- Updated: March 18, 2026
- 4 min read
# Embedding the OpenClaw Rating API Edge Token‑Bucket Limiter into Istio with OPA Policies
*Published by Senior Engineer – ubos.tech*

---
## Introduction
The OpenClaw Rating API Edge now ships with a **token‑bucket rate‑limiter** and a ready‑to‑use **OPA integration**. This guide walks you through a production‑ready, step‑by‑step deployment that embeds the limiter into an **Istio service mesh**. You’ll get:
* OPA policy templates for the limiter
* Deployment YAML for the OpenClaw sidecar
* Istio `EnvoyFilter` configuration
* Full code snippets and a single contextual internal link to the host‑OpenClaw tutorial.

---
## Prerequisites
| Requirement | Version |
|-------------|---------|
| Kubernetes | ≥1.22 |
| Istio | ≥1.15 |
| OpenClaw | v2.4+ (Edge token‑bucket release) |
| OPA Gatekeeper | ≥3.9 |
Make sure `kubectl` and `istioctl` are installed and you have cluster admin rights.

---
## 1. Deploy OpenClaw Rating API Edge
Create a namespace and apply the official Helm chart (or the YAML below). The chart includes the new **`rate‑limiter`** container.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openclaw
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openclaw-edge
  namespace: openclaw
spec:
  replicas: 2
  selector:
    matchLabels:
      app: openclaw-edge
  template:
    metadata:
      labels:
        app: openclaw-edge
      annotations:
        # Required by the Gatekeeper constraint in step 2, which rejects
        # pods in this namespace that lack the annotation.
        openclaw.ratelimit: "true"
    spec:
      containers:
        - name: openclaw
          # Pin a version tag or digest in production; :latest is not reproducible.
          image: ghcr.io/openclaw/rating-api-edge:latest
          ports:
            - containerPort: 8080
          env:
            - name: RATE_LIMITER_MODE
              value: "token_bucket"
            - name: TOKEN_BUCKET_CAPACITY
              value: "1000"
            - name: TOKEN_BUCKET_REFILL_RATE
              value: "100"
```
Apply with:
```bash
kubectl apply -f openclaw-deployment.yaml
```

---
## 2. Install OPA Gatekeeper and Load Policy Templates
```bash
# Installs from the master branch; pin a released tag for reproducible installs.
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
```
Create a `ConstraintTemplate` that ships the OpenClaw limiter policy (the template is part of the recent OPA integration release):
```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: openclawratelimit
spec:
  crd:
    spec:
      names:
        kind: OpenClawRateLimit
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package openclaw.ratelimit

        # A pod violates the policy when it does not opt in to the limiter;
        # the original rule fired on pods that *had* the annotation, which
        # contradicted its own message.
        violation[{"msg": msg}] {
          not has_ratelimit_annotation
          msg := "OpenClaw rate-limit annotation required"
        }

        has_ratelimit_annotation {
          input.review.object.metadata.annotations["openclaw.ratelimit"] == "true"
        }
```
Apply the template:
```bash
kubectl apply -f openclaw-constrainttemplate.yaml
```
Create a `Constraint` that enforces the policy on the `openclaw` namespace:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: OpenClawRateLimit
metadata:
  # Kubernetes object names must be DNS-1123 labels: ASCII hyphens only.
  name: openclaw-rate-limit-enforce
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["openclaw"]
```

---
## 3. Configure Istio EnvoyFilter to Forward Rate‑Limit Headers
The OpenClaw edge service emits `X-RateLimit-Limit`, `X-RateLimit-Remaining`, and `X-RateLimit-Reset` headers. Add an `EnvoyFilter` so that downstream services can read them.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: openclaw-rate-limit-header
  # istio-system is the root namespace, so this filter applies mesh-wide;
  # add a workloadSelector if you want to scope it to the OpenClaw workload.
  namespace: istio-system
spec:
  configPatches:
    # request_headers_to_add is a RouteConfiguration field, not an
    # HttpConnectionManager field, so patch the inbound route configuration.
    - applyTo: ROUTE_CONFIGURATION
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          portNumber: 8080
      patch:
        operation: MERGE
        value:
          request_headers_to_add:
            - header:
                key: x-ratelimit-limit
                value: "%REQ(x-ratelimit-limit)%"
              # Overwrite instead of the default append, which would duplicate the value.
              append_action: OVERWRITE_IF_EXISTS_OR_ADD
            - header:
                key: x-ratelimit-remaining
                value: "%REQ(x-ratelimit-remaining)%"
              append_action: OVERWRITE_IF_EXISTS_OR_ADD
            - header:
                key: x-ratelimit-reset
                value: "%REQ(x-ratelimit-reset)%"
              append_action: OVERWRITE_IF_EXISTS_OR_ADD
```
Apply the filter:
```bash
kubectl apply -f istio-rate-limit-filter.yaml
```

---
## 4. Verify the End‑to‑End Flow
1. Deploy a test client in the mesh (this assumes the `demo` namespace exists and has sidecar injection enabled, so the pod actually joins the mesh):

   ```yaml
   apiVersion: v1
   kind: Pod
   metadata:
     name: curl-client
     namespace: demo
   spec:
     containers:
       - name: curl
         image: curlimages/curl:latest
         command: ["sleep", "infinity"]
   ```

2. Exec into the pod and hit the OpenClaw endpoint:

   ```bash
   kubectl exec -n demo -it curl-client -- curl -i http://openclaw-edge.openclaw.svc.cluster.local:8080/rate
   ```

   You should see the rate‑limit headers and a `429` response once the bucket is exhausted.
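Before running that check it helps to see where those headers come from. The following is an added example, not OpenClaw's code: a small Python model of a token bucket that takes the same `TOKEN_BUCKET_CAPACITY` and `TOKEN_BUCKET_REFILL_RATE` knobs as the Deployment, emits the three `X-RateLimit-*` headers, and answers `429` once the bucket is drained. It assumes the refill rate is in tokens per second and that `X-RateLimit-Reset` counts seconds until a token is available again; the page does not state OpenClaw's exact semantics.

```python
import math
import os


class TokenBucket:
    def __init__(self, capacity, refill_rate, now=0.0):
        if refill_rate <= 0:
            raise ValueError("refill rate must be positive")
        self.capacity = capacity        # TOKEN_BUCKET_CAPACITY: burst size
        self.refill_rate = refill_rate  # TOKEN_BUCKET_REFILL_RATE: tokens per second (unit assumed)
        self.tokens = float(capacity)   # bucket starts full
        self.last = now                 # time of the last refill, in seconds

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_rate)
        self.last = now

    def handle(self, now, cost=1):
        """Serve one request at time `now`; return (status, rate-limit headers)."""
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            status = 200
        else:
            status = 429  # exhausted: reject rather than letting tokens go negative
        deficit = max(0.0, cost - self.tokens)
        # Reset is modelled as whole seconds until `cost` tokens are available again
        # (0 while tokens remain); this is a constructed convention, not OpenClaw's.
        reset = math.ceil(deficit / self.refill_rate) if deficit > 0 else 0
        headers = {
            "X-RateLimit-Limit": str(self.capacity),
            "X-RateLimit-Remaining": str(int(self.tokens)),
            "X-RateLimit-Reset": str(reset),
        }
        if status == 429:
            headers["Retry-After"] = str(reset)  # lets a well-behaved client back off
        return status, headers


def bucket_from_env():
    """Build a bucket from the same env vars the Deployment sets (defaults match it)."""
    return TokenBucket(capacity=int(os.environ.get("TOKEN_BUCKET_CAPACITY", "1000")),
                       refill_rate=float(os.environ.get("TOKEN_BUCKET_REFILL_RATE", "100")))


def burst(bucket, n, now):
    """Fire n requests at the same instant; return (accepted, rejected) counts."""
    codes = [bucket.handle(now)[0] for _ in range(n)]
    return codes.count(200), codes.count(429)
```

With the Deployment's values, `burst(bucket_from_env(), 1500, 0.0)` returns `(1000, 500)`: the capacity bounds the burst, and only the refill rate governs sustained throughput afterwards.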

---
## 5. Publish the Guide
This completes the guide, including the OPA policy templates and the Istio `EnvoyFilter`. For a deeper walkthrough of hosting OpenClaw on ubos.tech, see the dedicated article:
[How to Host OpenClaw on ubos.tech](https://ubos.tech/host-openclaw/)

---
## Conclusion
By combining **OpenClaw’s token‑bucket limiter**, **OPA Gatekeeper**, and **Istio’s EnvoyFilter**, you gain fine‑grained, policy‑driven rate limiting that scales with your service mesh. The approach is declarative, version‑controlled, and fits naturally into a GitOps workflow.
Feel free to open an issue on the OpenClaw GitHub repo if you run into any challenges.

---
*Happy coding!*