Add a Kill Request HTTP filter

[qqustc]

Title: Add a Kill Request HTTP filter which can crash Envoy when enabled by a Kill request

Description:

We plan to add a KillRequest HTTP filter which can crash Envoy when receiving a Kill request. It will be used to fault inject kill request to Envoy and measure the blast radius.
The new KillRequest filter will be disabled at build time by default in Envoy by comment out the KillRequest filter extension in extensions_build_config.bzl

KillRequest API

KillRequest filter can be configured through the KillRequest proto:

// Configuration for KillRequest filter.
// [#next-free-field: 2]
message KillRequest {
  // The probability that a Kill request will be triggered.
  type.v3.FractionalPercent probability = 1;
}

Users can specify the probability of Envoy being killed by a Kill request in KillRequest proto. The motivation for the probabilistic feature is to measure how fast the Envoy pool can recover and how many requests will fail during Envoy is down when clients are sending requests to a large Envoy pool with small probability of killing Envoy.

Header Control

The KillRequest filter will be controlled via HTTP header x-envoy-kill-request. The header value must be one of (case-insensitive) ["true", "t", "yes", "y", "1"] in order for the request to be a Kill request.

To summarize, Envoy will be crashed by a Kill request if all of the following conditions are satisfied:

• x-envoy-kill-request header must be present with header value in one of (case-insensitive) ["true", "t", "yes", "y", "1"]
• A random process determines the KillRequest filter is enabled with probability configured in KillRequest proto.

If KillRequest filter is not enabled, the filter does nothing and passes on the request to the next filter.

\cc @htuch

[mattklein123]

I'm a little skeptical this has enough utility to be a standalone filter. Could this be done out of band by just sending an abort signal? Or is the idea that you want it to be in the request path? Alternatively could we add ab abort() function to Lua?

[qqustc]

I'm a little skeptical this has enough utility to be a standalone filter. Could this be done out of band by just sending an abort signal? Or is the idea that you want it to be in the request path? Alternatively could we add ab abort() function to Lua?

Thanks Matt. The reason we want it to be a standalone filter is to be able to easily disable the filter extension at build time so that users don't accidentally turn it on to crash Envoy. Yes, we want it to be in the request path so that we can send requests to a large pool of Envoys with different probability of killing Envoy.

[mattklein123]

With an abort() function in Lua couldn't you do pretty much what you need? You would control the Lua scripts that get run?

If that's not going to work no major objection from me, I'm just skeptical this is going to get very wide use to justify maintaining this in the upstream tree vs. as a private filter.

[qqustc]

Thanks Matt for the note. Another reason to implement it in Envoy is to provide an universal OSS API for our users to inject the kill request.

[htuch]

@mattklein123 we don't run Lua so that's not an option, so this needs to be a C++ filter. The question is whether this is going to be found useful by anyone else or we should maintain this ourselves.

[mattklein123]

Dunno. I don't have a strong opinion. I'm fine either way.

[antoniovicente]

I could see an admin API hook that can be config enabled and provides a way to cause a misbehaving proxy to abort().

Is accepting the request on the serving port instead of the admin port a hard requirement?

[qqustc]

I could see an admin API hook that can be config enabled and provides a way to cause a misbehaving proxy to abort().

Is accepting the request on the serving port instead of the admin port a hard requirement?

Thanks Antonio.
The hard requirement is to simulate a misbehaving users sending a kill request and simulate noisy-neighbor scenarios in a multi-tenent setup so to us it seems the serving port is the ideal way to simulate that. We will ensure that the filer is not built into the binary by default to mitigate the concern of misbehaving admin hook