
perf(rules): add withNegation flag to simplify to policy flow (backport of #13151) #13195

Merged
merged 3 commits into release-2.8 from chore/backport-release-2.8-13151 on Mar 26, 2025

Conversation

kumahq[bot] (Contributor) commented Mar 25, 2025

Automatic cherry-pick of #13151 for branch release-2.8

Generated by action

cherry-picked commit c3781d4

⚠️ ⚠️ ⚠️ Conflicts happened when cherry-picking! ⚠️ ⚠️ ⚠️

On branch release-2.8
Your branch is up to date with 'origin/release-2.8'.

You are currently cherry-picking commit c3781d4fe.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   pkg/api-server/testdata/resources/inspect/dataplanes/_rules/overriding_meshtimeout.golden.json
	modified:   pkg/plugins/policies/core/matchers/egress.go
	modified:   pkg/plugins/policies/core/matchers/testdata/matchedpolicies/torules/03.policies.yaml
	modified:   pkg/plugins/policies/core/rules/testdata/rules/to/meshtimeout.golden.yaml
	modified:   pkg/plugins/policies/core/rules/testdata/rules/to/single-to.golden.yaml

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	both modified:   pkg/api-server/testdata/resources/inspect/dataplanes/_rules/meshhttproute.golden.json
	deleted by us:   pkg/api-server/testdata/resources/inspect/dataplanes/_rules/resource_rule_meshtimeout_index.golden.json
	both modified:   pkg/plugins/policies/core/matchers/testdata/matchedpolicies/torules/03.golden.yaml
	both modified:   pkg/plugins/policies/core/rules/rules.go
	deleted by us:   pkg/plugins/policies/core/rules/subsetutils/subset.go

…3151)

> [!NOTE]
> This is not a problem when using `meshServices.mode: Exclusive` with
> policies in a new style

When a user has multiple `to` policies for a single top-level target
reference and a default to Mesh target, CPU usage spikes due to the
expensive matching process.
![Screenshot 2025-03-20 at 18 43 36](https://github.com/user-attachments/assets/259af8fb-357f-4cfe-ae54-257ce0cd36d9)

After analyzing the issue with @lobkovilya, we discovered that for `to`
policies, our logic checks every permutation of tags. However, this is
unnecessary because the only possible tags for `to` policies are
`kuma.io/service`, or no tags at all when the target is `Mesh`.

The only exception is `MeshHTTPRoute`, where we generate the
`__rule-matches-hash__` tag, which points to a hash of the matcher.
Since we don’t need to evaluate all permutations, we decided to iterate
through the subsets and match them directly with the policies. To
optimize further, we first deduplicate entries to avoid redundant
computations.

After implementing these changes, I deployed the update and ran a
performance profile, which showed significant improvements.

![image](https://github.com/user-attachments/assets/db30fc2e-aafe-4e16-a8ef-df8a9401bd25)

fix: #13149

---------

Signed-off-by: Ilya Lobkov <[email protected]>
Signed-off-by: Lukasz Dziedziak <[email protected]>
Co-authored-by: Ilya Lobkov <[email protected]>
Signed-off-by: Lukasz Dziedziak <[email protected]>
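To make the reasoning in the description concrete, here is an added Go example; it is not Kuma's own code and is a deliberately simplified model of its `to`-policy matching, written for this page. `MatchExhaustive` models the earlier flow: it enumerates every combination of the distinct tags seen across the subsets (2^n of them) and evaluates the policies for each. `MatchDirect` models the new flow: it deduplicates the real subsets first and then evaluates the policies against each one directly. The `Tag`, `Subset`, `Policy`, `Matches` and `Dedup` names, and the sample subsets and policies, are all constructed for this example; only the `kuma.io/service` and `__rule-matches-hash__` tag keys come from the PR description.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Tag is one key/value pair on a destination subset, e.g. kuma.io/service=backend.
type Tag struct{ Key, Value string }

// Subset is the set of tags describing one destination of a "to" policy.
// An empty Subset stands for the Mesh-wide default (hypothetical model, not Kuma's type).
type Subset []Tag

// Policy is a hypothetical, simplified "to" policy: Service == "" targets the whole Mesh,
// otherwise it targets the named kuma.io/service.
type Policy struct{ Name, Service string }

// Result maps a canonical subset key to the ordered policy names that apply to it.
type Result map[string][]string

// key renders the subset canonically (tags sorted) so duplicates compare equal.
func (s Subset) key() string {
	parts := make([]string, len(s))
	for i, t := range s {
		parts[i] = t.Key + "=" + t.Value
	}
	sort.Strings(parts)
	return strings.Join(parts, ",")
}

// Matches reports whether p applies to s: a Mesh policy applies everywhere, a service
// policy only where the subset carries that exact kuma.io/service tag.
func Matches(p Policy, s Subset) bool {
	if p.Service == "" {
		return true
	}
	for _, t := range s {
		if t.Key == "kuma.io/service" && t.Value == p.Service {
			return true
		}
	}
	return false
}

// Dedup drops subsets describing the same destination, keeping first-seen order.
func Dedup(subsets []Subset) []Subset {
	seen, out := map[string]bool{}, []Subset{}
	for _, s := range subsets {
		if k := s.key(); !seen[k] {
			seen[k] = true
			out = append(out, s)
		}
	}
	return out
}

// evaluate runs every policy against one subset and counts the evaluations performed.
func evaluate(s Subset, policies []Policy, evals *int) []string {
	var matched []string
	for _, p := range policies {
		*evals++
		if Matches(p, s) {
			matched = append(matched, p.Name)
		}
	}
	return matched
}

// MatchDirect is the optimised flow: deduplicate, then evaluate the policies once per
// real subset. It also returns the number of policy evaluations performed.
func MatchDirect(subsets []Subset, policies []Policy) (Result, int) {
	res, evals := Result{}, 0
	for _, s := range Dedup(subsets) {
		res[s.key()] = evaluate(s, policies, &evals)
	}
	return res, evals
}

// MatchExhaustive models the previous flow: enumerate every combination of the distinct
// tags (2^n) and evaluate the policies for each, including combinations no real subset
// has; the answers are then projected back onto the real subsets.
func MatchExhaustive(subsets []Subset, policies []Policy) (Result, int) {
	seen, tags := map[string]bool{}, []Tag{}
	for _, s := range subsets {
		for _, t := range s {
			if k := t.Key + "=" + t.Value; !seen[k] {
				seen[k] = true
				tags = append(tags, t)
			}
		}
	}
	all, evals := Result{}, 0
	for mask := 0; mask < 1<<len(tags); mask++ {
		var combo Subset
		for i, t := range tags {
			if mask&(1<<i) != 0 {
				combo = append(combo, t)
			}
		}
		all[combo.key()] = evaluate(combo, policies, &evals)
	}
	res := Result{}
	for _, s := range subsets {
		res[s.key()] = all[s.key()]
	}
	return res, evals
}

// SampleSubsets is constructed input: a duplicated backend subset, a MeshHTTPRoute-style
// subset carrying the __rule-matches-hash__ tag, and the Mesh-wide default.
func SampleSubsets() []Subset {
	return []Subset{
		{{"kuma.io/service", "backend"}},
		{{"kuma.io/service", "backend"}},
		{{"kuma.io/service", "db"}, {"__rule-matches-hash__", "h1"}},
		{},
	}
}

// SamplePolicies is constructed input: one Mesh-wide default and two service-specific policies.
func SamplePolicies() []Policy {
	return []Policy{{"mesh-default", ""}, {"backend-timeout", "backend"}, {"db-timeout", "db"}}
}

func main() {
	_, e := MatchExhaustive(SampleSubsets(), SamplePolicies())
	r, d := MatchDirect(SampleSubsets(), SamplePolicies())
	fmt.Printf("exhaustive evaluations: %d, direct evaluations: %d\n", e, d)
	for k, names := range r {
		fmt.Printf("%q -> %v\n", k, names)
	}
}
```

On this constructed input both flows produce the same per-subset result, but the exhaustive flow performs 24 policy evaluations (8 tag combinations, 5 of which correspond to no real subset) against 9 for the direct flow; with real deployments carrying many services the gap grows exponentially, which is the CPU spike the description reports.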
@lukidzi lukidzi removed the conflict label Mar 25, 2025
Signed-off-by: Lukasz Dziedziak <[email protected]>
@lukidzi lukidzi marked this pull request as ready for review March 25, 2025 13:42
@lukidzi lukidzi requested a review from a team as a code owner March 25, 2025 13:42
@bartsmykla bartsmykla merged commit 6ebd99d into release-2.8 Mar 26, 2025
15 checks passed
@bartsmykla bartsmykla deleted the chore/backport-release-2.8-13151 branch March 26, 2025 05:37