider within the OpenShift Container Platform cluster. This CoreDNS instance becomes authoritative for the delegated subdomain and manages the necessary DNS records (A, CNAME, and so on) for Gateways within that subdomain.

The delegate field within the DNSPolicy configuration specifies which DNS provider (in this case, CoreDNS) handles the records for the targeted Gateways.

This guide describes how to set up CoreDNS as a DNS provider for Connectivity Link in a multi-cluster, on-premises environment. This integration allows Connectivity Link to manage DNS entries within your internal network infrastructure.

Prerequisites

  • Red Hat Connectivity Link is installed on two separate OpenShift Container Platform clusters (primary and secondary).
  • The kubectl or oc command-line interface is installed and configured for access to both clusters.
  • You have administrator privileges on both OpenShift Container Platform clusters.
  • Your OpenShift Container Platform clusters have support for the loadbalanced service type that allows UDP traffic on port 53, such as MetalLB. For more information, see Load balancing with MetalLB.
  • You have access to configure your authoritative on-premises DNS server to delegate a subdomain.
  • Kustomize is installed.

Procedure

  1. Set up the primary cluster. Set the following environment variables for your primary cluster context: 

    export CTX_PRIMARY=<primary_cluster_context_name> # e.g., kind-primary
export KUBECONFIG=~/.kube/config # Adjust path if necessary
export PRIMARY_CLUSTER_NAME=<primary_cluster_name> # e.g., primary
export ONPREM_DOMAIN=<your_onprem_domain> # e.g., example.local
export KUADRANT_SUBDOMAIN=kuadrant # Subdomain to delegate
    Copy to Clipboard Toggle word wrap

  2. Install CoreDNS using the Connectivity Link kustomization, which includes the required kuadrant plugin. Apply the following configuration to the primary cluster, replacing <kuadrant-coredns-kustomize-url> with the actual URL for the Kuadrant CoreDNS kustomization. 

    kustomize build --enable-helm github.com/kuadrant/dns-operator/config/coredns?ref=v0.15.0 | kubectl apply --context ${CTX_PRIMARY} -f -
    Copy to Clipboard Toggle word wrap
    Note

    The default CoreDNS Helm chart does not include the kuadrant plugin. You must use the Connectivity Link-provided kustomization which bundles a customized CoreDNS build.

  3. Wait for the CoreDNS service to get an external IP address and store it: 

    export COREDNS_IP_PRIMARY=$(kubectl --context $CTX_PRIMARY -n kuadrant-system get service <coredns-service-name> -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
echo "CoreDNS Primary IP: ${COREDNS_IP_PRIMARY}"
    Copy to Clipboard Toggle word wrap

    You need this IP address later to configure delegation on your authoritative on-premises DNS server.

  4. Create a ConfigMap to define the authoritative zone for CoreDNS on the primary cluster. This minimal configuration enables the kuadrant plugin and GeoIP features. 

    cat | kubectl --context $CTX_PRIMARY apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-kuadrant-config
  namespace: kuadrant-system
data:
  Corefile: |
    ${KUADRANT_SUBDOMAIN}.${ONPREM_DOMAIN}:53 {
        debug
        errors
        health {
            lameduck 5s
        }
        ready
        log
        geoip GeoLite2-City-demo.mmdb {
            edns-subnet
        }
        metadata
        kuadrant
    }
    Copy to Clipboard Toggle word wrap
    Note

    The geoip plugin in this example uses the GeoLite2-City-demo.mmdb database included for demonstration purposes. For production or accurate GeoIP routing, mount your licensed MaxMind GeoIP database into the CoreDNS pod and update the filename in the Corefile.

