endpoint: don't hold the endpoint lock while generating policy #26242

Merged 6 commits on Jun 26, 2023

Commits on Jun 24, 2023

  1. pkg/endpoint: make GetNamedPorts lock-free

    This function is called deep within the policy generation hierarchy, and
    is at risk of causing deadlocks.
    
    Given that it's just reading a pointer to a never-mutated map, we can
    safely stash this behind an atomic Pointer and remove the lock.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed Jun 24, 2023
    e4af331
  2. pkg/endpoint: make some more accessor methods lock-free

    It turns out that most of the endpoint identities, e.g. pod name /
    namespace, are actually immutable. So, there's no need to grab a lock
    before reading them.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed Jun 24, 2023
    9d79792
  3. pkg/proxy: mechanical: remove unused methods from interface

    These methods are no longer used; remove them from the
    EndpointInfoSource interface.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed Jun 24, 2023
    c9759c7
  4. endpoint: don't hold the endpoint lock while generating policy

    As preparation for other refactors of the policy engine, no longer hold
    the endpoint lock while calculating policy. This is safe to do, since
    the only input is the endpoint's security identity. Furthermore, if,
    somehow, policy were to be calculated in parallel, we can reject an
    update if its revision is too old.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed Jun 24, 2023
    af47979
  5. test/MockIdentityAllocator: Sanitize the generated ID

    This ensures the generated ID works like IDs allocated normally - that
    their LabelArray is set.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed Jun 24, 2023
    a301c9c
  6. endpoint: add policy engine race test

    This adds a small test that ensures incremental updates are never lost,
    even in the face of significant identity churn.
    
    It simulates a churning ipcache flinging identities into the policy
    engine, and similarly recalculates policy constantly.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed Jun 24, 2023
    e03ad34
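
Commits 1 and 4 describe two patterns: reading a never-mutated map through an atomic pointer instead of a lock, and computing policy with no lock held while rejecting a result whose revision is too old. The sketch below is an added example, not code from this pull request or from Cilium; every type and function name in it is hypothetical.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Hypothetical types for illustration; not Cilium's endpoint code.
type computedPolicy struct {
	revision uint64
	identity uint32
}

type endpoint struct {
	mu         sync.Mutex
	identity   atomic.Uint32                     // the only input to policy calculation
	namedPorts atomic.Pointer[map[string]uint16] // map is swapped whole, never mutated
	applied    computedPolicy                    // guarded by mu
}

// getNamedPorts reads the current map without taking mu.
func (e *endpoint) getNamedPorts() map[string]uint16 {
	if p := e.namedPorts.Load(); p != nil {
		return *p
	}
	return nil
}

// regenerate computes policy with no lock held, then takes mu only to
// publish it, rejecting the result if a newer revision is already applied.
func (e *endpoint) regenerate(repoRevision uint64) bool {
	p := computedPolicy{revision: repoRevision, identity: e.identity.Load()} // slow work would go here
	e.mu.Lock()
	defer e.mu.Unlock()
	if p.revision < e.applied.revision {
		return false // stale result from a slower parallel calculation
	}
	e.applied = p
	return true
}

func (e *endpoint) appliedRevision() uint64 {
	e.mu.Lock()
	defer e.mu.Unlock()
	return e.applied.revision
}

func main() {
	e := &endpoint{}
	fmt.Println(e.regenerate(5), e.regenerate(3), e.appliedRevision())
}
```

Because the lock is held only for the compare-and-publish step, callers reached from inside the calculation (such as a named-ports lookup) cannot deadlock on it.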