policy: add new benchmarks for identity updates and large policy repository #43407

Merged: christarazi merged 2 commits into cilium:main from odinuge:odinuge/policy-benchmarks on Jan 20, 2026
Member

@odinuge odinuge commented Dec 17, 2025

This adds two distinct new benchmarks. One testing the resolvePolicyLocked function when no/a low number of rules are selected, but when the repository has a lot of rules. The other one tests UpdateIdentities calls when a selector has a lot of identities selected.

These benchmarks are useful for selectorcache refactors and changes like #43376 and #43368.

```
/mnt/code/pkg/policy# go test -bench="BenchmarkSelectorCacheIdentityUpdates|BenchmarkResolveNoMatchingRules" . -run="^$" -v -count=5

goos: linux
goarch: arm64
pkg: github.com/cilium/cilium/pkg/policy
BenchmarkResolveNoMatchingRules
BenchmarkResolveNoMatchingRules-12                   690           1615507 ns/op          161072 B/op      20025 allocs/op
BenchmarkResolveNoMatchingRules-12                   759           1582734 ns/op          161072 B/op      20025 allocs/op
BenchmarkResolveNoMatchingRules-12                   687           1673607 ns/op          161072 B/op      20025 allocs/op
BenchmarkResolveNoMatchingRules-12                   705           1757171 ns/op          161072 B/op      20025 allocs/op
BenchmarkResolveNoMatchingRules-12                   745           2318819 ns/op          161072 B/op      20025 allocs/op
BenchmarkSelectorCacheIdentityUpdates
BenchmarkSelectorCacheIdentityUpdates-12             580           1994185 ns/op          168811 B/op         51 allocs/op
BenchmarkSelectorCacheIdentityUpdates-12             602           1933765 ns/op          168687 B/op         55 allocs/op
BenchmarkSelectorCacheIdentityUpdates-12             619           1935440 ns/op          168864 B/op         51 allocs/op
BenchmarkSelectorCacheIdentityUpdates-12             624           1934987 ns/op          168968 B/op         51 allocs/op
BenchmarkSelectorCacheIdentityUpdates-12             616           1937497 ns/op          168928 B/op         51 allocs/op
PASS
ok      github.com/cilium/cilium/pkg/policy     57.810s
```

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 17, 2025
@github-actions github-actions bot added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Dec 17, 2025
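
With `-count=5`, each benchmark is easier to compare across selectorcache changes as a median plus a noise figure. The Go program below is an added example, not part of the PR or of Cilium; it parses the `BenchmarkResolveNoMatchingRules` result lines quoted above, and the names `NsPerOp` and `MedianSpread` are made up for it.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Result lines copied from the PR description's output (first benchmark only).
const sample = `BenchmarkResolveNoMatchingRules
BenchmarkResolveNoMatchingRules-12   690   1615507 ns/op   161072 B/op   20025 allocs/op
BenchmarkResolveNoMatchingRules-12   759   1582734 ns/op   161072 B/op   20025 allocs/op
BenchmarkResolveNoMatchingRules-12   687   1673607 ns/op   161072 B/op   20025 allocs/op
BenchmarkResolveNoMatchingRules-12   705   1757171 ns/op   161072 B/op   20025 allocs/op
BenchmarkResolveNoMatchingRules-12   745   2318819 ns/op   161072 B/op   20025 allocs/op`

// NsPerOp collects the ns/op values per benchmark name from `go test -bench` output.
func NsPerOp(out string) map[string][]float64 {
	ns := map[string][]float64{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line) // result line: Name-P  iterations  value ns/op ...
		if len(f) < 4 || !strings.HasPrefix(f[0], "Benchmark") || f[3] != "ns/op" {
			continue
		}
		name := f[0]
		if i := strings.LastIndex(name, "-"); i > 0 {
			name = name[:i] // drop the GOMAXPROCS suffix (-12 here; assumed present if the name has '-')
		}
		if v, err := strconv.ParseFloat(f[2], 64); err == nil {
			ns[name] = append(ns[name], v)
		}
	}
	return ns
}

// MedianSpread sorts vs in place and returns the median ns/op and the max/min ratio.
func MedianSpread(vs []float64) (median, spread float64) {
	if len(vs) == 0 {
		return 0, 0
	}
	sort.Float64s(vs)
	n := len(vs)
	return (vs[(n-1)/2] + vs[n/2]) / 2, vs[n-1] / vs[0]
}

func main() {
	m, sp := MedianSpread(NsPerOp(sample)["BenchmarkResolveNoMatchingRules"])
	fmt.Printf("median=%.0f ns/op spread=%.2fx\n", m, sp)
}
```

The median is unaffected by the slow fifth run, while the spread of roughly 1.47x shows that a single-run comparison of this benchmark would be unreliable.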
Member Author

odinuge commented Dec 17, 2025

/test

Member Author

odinuge commented Dec 17, 2025

Looks like tests are failing due to 40f5769. I'll try to rebase and rerun.

This new benchmark creates 20k rules and then tries to compute the
policies selecting a given identity, where we know none of the rules
match. We do this to test the common case in production where a cluster
has a lot of rules, where only a handful of them will in practice select
each pod.

Signed-off-by: Odin Ugedal <odin@ugedal.com>
Signed-off-by: Odin Ugedal <ougedal@palantir.com>
@odinuge odinuge force-pushed the odinuge/policy-benchmarks branch from a36a602 to 4629342 Compare December 17, 2025 12:29
Member Author

odinuge commented Dec 17, 2025

/test

This benchmark adds a single wildcard rule, e.g. pretty close to the
'cluster' entity. This results in all identities being selected. We then
benchmark the performance of adding and removing 10k identities. Today
CPU time is heavily spent on sorting the resulting slice.

Signed-off-by: Odin Ugedal <odin@ugedal.com>
Signed-off-by: Odin Ugedal <ougedal@palantir.com>
@odinuge odinuge force-pushed the odinuge/policy-benchmarks branch from 4629342 to d85b916 Compare December 17, 2025 13:02
Member Author

odinuge commented Dec 17, 2025

/test

@odinuge odinuge marked this pull request as ready for review December 17, 2025 13:02
@odinuge odinuge requested a review from a team as a code owner December 17, 2025 13:02
@odinuge odinuge requested a review from derailed December 17, 2025 13:02
@odinuge odinuge changed the title from "policy: add new benchmarks" to "policy: add new benchmarks for identity updates and large policy repository" Dec 17, 2025
Member Author

odinuge commented Dec 17, 2025

/ci-ginkgo

Contributor

@derailed derailed left a comment

@odinuge Thank you for this update!

Member

@christarazi christarazi left a comment

Nice!

@christarazi christarazi added the release-note/misc This PR makes changes that have no direct user impact. label Jan 7, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 7, 2026
@christarazi christarazi added kind/performance There is a performance impact of this. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jan 7, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 7, 2026
@joestringer joestringer added release-note/ci This PR makes changes to the CI. and removed release-note/misc This PR makes changes that have no direct user impact. labels Jan 8, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 9, 2026
@christarazi christarazi enabled auto-merge January 13, 2026 05:50
@christarazi christarazi added this pull request to the merge queue Jan 20, 2026
Merged via the queue into cilium:main with commit 5ab3727 Jan 20, 2026
80 checks passed
@odinuge odinuge deleted the odinuge/policy-benchmarks branch January 20, 2026 09:37
Labels

kind/performance: There is a performance impact of this.
ready-to-merge: This PR has passed all tests and received consensus from code owners to merge.
release-note/ci: This PR makes changes to the CI.
sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.

6 participants