policy: Move getNets to selector cache #27670
/test |
To add some context: the original |
Thanks for the PR! LGTM, fixes make sense. Just a few comments.
Endpoint.GetLabelsLocked existed on the premise that selector cache could not be locked while endpoint has been locked, due to selector cache locking ip cache in some code paths. This does not seem to be correct, as ip cache calls into selector cache, not the other way around. With this the Endpoint.GetLabelsLocked can be removed, and SelectorCache.GetLabelsLocked can be used instead also when calling from the Endpoint locked state. This is also in line with the comment on policy DistillPolicy that states that "PolicyOwner (aka Endpoint) is also locked during this call", and then within takes the Selector Cache read lock.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
bb1b878 to 633594b
Have selector cache precompute the most specific CIDR for an identity when the identity is added, rather than computing it when needed for each MapStateEntry.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
633594b to 3980cf8
/test |
Does not apply cleanly to the stable branches, mostly because of #22625. I don't feel comfortable fixing some of the conflicts myself, since this code seems rather tricky to get right. @joamaki @jrajahalme I'm adding the |
Precompute the most specific subnet for each identity added to the selectorcache so that this computation need not be repeated for each MapStateEntry separately.
To make this possible, Endpoint's implementation of GetLabelsLocked() is removed in the first commit.
This should speed up deny policy computation a bit and also makes MapStateEntries a bit smaller.
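An added illustration of the precomputation described in this PR, not code from the PR or from Cilium: a simplified, hypothetical `SelectorCache` that stores the longest-prefix CIDR once when an identity is added, so each later lookup is a map read under the read lock. The `cidr:<prefix>` label form, the type and method names, and the sample identity are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"sync"
)

// SelectorCache is a simplified stand-in (hypothetical, not Cilium's type).
type SelectorCache struct {
	mu           sync.RWMutex
	mostSpecific map[uint32]netip.Prefix // filled once per identity
}

func NewSelectorCache() *SelectorCache {
	return &SelectorCache{mostSpecific: map[uint32]netip.Prefix{}}
}

// mostSpecificCIDR picks the longest prefix among "cidr:<prefix>" labels
// (assumed label form); other or malformed labels are ignored.
func mostSpecificCIDR(labels []string) (best netip.Prefix) {
	for _, l := range labels {
		p, err := netip.ParsePrefix(strings.TrimPrefix(l, "cidr:"))
		if strings.HasPrefix(l, "cidr:") && err == nil && (!best.IsValid() || p.Bits() > best.Bits()) {
			best = p.Masked() // normalise host bits, e.g. 10.1.2.7/24 -> 10.1.2.0/24
		}
	}
	return best
}

// AddIdentity scans the labels once, under the write lock.
func (sc *SelectorCache) AddIdentity(id uint32, labels []string) {
	sc.mu.Lock()
	defer sc.mu.Unlock()
	sc.mostSpecific[id] = mostSpecificCIDR(labels)
}

// MostSpecific is the per-entry lookup: no label parsing, only a map read.
func (sc *SelectorCache) MostSpecific(id uint32) (netip.Prefix, bool) {
	sc.mu.RLock()
	defer sc.mu.RUnlock()
	p := sc.mostSpecific[id]
	return p, p.IsValid()
}

func main() {
	sc := NewSelectorCache()
	// Constructed sample identity and labels.
	sc.AddIdentity(16777217, []string{"cidr:10.0.0.0/8", "cidr:10.1.2.0/24", "reserved:world"})
	fmt.Println(sc.MostSpecific(16777217))
}
```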