endpoint/policy: Keep internals separate #35372
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
da8a2d0 to
8f9502b
Compare
|
/test |
1709143 to
6294adb
Compare
|
/test |
6294adb to
1b514f7
Compare
|
/test |
1b514f7 to
09bb775
Compare
|
/test |
09bb775 to
5647101
Compare
|
/test |
5647101 to
eba9149
Compare
|
/test |
eba9149 to
5d89f34
Compare
1294849 to
8a6745a
Compare
|
/test |
8a6745a to
0d59c86
Compare
|
/test |
0d59c86 to
5cdafec
Compare
squeed
reviewed
Oct 30, 2024
squeed
reviewed
Oct 30, 2024
9daa380 to
d2fc3be
Compare
|
/test |
Redirects are now created before EndpointPolicy, so all redirects already exist when processing incremental changes for the EndpointPolicy. Hence 'unrealizedRedirectPort' symbol is no longer needed. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Now that proxy redirects are created before mapstate entries, we no longer need the listener name in the MapStateEntry. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Old value must be saved also when overriding an allow entry with a deny. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Change key tests to validate full MapStateEntries by changing from Equals to DeepEquals. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Remove extraneous printing and Use t.Logf() instead of fmt.Printf(). Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Do not export DerivedFromRules member so that we can change the implementation later. Remove from tests where it's value was ignored anyway, and add actual validation for them in the endpoint integration tests. Note that these were ignored there as well before, so there are some missing labels, now in comments. To be fixed in forthcoming commits. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Prepare for hiding internals of MapStateEntry by making ChangeState.Old private. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Remove the following actions in TestMapState_denyPreferredInsertWithSubnets test left unnecessary since the introduction of the transactional selector cache: - insertAWithBProto - insertAasB - insertBWithAProto - insertBWithAProtoAsDeny Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
… entry Remove unused 'incremental' attribute from policy map updates. Store the actual delete entry value rather than the missing empty value in reported mapstate diffs. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Skip updating the realized mapstate when updating bpf policy map, as: 1. Usually the realized mapstate is the same as desired mapstate so there is nothing to update 2. The realized mapstate is ephemeral dump from the datapath, there is no point updating it. 3. When a new policy has been computed, the new desired mapstate will replace the old realized mapstate anyway after the successful policy update. If policy update fails use a full policy map dump for restoring to the last known good policy. Not updating the realized policy also keeps the old realized policy as "the last known good" policy that we can restore to when policy update fails. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
We generally want to add new policy map entries to avoid transient drops. Since policy map size is limited, it is possible that adds fail due to hitting the size limit. In that case it is possible that more space would be available if any entries are deleted, so it makes sense to retry after key deletion. Note that since we no longer update the realized map on successful map updates, we need to do the full map diff again. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Define mapStateEntry to hold the internal bookkeeping and contain MapStateEntry without them. This way the containters used for internal bookkeeping are not exposed to other packages. Remove the MapState interface that was ill-defined due to mixing & matching exported and non-exported methods. Within the policy package use '*mapState' directly, and export the needed functions via 'EndpointPolicy'. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
When an existing entry is updated without changing its IsDeny flag the update can be done on the 'entries' map without delete from the other map, or without sanity checking the key. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Upon reflecting on the iterators used when deleting covered entries, or adding new ones due to precedence, it is safe to add them directly, as the iterators hold enough state for it to be safe to delete entries on descendants, and add entries to existing trie nodes. Simplify insertion of dependent keys with new helpers. Simplify the structure of 'denyPreferredInsertWithChanges' by not returning early on the end of the deny block. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
d2fc3be to
2a8d66a
Compare
|
Rebased in hopes some CI fixes have been merged to main in the meanwhile... |
|
/test |
squeed
reviewed
Oct 30, 2024
|
really really nice. I'm making sure I grok the changes, but these look good to me. |
squeed
approved these changes
Oct 31, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes due to redirects being now created before mapstate is computed:
Fixes: #35350
Save the old entry value when overridden by deny. MapStateEntry merge logic was simplified by only calling merge() if both entries are allows or denies. Now the caller overrides an allow with deny by overwriting it, but that branch missed the storing of the old value.
Fixes: #34437
Keep policy MapState internals private to the policy package. Replace the
MapStateinterface with a limited set of accessor functions onEndpointPolicy. This way the endpoint does need direct access to the MapState map with the policy package internal bookkeeping.Do not update the realized policy from the endpoint package when applying map changes to bpf policy maps. This is possible since the realized policy is either the same as the desired policy (when applying incremental changes) or the pending desired policy from which the changes are being applied is going to replace the old realized policy when the endpoint regeneration succeeds. If the endpoint regeneration fails, we also need to have the prior realized policy intact as the "last known good policy" which can be restored against a fresh dump of the policy map.
This also fixes the problem where MapStateEntries inserted from the endpoint package were missing the internal bookkeeping, like "owners", "derivedFromRules", etc.
Simplify
denyPreferredInsertWithChangesby updating mapstate directly when iterating and simplify insertion of dependent keys with helpers and by using normalif/elsestructure.Removal of the
Listenerfield together with structural changes to keep mapstate internals private speed upBenchmarkRegenerateCIDRDenyPolicyRulesby ~17% (~25% less memory used with ~12% less allocations)