Skip to main content
Version: 2.6.0

Protection

note

The following policy is based on the Service Protection with Average Latency Feedback blueprint.

Overview

The response times of a service start to deteriorate when the service's underlying concurrency limit is surpassed. Consequently, a degradation in response latency can serve as a reliable signal for identifying service overload. This policy is designed to detect overload situations based on latency deterioration. During overload, the request rate is throttled so that latency gets restored back to an acceptable range.

Configuration

This policy monitors the latency of requests processed by the cart-service.prod.svc.cluster.local service. It calculates the deviations in current latency from a baseline historical latency, which serves as an indicator of service overload. A deviation of 1.1 from the baseline is considered as a signal of service overload.

To mitigate service overload, the requests to cart-service.prod.svc.cluster.local service are passed through a load scheduler. The load scheduler reduces the request rate in overload scenarios, temporarily placing excess requests in a queue.

As service latency improves, indicating a return to normal operational state, the request rate is incrementally increased until it matches the incoming request rate. This responsive mechanism helps ensure that service performance is optimized while mitigating the risk of service disruptions due to overload.

# yaml-language-server: $schema=../../../../../../blueprints/policies/service-protection/average-latency/gen/definitions.json
# Generated values file for policies/service-protection/average-latency blueprint
# Documentation/Reference for objects and parameters can be found at:
# https://docs.fluxninja.com/reference/blueprints/policies/service-protection/average-latency

policy:
# Name of the policy.
# Type: string
# Required: True
policy_name: basic-service-protection
service_protection_core:
adaptive_load_scheduler:
load_scheduler:
# The selectors determine the flows that are protected by this policy.
# Type: []aperture.spec.v1.Selector
# Required: True
selectors:
- control_point: ingress
service: cart-service.prod.svc.cluster.local
latency_baseliner:
# Tolerance factor beyond which the service is considered to be in overloaded state. E.g. if EMA of latency is 50ms and if Tolerance is 1.1, then service is considered to be in overloaded state if current latency is more than 55ms.
# Type: float64
latency_tolerance_multiplier: 1.1
# Flux Meter defines the scope of latency measurements.
# Type: aperture.spec.v1.FluxMeter
# Required: True
flux_meter:
selectors:
- control_point: ingress
service: cart-service.prod.svc.cluster.local

Generated Policy

apiVersion: fluxninja.com/v1alpha1
kind: Policy
metadata:
annotations:
fluxninja.com/blueprint-name: policies/service-protection/average-latency
fluxninja.com/blueprints-uri: local
fluxninja.com/values:
'{"policy": {"latency_baseliner": {"flux_meter": {"selectors":
[{"control_point": "ingress", "service": "cart-service.prod.svc.cluster.local"}]},
"latency_tolerance_multiplier": 1.1000000000000001}, "policy_name": "basic-service-protection",
"service_protection_core": {"adaptive_load_scheduler": {"load_scheduler": {"selectors":
[{"control_point": "ingress", "service": "cart-service.prod.svc.cluster.local"}]}}}}}'
labels:
fluxninja.com/validate: "true"
name: basic-service-protection
spec:
circuit:
components:
- flow_control:
adaptive_load_scheduler:
dry_run: false
dry_run_config_key: dry_run
in_ports:
overload_confirmation:
constant_signal:
value: 1
setpoint:
signal_name: SETPOINT
signal:
signal_name: SIGNAL
out_ports:
desired_load_multiplier:
signal_name: DESIRED_LOAD_MULTIPLIER
observed_load_multiplier:
signal_name: OBSERVED_LOAD_MULTIPLIER
parameters:
alerter:
alert_name: Load Throttling Event
gradient:
max_gradient: 1
min_gradient: 0.1
slope: -1
load_multiplier_linear_increment: 0.0025
load_scheduler:
selectors:
- control_point: ingress
service: service1-demo-app.demoapp.svc.cluster.local
max_load_multiplier: 2
- query:
promql:
evaluation_interval: 10s
out_ports:
output:
signal_name: SIGNAL
query_string:
sum(increase(flux_meter_sum{flow_status="OK", flux_meter_name="basic-service-protection"}[30s]))/sum(increase(flux_meter_count{flow_status="OK",
flux_meter_name="basic-service-protection"}[30s]))
- arithmetic_combinator:
in_ports:
lhs:
signal_name: SIGNAL
out_ports:
desired_load_multiplier:
signal_name: DESIRED_LOAD_MULTIPLIER
observed_load_multiplier:
signal_name: OBSERVED_LOAD_MULTIPLIER
parameters:
alerter:
alert_name: Load Throttling Event
gradient:
max_gradient: 1
min_gradient: 0.1
slope: -1
load_multiplier_linear_increment: 0.0025
load_scheduler:
selectors:
- control_point: ingress
service: cart-service.prod.svc.cluster.local
max_load_multiplier: 2
- query:
promql:
evaluation_interval: 10s
out_ports:
output:
signal_name: MAX_EMA
- ema:
in_ports:
input:
signal_name: SIGNAL
max_envelope:
signal_name: MAX_EMA
out_ports:
output:
signal_name: SIGNAL_EMA
parameters:
correction_factor_on_max_envelope_violation: 0.95
ema_window: 1500s
warmup_window: 60s
- arithmetic_combinator:
in_ports:
lhs:
signal_name: SIGNAL_EMA
rhs:
constant_signal:
value: 1.1
operator: mul
out_ports:
output:
signal_name: SETPOINT
evaluation_interval: 10s
resources:
flow_control:
classifiers: []
flux_meters:
basic-service-protection:
selectors:
- control_point: ingress
service: cart-service.prod.svc.cluster.local

info

Circuit Diagram for this policy.

Policy is Action

To see the policy in action, the traffic is generated such that it starts within the service's capacity and then goes beyond the capacity after some time. Such a traffic pattern is repeated periodically. The below dashboard demonstrates that when latency spikes due to high traffic at cart-service.prod.svc.cluster.local, the controller throttles the rate of requests admitted into the service. This approach helps protect the service from becoming unresponsive and maintains the current latency within the tolerance limit (1.1) of historical latency.

Basic Service Protection

Dry Run Mode

You can run this policy in the Dry Run mode by setting the default_config.dry_run option to true. In the Dry Run mode, the policy does not throttle the request rate while still evaluating the decisions it would take in each cycle. This is useful for evaluating the policy without impacting the service.

note

The Dry Run mode can also be toggled dynamically at runtime, without reloading the policy.

Demo Video

The below demo video shows the basic service protection and workload prioritization policy in action within Aperture Playground.

Demo Video