policy: Replace versioned with part.Map #42992
Merged
jrajahalme merged 4 commits into cilium:main on Dec 9, 2025
Member
Author
|
/test |
Bump the number of rules in TestRegenerateCIDRDenyPolicyRules to be the same as in BenchmarkRegenerateCIDRDenyPolicyRules and assert the number of mapstate entries is 117515 in both instead of just dumping the number on stdout. The specific number works as the rule generation used is deterministic. This helps catch regressions that may otherwise be left unnoticed.

Signed-off-by: Jarno Rajahalme <[email protected]>

Some CachedSelector interface functions that called for a version handle were always used with the special latest version handle. Simplify by removing the version handle from the following interface functions:

- CachedSelector.GetSelections()
  - a new GetSelectionsAt() is added for explicit version access
- CachedSelector.Selects()
- DNSProxier.GetRules()

CachedSelector.Selects() and DNSProxier.GetRules() were always called with the static "latest version" handle, and most CachedSelector.GetSelections() calls in test code did the same. Implementations of these now internally get a version handle on the latest version and access the selectors with that.

Rename local variable 'idSel' as 'sel' for readability.

Signed-off-by: Jarno Rajahalme <[email protected]>

Move test package from pkg/proxy to pkg/envoy as that is the only place it is used from.

Signed-off-by: Jarno Rajahalme <[email protected]>
Member
Author
|
Fixed lint issues |
Member
Author
|
/test |
squeed reviewed Dec 8, 2025
Replace versioned.Value with a part.Map as the solution for providing a transactional view on the selector cache for any given SelectorPolicy. Avoid most of the part.Map index overhead by reusing the same transaction for the policy update. Additions of new selectors to the selector cache are pooled into a single write transaction. Whenever the changes need to be observable via CachedSelector.GetSelections[At](), the updater must call the new SelectorCache.Commit() function.

Pooling of changes into a single transaction makes this generally a bit faster (~14%) even though part.Map uses more memory (+40%) for updates.

The main benefit of this change is the removal of pkg/container/versioned, which had an arcane API. This commit is the minimal change to achieve removal of pkg/container/versioned, with room for improvements like:

- Consider using statedb, using statedb indexes for namespace indexing
- Add CIDR indexing for (non-namespaced) CIDR selectors
- Explore using part.Set for storing the selections instead of a read-only slice. This would likely save some on updates, but would cost more on iteration.

Signed-off-by: Jarno Rajahalme <[email protected]>
Member
Author
|
/test |
squeed approved these changes Dec 9, 2025
viktor-kurchenko approved these changes Dec 9, 2025
Contributor
|
Fuzzers broken? |
joamaki approved these changes Dec 9, 2025
jrajahalme added a commit to jrajahalme/cilium that referenced this pull request Dec 10, 2025

Perform sanity checks on the cached selector selections only after the corresponding snapshot is delivered via commit.

Fixes: cilium#42992
Signed-off-by: Jarno Rajahalme <[email protected]>

Replace versioned.Value with a part.Map as the solution for providing a transactional view on the selector cache for any given SelectorPolicy. Avoid most of the part.Map index update overhead by reusing the same transaction for the policy update. Additions of new selectors to the selector cache are pooled into a single write transaction. Whenever the changes need to be observable via CachedSelector.GetSelections[At](), the updater must call the new SelectorCache.Commit() function.

Some interfaces that called for a version handle were always used with the special latest version handle. StateDB does not have a similar concept, so we have removed the version handle from the following interface functions:

- CachedSelector.GetSelections()
  - GetSelectionsAt() is added for explicit version access
- CachedSelector.Selects()
- DNSProxier.GetRules()

CachedSelector.Selects() and DNSProxier.GetRules() were always called with the static "latest version" handle, and most CachedSelector.GetSelections() calls in test code did the same. Implementations of these now internally get a read transaction on the latest version and access the selectors with that.

The main benefit of this change is the removal of pkg/container/versioned, which had an arcane API. This commit is the minimal change to achieve removal of pkg/container/versioned, with room for improvements like:

- part.Set for storing the selections instead of a read-only slice. This would likely save some on updates, but would cost more on iteration.
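
A simplified model of the commit semantics described above, added here as an illustration and not code from this pull request or from Cilium: selector additions are pooled into one pending write transaction, and a reader computing policy keeps a consistent snapshot that only changes when it asks for the latest one after Commit(). The names Cache, Snapshot, Add and Latest are hypothetical, and a copied Go map stands in for part.Map, which shares structure between versions instead of copying.

```go
package main

import "sync"

type Snapshot map[string][]uint32 // immutable view: selector -> selected identities

// Cache is a hypothetical stand-in for a selector cache, not Cilium's type.
type Cache struct {
	mu                 sync.Mutex
	committed, pending Snapshot // published view; open write transaction or nil
}

// Add pools one change into the open write transaction; readers cannot see it.
func (c *Cache) Add(sel string, ids ...uint32) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.pending == nil { // open the transaction: copy the committed view once
		c.pending = Snapshot{}
		for k, v := range c.committed {
			c.pending[k] = v
		}
	}
	c.pending[sel] = append([]uint32(nil), ids...)
}

// Commit publishes every pooled change at once as the new latest snapshot.
func (c *Cache) Commit() {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.pending != nil {
		c.committed, c.pending = c.pending, nil
	}
}

func (c *Cache) Latest() Snapshot { // handle on the latest committed snapshot
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.committed
}

// GetSelectionsAt reads a selector from an explicit snapshot handle.
func GetSelectionsAt(s Snapshot, sel string) []uint32 { return s[sel] }

func main() {
	c := &Cache{}
	c.Add("app=web", 100, 101) // constructed sample selector and identities
	held := c.Latest()
	c.Commit()
	println(len(held), len(c.Latest()))
}
```

A published snapshot is never written to again, so a handle taken before a later Commit() keeps returning the selections it had when it was obtained.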