feat(kuma-cp): improve BuildRules algorithm #6973

Merged
merged 11 commits into from
Jun 12, 2023

@lobkovilya lobkovilya commented Jun 8, 2023

While implementing targetRef.Kind: MeshHTTPRoute, I encountered a problem where BuildRules returns excessive results because I'm adding an artificial tag __route_hash__ to the Subset.

But the problem could be noticed even for the given MeshTrafficPermission policy:

type: MeshTrafficPermission
spec:
  targetRef:
    kind: Mesh
  from:
    - targetRef:
        kind: MeshService
        name: frontend
      default:
        action: Allow
    - targetRef:
        kind: MeshServiceSubset
        name: backend
        tags:
          version: v1
      default:
        action: Deny

the algorithm is going to produce 2 excessive rules:

rules:
  - subset:
      kuma.io/service: frontend
      version: v1
    conf:
      action: Allow
  - subset:
      kuma.io/service: frontend
      version: !v1 # not 'v1'
    conf:
      action: Allow

The algorithm splits the frontend service into v1 and not v1, but there is absolutely no reason for that. This happens because the current algorithm assumes that all provided rules could have an intersection. The new algorithm takes this into account. As a result, we're going to produce fewer rules, for example:

type: MeshTrafficPermission
spec:
  targetRef:
    kind: Mesh
  from:
    - targetRef:
        kind: MeshService
        name: frontend_kuma-demo_svc_8080
      default:
        action: Allow
    - targetRef:
        kind: MeshServiceSubset
        name: backend_kuma-demo_svc_3001
        tags:
          team: mesh
          zone: east
          env: dev
      default:
        action: Deny

Old algorithm Inspect API:

image

New algorithm Inspect API:

image

Checklist prior to review

  • Link to relevant issue as well as docs and UI issues --
  • This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry) and it will work on Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
  • Tests (Unit test, E2E tests, manual test on universal and k8s) --
  • Do you need to update UPGRADE.md? --
  • Does it need to be backported according to the backporting policy? --
  • Do you need to explicitly set a > Changelog: entry here or add a ci/ label to run fewer/more tests?
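
One way to see why the frontend split described above is unnecessary, as an added example that is not part of this PR or Kuma's code: two subsets can match the same proxy only if they never require different values for the same tag, so only subsets linked by that relation need to be split against each other. The names `Subset`, `CanIntersect` and `Groups` are hypothetical, and negated tags such as `!v1` are left out of this model.

```go
package main

import "fmt"

// Subset: required tag values (constructed model, not Kuma's own type).
type Subset map[string]string

// CanIntersect is false only when a and b require different values of one tag.
func CanIntersect(a, b Subset) bool {
	for k, v := range a {
		if w, ok := b[k]; ok && w != v {
			return false
		}
	}
	return true
}

// Groups partitions subsets (by index) into connected components of
// CanIntersect; only members of one group need splitting against each other.
func Groups(subsets []Subset) [][]int {
	seen := make([]bool, len(subsets))
	var groups [][]int
	for i := range subsets {
		if seen[i] {
			continue
		}
		seen[i] = true
		var group []int
		for queue := []int{i}; len(queue) > 0; queue = queue[1:] {
			cur := queue[0]
			group = append(group, cur)
			for j := range subsets {
				if !seen[j] && CanIntersect(subsets[cur], subsets[j]) {
					seen[j] = true
					queue = append(queue, j)
				}
			}
		}
		groups = append(groups, group)
	}
	return groups
}

func main() {
	from := []Subset{ // constructed from the first policy's two `from` entries
		{"kuma.io/service": "frontend"},
		{"kuma.io/service": "backend", "version": "v1"},
	}
	fmt.Println(Groups(from)) // [[0] [1]]
}
```

The frontend and backend entries land in separate groups because they disagree on `kuma.io/service`, so the `version` tag never needs to be applied to frontend.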

@lobkovilya lobkovilya marked this pull request as ready for review June 8, 2023 16:58
@lobkovilya lobkovilya requested review from a team, jakubdyszkiewicz and lukidzi and removed request for a team June 8, 2023 16:58
@lobkovilya lobkovilya merged commit b86b745 into kumahq:master Jun 12, 2023
@lobkovilya lobkovilya deleted the feat/improve-rules-algo branch June 12, 2023 11:18