  5. Update the CoreDNS deployment to use the new configuration: 

    kubectl --context $CTX_PRIMARY -n kuadrant-system patch deployment <coredns-deployment-name> --patch '{"spec":{"template":{"spec":{"volumes":[{"name":"config-volume","configMap":{"name":"coredns-kuadrant-config","items":[{"key":"Corefile","path":"Corefile"}]}}]}}}}'
    Copy to Clipboard Toggle word wrap

  6. Wait for the deployment rollout to complete: 

    kubectl --context $CTX_PRIMARY -n kuadrant-system rollout status deployment/<coredns-deployment-name>
    Copy to Clipboard Toggle word wrap

  7. Create the Kubernetes Secret that Connectivity Link uses to interact with CoreDNS. This secret specifies the zones this provider instance is authoritative for. 

    kubectl create secret generic coredns-credentials \
  --namespace=kuadrant-system \
  --type=kuadrant.io/coredns \
  --from-literal=ZONES="${KUADRANT_SUBDOMAIN}.${ONPREM_DOMAIN}" \
  --context ${CTX_PRIMARY}
    Copy to Clipboard Toggle word wrap

  8. On your authoritative on-premises DNS server, configure delegation for the ${KUADRANT_SUBDOMAIN}.${ONPREM_DOMAIN} subdomain to the external IP addresses of the CoreDNS services running on your primary and secondary clusters ($COREDNS_IP_PRIMARY and $COREDNS_IP_SECONDARY). The specific steps depend on your DNS server software (for example, BIND, Windows DNS Server). You typically need to add NS (Name Server) records pointing the subdomain to the CoreDNS IP addresses. For example: 

    ; Delegate kuadrant.example.local to CoreDNS instances
$ORIGIN ${KUADRANT_SUBDOMAIN}.${ONPREM_DOMAIN}.
@       IN      SOA     ns1.${ONPREM_DOMAIN}. hostmaster.${ONPREM_DOMAIN}. (
                        2023102601 ; serial
                        7200       ; refresh (2 hours)
                        3600       ; retry (1 hour)
                        1209600    ; expire (2 weeks)
                        3600       ; minimum (1 hour)
                        )
        IN      NS      coredns-primary.${KUADRANT_SUBDOMAIN}.${ONPREM_DOMAIN}.

coredns-primary   IN A ${COREDNS_IP_PRIMARY}
    Copy to Clipboard Toggle word wrap

Verification

After configuring delegation, you can test that DNS resolution for the delegated subdomain works correctly by querying your authoritative DNS server for a record within the kuadrant subdomain. The query should be referred to, and answered by, one of the CoreDNS instances.

Next steps

Create DNSPolicy resources in your OpenShift Container Platform clusters, referencing the coredns-credentials secret as the provider. Connectivity Link manages DNS records within the delegated ${KUADRANT_SUBDOMAIN}.${ONPREM_DOMAIN} zone through the CoreDNS instances.

Chapter 9. Configure token-based rate limiting with TokenRateLimitPolicy
リンクのコピー

Red Hat Connectivity Link provides the TokenRateLimitPolicy custom resource to enforce rate limits based on token consumption rather than the number of requests. This policy extends the Envoy Rate Limit Service (RLS) protocol with automatic token usage extraction. It is particularly useful for protecting Large Language Model (LLM) APIs, where the cost and resource usage correlate more closely with the number of tokens processed.

Unlike the standard RateLimitPolicy which counts requests, TokenRateLimitPolicy counts tokens by extracting usage metrics in the body of the AI inference API call, allowing for finer-grained control over API usage based on actual workload.

9.1. How token rate limiting works
リンクのコピー

The TokenRateLimitPolicy tracks cumulative token usage per client. Before forwarding a request, it checks if the client has already exceeded their limit from previous usage. After the upstream responds, it extracts the actual token cost and updates the client’s counter.

The flow is as follows:

  1. On an incoming request, the gateway evaluates the matching rules and predicates from the TokenRateLimitPolicy resources.
  2. If the request matches, the gateway prepares the necessary rate limit descriptors and monitors the response.
  3. After receiving the response, the gateway extracts the usage.total_tokens field from the JSON response body.
  4. The gateway then sends a RateLimitRequest to Limitador, including the actual token count as a hits_addend.
  5. Limitador tracks the cumulative token usage and responds to the gateway with OK or OVER_LIMIT.

9.2. Key features and use cases
リンクのコピー

  • Enforces limits based on token usage by extracting the usage.total_tokens field from an OpenAI-style inference JSON response body.
  • Suitable for consumption-based APIs such as LLMs where the cost is tied to token counts.
  • Allows defining different limits based on criteria such as user identity, API endpoints, or HTTP methods.
  • Works with AuthPolicy to apply specific limits to authenticated users or groups.
  • Inherits functionalities from RateLimitPolicy, including defining multiple limits with different durations and using Redis for shared counters in multi-cluster environments.

