
fix: bound BackendTrafficPolicy rateLimit requests to uint32 max #8798

Merged
jukie merged 6 commits into envoyproxy:main from PatilHrushikesh:btp-validation
Apr 21, 2026

@PatilHrushikesh PatilHrushikesh commented Apr 20, 2026

What type of PR is this?

api: bound BackendTrafficPolicy rate limit requests to uint32 max

What this PR does / why we need it:

RateLimitValue.Requests is unbounded in the CRD but narrowed with an unchecked uint32(...) cast in the xDS translator. Since the RLS config proto (RateLimitPolicy.requests_per_unit) and Envoy's TokenBucket (max_tokens / tokens_per_fill) are uint32 on the wire, values above 4294967295 get silently truncated modulo 2^32 (e.g. 30000000000 -> 4230196224, ~14% of intent). This PR adds +kubebuilder:validation:Minimum=1 / Maximum=4294967295 to RateLimitValue.Requests, regenerates the CRDs and helm-template snapshots, and adds CEL validation coverage (boundary, above-max with the 30B repro value, zero, and the local-RL path). The existing uint32(...) narrowings in internal/xds/translator/ratelimit.go and internal/xds/translator/local_ratelimit.go are now safe by construction.

Which issue(s) this PR fixes:

Fixes #8797
Refs envoyproxy/ai-gateway#2012

Release Notes: Yes
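
The truncation described above next to a bounds-checked conversion, as an added Go example that is not part of this PR or the Envoy Gateway code base; the function names are hypothetical and the inputs are constructed. It goes slightly beyond the PR's repro value by including 4294967296, which an unchecked cast turns into 0.

```go
package main

import (
	"fmt"
	"math"
)

// narrowUnchecked reproduces the failure mode: a plain uint32(...) conversion
// keeps only the low 32 bits, i.e. the value modulo 2^32, and reports nothing.
// (Hypothetical helper name; not a function from the Envoy Gateway code base.)
func narrowUnchecked(requests uint64) uint32 {
	return uint32(requests)
}

// narrowChecked enforces the same bounds the PR adds as schema markers
// (Minimum=1, Maximum=4294967295) before converting, so a value that does not
// fit is rejected instead of being rewritten. (Hypothetical helper name.)
func narrowChecked(requests uint64) (uint32, error) {
	if requests < 1 || requests > math.MaxUint32 {
		return 0, fmt.Errorf("requests %d outside [1, %d]", requests, uint64(math.MaxUint32))
	}
	return uint32(requests), nil
}

func main() {
	// Constructed sample inputs: the boundary, one past it, and the 30B repro value.
	for _, r := range []uint64{4294967295, 4294967296, 30000000000} {
		v, err := narrowChecked(r)
		fmt.Printf("configured=%d unchecked=%d checked=%d err=%v\n", r, narrowUnchecked(r), v, err)
	}
}
```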


The RLS config proto (RateLimitPolicy.requests_per_unit) and Envoy's
TokenBucket (max_tokens / tokens_per_fill) are uint32 on the wire.
RateLimitValue.Requests was unbounded in the CRD and narrowed with an
unchecked uint32(...) cast in the xDS translator, so values above
4294967295 were silently truncated modulo 2^32 (e.g. 30000000000 -> 4230196224).

Add kubebuilder Minimum=1 / Maximum=4294967295 markers so such values are
rejected at admission with a clear schema error, and regenerate the CRDs
and helm-template snapshots. The existing uint32(...) narrowings are now
safe by construction.

Includes CEL validation coverage for the boundary, the above-max case
(using the 30B repro value), the zero case, and the local rate-limit path.

Fixes envoyproxy#8797
Refs envoyproxy/ai-gateway#2012

Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>
Made-with: Cursor
@PatilHrushikesh PatilHrushikesh marked this pull request as ready for review April 20, 2026 18:26
@PatilHrushikesh PatilHrushikesh requested a review from a team as a code owner April 20, 2026 18:26
@PatilHrushikesh PatilHrushikesh changed the title api: bound BackendTrafficPolicy rateLimit requests to uint32 max fix: bound BackendTrafficPolicy rateLimit requests to uint32 max Apr 20, 2026
Comment thread api/v1alpha1/ratelimit_types.go Outdated
Made-with: Cursor
Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>
Made-with: Cursor
Bumps one rule in backendtrafficpolicy-with-ratelimit (gatewayapi) and
multiple-rules (xds/translator RLS config) to 4294967295 to confirm the
uint32 boundary renders end-to-end as requests_per_unit: 4294967295
without wraparound. Addresses review feedback on envoyproxy#8798.

Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>
Comment thread api/v1alpha1/ratelimit_types.go Outdated
Comment on lines +438 to +442
// The value is bounded by the uint32 range because the upstream rate
// limit service config proto (RateLimitPolicy.requests_per_unit) and
// Envoy's local rate-limit TokenBucket (max_tokens / tokens_per_fill)
// are uint32 on the wire. Values above 4294967295 would otherwise be
// silently truncated modulo 2^32.

Can this be trimmed?

Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>

codecov Bot commented Apr 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.40%. Comparing base (56cc3f7) to head (1e56a27).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8798      +/-   ##
==========================================
- Coverage   74.43%   74.40%   -0.04%     
==========================================
  Files         245      245              
  Lines       38973    38973              
==========================================
- Hits        29010    28997      -13     
- Misses       7960     7970      +10     
- Partials     2003     2006       +3     


Signed-off-by: Hrushikesh Patil <hrushi2900@gmail.com>
Signed-off-by: Hrushikesh Patil <hrushi2900@gmail.com>
@jukie jukie requested review from a team April 21, 2026 00:39
@kkk777-7
Member

LGTM, thanks!


jukie commented Apr 21, 2026

Great, thanks!

@jukie jukie merged commit a7545ce into envoyproxy:main Apr 21, 2026
40 checks passed
@PatilHrushikesh PatilHrushikesh deleted the btp-validation branch April 21, 2026 06:13
skos-ninja pushed a commit to skos-ninja/envoy-gateway that referenced this pull request May 1, 2026
…oyproxy#8798)

* api: bound BackendTrafficPolicy rateLimit requests to uint32 max

The RLS config proto (RateLimitPolicy.requests_per_unit) and Envoy's
TokenBucket (max_tokens / tokens_per_fill) are uint32 on the wire.
RateLimitValue.Requests was unbounded in the CRD and narrowed with an
unchecked uint32(...) cast in the xDS translator, so values above
4294967295 were silently truncated modulo 2^32 (e.g. 30000000000 -> 4230196224).

Add kubebuilder Minimum=1 / Maximum=4294967295 markers so such values are
rejected at admission with a clear schema error, and regenerate the CRDs
and helm-template snapshots. The existing uint32(...) narrowings are now
safe by construction.

Includes CEL validation coverage for the boundary, the above-max case
(using the 30B repro value), the zero case, and the local rate-limit path.

Fixes envoyproxy#8797
Refs envoyproxy/ai-gateway#2012

Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>
Made-with: Cursor

* api: align rate-limit requests with uint32 limits

Made-with: Cursor
Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>
Made-with: Cursor

* test: exercise uint32 max in rate-limit testdata

Bumps one rule in backendtrafficpolicy-with-ratelimit (gatewayapi) and
multiple-rules (xds/translator RLS config) to 4294967295 to confirm the
uint32 boundary renders end-to-end as requests_per_unit: 4294967295
without wraparound. Addresses review feedback on envoyproxy#8798.

Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>

* api: trim RateLimitValue.Requests docstring

Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>

* xds/translator: drop redundant uint32 casts on RateLimitValue.Requests

Signed-off-by: Hrushikesh Patil <hrushi2900@gmail.com>

* fix lint and minor refactoring

Signed-off-by: Hrushikesh Patil <hrushi2900@gmail.com>

---------

Signed-off-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>
Signed-off-by: Hrushikesh Patil <hrushi2900@gmail.com>
Co-authored-by: Hrushikesh Patil <hrushikesh.patil@nutanix.com>
Signed-off-by: Jake Oliver <jake@truelayer.com>

Development

Successfully merging this pull request may close these issues.

BackendTrafficPolicy: rate limit requests silently truncated to uint32 (root cause of ai-gateway#2012 / ai-gateway#2066)
