perf: [NPM] [LINUX] add NetPols in background (#1969)

* wip: apply dirty NetPols every 500ms in Linux

* only build npm linux image

* fix: check for empty cache

* feat: toggle for netpol interval. default 500 ms

* ci: remove stages "build binaries" and "run windows tests"

* wip: max batched netpols (toggle-specified)

* ci: remove manifest build/push for win npm

* wip: handle ipset deletion properly and max batch for delete too

* fix: correct remove policy

* fix: only remove policy if it was in kernel

* finalize toggles, allowing ability to turn off iptablesInBackground

* ci: conf + cyc use PR's configmaps

* fix: lints

* fix dp toggle: iptablesInBackground

* fix lock typo and config logging

* fix background thread. add comments. only add tmp ref when enabled

* copy pod selector list

* fix: removepolicy needs namespace too

* rename opInfo to event

* fix: fix references and prevent concurrent map read/write

* tmp: debug logging

* fix: missing set references by swap keys and values

* Revert "tmp: debug logging"

This reverts commit 70ed34c.

* fix: add podSelectorList to fake NetPol

* log: do not print error when failing to delete non-existent nft rule

* log: verbose iptables bootup

* log: use fmt.Errorf for clean logging

* log: never return error for iptables in background and fix some lints

* fix: activate/deactivate azure chain rules

* fix: correctly decrement netpols in kernel

* ci: run UTs again

* ci: update profiles. default to placefirst=false

* address comment: rename batch to pendingPolicy

* refactor: make dirty cache  OS-specific

* test: UTs

* test: put UT cfg back to placefirst to not break things

* ci: update cyclonus workflows

* fmt: address comment & lint

* fmt: rename numInKernel to policiesInKernel

* log: switch to fmt.Errorf

* fmt: whitespace

* feat: resiliency to errors while reconciling dirty netpols

* log: temporarily print everything for ipset restore

* fix: remove nomatch from ipset -D for cidr blocks

* test: UTs for non-happy path

* test: fix hns fake

* fix: don't change windows. let it delete ipsets when removing policies

* fix windows lint

* fix: ignore chain doesn't exist errors for iptables -D

* feat: latency and failure metrics

* test: update exit code for UT

* metrics: new metrics should go in node-metrics path

* style: simplify nesting

* style: move identical windows & linux code to shared file

* ci: remove v1 conformance and cyclonus

* feat: add NetPols in background from the DP (revert background code in pMgr)

* style: remove "background" from iptables metrics

* revert changes in ipsetmanager, const.go, and dp.Remove/UpdatePolicy

* style: whitespace

* perf: use len() instead of creating slice from map

* remove verbosity for iptables bootup

* build: add return statement

* style: whitespace

* build: fix variable shadowing

* build: fix more import shadowing

* build: windows pointer issue and UT issue

* test: fix UT for iptables error code 2

* ci: enable linux scale test

* ci: revert to master pipeline.yaml

* revert changes to chain-management. do changes in PR #2012

* log: change wording

* test: UTs for netpol in background

* log: wording

* feat: apply ipsets for each netpol individually

* config: rearrange ConfigMap & update capz yaml

* fix: windows bootup phase logic for addpolicy

* feat: restrict netpol in background to linux + nftables

* test: skip nftables check for UT

* style: netpols[0] instead of loop

* log: address log comments

* style: lint for long line

---------

Co-authored-by: Vamsi Kalapala <[email protected]>

Author: huntergregory

.github/workflows/cyclonus-netpol-extended-nightly-test.yaml

@@ -15,11 +15,10 @@ jobs:
         # run cyclonus tests in parallel for NPM with the given ConfigMaps
         profile:
           [
-            v1-default.yaml,
-            v1-place-azure-chain-first.yaml,
-            v2-default.yaml,
             v2-apply-on-need.yaml,
-            v2-place-azure-after-kube-services.yaml,
+            v2-background.yaml,
+            v2-foreground.yaml,
+            v2-place-first.yaml,
           ]
     steps:
       - name: Checkout

.github/workflows/cyclonus-netpol-test.yaml

@@ -20,7 +20,13 @@ jobs:
     strategy:
       matrix:
         # run cyclonus tests in parallel for NPM with the given ConfigMaps
-        profile: [v1-default.yaml, v1-place-azure-chain-first.yaml, v2-default.yaml, v2-apply-on-need.yaml, v2-place-azure-after-kube-services.yaml]
+        profile:
+          [
+            v2-apply-on-need.yaml,
+            v2-background.yaml,
+            v2-foreground.yaml,
+            v2-place-first.yaml,
+          ]
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.pipelines/npm/npm-conformance-tests.yaml

