perf: Update frameworks to use compiler sharding #1900
Codecov Report
@@ Coverage Diff @@
## master #1900 +/- ##
==========================================
+ Coverage 53.23% 53.48% +0.24%
==========================================
Files 100 103 +3
Lines 8986 9092 +106
==========================================
+ Hits 4784 4863 +79
- Misses 3809 3852 +43
+ Partials 393 377 -16
Fixes #1916
It looks like the External Data tests are failing due to problems calling Match()... unexpected nil values?
Still need to implement audit-from-cache Signed-off-by: Will Beason <willbeason@google.com>
Signed-off-by: Will Beason <willbeason@google.com>
Signed-off-by: Will Beason <willbeason@google.com>
Change-Id: I862a247815c1dbe7fde90200d4a8ef1e4e27a2c7 Signed-off-by: Will Beason <willbeason@google.com>
Signed-off-by: Will Beason <willbeason@google.com>
Cover many previously-untested cases for matching when Namespace is not available, or when the object to be matched is a Namespace. Also clarify that typos in scope match criteria match everything. Now there is no need for Target to get a cached Namespace for Namespaces. Signed-off-by: Will Beason <willbeason@google.com>
Signed-off-by: Will Beason <willbeason@google.com>
Since changes to frameworks make gatekeeper-specific Rego library unnecessary. Also add many tests for Target. Signed-off-by: Will Beason <willbeason@google.com>
Signed-off-by: Will Beason <willbeason@google.com>
Signed-off-by: Will Beason <willbeason@google.com>
Also add race condition test for Set replacement. Signed-off-by: Will Beason <willbeason@google.com>
This LGTM after we get a read lock for AssignedStringList in operations.go
Signed-off-by: Will Beason <willbeason@google.com>
LGTM!!! 🎊
@@ -24,7 +24,8 @@ require ( | |||
github.com/onsi/ginkgo v1.16.5 | |||
github.com/onsi/gomega v1.17.0 | |||
github.com/open-policy-agent/cert-controller v0.2.0 | |||
github.com/open-policy-agent/frameworks/constraint v0.0.0-20220218180203-c2a0d8cdf85a | |||
github.com/open-policy-agent/frameworks/constraint v0.0.0-20220319020711-acd776435a23 | |||
github.com/open-policy-agent/opa v0.37.2 |
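Review bot: The `github.com/open-policy-agent/opa v0.37.2` line at the end of this require block is the likely source of the one-line growth in the hunk header (`-24,7 +24,8`), so the bump to frameworks/constraint `v0.0.0-20220319020711-acd776435a23` also leaves Gatekeeper with a direct OPA requirement. State in the PR description which packages still import OPA directly, and check that v0.37.2 is the version the new frameworks commit itself requires, so the policy engine version running in the admission webhook is a deliberate choice rather than whatever module resolution selects. The frameworks dependency is pinned to an untagged pseudo-version, so the matching go.sum change deserves the same scrutiny as this line.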
Where does GK still reference opa directly? I thought everything is moving to framework?
It looks like in two places (target and target test):
pkg/target/target.go: "github.com/open-policy-agent/opa/storage"
pkg/target/target_test.go: "github.com/open-policy-agent/opa/storage"
This is because the TargetHandler interface is currently expecting an OPA path for the storage key. IIRC this is b/c the path object has some formatting methods that are nice, but essentially it's a list of strings otherwise.
If we want to fully remove this dependency again, maybe a follow-on piece of work to remove this from the TargetHandler interface?
Ah, now I remember. It makes sense to address this as follow-up work.
Signed-off-by: Will Beason <willbeason@google.com>
LGTM
Thanks @willbeason! 🎉
pending load test results from @sozercan
Yay!
LGTM, seeing around ~1.5x-4x decrease in webhook cpu and memory usage (depending on # of template/constraints)
Integrate Gatekeeper with the compiler sharding frameworks change.
I'm working on measuring performance changes in real clusters.