FEATURE RELEASE
IP allow/deny on Kubernetes, customizable rate limit responses
Ambassador Edge Stack and Ambassador API Gateway 1.8 available

We’re excited to announce the release of the Ambassador API Gateway and the Ambassador Edge Stack 1.8. This release adds support for IP allow/deny lists and setting rate limiting response bodies, along with several bug fixes.
IP allow/deny
Ambassador can now allow or deny connections based on source IP address. A denied request gets a 403 response with a body that says RBAC: access denied. The specific configuration of IP allow/deny is done in the Ambassador module:
    apiVersion: getambassador.io/v2
    kind: Module
    metadata:
      name: ambassador
    spec:
      config:
        ip_allow:
        - peer: 127.0.0.1
        - remote: 10.16.0.0/16
Or, an ip_deny example:
    apiVersion: getambassador.io/v2
    kind: Module
    metadata:
      name: ambassador
    spec:
      config:
        ip_deny:
        - peer: 99.99.99.0
        - remote: 10.16.0.0/16
Only one of ip_allow or ip_deny can be used at any time. This feature is supported with both IPv4 and IPv6. As seen above, CIDR ranges are also supported. The prefix part of the CIDR range must be a syntactically valid IP address.
The peer attribute ignores X-Forwarded-For and Proxy, while remote pays attention to both. This means that peer is typically only valid within a cluster.
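The following Python sketch is an added example, not Ambassador's or Envoy's code: it models how the ip_allow and ip_deny lists above decide a request, so the difference between peer and remote can be checked against sample traffic. The way remote is derived from X-Forwarded-For (the trusted_hops parameter), the function names and the request addresses are assumptions made for illustration; Proxy handling is not modelled.

```python
import ipaddress

DENIED = (403, "RBAC: access denied")  # response the page gives for a denied request
PASSED = (200, "")                     # stand-in for "forwarded to the upstream"

def remote_address(peer, xff, trusted_hops):
    """Assumed model: with N trusted hops the client address is the Nth entry
    from the right of X-Forwarded-For; with none, it is the connecting peer."""
    entries = [e.strip() for e in (xff or "").split(",") if e.strip()]
    if trusted_hops > 0 and len(entries) >= trusted_hops:
        return entries[-trusted_hops]
    return peer

def evaluate(config, peer, xff=None, trusted_hops=0):
    """Decide one request against the ip_allow or ip_deny list of a Module config."""
    if "ip_allow" in config and "ip_deny" in config:
        raise ValueError("only one of ip_allow or ip_deny can be used")
    mode = "ip_allow" if "ip_allow" in config else "ip_deny"
    seen = {
        "peer": ipaddress.ip_address(peer),
        "remote": ipaddress.ip_address(remote_address(peer, xff, trusted_hops)),
    }
    matched = False
    for rule in config.get(mode, []):
        kind, cidr = next(iter(rule.items()))           # one key per rule: peer or remote
        net = ipaddress.ip_network(cidr, strict=False)  # bare address = single host (assumption)
        if seen[kind] in net:                           # False when IPv4/IPv6 versions differ
            matched = True
            break
    permit = matched if mode == "ip_allow" else not matched
    return PASSED if permit else DENIED

# The two lists from the page, as the parsed spec.config mapping.
ALLOW = {"ip_allow": [{"peer": "127.0.0.1"}, {"remote": "10.16.0.0/16"}]}
DENY = {"ip_deny": [{"peer": "99.99.99.0"}, {"remote": "10.16.0.0/16"}]}

if __name__ == "__main__":
    # Constructed requests: (config, peer, X-Forwarded-For, trusted hops)
    for cfg, peer, xff, hops in [
        (ALLOW, "127.0.0.1", None, 0),
        (ALLOW, "10.0.0.5", "10.16.3.7", 1),
        (ALLOW, "10.0.0.5", "10.16.3.7", 0),
        (DENY, "99.99.99.1", None, 0),
        (DENY, "10.0.0.5", "10.16.3.7", 1),
    ]:
        print(peer, xff, hops, "->", evaluate(cfg, peer, xff, hops))
```

In this model a remote rule only sees the forwarded address when X-Forwarded-For is trusted, and a rule written as a bare address covers a single host rather than a range.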
RateLimit response body
Ambassador Edge Stack’s integrated rate limiting now supports configuring the response body. This is done as part of the RateLimit CRD. A new attribute, errorResponse, specifies the headers and body to return. The values of these are specified as Golang templates. For example:
    apiVersion: getambassador.io/v2
    kind: RateLimit
    metadata:
      name: ratelimit-with-body
    spec:
      domain: ambassador
      limits:
      - pattern: [{generic_key: minute}]
        rate: 30
        unit: minute
        errorResponse:
          headers:
          - name: "Content-Type"
            value: "application/json"
          - name: "X-Custom-Ratelimited"
            value: "true"
          bodyTemplate: |-
            {
              "httpStatus": "{{ .status_code }}",
              "requestId": "{{ .request_id }}",
              "message": "Too many requests. Please retry in {{ .RetryAfter }} seconds."
            }
Note that Content-Type is replaced if you specify the value in the header. Other header values are appended instead of replaced.
Additional Bug Fixes
Ambassador API Gateway and Ambassador Edge Stack
- Ambassador’s health checks don’t claim that Envoy has failed when reconfiguration is taking a long time (thanks, Fabrice, for contributions here!).
- The edgectl connect command now works properly when using zsh on a Linux platform.
- The container no longer exits “successfully” when the Deployment specifies an invalid command.
Ambassador Edge Stack only
- The External Filter can now properly proxy the body to the configured auth_service
- The RBAC for AES now grants permission to “patch” Events.v1.core (previously it granted “create” but not “patch”)
Get Started Today
The Ambassador Edge Stack is a complete superset of the open-source Ambassador API Gateway, with integrated support for rate limiting, authentication, filter management, and more. You can install the Ambassador Edge Stack in a few steps with the quick start.
Installing and Upgrading to 1.8
The latest versions of Ambassador are now available here:
- Ambassador API Gateway: https://hub.docker.com/r/datawire/ambassador
- Ambassador Edge Stack: https://hub.docker.com/r/datawire/aes
You can also install it with Helm.
    # Add repository and create namespace
    helm repo add datawire https://www.getambassador.io

    # Helm 3
    kubectl create namespace ambassador && helm install ambassador --namespace ambassador datawire/ambassador

    # Helm 2
    kubectl create namespace ambassador && helm install --name ambassador --namespace ambassador datawire/ambassador
To install the Ambassador Edge Stack, follow the quick start.