@@ -90,21 +90,21 @@ jobs:
     displayName: "Run Kubernetes Network Policy Test Suite"
     strategy:
       matrix:
-        v1-default:
-          AZURE_CLUSTER: "conformance-v1-default"
-          PROFILE: "v1-default"
+        v2-foreground:
+          AZURE_CLUSTER: "conformance-v2-foreground"
+          PROFILE: "v2-foreground"
           IS_STRESS_TEST: "false"
-        v2-default:
-          AZURE_CLUSTER: "conformance-v2-default"
-          PROFILE: "v2-default"
+        v2-background:
+          AZURE_CLUSTER: "conformance-v2-background"
+          PROFILE: "v2-background"
           IS_STRESS_TEST: "false"
-        v2-default-ws22:
-          AZURE_CLUSTER: "conformance-v2-default-ws22"
+        v2-ws22:
+          AZURE_CLUSTER: "conformance-v2-ws22"
           PROFILE: "v2-default-ws22"
           IS_STRESS_TEST: "false"
-        v2-default-stress:
-          AZURE_CLUSTER: "conformance-v2-default-stress"
-          PROFILE: "v2-default"
+        v2-linux-stress:
+          AZURE_CLUSTER: "conformance-v2-linux-stress"
+          PROFILE: "v2-background"
           IS_STRESS_TEST: "true"
     pool:
       name: $(BUILD_POOL_NAME_DEFAULT)
@@ -117,7 +117,7 @@ jobs:
       TAG: $[ dependencies.setup.outputs['EnvironmentalVariables.TAG'] ]
       FQDN: empty
     steps:
-      - checkout: none
+      - checkout: self
       - download: current
         artifact: Test
 
@@ -200,7 +200,7 @@ jobs:
               fi
 
               az aks get-credentials -n $(AZURE_CLUSTER) -g $(RESOURCE_GROUP) --file ./kubeconfig
-              ./kubectl --kubeconfig=./kubeconfig apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/examples/windows/azure-npm.yaml
+              ./kubectl --kubeconfig=./kubeconfig apply -f $(Pipeline.Workspace)/s/npm/examples/windows/azure-npm.yaml
               ./kubectl --kubeconfig=./kubeconfig set image daemonset/azure-npm-win -n kube-system azure-npm=$IMAGE_REGISTRY/azure-npm:windows-amd64-ltsc2022-$(TAG)
 
             else
@@ -219,13 +219,13 @@ jobs:
               az aks get-credentials -n $(AZURE_CLUSTER) -g $(RESOURCE_GROUP) --file ./kubeconfig
 
               # deploy azure-npm
-              ./kubectl --kubeconfig=./kubeconfig apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/azure-npm.yaml
+              ./kubectl --kubeconfig=./kubeconfig apply -f $(Pipeline.Workspace)/s/npm/azure-npm.yaml
 
               # swap azure-npm image with one built during run
               ./kubectl --kubeconfig=./kubeconfig set image daemonset/azure-npm -n kube-system azure-npm=$IMAGE_REGISTRY/azure-npm:linux-amd64-$(TAG)
 
               # swap NPM profile with one specified as parameter
-              ./kubectl --kubeconfig=./kubeconfig apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/profiles/$(PROFILE).yaml
+              ./kubectl --kubeconfig=./kubeconfig apply -f $(Pipeline.Workspace)/s/npm/profiles/$(PROFILE).yaml
               ./kubectl --kubeconfig=./kubeconfig rollout restart ds azure-npm -n kube-system
             fi
 
@@ -437,7 +437,7 @@ jobs:
             chmod +x kubectl
 
             # deploy azure-npm
-            ./kubectl --kubeconfig=./kubeconfig apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/examples/windows/azure-npm.yaml
+            ./kubectl --kubeconfig=./kubeconfig apply -f $(Pipeline.Workspace)/s/npm/examples/windows/azure-npm.yaml
 
             # swap azure-npm image with one built during run
             ./kubectl --kubeconfig=./kubeconfig set image daemonset/azure-npm-win -n kube-system azure-npm=$IMAGE_REGISTRY/azure-npm:windows-amd64-ltsc2022-$(TAG)

