
PolicyRepository: index and replace rules by resource. #32703

Merged
merged 3 commits into from
May 30, 2024

Commits on May 30, 2024

  1. policy: stop using shared variables in tests

    The stateful test scaffolding was getting in the way of future changes,
    especially surrounding the shared SelectorCache. Tests were adding
    identities, which affected other tests. Furthermore, testing the package
    with --count=2 reliably failed due to left-behind state.
    
    This mechanical change aggregates all useful variables behind a single
    struct. No test logic has been changed.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed May 30, 2024
    dc08da0
  2. policy: no longer index rules by UID

    UID is not a safe resource for indexing; multiple rules may have the
    same UID, and UID is not guaranteed to be unique across different
    resources. Furthermore, informers may coalesce delete + add events into
    an update, thus losing the UID edge regardless.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed May 30, 2024
    96fca48
  3. policy: track rules by resource, not by labels

    When upserting a CNP or KNP, we identify existing rules in the
    repository by a set of labels. However, evaluating this set of labels is
    expensive, especially as we must check against all label selectors every
    time we want to add or remove a policy.
    
    Rather than using label selectors internally, track policies by
    owning resource, much the way that prefixes are tracked in the ipcache.
    Then, when upserting policies, the set of existing rules attached to a
    given resource can be easily retrieved.
    
    The existing behavior is preserved, as it is also exposed via the local
    gRPC API. However, the k8s handlers no longer use it.
    
    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
    squeed committed May 30, 2024
    77b43c5
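As an added illustration of the failure mode behind the second and third commits (example code written for this page, not from the PR or from Cilium; the `Rule` and `repo` types, field names and the sample events are assumptions), the same informer events are replayed against a UID-keyed index and a resource-keyed index: when a delete+add is coalesced into an update, the object's UID changes and the UID-keyed index keeps the stale rules, while keying by owning resource replaces them.

```go
package main

import "fmt"

// Rule is a minimal, hypothetical stand-in for one policy rule derived
// from a CNP/KNP object (not Cilium's own type).
type Rule struct{ Desc string }

// repo maps an index key to the rules currently attached to it.
type repo struct{ rules map[string][]Rule }

func newRepo() *repo { return &repo{rules: map[string][]Rule{}} }

// Upsert replaces every rule stored under key with rules, which is what a
// handler wants when a resource is re-applied.
func (p *repo) Upsert(key string, rules []Rule) { p.rules[key] = rules }

// Delete drops all rules attached to key.
func (p *repo) Delete(key string) { delete(p.rules, key) }

// Count returns how many rules the repository holds in total.
func (p *repo) Count() int {
	n := 0
	for _, rs := range p.rules {
		n += len(rs)
	}
	return n
}

// SimulateCoalescedUpdate replays constructed sample events against two
// repositories. The second event is an update for the same named CNP whose
// UID changed because the informer coalesced a delete + add into one update.
// It returns the rule counts held by the UID-keyed and resource-keyed index.
func SimulateCoalescedUpdate() (byUIDCount, byResourceCount int) {
	byUID, byResource := newRepo(), newRepo()
	const resource = "cnp/default/allow-dns" // owning resource key (constructed)
	events := []struct {
		uid   string
		rules []Rule
	}{
		{"uid-1", []Rule{{"allow dns egress"}, {"allow dns ingress"}}},
		{"uid-2", []Rule{{"allow dns egress"}}}, // same resource, new UID
	}
	for _, ev := range events {
		byUID.Upsert(ev.uid, ev.rules)       // stale rules under "uid-1" survive
		byResource.Upsert(resource, ev.rules) // old rule set is replaced
	}
	return byUID.Count(), byResource.Count()
}

func main() {
	u, r := SimulateCoalescedUpdate()
	fmt.Printf("by UID: %d rules (1 stale set), by resource: %d rule\n", u, r)
}
```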