Skip to content

Implement Agent Workload API Rate Limiting and fix rootless image builds#6783

Closed
Pittu-Sharma wants to merge 2 commits intospiffe:mainfrom
Pittu-Sharma:agent-ratelimit-fix-5140
Closed

Implement Agent Workload API Rate Limiting and fix rootless image builds#6783
Pittu-Sharma wants to merge 2 commits intospiffe:mainfrom
Pittu-Sharma:agent-ratelimit-fix-5140

Conversation

@Pittu-Sharma
Copy link
Copy Markdown

@Pittu-Sharma Pittu-Sharma commented Mar 24, 2026

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality
Workload API (Agent), Server Middleware, and Image Build process.

Description of change
This PR adds rate limiting to the Agent Workload API and fixes failures when building images in restricted environments (e.g., rootless DinD).

Key updates:

  • Shared Ratelimit: Implementation refactored into a shared pkg/common/ratelimit package. It provides a thread-safe map with background garbage collection for inactive limiters.
  • Agent Middleware: Implemented gRPC interceptors for the Workload API. The middleware extracts caller identity (Pod UID on Linux, falling back to PID) to enforce per-workload limits.
  • Agent Configuration: Added workload_api_rate_limit to the agent configuration (HCL and CLI).
  • Cross-Platform Support: Platform-dependent logic is separated into ratelimit_posix.go and ratelimit_windows.go to ensure consistent builds across Linux and Windows.
  • Makefile Improvements: Updated the container-builder target to check for existing builders and introduced a BUILDX_BUILDER variable. This prevents failures in rootless environments where the default docker-container driver may lack necessary permissions (make images fails for rootless docker in docker #5140).

Which issue this PR fixes
Fixes #5140

@Pittu-Sharma
Implement Agent Workload API Rate Limiting and fix rootless image builds
76a346c 
- Implement shared ratelimit package with Map and GC
- Refactor server and agent middleware to use shared ratelimit
- Add WorkloadAPIRateLimit to agent configuration and CLI
- Update Makefile to support custom BUILDX_BUILDER and rootless DIND (spiffe#5140)
@Pittu-Sharma
Merge branch 'main' into agent-ratelimit-fix-5140
46713d4
@sorindumitru
Copy link
Copy Markdown
Collaborator

sorindumitru commented Mar 24, 2026

Hi @Pittu-Sharma, thanks for opening this PR. There's already one for this issue open, #6724, which is now going through some review cycles. We'll close this one in favour of that one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@sorindumitru sorindumitru Awaiting requested review from sorindumitru sorindumitru is a code owner

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

make images fails for rootless docker in docker

2 participants

@Pittu-Sharma @sorindumitru