9.3. Integrating with AuthPolicy
リンクのコピー

You can combine TokenRateLimitPolicy with AuthPolicy to apply token limits based on authenticated user identity. When an AuthPolicy successfully authenticates a request, it injects identity information which can then be used by the TokenRateLimitPolicy to select the appropriate limit.

For example, you can define different token limits for users belonging to 'free-tier' versus 'premium-tier' groups, identified using claims in a JWT validated by AuthPolicy.

9.4. Configure token-based rate limiting for LLM APIs
リンクのコピー

This guide shows how to configure TokenRateLimitPolicy to protect a hypothetical LLM API deployed on OpenShift Container Platform, integrated with AuthPolicy for user-specific limits.

Prerequisites

  • Connectivity Link is installed on your OpenShift Container Platform cluster.
  • A Gateway and an HTTPRoute are configured to expose your service.
  • An AuthPolicy is configured for authentication (for example, using API keys or OIDC).
  • Redis is configured for Limitador if running in a multi-cluster setup or requiring persistent counters.
  • Your upstream service is configured to return an OpenAI-compatible JSON response containing a usage.total_tokens field in the response body.

Procedure

  1. Create a TokenRateLimitPolicy resource. This example defines two limits: one for free users on a 10,000 tokens per day request limit, and one for pro users with a 100,000 tokens per day request limit. 

    apiVersion: kuadrant.io/v1alpha1
kind: TokenRateLimitPolicy
metadata:
  name: llm-protection
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: ai-gateway
  limits:
    free-users:
      rates:
        - limit: 10000 # 10k tokens per day for free tier
          window: 24h
      when:
        - predicate: request.path == "/v1/chat/completions" # Inference traffic only
        - predicate: |
            auth.identity.groups.split(",").exists(g, g == "free")
      counters:
        - expression: auth.identity.userid
    pro-users:
      rates:
        - limit: 100000 # 200 tokens per minute for pro users
          window: 24h
      when:
        - predicate: request.path == "/v1/chat/completions" # Inference traffic only
        - predicate: |
            auth.identity.groups.split(",").exists(g, g == "pro")
      counters:
        - expression: auth.identity.userid
    Copy to Clipboard Toggle word wrap

  2. Apply the policy: 

    oc apply -f your-tokenratelimitpolicy.yaml -n my-api-namespace
    Copy to Clipboard Toggle word wrap

  3. Check the status of the policy to ensure it has been accepted and enforced on the target HTTPRoute. Look for conditions with type: Accepted and type: Enforced with status: "True". 

    oc get tokenratelimitpolicy llm-protection -n my-api-namespace -o jsonpath='{.status.conditions}'
    Copy to Clipboard Toggle word wrap

  4. Send requests to your API endpoint, including the required authentication details. 

    curl -H "Authorization: <auth-details>" \
     -d '{"model": "gpt-4", "messages": [{"role": "user", "content": "Hello"}]}' \
     <your-api-endpoint>
    Copy to Clipboard Toggle word wrap

Verification

  • Ensure your upstream service responds with an OpenAI-compatible JSON body containing the usage.total_tokens field.
  • Requests made when the client is within their token limits should receive a 200 OK response or other success status and their token counter will be updated.
  • Requests made when the client has already exceeded their token limits should receive a 429 Too Many Requests response.

Chapter 10. Override your Gateway policies for auth and rate limiting
リンクのコピー

As an application developer, you can override your existing Gateway-level policies to configure your application-level auth and rate limiting requirements.

Prerequisites

10.1. Override the Gateway’s deny-all AuthPolicy
リンクのコピー

You can allow authenticated access to the Toystore API by defining a new AuthPolicy that targets the HTTPRoute resource created in the previous section.

Note

Any new HTTPRoutes will still be affected by the existing Gateway-level policy. Because you want users to now access this API, you must override that Gateway policy. For simplicity, you can use API keys to authenticate the requests, but other options such as OpenID Connect are also available.

