PolicyRepository: index and replace rules by resource. #32703
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
squeed
added
release-note/minor
|
/test |
|
Tagging @aanm for review too; you understand this bit of code somewhat. |
doniacld
reviewed
May 28, 2024
doniacld
reviewed
May 28, 2024
doniacld
reviewed
May 28, 2024
doniacld
reviewed
May 28, 2024
doniacld
reviewed
May 28, 2024
christarazi
approved these changes
May 30, 2024
The stateful test scaffolding was getting in the way of future changes, especially surrounding the shared SelectorCache. Tests were adding identities, which affected other tests. Furthermore, testing the package with --count=2 reliably failed due to left-behind state. This mechanical change aggregates all useful variables behind a single struct. No test logic has been changed. Signed-off-by: Casey Callendrello <cdc@isovalent.com>
UID is not a safe resource for indexing; multiple rules may have the same UID, and UID is not guaranteed to be unique across different resources. Furthermore, informers may coalesce delete + add events in to an update, thus losing the UID edge regardless. Signed-off-by: Casey Callendrello <cdc@isovalent.com>
squeed
force-pushed
the
policy-repo-track-resource
branch
from
3dc803d
to
db1df64
Compare
|
/test |
@christarazi I threw together a quick benchmark: Good enough for me :-) |
When upserting a CNP or KNP, we identify existing rules in the repository by a set of labels. However, evaluating this set of labels is expensive, especially as we must check against all label selectors every time we want to add or remove a policy. Rather than using label selectors internally, track policies by owning resource, much the way that prefixes are tracked in the ipcache. Then, when upserting policies, the set of existing rules attached to a given resource can be easily retrieved. The existing behavior is preserved, as it is also exposed via the local gRPC API. However, the k8s handlers no longer use it. Signed-off-by: Casey Callendrello <cdc@isovalent.com>
squeed
force-pushed
the
policy-repo-track-resource
branch
from
db1df64
to
77b43c5
Compare
|
Tests caught a flake -- just some test code that expected a certain ordering. Fixed. |
|
/test |
doniacld
approved these changes
May 30, 2024
aanm
requested changes
May 30, 2024
| slim_metav1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1" | ||
| "github.com/cilium/cilium/pkg/labels" | ||
| "github.com/cilium/cilium/pkg/lock" | ||
| "github.com/cilium/cilium/pkg/option" | ||
| "github.com/cilium/cilium/pkg/policy/api" | ||
| ) | ||
|
|
||
| type ruleKey struct { | ||
| resource ipcachetypes.ResourceID | ||
| idx uint |
There was a problem hiding this comment.
Index in reference to what? A comment here would be good.
There was a problem hiding this comment.
sounds good, I'll add a comment in an incoming PR.
I also ran a local benchmark to compare the PR against current main and I didn't see any regressions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
(Note for reviewers: this also contains a commit fixing some improper use of shared state in tests; it is mostly mechanical but required for this change).
The PolicyRepository is a database of all known network policies (KNP / CNP / CCNP / gRPC Policies). It references policies by Labels, which are an arbitrary set of identifiers for a policy. When an "upstream" policy is updated, a synthetic set of labels is created and used as a key for replacement.
This label-oriented referencing is inefficient. When a policy is upserted, all existing rules must be scanned to se if they are candidates for replacement. Furthermore, this doesn't reflect how policy rules are actually created. Namely, they have an upstream owning resource, which creates one or more downstream rules in the repository.
This change reorients the PolicyRepository to index and replace rules on a per-resource basis. This pattern is already well established within Cilium, most notably the IPCache, and has proven itself. It also means that the standard policy actions do not require a whole-repository scan or evaluating labels.
The existing label-based replacement mechanism must be preserved for policies managed by the local API, so the existing code cannot be entirely removed, but it will seldom be used in the field.
(This PR was inspired by #27163, but takes a different tack).