[NPM] Windows Policy Manager changes for OS22 #1062
Conversation
| for setName := range iMgr.toDeleteCache { | ||
| _, ok := iMgr.toAddOrUpdateCache[setName] | ||
| if ok { | ||
| delete(iMgr.toDeleteCache, setName) |
There was a problem hiding this comment.
do not delete but Log an error to make sure everything is working as expected
huntergregory
left a comment
huntergregory
left a comment
There was a problem hiding this comment.
added nitpicks. might follow up after reading the rest
| } | ||
| } | ||
|
|
||
| if !acl.checkIPSets() { |
There was a problem hiding this comment.
confused what checkIPSets is supposed to do since it looks at more than namedports
There was a problem hiding this comment.
This is checking if any of the unsupported translation features are used for ACL, if so we will ignore applying this policy
There was a problem hiding this comment.
I guess to clarify I'm confused why we return ErrNamedPortsNotSupported when the check looks at more than named ports
huntergregory
left a comment
huntergregory
left a comment
There was a problem hiding this comment.
notes on policymanager
| } | ||
|
|
||
| func (epBuilder *endpointPolicyBuilder) compareAndRemovePolicies(rulesToRemove []*NPMACLPolSettings) error { | ||
| lenOfRulesToRemove := len(rulesToRemove) |
There was a problem hiding this comment.
Should we do this more efficiently? current runtime is O(R A^2) where R is # to remove and A is total # acls. Could also update next iteration
There was a problem hiding this comment.
We could make it O(R A) w/ a linked list for the builder [O(1) removal], or O(R) w/ a set for the builder [O(1) removal and existence check]
There was a problem hiding this comment.
Optimized it to be o(n) now, We will not be using unique ID for all policies, we can get away with using unique for a group of ACL generated from one network policy
| } | ||
| } | ||
| } | ||
| if lenOfRulesToRemove > 0 { |
There was a problem hiding this comment.
can just return an error if it doesn't exist in loop if we don't care about how many don't exist
huntergregory
left a comment
huntergregory
left a comment
There was a problem hiding this comment.
notes on ipsetmanager
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
when do we want to delete ipsets from our overall cache? Curious about the bolded situation below. For ApplyOnNeed ipset mode, should we remove the ipset from the overall cache if references become 0? Since creating an empty ipset basically costs the same as checking if it exists, I think we would work at the same speed with optimal memory usage. Also noticing that if we use the ApplyOnNeed mode, then we would never need to use a CreateIPSet() or DeleteIPSet() call. the contract for DP around policies is:
|
|
@huntergregory As we discussed offline, i am inline with proactively deleting an IPSet when it has no references and no memebers. On a removeFromSets, RemoveFromLists call at the end, we can check for ipset.CanBeDeleted() and if yes add it to delete cache, Anyway when the controller needs this ipsets, it is going to either create, or our AddTo* calls will create ipset if needed. |
| idx := 0 | ||
| policySettingsOrder := []hcn.SetPolicyType{SetPolicyTypeNestedIPSet, hcn.SetPolicyTypeIpSet} | ||
| if operation == hcn.RequestTypeRemove { | ||
| policySettingsOrder = []hcn.SetPolicyType{hcn.SetPolicyTypeIpSet, SetPolicyTypeNestedIPSet} |
There was a problem hiding this comment.
Add comments here
Update to delete from cache when we delete from kernel in another PR |
huntergregory
left a comment
huntergregory
left a comment
There was a problem hiding this comment.
looks good. Can we move some policy checks to generic pMgr? (noted in comments)
| // or a single HNS rule in windows | ||
| type ACLPolicy struct { | ||
| // PolicyID is the rules name with a given network policy | ||
| // PolicyID will be same for all ACLs in a Network Policy |
There was a problem hiding this comment.
do we ever use this back-reference?
There was a problem hiding this comment.
Yes we are using this policyId in policymanager windows, to equate what policies are applied in HNS while updating or removing.
| continue | ||
| } | ||
|
|
||
| epBuilder.compareAndRemovePolicies(rulesToRemove[0].Id, len(rulesToRemove)) |
There was a problem hiding this comment.
just removing the first rule?
There was a problem hiding this comment.
nevermind, I see that they all have the same ID. Perhaps pass in the whole rulesToRemove as an arg instead?
There was a problem hiding this comment.
Yeah i did that first, but there is no reason to send the whole rule set, we just need the ACl Id of one and since all the ACL IDs in a policy are same, we can get away with it. If tomorrow we do add unique ACl Ids then we can send in the full rulesToRemove obj
This PR consists of following changes:
Set Policies:
ACL Policies: