You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the new optimized evaluation of allowed connections, a lot of work is done in preprocessing, that is, when building network configs.
This may increase runtime for certain queries, which do not rely on allowed connections (e.g., allCaptured, disjointness).
Moreover, if a network-config is defined but not used, we pay the price for preprocessing its policies.
Suggestions:
Calculate only necessary connections out of { all allowed connections, captured allowed connections, denied connections, pass connections } according to query requirements.
In the NetworkPolicy level, only calculate allowed-connections when needed. That is, initialize the variables storing allowed connections to None, and only when the allowed_connections() function is called for the first time calculate the required HCS.
Possibly, delay parsing a NetworkPolicy to when its allowed connections are actually required.
Store computed allowed-connections at the NetworkConfig level. Use two variables for captured connection and all connections. Populate these variables lazily.
The text was updated successfully, but these errors were encountered:
Comment from @tanyaveksler :
Regarding bullet#2 and bullet#3 above:
their implementation must be consistent with IBM/network-config-analyzer#485:
Initially, during the parsing of network policies, the full domain of peers is set to its default (assuming maximum 10000 number of pods). Later, during queries run, the full domain of peers is updated to all peers in the current config (whose number is necessarily smaller than 10000).
Therefore, if we want to make lazy policy parsing (including calculation of optimized_allow_ingress_props, optimized_deny_ingress_props, etc) and lazy evaluation of policy allowed connections, we should make these lazy calculations while peers domains are set to their default (up to 10000 pods), and then the result of these calculations may be stored and reused by all queries. In order to use these stored connections by some query, we should first reduce them according to that query context (i.e., setting peers domains in DimensionsManager to union of all peers from the configs of the query and running _reduce_active_dimensions for the connections that we need for that query).
In the new optimized evaluation of allowed connections, a lot of work is done in preprocessing, that is, when building network configs.
This may increase runtime for certain queries, which do not rely on allowed connections (e.g.,
allCaptured
,disjointness
).Moreover, if a network-config is defined but not used, we pay the price for preprocessing its policies.
Suggestions:
{ all allowed connections, captured allowed connections, denied connections, pass connections }
according to query requirements.NetworkPolicy
level, only calculate allowed-connections when needed. That is, initialize the variables storing allowed connections toNone
, and only when theallowed_connections()
function is called for the first time calculate the required HCS.NetworkPolicy
to when its allowed connections are actually required.NetworkConfig
level. Use two variables for captured connection and all connections. Populate these variables lazily.The text was updated successfully, but these errors were encountered: