
Delta npds#1836

Draft
jrajahalme wants to merge 14 commits into main from delta-npds

Conversation

@jrajahalme
Member

No description provided.

@jrajahalme jrajahalme requested a review from a team as a code owner April 6, 2026 18:42
@jrajahalme jrajahalme added the preview-only Preview only label Apr 6, 2026
@jrajahalme jrajahalme requested a review from sayboras April 6, 2026 18:42
@jrajahalme jrajahalme marked this pull request as draft April 6, 2026 18:42
@jrajahalme jrajahalme requested review from fristonio and nezdolik and removed request for sayboras April 6, 2026 18:42
Comment thread cilium/api/bpf_metadata.proto Outdated
@jrajahalme jrajahalme force-pushed the delta-npds branch 2 times, most recently from 2a2e1ff to 030c9e4 April 16, 2026 15:25
Signed-off-by: Jarno Rajahalme <[email protected]>
Keep the new map in the stack so that it is not leaked on exception.
Move-construct to the heap when exchanging for the old map.

Signed-off-by: Jarno Rajahalme <[email protected]>
Refactor policy code in preparation for delta NPDS changes in later
commits:

- Remove unnecessary PortPolicy.map_ member.
- Move NetworkPolicyMapImpl to cilium/network_policy.cc to hide
  implementation detail.
- Add helpers for policy updates to be shared with the delta code later.
- Pass Context to secret watcher functions instead of the full
  NetworkPolicyMap.
- Simplify gRPC subscribe() parameters.

Signed-off-by: Jarno Rajahalme <[email protected]>
Leave enough space after the pass verdict for all the passed rules to fit
in before the following rules on the same tier. This is the requirement
of the current API for correct behavior.

Signed-off-by: Jarno Rajahalme <[email protected]>
Handle pass rules during enforcement by skipping past the passed-over
rules when a rule with a pass verdict matches. This is more
straightforward and gets rid of precedence promotion altogether, which
is made possible by the duplication of wildcard-port rules into the
port-specific rulesets, as after that change there is no need to compare
precedences between multiple lookups. Since there is no transformation on
the rules, the applied rules have the same shape as the imported policy,
which makes debugging easier. The implementation skips over the
passed-over rules without scanning all of them so the performance should
be similar to the previous implementation.

Signed-off-by: Jarno Rajahalme <[email protected]>
Add new cilium/versioned.h generic container for transactional selector updates.

Add a new NetworkPolicyResourceDiscoveryService that implements delta
updates for policies and selectors, and where policies refer to selectors
by their resource name.

NPRDS adds a top-level oneof wrapper that wraps either a Selector or a
NetworkPolicy. NetworkPolicy definition is shared with NPDS, but
PortNetworkPolicyRule adds a new selectors field that is only used with
NPRDS.

Signed-off-by: Jarno Rajahalme <[email protected]>
Store the latest desired NPDS mode in the policy map and use it for:
- initial policy map subscription
- re-subscription when connection under current subscription is terminated
- a healthy network policy stream is not disrupted

This should work for Cilium Agent upgrades and downgrades, as the agent
expresses the desired mode, and listens for both.

Signed-off-by: Jarno Rajahalme <[email protected]>
Clear the resource map on a first update on a new stream. This fixes NACK
cases where further updates on the stream would have IP collisions with
resources that were kept from the previous stream.

Signed-off-by: Jarno Rajahalme <[email protected]>
Do not use the default decoder as NPRDS does not carry a name inside the
NetworkPolicyResource type.

Signed-off-by: Jarno Rajahalme <[email protected]>
Stream generation accounting has to be shared between NPDS and NPRDS
streams, so that the handoff works as designed, but no other xDS
protocols (e.g., NPHDS) should interfere with the stream generation
accounting. Solve this by defining the stream generation number as a
static member of NetworkPolicyMapImpl and updating it from the already
established transport connected/closed callbacks.

Adjust tests to work with the new shape where the generation numbers do
not start from 1 for each NetworkPolicyMapImpl instance, but increase
monotonically for each established NPDS/NPRDS stream.

Signed-off-by: Jarno Rajahalme <[email protected]>
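The two commits above (clearing the resource map on the first update of a new stream, and a single stream-generation counter shared by NPDS and NPRDS) can be modelled with a small C++ sketch. This is an added illustration, not code from cilium/proxy; the class, method names and the IP-to-policy-name map are assumptions made here to show why a kept-over resource from the previous stream would otherwise NACK the re-sent policy.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Hypothetical model, not the cilium/proxy code: one generation counter shared by the
// NPDS and NPRDS streams, bumped from the transport-connected callback, and a resource
// map (endpoint IP -> policy name) that is cleared on the first update of a new stream.
class PolicyMapModel {
 public:
  // Shared by every instance, like the static member the commit describes.
  static uint64_t stream_generation;

  // Called from the transport callbacks of NPDS/NPRDS streams only; other xDS
  // protocols (e.g. NPHDS) must not touch the counter.
  static uint64_t onTransportConnected() { return ++stream_generation; }

  // Apply one policy update received on stream `generation`. Returns false (NACK)
  // when an IP is already owned by a different policy in the live map.
  bool onUpdate(uint64_t generation, const std::string& name,
                const std::vector<std::string>& ips) {
    if (generation != applied_generation_) {
      owner_by_ip_.clear();  // first update on a new stream drops old-stream resources
      applied_generation_ = generation;
    }
    for (const auto& ip : ips) {
      auto it = owner_by_ip_.find(ip);
      if (it != owner_by_ip_.end() && it->second != name) return false;
    }
    for (const auto& ip : ips) owner_by_ip_[ip] = name;
    return true;
  }
  std::size_t size() const { return owner_by_ip_.size(); }

 private:
  uint64_t applied_generation_ = 0;
  std::map<std::string, std::string> owner_by_ip_;
};
uint64_t PolicyMapModel::stream_generation = 0;

// Scenario from the commit: a policy kept from the previous stream owns the IP, so the
// agent's re-sent policy on the new stream would NACK unless the map was cleared first.
bool reconnectDoesNotNack() {
  PolicyMapModel map;
  bool ok1 = map.onUpdate(PolicyMapModel::onTransportConnected(), "pod-a", {"10.0.0.1"});
  bool ok2 = map.onUpdate(PolicyMapModel::onTransportConnected(), "pod-b", {"10.0.0.1"});
  return ok1 && ok2 && map.size() == 1;
}
```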
Use NetworkPolicyResource and NetworkPolicy consistently for the two
typeURLs to make grepping logs more meaningful.

Signed-off-by: Jarno Rajahalme <[email protected]>
Switch to delta mode more eagerly when we have evidence that the agent is
capable, but switch to SotW mode only when xDS stream transport has
failed to connect or closes.

Signed-off-by: Jarno Rajahalme <[email protected]>
