
Delta npds#1836

Open
jrajahalme wants to merge 7 commits into main from delta-npds

Conversation

@jrajahalme
Member

@jrajahalme jrajahalme commented Apr 6, 2026

Add a new NetworkPolicyResourceDiscoveryService that implements delta updates for policies and selectors, and where policies refer to selectors by their resource name.

NPRDS adds a top-level oneof wrapper that wraps either a Selector or a NetworkPolicy. NetworkPolicy definition is shared with NPDS, but PortNetworkPolicyRule adds a new selectors field that is only used with NPRDS.

NetworkPolicyMap switches to delta mode eagerly when there is evidence that the agent is capable (via BpfMetadata listener filter config), but we switch to SotW mode only when xDS stream transport had failed to connect or closes. This should work for Cilium Agent upgrades and downgrades, as the agent expresses the desired mode, and upgraded agents listen for both SotW NPDS and Delta NPRDS.

Start from an empty network policy resource map on the first update on a new stream. This fixes NACK cases where further updates on the stream would have IP collisions with resources that were kept from the previous stream, originating from the previous instance of the restarted Cilium Agent.

Network policy map maintains a stream generation number for new stream detection purposes. This is implemented using a new stream events callback added to upstream Envoy gRPC Mux classes via a new patch.

NOTE: This should be merged on main only after the v1.36 branch has been created.
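The mode-switching and new-stream rules described above, as an added illustrative model that is not cilium/proxy code: class and member names (`PolicyMapModel`, `setDesired`, `onStreamClosed`, `onNewStream`, `onUpdate`) are assumed, and the IP-to-policy-id map is a constructed stand-in for the real resource map.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <string>

// Hypothetical model (not cilium/proxy code; names assumed) of the rules the PR
// states: delta adopted eagerly, SotW only after stream failure, map cleared on
// the first update of each new stream (generation bumped by the mux callback).
enum class Mode { SotW, Delta };
class PolicyMapModel {
public:
  // Desired mode comes from the BpfMetadata listener filter config; a healthy
  // stream is replaced only when Delta is desired and is not current.
  void setDesired(Mode m) {
    desired_ = m;
    if (!subscribed_ || (m == Mode::Delta && current_ != Mode::Delta)) subscribe(m);
  }
  // Transport failed to connect or closed: re-subscribe in the desired mode.
  void onStreamClosed() { subscribed_ = false; subscribe(desired_); }
  // Mux stream event: a new stream means a (re)started agent.
  void onNewStream() { ++stream_generation_; }
  // First update on a new stream starts from an empty map so IPs kept from the
  // previous agent instance cannot collide with the new ones (the NACK fix).
  void onUpdate(const std::map<std::string, uint64_t>& resources) {
    if (applied_generation_ != stream_generation_) {
      policies_.clear();
      applied_generation_ = stream_generation_;
    }
    for (const auto& kv : resources) policies_[kv.first] = kv.second;
  }
  Mode current() const { return current_; }
  std::size_t size() const { return policies_.size(); }
  unsigned subscribeCount() const { return subscribe_count_; }

private:
  void subscribe(Mode m) { current_ = m; subscribed_ = true; ++subscribe_count_; }
  Mode desired_ = Mode::SotW, current_ = Mode::SotW;
  bool subscribed_ = false;
  uint64_t stream_generation_ = 0, applied_generation_ = 0;
  unsigned subscribe_count_ = 0;
  std::map<std::string, uint64_t> policies_;  // IP -> policy id (constructed)
};

int main() {
  PolicyMapModel m;
  m.setDesired(Mode::SotW); m.setDesired(Mode::Delta);  // eager switch to delta
  m.setDesired(Mode::SotW); assert(m.current() == Mode::Delta);  // not yet
  m.onStreamClosed(); assert(m.current() == Mode::SotW);  // only after failure
  m.onNewStream(); m.onUpdate({{"10.0.0.1", 1}, {"10.0.0.2", 2}});
  m.onNewStream(); m.onUpdate({{"10.0.0.1", 3}}); assert(m.size() == 1);
}
```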

@jrajahalme jrajahalme requested a review from a team as a code owner April 6, 2026 18:42
@jrajahalme jrajahalme added the preview-only Preview only label Apr 6, 2026
@jrajahalme jrajahalme requested a review from sayboras April 6, 2026 18:42
@jrajahalme jrajahalme marked this pull request as draft April 6, 2026 18:42
@jrajahalme jrajahalme requested review from fristonio and nezdolik and removed request for sayboras April 6, 2026 18:42
Comment thread cilium/api/bpf_metadata.proto Outdated
@jrajahalme jrajahalme force-pushed the delta-npds branch 5 times, most recently from 6ff6c15 to db12d3e Compare April 19, 2026 09:36
jrajahalme added 5 commits May 6, 2026 14:40
Refactor policy code in preparation for delta NPDS changes in later
commits:

- Remove unnecessary PortPolicy.map_ member.
- Move NetworkPolicyMapImpl to cilium/network_policy.cc to hide
  implementation detail.
- Add helpers for policy updates to be shared with the delta code later.
- Pass Context to secret watcher functions instead of the full
  NetworkPolicyMap.
- Simplify gRPC subscribe() parameters.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Leave enough space after the pass verdict for all the passed rules to fit
in before the following rules on the same tier. This is the requirement
of the current API for correct behavior.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Handle pass rules during enforcement by skipping past the passed-over
rules when a rule with a pass verdict matches. This is more
straightforward and gets rid of precedence promotion altogether, which
is made possible by the duplication of wildcard-port rules into the
port-specific rulesets, as after that change there is no need to compare
precedences between multiple lookups. Since there is no transformation on
the rules, the applied rules have the same shape as the imported policy,
which makes debugging easier. The implementation skips over the
passed-over rules without scanning all of them so the performance should
be similar to the previous implementation.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme added 2 commits May 6, 2026 17:38
Replace Config::GrpcMuxImpl wrapper with stream event callback patch on
upstream so that new stream detection works on all the needed Mux types
for SotW, Delta, and ADS.

New stream detection is the means by which we detect Cilium Agent
restarts, which generally requires the ipcache bpf map to be
reopened. Delta updates also depend on this detection to force
synchronization as the restarted agent may not know which resources to
remove.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add new cilium/versioned.h generic container for transactional selector
updates.

Add a new NetworkPolicyResourceDiscoveryService that implements delta
updates for policies and selectors, and where policies refer to selectors
by their resource name.

NPRDS adds a top-level oneof wrapper that wraps either a Selector or a
NetworkPolicy. NetworkPolicy definition is shared with NPDS, but
PortNetworkPolicyRule adds a new selectors field that is only used with
NPRDS.

Store the latest desired ConfigSource in the policy map and use it for:
- initial policy map subscription
- re-subscription when connection under current subscription is terminated
- a healthy network policy stream is not disrupted, unless the desired
  config is for delta xDS and the current one is not

This means that we switch to delta mode eagerly when we have evidence
that the agent is capable, but we switch to SotW mode only when xDS
stream transport had failed to connect or closes.

This should work for Cilium Agent upgrades and downgrades, as the agent
expresses the desired mode, and listens for both.

Clear the resource map on a first update on a new stream. This fixes NACK
cases where further updates on the stream would have IP collisions with
resources that were kept from the previous stream.

We record a stream generation number for new stream detection
purposes. This is implemented using the new stream events callback
implemented in NetworkPolicyMapImpl, where the stream generation number
is stored as a static member that is updated via the stream event
callback.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme added enhancement New feature or request and removed preview-only Preview only labels May 6, 2026
@jrajahalme jrajahalme marked this pull request as ready for review May 6, 2026 15:51
@jrajahalme jrajahalme requested a review from nezdolik May 6, 2026 15:52