.pipelines/npm/npm-scale-test.yaml

@@ -78,10 +78,10 @@ jobs:
       FQDN: empty
     strategy:
       matrix:
-        # v2-linux:
-        #   PROFILE: "sc-lin"
-        #   NUM_NETPOLS: 800
-        #   INITIAL_CONNECTIVITY_TIMEOUT: 60
+        v2-linux:
+          PROFILE: "sc-lin"
+          NUM_NETPOLS: 800
+          INITIAL_CONNECTIVITY_TIMEOUT: 60
         ws22:
           PROFILE: "sc-ws22"
           NUM_NETPOLS: 50

network/hnswrapper/hnsv2wrapperfake.go

@@ -150,10 +150,12 @@ func (f Hnsv2wrapperFake) ModifyNetworkSettings(network *hcn.HostComputeNetwork,
 			if setpol.PolicyType != hcn.SetPolicyTypeIpSet && setpol.Values != "" {
 				// Check Nested SetPolicy members
 				members := strings.Split(setpol.Values, ",")
-				for _, memberID := range members {
-					_, ok := networkCache.Policies[memberID]
-					if !ok {
-						return newErrorFakeHNS(fmt.Sprintf("Member Policy %s not found for hcn.RequestTypeUpdate", memberID))
+				if setpol.Values != "" {
+					for _, memberID := range members {
+						_, ok := networkCache.Policies[memberID]
+						if !ok {
+							return newErrorFakeHNS(fmt.Sprintf("Member Policy %s not found for hcn.RequestTypeUpdate", memberID))
+						}
 					}
 				}
 			}

npm/azure-npm.yaml

@@ -148,19 +148,22 @@ metadata:
 data:
   azure-npm.json: |
     {
-        "ResyncPeriodInMinutes":       15,
-        "ListeningPort":               10091,
-        "ListeningAddress":            "0.0.0.0",
-        "ApplyMaxBatches":             100,
-        "ApplyIntervalInMilliseconds": 500,
-        "MaxBatchedACLsPerPod":        30,
+        "ResyncPeriodInMinutes":          15,
+        "ListeningPort":                  10091,
+        "ListeningAddress":               "0.0.0.0",
+        "ApplyIntervalInMilliseconds":    500,
+        "ApplyMaxBatches":                100,
+        "MaxBatchedACLsPerPod":           30,
+        "NetPolInvervalInMilliseconds":   500,
+        "MaxPendingNetPols":              100,
         "Toggles": {
             "EnablePrometheusMetrics": true,
             "EnablePprof":             true,
             "EnableHTTPDebugAPI":      true,
             "EnableV2NPM":             true,
-            "PlaceAzureChainFirst":    true,
+            "PlaceAzureChainFirst":    false,
             "ApplyIPSetsOnNeed":       false,
-            "ApplyInBackground":       true
+            "ApplyInBackground":       true,
+            "NetPolInBackground":      true
         }
     }

npm/cmd/start.go

@@ -125,6 +125,19 @@ func start(config npmconfig.Config, flags npmconfig.Flags) error {
 		// update the dataplane config
 		npmV2DataplaneCfg.MaxBatchedACLsPerPod = config.MaxBatchedACLsPerPod
 
+		npmV2DataplaneCfg.NetPolInBackground = config.Toggles.NetPolInBackground
+		if config.NetPolInvervalInMilliseconds > 0 {
+			npmV2DataplaneCfg.NetPolInterval = time.Duration(config.NetPolInvervalInMilliseconds * int(time.Millisecond))
+		} else {
+			npmV2DataplaneCfg.NetPolInterval = time.Duration(npmconfig.DefaultConfig.NetPolInvervalInMilliseconds * int(time.Millisecond))
+		}
+
+		if config.MaxPendingNetPols > 0 {
+			npmV2DataplaneCfg.MaxPendingNetPols = config.MaxPendingNetPols
+		} else {
+			npmV2DataplaneCfg.MaxPendingNetPols = npmconfig.DefaultConfig.MaxPendingNetPols
+		}
+
 		npmV2DataplaneCfg.ApplyInBackground = config.Toggles.ApplyInBackground
 		if config.ApplyMaxBatches > 0 {
 			npmV2DataplaneCfg.ApplyMaxBatches = config.ApplyMaxBatches

npm/config/config.go

@@ -7,6 +7,8 @@ const (
 	defaultApplyMaxBatches      = 100
 	defaultApplyInterval        = 500
 	defaultMaxBatchedACLsPerPod = 30
+	defaultMaxPendingNetPols    = 100
+	defaultNetPolInterval       = 500
 	defaultListeningPort        = 10091
 	defaultGrpcPort             = 10092
 	defaultGrpcServicePort      = 9002
@@ -35,14 +37,20 @@ var DefaultConfig = Config{
 	ApplyIntervalInMilliseconds: defaultApplyInterval,
 	MaxBatchedACLsPerPod:        defaultMaxBatchedACLsPerPod,
 
