Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

policy: Move getNets to selector cache #27670

Merged
merged 2 commits into from Sep 1, 2023
Merged

policy: Move getNets to selector cache #27670

merged 2 commits into from Sep 1, 2023

Conversation

jrajahalme
Copy link
Member

Precompute the most specific subnet for each identity added to the selectorcache so that this computation need not be repeated for each MapStateEntry separately.

To make this possible Endpoint's implementation of GetLabelsLocked() is removed in the first commit.

This should speed up deny policy computation a bit and also makes MapStateEntries a bit smaller.

@jrajahalme jrajahalme added the kind/enhancement This would improve or streamline existing functionality. label Aug 23, 2023
@jrajahalme jrajahalme requested review from a team as code owners August 23, 2023 19:10
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 23, 2023
@jrajahalme jrajahalme added the release-note/misc This PR makes changes that have no direct user impact. label Aug 23, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 23, 2023
@christarazi christarazi added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Aug 23, 2023
@jrajahalme
Copy link
Member Author

/test

@joamaki
Copy link
Contributor

joamaki commented Aug 30, 2023

To add some context: the original cachedNets optimization in getNets is broken (;getNets is called from entryIdentityIsSupersetOf which is passed MapStateEntry by value, so setting cachedNets is a no-op). This needs to be fixed, and this PR is a more elegant way to fix the problem than just changing entryIdentityIsSupersetOf to take MapStateEntry by pointer.

christarazi
christarazi requested changes Aug 31, 2023
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! LGTM, fixes makes sense. Just a few comments.

pkg/policy/mapstate.go Outdated Show resolved Hide resolved
pkg/policy/selectorcache.go Outdated Show resolved Hide resolved
@jrajahalme
endpoint: Remove GetLabelsLocked
75cadc1 
Endpoint.GetLabelsLocked existed on the premise that selector cache could
not be locked while endpoint has been locked, due to selector cache
locking ip cache in some code paths. This does not seem to be correct, as
ip cache calls in to selector cache, not the other way around.

With this the Endpoint.GetLabelsLocked can be removed, and
SelectorCache.GetLabelsLocked can be used instead also when calling from
the Endpoint locked state. This is also in line with the commend on
policy DistillPolicy that states that "PolicyOwner (aka Endpoint) is also
locked during this call", and then within takes the Selector Cache read
lock.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Move GetNets to selectorcache
3980cf8 
Have selector cache precompute the most specific CIDR for an identity
when the identity is added, rathter than computing it when needed for
each MapStateEntry.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
Copy link
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 1, 2023
@joamaki joamaki merged commit cb246d7 into cilium:main Sep 1, 2023
59 of 60 checks passed
@joamaki joamaki added needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Sep 5, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.2 Sep 5, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.7 Sep 5, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.12.14 Sep 5, 2023
@michi-covalent michi-covalent added this to Needs backport from main in 1.14.3 Sep 9, 2023
@michi-covalent michi-covalent removed this from Needs backport from main in 1.14.2 Sep 9, 2023
@michi-covalent michi-covalent added this to Needs backport from main in 1.13.8 Sep 9, 2023
@michi-covalent michi-covalent removed this from Needs backport from main in 1.13.7 Sep 9, 2023
@michi-covalent michi-covalent added this to Needs backport from main in 1.12.15 Sep 9, 2023
@michi-covalent michi-covalent removed this from Needs backport from main in 1.12.14 Sep 9, 2023
@gandro
Copy link
Member

gandro commented Sep 12, 2023
edited

Does does not apply cleanly to the stable branches, mostly because of #22625 I don't feel comfortable fixing some of the conflicts myself, since this code seems rather tricky to get right.

@joamaki @jrajahalme I'm adding the backport/author label.

@gandro gandro added the backport/author The backport will be carried out by the author of the PR. label Sep 12, 2023
@gandro gandro mentioned this pull request Sep 12, 2023
Merged
15 tasks
@joamaki joamaki mentioned this pull request Sep 15, 2023
Merged
6 tasks
@joamaki joamaki added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed needs-backport/1.12 labels Sep 26, 2023
@joamaki joamaki mentioned this pull request Oct 5, 2023
Merged
5 tasks
@joamaki joamaki added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Oct 16, 2023
@jrajahalme jrajahalme moved this from Needs backport from main to Backport done to v1.13 in 1.13.8 Oct 17, 2023
@jrajahalme jrajahalme removed this from Needs backport from main in 1.12.15 Oct 17, 2023
@jrajahalme jrajahalme added needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch and removed backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. labels Oct 17, 2023
@jrajahalme
Copy link
Member Author

@joamaki marked again as needs-backport/1.14, as the backport in #28095 was skipped due to conflicts

@jrajahalme jrajahalme added the release-blocker/1.14 This issue will prevent the release of the next version of Cilium. label Oct 17, 2023
@jrajahalme jrajahalme mentioned this pull request Oct 18, 2023
Merged
1 task
@jrajahalme jrajahalme added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch release-blocker/1.14 This issue will prevent the release of the next version of Cilium. labels Oct 18, 2023
@jrajahalme jrajahalme added this to Backport pending to v1.14 in 1.14.4 Oct 18, 2023
@jrajahalme jrajahalme removed this from Needs backport from main in 1.14.3 Oct 18, 2023
@jrajahalme jrajahalme added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Oct 18, 2023
@jrajahalme jrajahalme moved this from Backport pending to v1.14 to Backport done to v1.14 in 1.14.4 Oct 18, 2023
@jrajahalme jrajahalme mentioned this pull request Oct 18, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christarazi christarazi christarazi approved these changes

Assignees
No one assigned
Labels
backport/author The backport will be carried out by the author of the PR. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
No open projects
1.13.8
Backport done to v1.13
1.14.4
Backport done to v1.14
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jrajahalme @joamaki @gandro @christarazi