Fix NetworkPolicy span calculation #5554
Conversation
tnqn
added
area/network-policy
|
/test-all |
tnqn
force-pushed
the
fix-networkpolicy-span
branch
from
7e35bc9
to
3940df1
Compare
|
@tnqn you marked this as as draft, so you no longer need an immediate review? |
Yes, I'm considering another fix, I will mark it as ready after I finalize the solution. |
tnqn
force-pushed
the
fix-networkpolicy-span
branch
2 times, most recently
from
138860d
to
cabc71d
Compare
|
/test-all |
|
@antoninbas it's ready for review now. |
|
|
||
| import "sync" | ||
|
|
||
| // subscriber notifies multiple subscribers about any events that happen to the object they have subscribed. |
| import "sync" | ||
|
|
||
| // subscriber notifies multiple subscribers about any events that happen to the object they have subscribed. | ||
| type subscriber struct { |
There was a problem hiding this comment.
Should we call it something like subscriptionService?
There was a problem hiding this comment.
I feel it's more common in Go to name objects with an -er suffix, but I understand subscriber is somewhat confusing. I have renamed it to notifier, it should make sense to subscribe to a notifier and send a message via a notifier, what do you think?
|
Change LGTM. I'm assuming by the definition of the issue that this only happens for new internalNPs? For internalNPs update events this won't happen as they are already in store |
I considered adding a flag but think it is more complicated and risky than decoupling notification mechanism from the storage:
|
A NetworkPolicy's span is calculated in internalNetworkPolicyWorker, based on the span of the AppliedToGroups it refers to, while the span of AppliedToGroup is calculated in appliedToGroupWorker which runs in parallel with internalNetworkPolicyWorker. It could happen that the calcuated span is out of date if AppliedToGroups' span is updated after internalNetworkPolicyWorker calculates a NetworkPolicy's span, and the NetworkPolicy wouldn't be enqueued for another sync if it's not committed to the storage yet. On the other hand, if we commit the NetworkPolicy to the storage before calculating the NetworkPolicy's span, it would have to use a stale span first and might need to update the NetworkPolicy twice and generate two update events in one sync. To fix the issue without generating extra events, we introduce a separate subscription mechanism that allows subscribing to update of AppliedToGroup for NetworkPolicy. With the subscription, we can still calculate the NetworkPolicy's span first, then commit it to the storage. If any of the subscribed AppliedToGroups are updated, the NetworkPolicy will be notified and resynced. Signed-off-by: Quan Tian <[email protected]>
It could also happen if a NP is updated to use a new AppliedToGroup. |
tnqn
force-pushed
the
fix-networkpolicy-span
branch
from
cabc71d
to
f0b30b4
Compare
|
Your points make sense. @tnqn |
|
/test-all |
A NetworkPolicy's span is calculated in internalNetworkPolicyWorker, based on the span of the AppliedToGroups it refers to, while the span of AppliedToGroup is calculated in appliedToGroupWorker which runs in parallel with internalNetworkPolicyWorker. It could happen that the calcuated span is out of date if AppliedToGroups' span is updated after internalNetworkPolicyWorker calculates a NetworkPolicy's span, and the NetworkPolicy wouldn't be enqueued for another sync if it's not committed to the storage yet.
On the other hand, if we commit the NetworkPolicy to the storage before calculating the NetworkPolicy's span, it would have to use a stale span first and might need to update the NetworkPolicy twice and generate two update events in one sync.
To fix the issue without generating extra events, we introduce a separate subscription mechanism that allows subscribing to update of AppliedToGroup for NetworkPolicy. With the subscription, we can still calculate the NetworkPolicy's span first, then commit it to the storage. If any of the subscribed AppliedToGroups are updated, the NetworkPolicy will be notified and resynced.
Fixes #5553