feat(audit): use a worker pool for Audit policies #10048
… return admission response earlier Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
I added stress test results comparing this change to rc.4.
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Fixed unit tests.
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #10048 +/- ##
=========================================
+ Coverage 9.96% 10.10% +0.14%
=========================================
Files 1029 1030 +1
Lines 91686 91722 +36
=========================================
+ Hits 9134 9266 +132
+ Misses 81554 81437 -117
- Partials 998 1019 +21
☔ View full report in Codecov by Sentry.
3/4 of PSS load tests failed, did they exceed the threshold? https://github.com/kyverno/kyverno/actions/runs/8660137654/job/23747565640?pr=10048
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
…/kyverno into audit-worker-pool
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
e74a6a8 to e7e20ee
@realshuting we need to add documentation for the new flags
Yes, opened kyverno/website#1210.
/cherry-pick release-1.12
Cherry-pick failed with
* enhancement: split validation logic for enforce and audit policies to return admission response earlier
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* chore: add missing file
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: unit tests
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: linter issues
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: unit tests
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: get latest policy object before updating status
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* chore: remove debug code
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: compare before updates
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: initial reconcile
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: updates
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat(audit): use a worker pool for Audit policies
  Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
* fix: unit test
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix(attempt): spin up go routine
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat: add flags maxAuditWorkers, maxAuditCapacity
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: enable debug log on failure
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: wait group panic
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* load-tests: add stress tests configurations
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* load-tests: disable admissionreports
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: build policy contexts synchronously
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: only run generate and mutate existing go routines when policies are present
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: mutate and verify tests
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: return early if no audit policy
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: run handlegenerate and mutate existing in all cases
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: only test bgapplies in generate test
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: defer wait in tests
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* enhancement: process validate enforce in a go routine
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
---------
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* enhancement: split validation logic for enforce and audit policies to return admission response earlier
* chore: add missing file
* fix: unit tests
* fix: linter issues
* fix: unit tests
* fix: get latest policy object before updating status
* chore: remove debug code
* fix: compare before updates
* fix: initial reconcile
* fix: updates
* feat(audit): use a worker pool for Audit policies
* fix: unit test
* fix(attempt): spin up go routine
* feat: add flags maxAuditWorkers, maxAuditCapacity
* fix: enable debug log on failure
* fix: wait group panic
* load-tests: add stress tests configurations
* load-tests: disable admissionreports
* fix: build policy contexts synchronously
* fix: only run generate and mutate existing go routines when policies are present
* fix: mutate and verify tests
* fix: return early if no audit policy
* fix: run handlegenerate and mutate existing in all cases
* fix: only test bgapplies in generate test
* fix: defer wait in tests
* enhancement: process validate enforce in a go routine
---------
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Explanation
This PR limits the number of goroutines used by Audit policies to 8 to limit contention and scheduling overhead. This should net a nice performance improvement.
Related issue
Milestone of this PR
Documentation (required for features)
My PR contains new or altered behavior to Kyverno.
What type of PR is this
Proposed Changes
Proof Manifests
The following results were tested with settings:
docker update --cpus=2 <node>
Checklist
Further Comments
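An added illustration of the bounded worker pool idea in the PR description above (not code from this PR or from Kyverno): a fixed number of workers drains a bounded queue, so a burst of admission requests cannot create one audit goroutine per request. `Simulate`, its `workers` and `capacity` parameters, and the drop-when-full behaviour are assumptions of this sketch; `capacity` must be at least 1.

```go
package main

import (
	"fmt"
	"sync"
)

// Simulate models a bounded audit pool (hypothetical sketch): `workers`
// goroutines drain a queue holding at most `capacity` tasks. It returns how
// many tasks were accepted, how many were dropped, and how many were
// executing when the burst ended.
func Simulate(workers, capacity, requests int) (accepted, dropped, inFlight int) {
	queue := make(chan func(), capacity)
	gate, started := make(chan struct{}), make(chan struct{}, requests)
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ { // fixed worker count, set once at startup
		wg.Add(1)
		go func() {
			defer wg.Done()
			for task := range queue {
				task()
			}
		}()
	}
	audit := func() {
		started <- struct{}{}
		<-gate // stands in for a slow policy evaluation
	}
	for i := 0; i < requests; i++ {
		select { // non-blocking enqueue: the admission path never waits on audit
		case queue <- audit:
			accepted++
		default:
			dropped++ // assumed overflow policy for this sketch: drop and count
		}
		if i < workers {
			<-started // let one worker pick the task up and stall on it
			inFlight++
		}
	}
	inFlight += len(started) // adds 0: queued tasks cannot start while workers are busy
	close(gate)              // release the stalled workers
	close(queue)             // stop intake; workers exit after draining the queue
	wg.Wait()
	return accepted, dropped, inFlight
}

func main() { fmt.Println(Simulate(8, 4, 20)) } // constructed burst of 20 requests
```

With every worker stalled, the pool holds at most `workers + capacity` tasks; what happens to the overflow (drop, block, or run inline) is the design decision that determines behaviour under load.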