FQDN: preallocate identities for fqdn selectors #39868
Merged
squeed merged 4 commits into cilium:main from Jun 17, 2025
Conversation
gandro reviewed, Jun 3, 2025
joamaki approved these changes, Jun 4, 2025
squeed (Contributor, Author):

As @gandro observed, there is a race between the allocator and ipcache, as both want to own the policy map update lifecycle. I will file a PR shortly that moves updates exclusively to the allocator. Once that merges, we can proceed with this PR.
squeed (Contributor, Author):

Filed #39970 to refactor identity distribution. Once that merges I'll rebase this, and the race will go away.
viktor-kurchenko approved these changes, Jun 10, 2025
Force-pushed d8907f2 to 9fb2b8d
Force-pushed 9fb2b8d to 99214b5
squeed (Contributor, Author):

/test
Force-pushed 99214b5 to 416ae94
squeed (Contributor, Author):

Whoops, this triggered an ipcache deadlock. Fortunately the fix was simple.
squeed (Contributor, Author):

/test
gandro requested changes, Jun 16, 2025
Force-pushed 416ae94 to cd25b56
gandro approved these changes, Jun 16, 2025
squeed (Contributor, Author):

/test
The local identity allocator checkpoints its state, and restores it early in daemon startup. However, there may be other users of the allocator that allocate local identities early on startup. We should not permit allocation to happen until checkpoint restoration is complete. Thus, we start the allocator locked, only unlocking when restoration is complete.
Signed-off-by: Casey Callendrello <cdc@isovalent.com>

Background: the ToFQDN policy feature works by assigning labels with source `fqdn:` to IP addresses as names are learned. For example, the IP address 1.1.1.1 may have the labels (reserved:world, fqdn:one.one.one.one). Before this change, identities were allocated when the first IP was discovered that matched a selector. Now, identities are allocated when ToFQDN policies are first created. The goal is to reduce tail latency. Because allocating an identity requires a policy update, all endpoints must lock, apply incremental changes, and update envoy *before* the DNS packet can be returned to the requesting pod. By pre-allocating identities, newly learned IPs require only an ipcache write, not a policymap and envoy update. This reduces DNS response latency.
Signed-off-by: Casey Callendrello <cdc@isovalent.com>

This just wires up dnsProxy.preAllocateIdentities to the --tofqdns-preallocate-identities flag.
Signed-off-by: Casey Callendrello <cdc@isovalent.com>

Now that we require identity allocation to be synchronous, we put ourselves at risk of a deadlock between the ipcache and the NameManager. Specifically, the IPCache holds the metadata lock while it allocates identities, but the allocator depends on the SelectorCache making progress. Unfortunately, the SelectorCache can be blocked on the NameManager, and the NameManager needs to be able to upsert in to the ipcache metadata layer. The fix is to drop the ipcache metadata lock while allocating, which is a good idea anyways.
Signed-off-by: Casey Callendrello <cdc@isovalent.com>
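As an added illustration (not Cilium's code) of the lock cycle this last commit describes, here is a hypothetical Go model: `UpsertHoldingLock` reproduces the pre-fix ordering, where the metadata lock is still held when the allocator's progress requires the NameManager to re-enter the ipcache, and so blocks forever; `UpsertDroppingLock` releases the metadata lock before allocating, which is the fix. All type and function names, and the single-mutex simplification, are assumptions made for the example.

```go
package main

import (
	"sync"
	"sync/atomic"
)

// Hypothetical model (not Cilium's API) of the lock cycle in the commit message:
// the ipcache metadata lock is held while allocating, but allocation only
// finishes once the NameManager upserts into the metadata layer under that lock.
type IPCache struct {
	metadataMu sync.Mutex
	metadata   map[string][]string // ip -> labels
	nextID     int64               // identity counter, independent of metadataMu
}

func NewIPCache() *IPCache { return &IPCache{metadata: map[string][]string{}} }

// nameManagerUpsert models the NameManager writing a learned name into the
// ipcache metadata layer; it must take metadataMu.
func (c *IPCache) nameManagerUpsert(ip, label string) {
	c.metadataMu.Lock()
	defer c.metadataMu.Unlock()
	c.metadata[ip] = append(c.metadata[ip], label)
}

// allocate models the allocator: it cannot hand out an identity until the
// NameManager has made progress, which re-enters the ipcache.
func (c *IPCache) allocate(ip string) int {
	c.nameManagerUpsert(ip, "fqdn:one.one.one.one")
	return int(atomic.AddInt64(&c.nextID, 1))
}

// UpsertHoldingLock is the pre-fix ordering: metadataMu is still held when
// allocate re-enters nameManagerUpsert, which blocks forever (not reentrant).
func (c *IPCache) UpsertHoldingLock(ip string, labels []string) int {
	c.metadataMu.Lock()
	defer c.metadataMu.Unlock()
	c.metadata[ip] = labels
	return c.allocate(ip)
}

// UpsertDroppingLock is the fix: publish the metadata, release metadataMu,
// and only then allocate, so the NameManager's re-entry can take the lock.
func (c *IPCache) UpsertDroppingLock(ip string, labels []string) int {
	c.metadataMu.Lock()
	c.metadata[ip] = labels
	c.metadataMu.Unlock()
	return c.allocate(ip)
}
```

Calling `UpsertHoldingLock` from a goroutine with a timeout is the simplest way to observe the hang without stalling the caller; the stuck goroutine is leaked.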
Force-pushed cd25b56 to 40a6dea
squeed (Contributor, Author):

Needed to adjust the Ginkgo test slightly to expect two identities in a command that previously got one. Just some fragile json parsing that needed fixing.
squeed (Contributor, Author):

/test
Background: the ToFQDN policy feature works by assigning labels with source `fqdn:` to IP addresses as names are learned. For example, the IP address 1.1.1.1 may have the labels (reserved:world, fqdn:one.one.one.one). (Note that IPs no longer have per-IP labels unless also selected by toCIDR policies.) Before this change, identities were allocated when the first IP was discovered that matched a selector. Now, identities are allocated when ToFQDN policies are first created.
The goal is to reduce tail latency. Because allocating an identity requires a policy update, all endpoints must lock, apply incremental changes, and update envoy before the DNS packet can be returned to the requesting pod.
By pre-allocating identities, newly learned IPs require only an ipcache write, not a policymap and envoy update. This reduces DNS response latency.