policy: introduce lazy ordered/sorted selections

[odinuge]

This introduces a separate sorted structure that can be used by the components that need it. Previously all selections were sorted. This very cosly in the hotpath of the selection updates, as sorting 10k+ slices is pretty expensive. This still creates a copy of the selections, but it does not sort it.

This can in theory result in higher memory usage since we now keep a set (thats in practice a map), and the sorted slice if asked for. In practice not many things need the sorted version, noteably the dnsproxy as well as some l7/xds configs. Its also not totally sure that those always need it either - and in the cases they need it, they also end up keeping it in memory - so the diff is pretty small in practice. Most of the datapath is also using updates, so its not relying on the sorted version all the time.

Its a bit hard to benchmark this directly without cherry-picking results, but a simple test-case where a single selector selects say 20k identities (eg. the 'cluster' entity), that are updated say 5 times/sec - results in a lot of cpu cycles spent on sorting that slice.

Fixes: #issue-number

n/a

[odinuge]

/test

[odinuge]

/test

[odinuge]

While testing a set of identities changing concurrently, while having a selector that selects the `cluster` entity we see that a lot of time is spent doing this sorting.

[odinuge]

Looking into doing part.Set[identity.NumericIdentity] here as well. That could be useful to reduce the number of allocations - but it will most likely do more allocations that the current version in main, but potentially be faster and allocate less memory.

[odinuge]

Benchmarks using #43407;

pkg: github.com/cilium/cilium/pkg/policy
                                │ /tmp/original.yml │             /tmp/pr.yml              │
                                │      sec/op       │    sec/op     vs base                │
ResolveNoMatchingRules-12              1.848m ± 37%   2.126m ± 48%        ~ (p=0.052 n=10)
SelectorCacheIdentityUpdates-12      2037.77µ ±  9%   10.59µ ±  4%  -99.48% (p=0.000 n=10)
geomean                                1.941m         150.0µ        -92.27%

                                │ /tmp/original.yml │             /tmp/pr.yml              │
                                │       B/op        │     B/op      vs base                │
ResolveNoMatchingRules-12              157.3Ki ± 0%   157.3Ki ± 0%        ~ (p=0.584 n=10)
SelectorCacheIdentityUpdates-12       164.80Ki ± 0%   11.52Ki ± 0%  -93.01% (p=0.000 n=10)
geomean                                161.0Ki        42.57Ki       -73.56%

                                │ /tmp/original.yml │              /tmp/pr.yml               │
                                │     allocs/op     │  allocs/op   vs base                   │
ResolveNoMatchingRules-12               20.02k ± 0%   20.02k ± 0%         ~ (p=1.000 n=10) ¹
SelectorCacheIdentityUpdates-12          51.00 ± 2%   116.00 ± 0%  +127.45% (p=0.000 n=10)
geomean                                 1.011k        1.524k        +50.81%

So it seems like this is much faster at identity updates, but it does have a significantly higher allocation count; but even more significant reduction in cpu time and allocation size.

[odinuge]

/test

[odinuge]

/test

[odinuge]

Seems like we are having conflicts. I'll wait for #42580 to be worked through and merge before rebasing this. 😄

[github-actions]

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

[github-actions]

This pull request has not seen any activity since it was marked stale.
Closing.

[odinuge]

I can't seem to reopen, so I'll open a new one when I get time. I've been busy mitigating other critical bugs like #44328 the past few weeks, and to get v1.17 working so this hasn't been prioritized. So I'm still planning to do this work!