@mandarjog
Last active November 29, 2016 08:12
ServerConfig WIP1
# vim: ts=2:sw=2
# Quoted so the value stays a string instead of being typed as an integer.
version: "2202"
# presumably the principal that owns this config - confirm how (and
# whether) the consumer enforces it
owner: cluster_admin
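cluster:
  # NOTE(review): this page lost its indentation; the nesting here is
  # reconstructed from key order and the inline comments. In particular
  # `adapters` could be a direct child of `cluster` rather than of
  # `aspects` - confirm against the author's original.
  rules:
    # selector * can be omitted
    # for particular selector downstream
    # ("*" has to stay quoted: a bare * starts a YAML alias)
    - selector: "*"
      aspects:
        factProviders:
          # fact providers extract facts from the request and the
          # environment and make them available to processing downstream
          # NOTE(review): facts read from the request are caller-supplied
          # unless something upstream authenticates them; the checks and
          # quotas keyed on src.* inherit that trust level.
          - kind: defaultProvider
            # extracts well-known facts from the request such as
            # src.IP, src.NAME etc
          - kind: k8sProvider
            # extracts k8s specific info
          # All downstream providers may add new facts or update
          # existing facts
        inputMappers:
          # input mappers use facts provided by factProviders
          # to map into the input space of adapters
          - kind: defaultMapper
            id: defaultMapper
          # defines a mapping syntax
          # as follows
          - kind: defaultMapper
            id: ipMapper-defaultMapper
            inputs: ["src.ip", "src.clientID"]
            mapping:
              # NOTE(review): the fallback puts a client ID into the same
              # `source` slot as an IP address; the ipwhitelist check that
              # uses this mapper then compares whichever one is present.
              # Confirm both values carry the same level of trust.
              source: src.ip || src.clientID
        adapters:
          # defines the available adapters along with config
          # defines how adapters are instantiated
          # Q should they be typed
          # subtypes? logging, monitoring, stats etc?
          # multiple implementations of statsd?
          report:
            - kind: statsd
              id: statsd-slow
              params:
                addr: "statsd:8125"
            - kind: statsd
              id: statsd-fast
              params:
                addr: "statsdfast:8125"
            # NOTE(review): the next two adapters have no `id`, yet a
            # server rule says `ref: prometheus`; presumably `kind` doubles
            # as the id when none is given - confirm.
            - kind: prometheus
            - kind: aws/cloudwatchmetrics
            - kind: mixologist.io/consumers/logsAdapter
              params:
                usedefault: true
                backends:
                  - mixologist.io/loggers/glog
                  - logging.googleapis.com/v2beta1/
                  - aws/cloudwatchlogs
          check:
            - kind: ipwhitelist
              id: ipwhitelist
              params:
                # NOTE(review): the allow-list is fetched over plain
                # http://, so its contents are neither authenticated nor
                # integrity-protected in transit. Prefer an authenticated
                # TLS endpoint, and decide whether the check fails closed
                # when the provider is unreachable.
                provider_url: http://mywhitelist
            - kind: genericwhitelist
              # checks the source name against
              # a list of regex expressions
              id: namewhitelist
              # defines white list that checks if source
              # is app1 from ns1 or ns2 namespaces
              params:
                # NOTE(review): read as regular expressions, `.` matches
                # any character and nothing anchors the pattern, so unless
                # the adapter anchors for you these can accept names
                # outside ns1/ns2 (constructed example: ns10.x.app1).
                # Consider escaping the dots and anchoring both ends,
                # e.g. '^ns1\..*\.app1$'.
                whitelist: ["ns1.*.app1", "ns2.*.app1"]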
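server:
  # NOTE(review): this page lost its indentation; the nesting here is
  # reconstructed from key order. The nested `rules` list and the
  # placement of the "purchases.demo" rule inside it are the least
  # certain parts - confirm against the author's original.
  rules:
    - selector: target.name == "*"
      aspects:
        report:
          - ref: statsd-slow
          # the cluster section declares `kind: prometheus` without an id;
          # presumably the kind is used as the ref target - confirm
          - ref: prometheus
        check:
          - ref: ipwhitelist
            mapper: ipMapper-defaultMapper
          - ref: namewhitelist
            mapper: defaultMapper
            inputs: [src.serviceid, src.podname]
            mapping:
              # NOTE(review): the name check falls back from service id to
              # pod name; confirm both are authenticated facts, otherwise
              # the weaker of the two decides the allow-list result.
              source: src.serviceid || src.podname
    - selector: target.name == "Service.Inventory.1"
      aspects:
        quota:
          # NOTE(review): no adapter with kind or id `ratelimiter` is
          # declared under the cluster adapters in this draft, so this ref
          # has nothing to resolve against yet.
          - ref: ratelimiter
            id: ratelimiter-region-user
            mapper: defaultMapper
            inputs: [target.region, src.user]
            params:
              limits:
                - key: region=${target.region};user=${src.user}
                  rate: 100/s
                - key: region=${target.region}
                  rate: 1000/s
        report:
          # everything same except replace adapter of kind statsd with
          # statsd-fast
          - ref: statsd-fast
            oprn: replace  # add(default)| remove | replace
            oprn-selector: kind==statsd  # can be wildcard
      rules:
        - selector: src.name == "Service.Shipping.1"
          aspects:
            quota:
              # NOTE(review): this raises both limits tenfold for one
              # caller, selected by src.name alone; it is only as strong
              # as the authentication behind src.name.
              - ref: ratelimiter-region-user
                params:
                  limits:
                    - key: region=${target.region};user=${src.user}
                      rate: 1000/s
                    - key: region=${target.region}
                      rate: 10000/s
        - selector: src.name == "purchases.demo"
          aspects:
            check:
              # deny rule keyed on src.name; the same caveat applies - a
              # caller that can present a different name is not blocked
              - kind: block
                params:
                  message: access denied by policy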
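client:
  # NOTE(review): this page lost its indentation; the nesting here is
  # reconstructed from key order - confirm against the author's original.
  rules:
    - selector: src.name == "Service.Shipping.1"
      rules:
        - selector: target.name == "Service.Inventory.1"
          aspects:
            quota:
              # NOTE(review): these limits sit in the `client` section and
              # are lower than the server-side ones for the same pair; if
              # they are applied by the calling side they depend on that
              # side's cooperation, so the server-side quota should be
              # treated as the enforcement point - confirm where this is
              # evaluated.
              - ref: ratelimiter-region-user
                params:
                  limits:
                    - key: region=${target.region};user=${src.user}
                      rate: 50/s
                    - key: region=${target.region}
                      rate: 500/s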