Skip to content

Policy mapstate cleanups redux #35305

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 10, 2024
Merged

Policy mapstate cleanups redux #35305

merged 7 commits into from
Oct 10, 2024

Conversation

jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Oct 8, 2024
edited
Loading

Avoid unnecessary iteration for narrower keys when key has no port wildcarding.

Introduce containers/bitlpm explicit iterators that perform better when used from Go 1.23 iterators.

Use Go 1.23 iterators in policy mapstate computation to simplify for better readability.

Note: Go 1.23 iterators in mapstate computation performed poorly when calling the existing bitlpm iteration functions from them. Likely related: golang/go#66469
"Explicit" bitlpm iterators perform much better than the previous ones, and when calling them from Go 1.23 iterators there is no performance degradation

With these changes BenchmarkRegenerateCIDRDenyPolicyRules benchmark does 48% fewer allocations, uses 33% less memory, and performs 23% faster.

denyPreferredInsertWithChanges that contains the main business logic for policy mapstate generation, becomes a lot simpler as result, and is that much easier to understand and maintain in the future.

@jrajahalme jrajahalme added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Oct 8, 2024
@jrajahalme jrajahalme requested review from a team as code owners October 8, 2024 20:06
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 8, 2024
@jrajahalme jrajahalme marked this pull request as draft October 8, 2024 20:06
@jrajahalme jrajahalme added the kind/cleanup This includes no functional changes. label Oct 8, 2024
@jrajahalme jrajahalme force-pushed the policy-mapstate-cleanups-redux branch 2 times, most recently from 5e16ef1 to a70511f Compare October 10, 2024 07:39
@jrajahalme jrajahalme requested review from nathanjsweet and removed request for a team, markpash and doniacld October 10, 2024 07:40
@jrajahalme jrajahalme closed this Oct 10, 2024
@jrajahalme
Copy link
Member Author

ready for review

@jrajahalme jrajahalme reopened this Oct 10, 2024
@jrajahalme jrajahalme marked this pull request as ready for review October 10, 2024 07:41
@jrajahalme
Copy link
Member Author

/test

@jrajahalme
policy: Replace deny all check witch a more generic covered by deny c…
3931e54 
…heck

Deny all check it not necessary when we are already checking for covering
deny entries. Clarify this by factoring out the common code from the
deny/allow branches.

Deny processing paths are now skipped when there are no deny rules, so we
can also skip checking for deny feature.

'newKey' traffic direction sanity check is not needed any more as we no
longer index 'allKey' with the traffic direction of 'newKey' (i.e.,
'allKey[newKey.TrafficDirection()]' is removed by this commit.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Delete covered keys before adding L3/4 keys
11c5f35 
Refactor to delete covered keys first, no functional changes.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Steamline deleteKeyWithChanges
a043946 
Only store a changed entry again in 'deleteKeyWithChanges' if it is not
going to be deleted. Fix comments.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Check for auth feature before calling authPreferredInsert
73bc1bd 
Checking for auth feature before calling authPreferredInsert is faster
than calling it and checking it there when there are no auth rules in the
policy.

No functional changes.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Avoid unnecessary iteration
de2eeee 
A map state key may have narrower keys when the destination port is at
least partially wildcarded. Check for this so that we do not need to try
find narrower keys when there can be none, and also initialize the slice
for the related updates only when needed. This reduces allocations in
cases when there will be no updates.

Refactor authPerferred insert by factoring out common code to
'overrideAuthType()' helper.

No functional changes.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
bitlpm: add explicit Iterators
b56dce8 
Add Iterator interface and implementations that keep state explicitly
instead of relying on Go closures. This form of iteration is faster and
requires less allocations when called from Go 1.23 iterators.

Policy MapState benchmark shows benefit for not preallocating space for
nodes in these new iterators, so the 'nodes[K,T]' slices are left
initially 'nil'.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Use Go 1.23 iterators for mapstate helpers
161fe7c 
It looks like converting mapstate iteration helpers into Go 1.23
iterators has no performance penalty with the new bitlpm explicit
iterators. This change makes the business logic much more readable.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme added the release-note/misc This PR makes changes that have no direct user impact. label Oct 10, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 10, 2024
@jrajahalme jrajahalme force-pushed the policy-mapstate-cleanups-redux branch from a70511f to 161fe7c Compare October 10, 2024 08:22
@jrajahalme
Copy link
Member Author

Rebased to fix merge conflict, fixed gofmt.

@jrajahalme
Copy link
Member Author

/test

@jrajahalme jrajahalme enabled auto-merge October 10, 2024 12:00
@jrajahalme jrajahalme added this pull request to the merge queue Oct 10, 2024
Merged via the queue into cilium:main with commit 853f810 Oct 10, 2024
63 checks passed
@jrajahalme jrajahalme deleted the policy-mapstate-cleanups-redux branch October 10, 2024 16:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nathanjsweet nathanjsweet nathanjsweet approved these changes

Assignees
No one assigned
Labels
kind/cleanup This includes no functional changes. release-note/misc This PR makes changes that have no direct user impact. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jrajahalme @nathanjsweet