Contour · Rate Limits
Contour Rate Limits
Contour itself is a Kubernetes ingress controller; its primary "API surface" is a set of Kubernetes Custom Resource Definitions (HTTPProxy, ContourConfiguration, ExtensionService) consumed in-cluster via the kube-apiserver. There is no Contour-hosted public API that imposes its own per-second request limits. Contour does, however, provide rate-limiting capabilities for the ingress traffic it manages - via local rate limiting (Envoy token-bucket) and global rate limiting (delegated to an external rate-limit service over Envoy's gRPC ratelimit protocol). Those are operator-configured limits applied to incoming HTTP traffic, not limits on the Contour API itself.
3 Limits
EnvoyIngress ControllerKubernetesNetworkingOpen SourceProxyRate Limiting
Limits
Kubernetes API server limits cluster
governed by kube-apiserver
Contour CRDs are read and written via the cluster's kube-apiserver, so the effective limits are whatever the operator's APIServer configures (e.g. priority and fairness, max-mutating-requests-inflight).
Local (per-vhost) rate limiting vhost
operator-configured
Configured on HTTPProxy via spec.virtualhost.rateLimitPolicy.local; uses Envoy's token-bucket filter. Numeric values are set per deployment.
Global rate limiting descriptor
operator-configured
Delegated to an external rate-limit service (e.g. Envoy ratelimit) configured via ExtensionService and HTTPProxy rate-limit descriptors.
Policies
Operator-configured, not hosted
Contour does not enforce per-second limits on its own control-plane APIs. Rate limits are configured by the operator on the data path (Envoy) and apply to ingress HTTP traffic, not to the Contour CRD API.
Local vs Global
Local rate limiting runs in each Envoy proxy with no external dependency; global rate limiting consults a shared rate-limit service so multiple Envoys can share a budget.
Backoff and 429
When an operator-configured limit is hit, Envoy returns HTTP 429; clients should honor the Retry-After header if the rate-limit service emits one.