Skip to content

[v1.7]: operator: rate limit GC of security identities#12450

Merged
qmonnet merged 4 commits intov1.7from
pr/do-not-burst-identitiy-gc-1.7
Jul 14, 2020
Merged

[v1.7]: operator: rate limit GC of security identities#12450
qmonnet merged 4 commits intov1.7from
pr/do-not-burst-identitiy-gc-1.7

Conversation

@aanm
Copy link
Copy Markdown
Member

@aanm aanm commented Jul 7, 2020
edited
Loading

To prevent bursts of security identities from being deleted in the
KVStore, possibly causing Cilium agent to have a high CPU usage due
policy calculation, this commit adds a rate limiter for such KVStore
deletes. For example, in case there are 1000 identities to GCed, the
operator will delete 250 every minute until all 1000 identities are
GCed.

$ for pr in 12451; do contrib/backporting/set-labels.py $pr done 1.7; done

@maintainer-s-little-helper maintainer-s-little-helper Bot added the kind/backports This PR provides functionality previously merged into master. label Jul 7, 2020
@aanm aanm mentioned this pull request Jul 7, 2020
Merged
@aanm aanm force-pushed the pr/do-not-burst-identitiy-gc-1.7 branch 4 times, most recently from 1b81693 to a1227b8 Compare July 8, 2020 10:03
aanm added 4 commits July 9, 2020 17:46
@aanm
pkg/kvstore: do not GC keys if they being frequently reused
9d4227a 
[ upstream commit 651199c ]

Some keys can be reused in between GC function calls. To avoid them
being GCed we should not mark them as stale keys and wait for the next
GC call to be executed.

Signed-off-by: André Martins <andre@cilium.io>
@aanm
operator: propagate context for delete identity
9d17fea 
[ upstream commit fe9ca34 ]

Signed-off-by: André Martins <andre@cilium.io>
@aanm
pkg/rate: add rate limiter package to rate limit requests
4bae9a9 
[ upstream commit 0892086 ]

Signed-off-by: André Martins <andre@cilium.io>
@aanm
operator: rate limit GC of security identities
f229dce 
[ upstream commit ea57e36 ]

To prevent bursts of security identities from being deleted in the
KVStore, possibly causing Cilium agent to have a high CPU usage due
policy calculation, this commit adds a rate limiter for such KVStore
deletes. For example, in case there are 1000 identities to GCed, the
operator will delete 250 every minute until all 1000 identities are
GCed.

Signed-off-by: André Martins <andre@cilium.io>
@aanm aanm force-pushed the pr/do-not-burst-identitiy-gc-1.7 branch from a1227b8 to f229dce Compare July 9, 2020 16:47
@aanm
Copy link
Copy Markdown
Member Author

aanm commented Jul 9, 2020

test-backport-1.7

@aanm aanm marked this pull request as ready for review July 9, 2020 16:48
@aanm aanm requested a review from a team as a code owner July 9, 2020 16:48
@maintainer-s-little-helper maintainer-s-little-helper Bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jul 14, 2020
@qmonnet qmonnet merged commit e2227a7 into v1.7 Jul 14, 2020
@qmonnet qmonnet deleted the pr/do-not-burst-identitiy-gc-1.7 branch July 14, 2020 11:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gandro gandro gandro approved these changes

@qmonnet qmonnet qmonnet approved these changes

Assignees

No one assigned

Labels

kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aanm @gandro @qmonnet