apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: filter-ratelimit namespace: istio-system spec: configPatches: - applyTo: HTTP_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.http_connection_manager subFilter: name: envoy.filters.http.router patch: operation: INSERT_BEFORE value: name: envoy.filters.http.ratelimit typed_config: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit domain: default-ratelimit failure_mode_deny: true rate_limit_service: grpc_service: envoy_grpc: cluster_name: rate_limit_cluster timeout: 10s transport_api_version: V3 - applyTo: CLUSTER match: cluster: service: ratelimit.istio-system.svc.cluster.local patch: operation: ADD value: connect_timeout: 10s http2_protocol_options: {} lb_policy: ROUND_ROBIN load_assignment: cluster_name: rate_limit_cluster endpoints: - lb_endpoints: - endpoint: address: socket_address: address: ratelimit.istio-system.svc.cluster.local port_value: 8081 name: rate_limit_cluster type: STRICT_DNS workloadSelector: labels: istio: ingressgateway