To define a quota rule, follow these steps:

1. Define a quota rule that uses quotahandler defined in the previous step and applies the rule only to users who are not logged in to the system:

# Script : 05-create-quota-rule.yaml

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
spec:
  # quota only applies if you are not logged in.
  match: match(request.headers["cookie"], "session=*") == false
  actions:
  - handler: quotahandler
    instances:
    - requestcountquota

2. Create the rule:

$ kubectl -n istio-system apply -f 05-create-quota-rule.yaml
rule.config.istio.io/quota created

The rule quota created in the preceding, tells Istio Mixer to invoke the memquota handler and pass the quota instance object, requestcountquota. This maps the dimensions from the quota template to memquota.

Browse to https://bookinfo.istio.io/productpage and refresh the page several times and you will receive the message RESOURCE_EXHAUSTED:Quota is exhausted for requestcountquota intermittently.

Click Sign-in to log in as any user. A session request cookie is set for the logged-in user. Refresh the https://bookinfo.istio.io/productpage page several times, and you will not see any quota exhausted messages as the logged-in user is not subjected to the rate limits. In real life, we would use a JWT for authenticated users instead of a session request cookie, since we have logged-in user information. 

We will now remove the override for productpage to limit five requests per second for the next exercise.

3. Define quotahandler by removing the override for productpage—compare with the 04-create-memquota-handler.yaml script:

# Script : 06-modify-memquota-handler.yaml

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: quotahandler
spec:
  compiledAdapter: memquota
  params:
    quotas:
    - name: requestcountquota.instance.istio-system
      maxAmount: 500
      validDuration: 1s
      overrides:
      - dimensions:
          destination: reviews
        maxAmount: 1
        validDuration: 5s

4. Modify quotahandler and remove the second override:

$ kubectl -n istio-system apply -f 06-modify-memquota-handler.yaml
handler.config.istio.io/quotahandler configured

After learning the three-step process of quota implementation (instance definition, QuotaSpec, QuotaSpecBinding), we will go through the process of controlling access to a service.