Audit out endpoints and ensure everything has a defined rate limit (even if quite large)
For registry operations, these were the numbers found at time the PR was written: download_blob 108 per second across fleet v2_auth 180 per second across fleet catalog 1 per second across fleet fetch_manifest 205 per second across fleet list_all_tags 150 per second across fleet With an average fleet size of 25. As a result, we went with a registry limit of 10r/s (10 * 25 = 250 requests) to bound even the most prolific puller. Fixes https://jira.coreos.com/browse/QUAY-976
This commit is contained in:
Joseph Schorr
parent
f6ff0d6ca0
commit
1d94e4d605
2 changed files with 13 additions and 3 deletions
|
|
@ -8,7 +8,9 @@ map $http_authorization $registry_bucket {
|
||||||
}
|
}
|
||||||
|
|
||||||
limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s;
|
limit_req_zone $proxy_protocol_addr zone=verbs:10m rate=1r/s;
|
||||||
|
limit_req_zone $registry_bucket zone=api:10m rate=1r/s;
|
||||||
limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
|
limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
|
||||||
limit_req_zone $registry_bucket zone=catalog:10m rate=10r/m;
|
limit_req_zone $registry_bucket zone=catalog:10m rate=20r/m;
|
||||||
|
limit_req_zone $registry_bucket zone=registry:10m rate=10r/s;
|
||||||
limit_req_status 429;
|
limit_req_status 429;
|
||||||
limit_req_log_level warn;
|
limit_req_log_level warn;
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,6 @@ location ~ ^/_storage_proxy/([^/]+)/([^/]+)/([^/]+)/(.+) {
|
||||||
proxy_read_timeout 60s;
|
proxy_read_timeout 60s;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
location = /_storage_proxy_auth {
|
location = /_storage_proxy_auth {
|
||||||
proxy_pass http://web_app_server;
|
proxy_pass http://web_app_server;
|
||||||
proxy_pass_request_body off;
|
proxy_pass_request_body off;
|
||||||
|
|
@ -78,7 +77,7 @@ location ~ ^/(v1/repositories|v2/auth)/ {
|
||||||
location ~ ^/v2/_catalog(.*)$ {
|
location ~ ^/v2/_catalog(.*)$ {
|
||||||
proxy_pass http://registry_app_server;
|
proxy_pass http://registry_app_server;
|
||||||
proxy_read_timeout 10;
|
proxy_read_timeout 10;
|
||||||
limit_req zone=catalog;
|
limit_req zone=catalog burst=5;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /secscan/ {
|
location /secscan/ {
|
||||||
|
|
@ -105,6 +104,11 @@ location ~ ^/cnr {
|
||||||
limit_req zone=repositories burst=10;
|
limit_req zone=repositories burst=10;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
location ~ ^/api {
|
||||||
|
proxy_pass http://web_app_server;
|
||||||
|
limit_req zone=api burst=5;
|
||||||
|
}
|
||||||
|
|
||||||
location ~ ^/api/suconfig {
|
location ~ ^/api/suconfig {
|
||||||
proxy_pass http://web_app_server;
|
proxy_pass http://web_app_server;
|
||||||
|
|
||||||
|
|
@ -140,6 +144,8 @@ location ~ ^/v2 {
|
||||||
proxy_temp_path /tmp 1 2;
|
proxy_temp_path /tmp 1 2;
|
||||||
|
|
||||||
client_max_body_size {{ maximum_layer_size }};
|
client_max_body_size {{ maximum_layer_size }};
|
||||||
|
|
||||||
|
limit_req zone=registry burst=100;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/v1 {
|
location ~ ^/v1 {
|
||||||
|
|
@ -158,6 +164,8 @@ location ~ ^/v1 {
|
||||||
proxy_temp_path /tmp 1 2;
|
proxy_temp_path /tmp 1 2;
|
||||||
|
|
||||||
client_max_body_size {{ maximum_layer_size }};
|
client_max_body_size {{ maximum_layer_size }};
|
||||||
|
|
||||||
|
limit_req zone=registry burst=100;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /v1/_ping {
|
location /v1/_ping {
|
||||||
|
|
|
||||||
Reference in a new issue