
Conversation

@prashanthjos
Contributor

Add per-host connection limits to DestinationRule

Description

This PR adds support for per-host connection limits in the API by introducing a new perHostLimits field to ConnectionPoolSettings. This feature aligns with Envoy's per_host_thresholds capability for circuit breakers.

Motivation

Currently, Istio's DestinationRule only allows setting a global connection limit for the entire cluster, independent of the number of endpoints. This makes it difficult to properly manage concurrency for destination services, especially in autoscaling scenarios where the number of replicas changes dynamically.

Per-host connection limits allow controlling connections to each individual endpoint, which:

  • Prevents overload of individual hosts
  • Manages concurrency properly in autoscaling scenarios
  • Maintains healthy connection limits without hitting overloaded applications

The underlying Envoy cluster circuit breaker already has this per_host_thresholds capability. Other Envoy-based tools (Envoy Gateway, Contour) have already added this support.

Example Usage

apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: reviews-per-host-limits
spec:
  host: reviews.prod.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      perHostLimits:
        tcp:
          maxConnections: 10

Limitations

Currently only the maxConnections field is supported for per-host limits, as per Envoy's circuit breaker implementation. Other fields in TCPSettings will be ignored.

Testing

Generated CRD files successfully with make gen
Test case not included due to CRD validation cost limits (will be validated in istio/istio integration)

Fixes #57697
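As an added illustration, not code from this PR, Istio or Envoy, the following Python toy model of the admission decision shows the difference the description argues for: with only the cluster-wide tcp.maxConnections of 100 from the example above, two replicas left after a scale-down can each absorb far more than 10 connections, whereas the perHostLimits cap of 10 rejects the excess at each endpoint. The host names, the skewed connection schedule and the order in which the two caps are checked are constructed assumptions; nothing of Envoy's real circuit breaker beyond the two counters is modelled.

```python
"""Toy model of cluster-wide vs per-host connection limits.

Constructed illustration (not Envoy's or Istio's code): admission of a new
upstream connection under a global cluster cap (tcp.maxConnections) and an
optional per-host cap (perHostLimits.maxConnections), using the numbers from
the DestinationRule example in the PR description (100 global, 10 per host).
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConnectionPool:
    hosts: list[str]                      # upstream endpoints (constructed names)
    max_connections: int                  # cluster-wide cap (tcp.maxConnections)
    per_host_max: Optional[int] = None    # perHostLimits.maxConnections; None = no per-host cap
    active: Counter = field(default_factory=Counter)    # open connections per host
    rejected: Counter = field(default_factory=Counter)  # refused attempts per host

    def total(self) -> int:
        return sum(self.active.values())

    def admit(self, host: str) -> bool:
        """Open a connection to `host` unless the global or per-host cap is exhausted.

        Check order (global first, then per-host) is an assumption of this model.
        """
        if host not in self.hosts:
            raise ValueError(f"unknown host {host}")
        if self.total() >= self.max_connections:
            self.rejected[host] += 1
            return False
        if self.per_host_max is not None and self.active[host] >= self.per_host_max:
            self.rejected[host] += 1
            return False
        self.active[host] += 1
        return True

    def release(self, host: str) -> None:
        """Close one connection to `host` (no-op if none are open)."""
        if self.active[host] > 0:
            self.active[host] -= 1


def drive(pool: ConnectionPool, schedule: list[str]) -> dict[str, int]:
    """Attempt one new connection per entry of `schedule`; return open count per host."""
    for host in schedule:
        pool.admit(host)
    return dict(pool.active)


def scaled_down_scenario(per_host_max: Optional[int] = None) -> tuple[dict, dict]:
    """Deployment scaled from many replicas down to 2; cluster-wide cap stays 100.

    Returns (open connections per host, rejected attempts per host).
    """
    pool = ConnectionPool(hosts=["reviews-a", "reviews-b"], max_connections=100,
                          per_host_max=per_host_max)
    # Constructed, skewed schedule: 60 attempts to host a, 40 to host b
    # (e.g. what a sticky or hash-based load balancer could produce).
    schedule = ["reviews-a"] * 60 + ["reviews-b"] * 40
    drive(pool, schedule)
    return dict(pool.active), dict(pool.rejected)


if __name__ == "__main__":
    # Global cap only: every attempt is admitted, so each host holds far more than 10.
    print("global only :", scaled_down_scenario())
    # With perHostLimits.maxConnections = 10: each host is capped, the rest is refused.
    print("per-host 10 :", scaled_down_scenario(per_host_max=10))
```

The rejected counter marks the point at which a per-host circuit breaker would start refusing new connections to that endpoint; a global cap of 100 never trips here because the two hosts together stay at exactly 100, which is the situation the description calls "hitting overloaded applications".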

@prashanthjos prashanthjos requested a review from a team as a code owner December 13, 2025 22:38
@istio-policy-bot

🤔 🐛 You appear to be fixing a bug in Go code, yet your PR doesn't include updates to any test files. Did you forget to add a test?

Courtesy of your friendly test nag.

@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Dec 13, 2025
Add perHostLimits field to ConnectionPoolSettings to enable per-host connection limits for individual endpoints in a cluster. This aligns with Envoy's per_host_thresholds capability and is useful for preventing endpoint overload in autoscaling scenarios.

Currently only maxConnections field is supported per Envoy's implementation.

Fixes #57697
message PerHostLimits {
  // Maximum number of connections to each individual host in the upstream cluster.
  // If not specified, there is no per-host limit.
  int32 max_connections = 1;
}
Contributor Author

This uses a simplified structure with a single max_connections field rather than reusing TCPSettings to avoid exceeding Kubernetes CRD validation cost limits. The TCPSettings message contains multiple Duration fields with CEL validation rules that would double the validation cost when reused here, causing the total schema validation cost to exceed Kubernetes limits by ~9%. Since Envoy only supports max_connections for per-host limits currently, this simplified structure provides the same functionality while staying within CRD validation budgets.
