-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add documentation for except support in ipBlock #6677
Conversation
328118e
to
2be8a10
Compare
2be8a10
to
59ae490
Compare
/skip-all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did we want to include a note about the possible impact of having too many rules with too many excepts? I know this can lead to a rule explosion, but I am not sure it matters too much as there is no constraining cap on the number of flows with the same priority? I don't think there is a significant impact on datapath performance. More flows would increase memory usage.
docs/antrea-network-policy.md
Outdated
ephemeral and unpredictable. | ||
|
||
Starting with Antrea v2.2, Antrea-native policies now support an `except` field under | ||
ipBlock, which can be used to carve out specific CIDRs in the base IP range: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ipBlock -> ipBlock
I don't think you applied Jiajun's suggestion BTW?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did, just forgot to paste it to the other place...
Added a short note, let me know if it is good from your perspective |
59ae490
to
1727c1a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
docs/antrea-network-policy.md
Outdated
evaluations for lower priority rules. A large number of policy rules with `except` ipBlocks | ||
can also have negative impacts on Antrea memory usage. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's fine by me. @tnqn do you know if a high number of flows can also impact latency / throughput. I imagine that it is possible with a large number of diverse connections.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to my understanding on how the flow classfication runs, the cost is relative to the number of different mask lengths, instead of the number of flows. For example, in the worst case, there could be 31 mask lengths and OVS may have to calculate the masked IP 31 times to see if it matches flows in this table. Even a single policy rule can cause this if well-designed. On the other hand, if a large number of policy rules have the same mask length for their except ipBlocks, they shouldn't really cause much negative impacts. So the cost is kind of consistent regardless of the number of flows.
For the memory usage, I feel it may be not worth emphasizing its memory impact. An IPBlock with an except
ipBlock can result in 31 IPNets in the worst case, but a podSelector can result in tens or hundreds of IPs either.
And the implementation of except
in Antrea policy is not different from it in K8s policy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An IPBlock with an except ipBlock can result in 31 IPNets in the worst case
technically, I can have multiple except cidrs and generate many more IPNets than that
but yes, I agree with the overall statement
docs/antrea-network-policy.md
Outdated
evaluations for lower priority rules. A large number of policy rules with `except` ipBlocks | ||
can also have negative impacts on Antrea memory usage. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to my understanding on how the flow classfication runs, the cost is relative to the number of different mask lengths, instead of the number of flows. For example, in the worst case, there could be 31 mask lengths and OVS may have to calculate the masked IP 31 times to see if it matches flows in this table. Even a single policy rule can cause this if well-designed. On the other hand, if a large number of policy rules have the same mask length for their except ipBlocks, they shouldn't really cause much negative impacts. So the cost is kind of consistent regardless of the number of flows.
For the memory usage, I feel it may be not worth emphasizing its memory impact. An IPBlock with an except
ipBlock can result in 31 IPNets in the worst case, but a podSelector can result in tens or hundreds of IPs either.
And the implementation of except
in Antrea policy is not different from it in K8s policy.
Signed-off-by: Dyanngg <dingyang@vmware.com>
1727c1a
to
649d6d8
Compare
/skip-all |
Documentation for #6658