Procedure

  1. Ensure that your Connectivity Link system namespace is set correctly as follows: 

    export KUADRANT_SYSTEM_NS=$(kubectl get kuadrant -A -o jsonpath="{.items[0].metadata.namespace}")
    Copy to Clipboard Toggle word wrap

  2. Define API keys for bob and alice users as follows: 

    kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bob-key
  namespace: ${KUADRANT_SYSTEM_NS}
  labels:
    authorino.kuadrant.io/managed-by: authorino
    app: toystore
  annotations:
    secret.kuadrant.io/user-id: bob
stringData:
  api_key: IAMBOB
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  name: alice-key
  namespace: ${KUADRANT_SYSTEM_NS}
  labels:
    authorino.kuadrant.io/managed-by: authorino
    app: toystore
  annotations:
    secret.kuadrant.io/user-id: alice
stringData:
  api_key: IAMALICE
type: Opaque
EOF
    Copy to Clipboard Toggle word wrap

  3. Create a new AuthPolicy in a different namespace that overrides the deny-all policy created earlier and accepts the API keys as follows: 

    kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: toystore-auth
  namespace: ${KUADRANT_DEVELOPER_NS}
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  defaults:
   when:
     - predicate: "request.path != '/health'"
   rules:
    authentication:
      "api-key-users":
        apiKey:
          selector:
            matchLabels:
              app: toystore
        credentials:
          authorizationHeader:
            prefix: APIKEY
    response:
      success:
        filters:
          "identity":
            json:
              properties:
                "userid":
                  selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id
EOF
    Copy to Clipboard Toggle word wrap

10.2. Override the Gateway’s low-limit RateLimitPolicy for specific users
リンクのコピー

The configured Gateway limits provide a good set of limits for the general case. However, as the developer of the Toystore API, you might want to only allow a certain number of requests for specific users, and a general limit for all other users.

Procedure

  1. Create a new RateLimitPolicy in a different namespace to override the default low-limit policy created previously and set rate limits for specific users as follows: 

    kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: RateLimitPolicy
metadata:
  name: toystore-rlp
  namespace: ${KUADRANT_DEVELOPER_NS}
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  limits:
    "general-user":
      rates:

      - limit: 5
        window: 10s
      counters:
      - expression: auth.identity.userid
      when:
      - predicate: "auth.identity.userid != 'bob'"
    "bob-limit":
      rates:
      - limit: 2
        window: 10s
      when:
      - predicate: "auth.identity.userid == 'bob'"
EOF
    Copy to Clipboard Toggle word wrap
    Note

    It might take a few minutes for the RateLimitPolicy to be applied, depending on your cluster.

  2. Check that the RateLimitPolicy has a status of Accepted and Enforced as follows: 

    kubectl get ratelimitpolicy -n ${KUADRANT_DEVELOPER_NS} toystore-rlp -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
    Copy to Clipboard Toggle word wrap

  3. Check that the status of the HTTPRoute is now affected by the RateLimitPolicy in the same namespace: 

    kubectl get httproute toystore -n ${KUADRANT_DEVELOPER_NS} -o=jsonpath='{.status.parents[0].conditions[?(@.type=="kuadrant.io/RateLimitPolicyAffected")].message}'
    Copy to Clipboard Toggle word wrap

10.3. Test the new Rate limit and Auth policies
リンクのコピー

  1. Send requests as user alice as follows: 

    while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
    Copy to Clipboard Toggle word wrap

    You should see HTTP status 200 every second for 5 seconds, followed by HTTP status 429 every second for 5 seconds.

  2. Send requests as user bob as follows: 

    while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
    Copy to Clipboard Toggle word wrap

    You should see HTTP status 200 every second for 2 seconds, followed by HTTP status 429 every second for 8 seconds.

Appendix A. Using your Red Hat subscription
リンクのコピー

Red Hat Connectivity Link is provided through a software subscription. To manage your subscriptions, access your account at the Red Hat Customer Portal.

Managing your subscriptions

  1. Go to access.redhat.com.
  2. If you do not already have an account, create one.
  3. Log in to your account.
  4. In the menu bar, click Subscriptions to view and manage your subscriptions.

Revised on 2025-11-05 15:08:43 UTC

Legal Notice
リンクのコピー

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
トップに戻る
Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2025 Red Hat