+	MaxPendingNetPols:            defaultMaxPendingNetPols,
+	NetPolInvervalInMilliseconds: defaultNetPolInterval,
+
 	Toggles: Toggles{
 		EnablePrometheusMetrics: true,
 		EnablePprof:             true,
 		EnableHTTPDebugAPI:      true,
 		EnableV2NPM:             true,
-		PlaceAzureChainFirst:    util.PlaceAzureChainFirst,
+		PlaceAzureChainFirst:    util.PlaceAzureChainAfterKubeServices,
 		ApplyIPSetsOnNeed:       false,
-		ApplyInBackground:       true,
+		// ApplyInBackground is currently used in Windows to apply the following in background: IPSets and NetPols for new/updated Pods
+		ApplyInBackground: true,
+		// NetPolInBackground is currently used in Linux to apply NetPol controller Add events in the background
+		NetPolInBackground: true,
 	},
 }
 
@@ -69,8 +77,10 @@ type Config struct {
 	// MaxBatchedACLsPerPod is the maximum number of ACLs that can be added to a Pod at once in Windows.
 	// The zero value is valid.
 	// A NetworkPolicy's ACLs are always in the same batch, and there will be at least one NetworkPolicy per batch.
-	MaxBatchedACLsPerPod int     `json:"MaxBatchedACLsPerPod,omitempty"`
-	Toggles              Toggles `json:"Toggles,omitempty"`
+	MaxBatchedACLsPerPod         int     `json:"MaxBatchedACLsPerPod,omitempty"`
+	MaxPendingNetPols            int     `json:"MaxPendingNetPols,omitempty"`
+	NetPolInvervalInMilliseconds int     `json:"NetPolInvervalInMilliseconds,omitempty"`
+	Toggles                      Toggles `json:"Toggles,omitempty"`
 }
 
 type Toggles struct {
@@ -82,6 +92,8 @@ type Toggles struct {
 	ApplyIPSetsOnNeed       bool
 	// ApplyInBackground applies for Windows only
 	ApplyInBackground bool
+	// NetPolInBackground
+	NetPolInBackground bool
 }
 
 type Flags struct {

npm/examples/windows/azure-npm-capz.yaml

@@ -145,17 +145,17 @@ data:
         "ResyncPeriodInMinutes": 15,
         "ListeningPort":         10091,
         "ListeningAddress":      "0.0.0.0",
+        "ApplyIntervalInMilliseconds":    500,
+        "ApplyMaxBatches":                100,
+        "MaxBatchedACLsPerPod":           30,
         "Toggles": {
             "EnablePrometheusMetrics": true,
             "EnablePprof":             true,
             "EnableHTTPDebugAPI":      true,
             "EnableV2NPM":             true,
             "PlaceAzureChainFirst":    true,
-            "ApplyIPSetsOnNeed":       false
+            "ApplyIPSetsOnNeed":       false,
+            "ApplyInBackground":       true,
+            "NetPolInBackground":      false
         },
-        "Transport": {
-          "Address": "azure-npm.kube-system.svc.cluster.local",
-          "Port": 10092,
-          "ServicePort": 9001
-        }
     }

npm/examples/windows/azure-npm.yaml

@@ -140,19 +140,22 @@ metadata:
 data:
   azure-npm.json: |
     {
-        "ResyncPeriodInMinutes":       15,
-        "ListeningPort":               10091,
-        "ListeningAddress":            "0.0.0.0",
-        "ApplyMaxBatches":             100,
-        "ApplyIntervalInMilliseconds": 500,
-        "MaxBatchedACLsPerPod":        30,
+        "ResyncPeriodInMinutes":          15,
+        "ListeningPort":                  10091,
+        "ListeningAddress":               "0.0.0.0",
+        "ApplyIntervalInMilliseconds":    500,
+        "ApplyMaxBatches":                100,
+        "MaxBatchedACLsPerPod":           30,
+        "NetPolInvervalInMilliseconds":   500,
+        "MaxPendingNetPols":              100,
         "Toggles": {
             "EnablePrometheusMetrics": true,
             "EnablePprof":             true,
             "EnableHTTPDebugAPI":      true,
             "EnableV2NPM":             true,
-            "PlaceAzureChainFirst":    true,
+            "PlaceAzureChainFirst":    false,
             "ApplyIPSetsOnNeed":       false,
-            "ApplyInBackground":       true
+            "ApplyInBackground":       true,
+            "NetPolInBackground":      true
         }
     }