Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lazy evaluation of policies' allowed connections #496

Closed
1 of 4 tasks
zivnevo opened this issue May 1, 2023 · 2 comments
Closed
1 of 4 tasks

Lazy evaluation of policies' allowed connections #496

zivnevo opened this issue May 1, 2023 · 2 comments
Assignees
@tanyaveksler
Labels
parsers Anything related to processing inputs

Comments

@zivnevo
Copy link
Member

zivnevo commented May 1, 2023
edited by tanyaveksler
Loading

In the new optimized evaluation of allowed connections, a lot of work is done in preprocessing, that is, when building network configs.
This may increase runtime for certain queries, which do not rely on allowed connections (e.g., allCaptured, disjointness).
Moreover, if a network-config is defined but not used, we pay the price for preprocessing its policies.

Suggestions:

  • Calculate only necessary connections out of { all allowed connections, captured allowed connections, denied connections, pass connections } according to query requirements.
  • In the NetworkPolicy level, only calculate allowed-connections when needed. That is, initialize the variables storing allowed connections to None, and only when the allowed_connections() function is called for the first time calculate the required HCS.
  • Possibly, delay parsing a NetworkPolicy to when its allowed connections are actually required.
  • Store computed allowed-connections at the NetworkConfig level. Use two variables for captured connection and all connections. Populate these variables lazily.
@zivnevo zivnevo added the parsers Anything related to processing inputs label May 1, 2023
@zivnevo zivnevo mentioned this issue May 1, 2023
Closed
@tanyaveksler
Copy link
Member

tanyaveksler commented May 16, 2023
edited
Loading

Regarding bullet#2 and bullet#3 above (#496):
their implementation must be consistent with #485:
Initially, during the parsing of network policies, the full domain of peers is set to its default (assuming maximum 10000 number of pods). Later, during queries run, the full domain of peers is updated to all peers in the current config (whose number is necessarily smaller than 10000).
Therefore, if we want to make lazy policy parsing (including calculation of optimized_allow_ingress_props, optimized_deny_ingress_props, etc) and lazy evaluation of policy allowed connections, we should make these lazy calculations while peers domains are set to their default (up to 10000 pods), and then the result of these calculations may be stored and reused by all queries. In order to use these stored connections by some query, we should first reduce them according to that query context (i.e., setting peers domains in DimensionsManager to union of all peers from the configs of the query and running _reduce_active_dimensions for the connections that we need for that query).

@adisos adisos mentioned this issue Jan 14, 2024
Closed
10 tasks
@zivnevo
Copy link
Member Author

zivnevo commented Aug 14, 2024

Moved to NP-Guard repo. See here

@zivnevo zivnevo closed this as not planned Won't fix, can't repro, duplicate, stale Aug 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tanyaveksler tanyaveksler

Labels
parsers Anything related to processing inputs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tanyaveksler @zivnevo