[WIP] Admission Control Filter

[tonya11en]

This patch is a starts progress toward #9658. It is still a work in progress, but I'm opening a draft PR because I'd like to to discuss the general approach before writing integration tests, documentation, etc.

A quick summary of the motivation and origin of the idea can be found in the description of #9658.

The filter tracks request success rate for each worker thread and uses the information to reject requests with some probability dictated by the SR (in some rolling window) before forwarding to the upstream.This removes the need for any locks such as those found in the local ratelimit filter and the adaptive concurrency filter.

The per-thread success rate calculation is performed by tracking the total request count and the total number of successes. These values are accumulated each second and inserted into a deque that contains the per-second accumulated values for the entire rolling window. This allows us to efficiently phase out stale SR data as it is no longer in the time window.

There are a few items I'd appreciate some preliminary feedback on. Once there's a consensus, I'll write up documentation and integration tests. The two major items I'd like any feedback/comments on are:

• What would be the best way to configure the definition of a "successful" request? I thought something similar to the retry_on categories would do the trick, but this might not work for grpc.
• Could there be workloads that could see potential problems with this per-thread SR accounting approach?

[tonya11en]

/wait-any

[tonya11en]

Basic HTTP integration test is implemented. Since we're validating probabilities, I ensured it wasn't a flaky test:

± % btd //test/extensions/filters/http/admission_control:admission_control_integration_test --runs_per_test=1000
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/home/tallen/src/envoy/tools/bazel.rc
INFO: Invocation ID: c4325847-2684-473e-8c0a-7ac2ce6ae1c8
INFO: Analyzed target //test/extensions/filters/http/admission_control:admission_control_integration_test (0 packages loaded, 0 targets configured).
INFO: Found 1 test target...
Target //test/extensions/filters/http/admission_control:admission_control_integration_test up-to-date:
  bazel-bin/test/extensions/filters/http/admission_control/admission_control_integration_test
INFO: Elapsed time: 1012.032s, Critical Path: 49.45s
INFO: 1003 processes: 1 remote cache hit, 1002 linux-sandbox.
INFO: Build completed successfully, 1004 total actions
//test/extensions/filters/http/admission_control:admission_control_integration_test PASSED in 24.8s
  Stats over 1000 runs: max = 24.8s, min = 18.4s, avg = 23.5s, dev = 0.7s

Executed 1 out of 1 test: 1 test passes.
There were tests whose specified size is too big. Use the --test_verbose_timeout_warnings command line oINFO: Build completed successfully, 1004 total actions

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[tonya11en]

Actively wrestling with GRPC integration test.

[tonya11en]

Sorry for the delay- it turns out that when sending the local reply 503 in the filter, the GRPC status is not set. This caused the integration client to observe the upstream probabilistically return HTTP 503s with no GRPC status 50% of the time, or HTTP 200 with the “Unknown” GRPC status in the trailer.

I'm foregoing documentation until the general behavior of this filter has ossified. Once that happens, I'll take this PR out of draft along with pushing a bunch of docs.

[tonya11en]

@mattklein123 after you take your first pass through the code, I'll pull this PR out of draft and remove the WIP assuming no major architectural changes are required.

[tonya11en]

It just occurred to me that there are a handful of gRPC success codes. It'll be more performant to just do a sequential search over a vector instead of hashing in an unordered set.

I'll make that change next round.

[mattklein123]

Thanks I left a few comments. In general this looks great but I take back what I said about a single PR. Can we split this into at least 1) the ancillary changes, 2) the controller, and 3) the filter?

Thank you!

/wait

[mattklein123]

Since this PR is so large please split this and associated tests into a different PR (if there is anything else that can be split out please do so)

[mattklein123]

I think I would make this an actual numeric range for flexibility. See Int32Range or similar as something you might potentially use.

[mattklein123]

Bump still needs more verbiage to talk about sliding, etc.

[mattklein123]

What does the not_in 0 do?

[mattklein123]

@lizan does this exist anywhere else? Any thoughts on defining this in our API?

[lizan]

No this doesn't exist. I don't think we should define this as enum but just as int32 (that's what google.rpc.Status does) because in data plane there will be custom defined error codes as well.

[mattklein123]

Yeah given the size of this PR if possible maybe split the controller out into its own PR? If it's a big deal I can do in one review but it would be nice to not have so much code to look at.

[htuch]

Please merge master to pick up #10672. We no longer accept changes to v2 (without explicit exception), so any API modifications should happen in v3. If this PR is adding a new proto, please follow the updated instructions in https://github.com/envoyproxy/envoy/blob/master/api/STYLE.md#adding-an-extension-configuration-to-the-api.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[stale]

This pull request has been automatically closed because it has not had activity in the last 14 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!