Reworking kube-proxy to only compute endpointChanges on apply

[robscott]

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
Computing EndpointChanges is a relatively expensive operation for kube-proxy when Endpoint Slices are used. This had been computed on every EndpointSlice update which became quite inefficient at high levels of scale when multiple EndpointSlice update events would be triggered before a syncProxyRules call.

Profiling results showed that computing this on each update could consume ~80% of total kube-proxy CPU utilization at high levels of scale. This change reduced that to as little as 3% of total kube-proxy utilization at high levels of scale.

It's worth noting that the difference is minimal when there is a 1:1 relationship between EndpointSlice updates and proxier syncs. This is primarily beneficial when there are many EndpointSlice updates between proxier sync loops.

Does this PR introduce a user-facing change?:

Significant kube-proxy performance improvements when using Endpoint Slices at scale.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

• Enhancement Issue: EndpointSlice API enhancements#752

/sig network
/cc @freehan
/priority important-longterm

[robscott]

/retest

[freehan]

add a unit test for this?

[freehan]

may need a more significant name than getChangesAndMarkApplied. This function essentailly emits the changes in cache and refresh the cache. Plus, maybe other stuff

Naming Idea:
CheckoutChanges

[robscott]

Thanks, CheckoutChanges is a much better name. Added some unit tests for this as well.

[freehan]

It may helped the performance more by not comparing the difference and just trigger sync as always.

But it may not make any difference given the test result.

[robscott]

Unfortunately both the EndpointChangesPending metric and the last change trigger times rely on this being available on EndpointSlice addition (computing at proxier sync would not be helpful). The profiling I've done suggests that the full updatePending function, including this diffing, takes ~3% of total kube-proxy compute time (0.12s of 3.61s scaling to 10k endpoints). The actual esInfoChanged call within that is small enough to not be reported. Given the relative insignificance of that time I think it's worth maintaining the metrics as they exist.

[freehan]

consider moving all these into getChangesAndMarkApplied

[robscott]

I couldn't find a great way to integrate it there, but I did move this into a similarly named function.

[freehan]

Consider putting endpointslicecache.go into a different package (e.g. endpointslice/util or apimachinery), and define the interface better for reuse. Other consumer will need similar logic for this.

[robscott]

/retest

[robscott]

/retest

[freehan]

/assign @freehan

The interface of EndpointSliceCache, EndpointTracker is not too isolated. Hence making the synchronization and locking more unclear. But it seems not changing the existing flow.

[freehan]

nit: consider enclose the critical section into a built in func

func(){
  ect.lock.Lock()
  defer ect.lock.Unlock()

  ...
}()

[freehan]

you have lock in endpointSliceCache already. Do you still need lock here?

[robscott]

After discussing this a bit more I think it makes sense to hold off on any additional changes here until endpointslicecache can be moved into its own package.

[freehan]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: freehan, robscott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/proxy/OWNERS [freehan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment