refactor policy admission Validator to be lock free #114527
safer in case of panic
/triage accepted
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: alexzielenski
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold for cool synctrack.Lazy to merge which will remove polling from this
EDIT: on second thought, not sure this is a good application of that tool.
synctrack.Lazy would have Get synchronize if the value was invalidated. We instead want the latest payload to be "delivered" ready to be used to the threads performing validation, and avoid validation threads from taking a lock and waiting on each other.
I think the current solution is good as-is.
Concurrency looks right to me. `cachedPolicies` are set and invalidated behind a lock but are safely copied (1s interval) to an atomic for lock free access during validation.
The introduction of `policyController` cleans things up substantially.
/hold cancel
refresh admission policies up to once per second based upon last known good data
/lgtm Thanks for fixing this up @alexzielenski!
LGTM label has been added. Git tree hash: e4f07d06e9e7ff437aa0d3cb841dfe5c0d70620c
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
For the CEL admission controller introduced as alpha in 1.26 we have possible contention on a RWLock between calls to `Validate` (called for every operation on a resource) and the controller reconcilers. This refactor adjusts the design so that there is no data sharing between the `Validate` function and the controller loop, and that `Validate` takes no locks in its implementation - it now relies on a pre-baked list of policy definitions provided to it by a worker thread via `atomic.Value`.
This PR accomplishes this by first separating all the reconciliation logic out into a separate `policyController`. Then we can spawn a worker thread which polls the `policyController` up to every 1s for a reconstructed list of definitions, if it has changed.
/sig api-machinery
/cc @cici37 @jpbetz
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
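The design described in the PR body above, as an added Go example that is not code from this PR or from Kubernetes: a lock-guarded `policyController` that reconcilers invalidate, a worker step that copies its last known good data into an `atomic.Value`, and a `Validate` that only ever `Load`s that snapshot and takes no lock. `PolicyDefinition`, `Invalidate`, `latestPolicies` and `refresh` are names assumed here, not the project's.

```go
package main

import (
	"sync"
	"sync/atomic"
)

// PolicyDefinition stands in for a compiled ValidatingAdmissionPolicy (a constructed placeholder).
type PolicyDefinition struct{ Name string }

// policyController owns the mutable state behind a lock; reconcilers write here and Validate never reads here.
type policyController struct {
	mu     sync.Mutex
	cached []PolicyDefinition
	dirty  bool
}

// Invalidate is what a reconciler calls when the policy set changes.
func (c *policyController) Invalidate(defs []PolicyDefinition) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.cached, c.dirty = defs, true
}

// latestPolicies returns a copy of the cache and whether it changed since the last poll.
func (c *policyController) latestPolicies() ([]PolicyDefinition, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	changed := c.dirty
	c.dirty = false
	return append([]PolicyDefinition(nil), c.cached...), changed
}

// Validator is the lock-free side: Validate only ever Loads a pre-baked slice from an atomic.Value.
type Validator struct{ definitions atomic.Value }

// Validate would evaluate every definition against the request; here it reports how many it saw.
func (v *Validator) Validate() int {
	defs, _ := v.definitions.Load().([]PolicyDefinition)
	return len(defs)
}

// refresh is one step of the worker goroutine (the PR drives it from a 1s ticker): publish only on change.
func (v *Validator) refresh(c *policyController) bool {
	if defs, changed := c.latestPolicies(); changed {
		v.definitions.Store(defs)
		return true
	}
	return false
}
```

Until the worker runs `refresh`, `Validate` keeps serving the previous snapshot, which is the "last known good data" behaviour the commit message describes.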