endpoint: Only perform full synchronization periodically #27693
/test
Thanks for fixing this, I had no idea we were issuing a full dump on each endpoint (policy) regeneration!
@joamaki Nice work! Just a couple of comments...
The fix makes sense to me. How do we know that Cilium wasn't relying on this controller running frequently for correct operation?
We know Cilium wasn't relying on this because we were not seeing the warnings that would be logged if full sync did catch something. Furthermore, @jrajahalme, who wrote this originally, did not intend this, as he expected UpdateController to be a no-op after the first call and not a trigger to run it immediately.
The UpdateController method performs either the creation or the updating of a controller. If an update is performed, the controller is immediately triggered. In some cases we want to create the controller once without triggering or modifying it if it has already been created. Add a CreateController method for those use cases.

Signed-off-by: Jussi Maki <jussi@isovalent.com>
Performing a full dump of the policy map on every policy map synchronization is expensive and is only necessary to catch rare cases where the agent's view of the policy map has diverged from the kernel's view, which should only happen either due to kernel or other bugs or some other application modifying the endpoint policy map.

To reduce the cost of synchronizing large endpoint policy maps, perform the full synchronization only periodically. The full synchronization defaults to 15 minutes. Configurable with the hidden option "--policy-map-full-reconciliation-interval".

Fixes: 9dc1350 ("endpoint: Enhance policy map sync")

Signed-off-by: Jussi Maki <jussi@isovalent.com>
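To make the trade-off in that commit message concrete, here is an added example (not Cilium's code) of a syncer that applies the agent's own changes on every run but only dumps and diffs the whole map against its desired state once per interval; the policyKey/policyEntry types, the in-memory "kernel" map and the 15-minute default standing in for --policy-map-full-reconciliation-interval are all assumptions of this sketch.

```go
package main

import "time"

// Hypothetical stand-ins for BPF policy map keys and values (added example, not Cilium code).
type policyKey string
type policyEntry int
// policyMapSyncer keeps a simulated kernel map in step with the agent's desired view.
type policyMapSyncer struct {
	desired, kernel map[policyKey]policyEntry // agent's view vs. the (simulated) BPF map
	pending         map[policyKey]bool        // keys changed by the agent since the last sync
	fullInterval    time.Duration             // the --policy-map-full-reconciliation-interval knob
	lastFull        time.Time                 // zero value forces a full pass on the first sync
}
func newPolicyMapSyncer(fullInterval time.Duration) *policyMapSyncer {
	return &policyMapSyncer{desired: map[policyKey]policyEntry{}, kernel: map[policyKey]policyEntry{},
		pending: map[policyKey]bool{}, fullInterval: fullInterval}
}
// set records an added or updated desired entry; it reaches the kernel map on the next sync.
func (s *policyMapSyncer) set(k policyKey, v policyEntry) { s.desired[k] = v; s.pending[k] = true }
// sync always applies pending incremental changes (cheap) but dumps and diffs the whole
// kernel map only when fullInterval has elapsed since the last full pass. It returns how
// many divergent entries the full pass repaired and whether a full pass ran at all.
func (s *policyMapSyncer) sync(now time.Time) (repaired int, full bool) {
	for k := range s.pending {
		s.kernel[k] = s.desired[k]
	}
	s.pending = map[policyKey]bool{}
	if now.Sub(s.lastFull) < s.fullInterval {
		return 0, false // incremental run: outside modifications go unnoticed until the next full pass
	}
	s.lastFull = now
	for k, got := range s.kernel { // full dump: drop entries nobody asked for, fix stale values
		if want, ok := s.desired[k]; !ok {
			delete(s.kernel, k)
			repaired++
		} else if want != got {
			s.kernel[k] = want
			repaired++
		}
	}
	for k, want := range s.desired { // re-add entries that vanished from the kernel map
		if _, ok := s.kernel[k]; !ok {
			s.kernel[k] = want
			repaired++
		}
	}
	return repaired, true
}
```

An entry written by something other than the agent therefore survives until the next full pass, which is exactly the window the interval setting trades for cheaper regenerations.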
/test
ctrlName := fmt.Sprintf("sync-policymap-%d", e.ID) | ||
e.controllers.UpdateController(ctrlName, | ||
e.controllers.CreateController(ctrlName, |
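Review bot: the boolean CreateController returns is dropped silently on the last line, and because CreateController (per the commit message) is a no-op when a controller named sync-policymap-<ID> already exists, this call site no longer forces an immediate resync the way UpdateController did; a one-line comment stating that divergence is now caught by the periodic full reconciliation, together with `_ = e.controllers.CreateController(...)`, would make both the dropped result and the changed semantics visibly deliberate.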
Super minor nit, but it's odd to return a boolean and ignore it. Looking at the line of code here, it's not obvious that the result is being ignored. Ideally the underlying function wouldn't return a boolean if it's unused in production code (I see it's used in tests), but this could at least signal that the result is deliberately ignored with a _ = e.controllers.CreateController(...).
Huh, I was pondering why the policy trigger doesn't ratelimit these and then realized that's because the policy trigger is for triggering re-evaluation of the policy, not attempting a fresh synchronization of the synchronized policy to the BPF policymaps. So fair 👍
I managed to resolve the conflicts for v1.14, but the conflicts for v1.13 and v1.12 are more complex (i.e. there is no managedController type). Marking as