@@ -1142,6 +1142,9 @@ func (e *Endpoint) ApplyPolicyMapChanges(proxyWaitGroup *completion.WaitGroup) e
11421142func (e * Endpoint ) applyPolicyMapChangesLocked (regenContext * regenerationContext , hasNewPolicy bool ) error {
11431143 e .PolicyDebug ("applyPolicyMapChanges" )
11441144
1145+ // Always update Envoy if policy has changed
1146+ updateEnvoy := hasNewPolicy
1147+
11451148 // Note that after successful endpoint regeneration the desired and realized policies are
11461149 // the same pointer. During the bpf regeneration possible incremental updates are collected
11471150 // on the newly computed desired policy, which is not fully realized yet. This is why we get
@@ -1161,17 +1164,20 @@ func (e *Endpoint) applyPolicyMapChangesLocked(regenContext *regenerationContext
11611164 }
11621165
11631166 hasEnvoyRedirect := e .desiredPolicy .L4Policy .HasEnvoyRedirect ()
1164- // updateEnvoy when policy has changed, if the endpoint has Envoy redirects,
1165- // or is an Ingress endpoint, which needs to enforce also the full L3/4 policy.
1166- //
1167- // Even if there are no changes, we update the proxyWaitGroup for any in-progress
1168- // NetworkPolicy update to be done if the endpoint has envoy redirects, so that the
1169- // the expected policy is in place.
1170- //
1171- // 'updateEnvoy' is already set to 'true' if policy changed. In that case there can
1172- // be new redirects and a full policy map update even if there were no incremental
1173- // updates.
1174- updateEnvoy := hasNewPolicy || hasEnvoyRedirect || e .isIngress
1167+ if ! changes .Empty () {
1168+ // updateEnvoy if there were any mapChanges, but only if the endpoint has Envoy
1169+ // redirects, or is an Ingress endpoint, which needs to enforce also the full L3/4
1170+ // policy.
1171+ //
1172+ // Even if there are no changes, we update the proxyWaitGroup for any in-progress
1173+ // NetworkPolicy update to be done if the endpoint has envoy redirects, so that the
1174+ // the expected policy is in place.
1175+ //
1176+ // 'updateEnvoy' is already set to 'true' if policy changed. In that case there can
1177+ // be new redirects and a full policy map update even if there were no incremental
1178+ // updates.
1179+ updateEnvoy = updateEnvoy || hasEnvoyRedirect || e .isIngress
1180+ }
11751181
11761182 stats := & regenContext .Stats
11771183 datapathRegenCtxt := regenContext .datapathRegenerationContext
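Review bot: The comment paragraph starting "Even if there are no changes, we update the proxyWaitGroup …" now sits inside `if !changes.Empty()`, where it contradicts the code. With an empty change set and `hasNewPolicy` false, `updateEnvoy` stays false even for an endpoint with Envoy redirects or an Ingress endpoint. If skipping the Envoy update in that case is intended, reword the paragraph, for example `// With no map changes and no new policy, updateEnvoy stays false and Envoy is not updated.`, and drop the doubled "the the". If callers still depend on any in-progress NetworkPolicy update being complete before they proceed, the `hasEnvoyRedirect` case should stay outside the guard, otherwise the proxy may briefly enforce a policy older than the one the policy map reflects. Where `changes` is assigned and how `updateEnvoy` is consumed are outside the visible hunks, so confirm this against the rest of `applyPolicyMapChangesLocked`.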