Skip to content

Policy: fix ToServices performance regression #35293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 22, 2024
Merged

Policy: fix ToServices performance regression #35293

merged 2 commits into from
Oct 22, 2024

Conversation

squeed
Copy link
Contributor

@squeed squeed commented Oct 8, 2024

This PR contains two commits:

1: Make service iteration more efficient. It turns out that calling eps.Endpoints() is very allocation-heavy. Before this change, it was called for every service when iterating, which was unnecessary. Instead, leave this to the caller, who can do so only when necessary

2: Skip policy ToServices translation when policy has no ToServices selectors. We already track whether or not policies have a ToServices selector. When one does not, we do not need to try and translate services.

Fixes: #35273

Fixes a performance regression when ingesting network policies in clusters with large numbers of Services.

@squeed squeed added kind/performance There is a performance impact of this. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Oct 8, 2024
@squeed squeed requested review from a team as code owners October 8, 2024 13:41
marseel
marseel reviewed Oct 8, 2024
View reviewed changes
@marseel marseel added the sig/scalability Impacts how well Cilium handles a high rate of events or churn. label Oct 9, 2024
@squeed squeed mentioned this pull request Oct 9, 2024
Merged
squeed added 2 commits October 9, 2024 18:07
@squeed
pkg/policy, pkg/k8s: make ForEachService lazy
fe03658 
It turns out that ForEachService() does a lot of allocation to convert
an EndpointSlices in to an Endpoints; this is wasteful if the caller
does not need the endpoints.

Instead, yield the EndpointSlices directly, so the caller may generate
the endpoints if desired.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed
policy: skip resolving ToServices if no ToServices present
7a9dc08 
We already track whether or not a given CNP / CCNP has a ToServices
selector. We can use this bit to skip resolving ToServices entirely
(and thus iterating over all known services) when no ToServices
selectors are present.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed squeed requested a review from marseel October 9, 2024 16:07
@squeed squeed force-pushed the fix-toservices-churn branch from af57bf7 to 7a9dc08 Compare October 9, 2024 16:07
@squeed
Copy link
Contributor Author

squeed commented Oct 9, 2024

/test

marseel
marseel approved these changes Oct 10, 2024
View reviewed changes
Copy link
Contributor

@marseel marseel left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have no power here, but looks great to me :)

Thanks!

doniacld
doniacld approved these changes Oct 22, 2024
View reviewed changes
Copy link
Contributor

@doniacld doniacld left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 22, 2024
@squeed squeed added this pull request to the merge queue Oct 22, 2024
Merged via the queue into cilium:main with commit e9756ef Oct 22, 2024
63 checks passed
@squeed squeed deleted the fix-toservices-churn branch October 22, 2024 20:03
@tklauser tklauser mentioned this pull request Oct 25, 2024
Merged
7 tasks
@tklauser tklauser added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Oct 25, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Oct 25, 2024
@cilium-release-bot cilium-release-bot bot mentioned this pull request Nov 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marseel marseel marseel approved these changes

@tommyp1ckles tommyp1ckles tommyp1ckles approved these changes

+1 more reviewer

@doniacld doniacld doniacld approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. kind/performance There is a performance impact of this. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. sig/scalability Impacts how well Cilium handles a high rate of events or churn.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Inefficient resolution of toServices in CNPs
5 participants
@squeed @marseel @tommyp1ckles @doniacld @tklauser