I found the Docker container's veth on the host, and used the following command to limit the ingress bandwidth of the container.

tc qdisc add dev veth root tbf rate 200mbit latency 50ms burst 800000

It works. However, I have another container, both of them are having heavy ingress traffic. My NIC's capacity is 1000m. As I understand, the ingress traffic goes to docker0 bridge first, and then goes into veth then leaves through the peer inside the container(net namespace).

I assume there will be two 500mbps go through each veths(which is the case when not using tc), one of them shrinks to 200mbit due to tbf. I tested it to validate my assumption, but there is one 800mbps traffic and one 200 mbps traffic. I thought the tbf only works after the traffic hits the veth, but apparently I'm wrong. Which part leads to this result?