Is your feature request related to a problem? Please describe.
Currently, Kuadrant/Limitador only exposes the limit_name label on the limited_calls metric (429 responses). For limited requests, the limited_calls and limited_hits metrics only provide the limitador_namespace.
This creates an observability gap: there is no way to monitor which specific rate limit rules are being applied to "healthy" traffic. If multiple limits are defined (e.g., different tiers for free-user vs premium-user), we cannot see the distribution of traffic across these rules until a limit is actually exceeded.
Describe the solution you'd like
I would like a label field added to the limit definition. When a when predicate resolves to true, this label (or the limit_name itself) should be attached to the resulting authorized_calls and authorized_hits Prometheus metrics.
Proposed Configuration:
premium-user:
# Proposed: adding this label to authorized metrics
labels:
tier: "premium"
counters:
- expression: auth.identity.userid
rates:
- limit: 100
window: 1m
when:
- predicate: 'auth.identity.groups_str.split(",").exists(g, g == "premium-user")'
Desired Outcome:
The ability to query:
authorized_calls{limit_name="premium-user", tier="premium"}
Describe alternatives you've considered
- Post-processing logs: Attempting to map Envoy logs to Limitador rules, which is high-overhead and doesn't scale well for real-time monitoring.
- Meta Data Processing In AuthPolicy: Technically possible but a messy solution when the thing I am interested in is the rule failed by the RateLimitPolicy/TokenRateLimitPolicy
Is your feature request related to a problem? Please describe.
Currently, Kuadrant/Limitador only exposes the
limit_namelabel on thelimited_callsmetric (429 responses). For limited requests, thelimited_callsandlimited_hitsmetrics only provide thelimitador_namespace.This creates an observability gap: there is no way to monitor which specific rate limit rules are being applied to "healthy" traffic. If multiple limits are defined (e.g., different tiers for
free-uservspremium-user), we cannot see the distribution of traffic across these rules until a limit is actually exceeded.Describe the solution you'd like
I would like a
labelfield added to thelimitdefinition. When awhenpredicate resolves to true, this label (or thelimit_nameitself) should be attached to the resultingauthorized_callsandauthorized_hitsPrometheus metrics.Proposed Configuration:
Desired Outcome:
The ability to query:
authorized_calls{limit_name="premium-user", tier="premium"}Describe alternatives you've considered