Contour · Rate Limits

Contour Rate Limits

Contour itself is a Kubernetes ingress controller; its primary "API surface" is a set of Kubernetes Custom Resource Definitions (HTTPProxy, ContourConfiguration, ExtensionService) consumed in-cluster via the kube-apiserver. There is no Contour-hosted public API that imposes its own per-second request limits. Contour does, however, provide rate-limiting capabilities for the ingress traffic it manages - via local rate limiting (Envoy token-bucket) and global rate limiting (delegated to an external rate-limit service over Envoy's gRPC ratelimit protocol). Those are operator-configured limits applied to incoming HTTP traffic, not limits on the Contour API itself.

Contour Rate Limits is the machine-readable rate-limit profile for Contour on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 3 rate-limit definitions, measuring varies and requests_per_second.

The profile also includes 3 backoff/retry policies defined.

Tagged areas include Envoy, Ingress Controller, Kubernetes, Networking, and Open Source.

3 Limits
EnvoyIngress ControllerKubernetesNetworkingOpen SourceProxyRate Limiting

Limits

Kubernetes API server limits cluster
varies
governed by kube-apiserver
Contour CRDs are read and written via the cluster's kube-apiserver, so the effective limits are whatever the operator's APIServer configures (e.g. priority and fairness, max-mutating-requests-inflight).
Local (per-vhost) rate limiting vhost
requests_per_second
operator-configured
Configured on HTTPProxy via spec.virtualhost.rateLimitPolicy.local; uses Envoy's token-bucket filter. Numeric values are set per deployment.
Global rate limiting descriptor
requests_per_second
operator-configured
Delegated to an external rate-limit service (e.g. Envoy ratelimit) configured via ExtensionService and HTTPProxy rate-limit descriptors.

Policies

Operator-configured, not hosted
Contour does not enforce per-second limits on its own control-plane APIs. Rate limits are configured by the operator on the data path (Envoy) and apply to ingress HTTP traffic, not to the Contour CRD API.
Local vs Global
Local rate limiting runs in each Envoy proxy with no external dependency; global rate limiting consults a shared rate-limit service so multiple Envoys can share a budget.
Backoff and 429
When an operator-configured limit is hit, Envoy returns HTTP 429; clients should honor the Retry-After header if the rate-limit service emits one.

Sources