Add documentation for except support in ipBlock #6677
Conversation
Dyanngg
force-pushed
the
ipblock-except-doc
branch
from
328118e
to
2be8a10
Compare
Dyanngg
force-pushed
the
ipblock-except-doc
branch
from
2be8a10
to
59ae490
Compare
|
/skip-all |
There was a problem hiding this comment.
Did we want to include a note about the possible impact of having too many rules with too many excepts? I know this can lead to a rule explosion, but I am not sure it matters too much as there is no constraining cap on the number of flows with the same priority? I don't think there is a significant impact on datapath performance. More flows would increase memory usage.
docs/antrea-network-policy.md
Outdated
| ephemeral and unpredictable. | ||
|
|
||
| Starting with Antrea v2.2, Antrea-native policies now support an `except` field under | ||
| ipBlock, which can be used to carve out specific CIDRs in the base IP range: |
There was a problem hiding this comment.
ipBlock -> ipBlock
I don't think you applied Jiajun's suggestion BTW?
There was a problem hiding this comment.
I did, just forgot to paste it to the other place...
Added a short note, let me know if it is good from your perspective |
Dyanngg
force-pushed
the
ipblock-except-doc
branch
from
59ae490
to
1727c1a
Compare
docs/antrea-network-policy.md
Outdated
| evaluations for lower priority rules. A large number of policy rules with `except` ipBlocks | ||
| can also have negative impacts on Antrea memory usage. |
There was a problem hiding this comment.
It's fine by me. @tnqn do you know if a high number of flows can also impact latency / throughput. I imagine that it is possible with a large number of diverse connections.
There was a problem hiding this comment.
According to my understanding on how the flow classfication runs, the cost is relative to the number of different mask lengths, instead of the number of flows. For example, in the worst case, there could be 31 mask lengths and OVS may have to calculate the masked IP 31 times to see if it matches flows in this table. Even a single policy rule can cause this if well-designed. On the other hand, if a large number of policy rules have the same mask length for their except ipBlocks, they shouldn't really cause much negative impacts. So the cost is kind of consistent regardless of the number of flows.
For the memory usage, I feel it may be not worth emphasizing its memory impact. An IPBlock with an except ipBlock can result in 31 IPNets in the worst case, but a podSelector can result in tens or hundreds of IPs either.
And the implementation of except in Antrea policy is not different from it in K8s policy.
There was a problem hiding this comment.
An IPBlock with an except ipBlock can result in 31 IPNets in the worst case
technically, I can have multiple except cidrs and generate many more IPNets than that
but yes, I agree with the overall statement
docs/antrea-network-policy.md
Outdated
| evaluations for lower priority rules. A large number of policy rules with `except` ipBlocks | ||
| can also have negative impacts on Antrea memory usage. |
There was a problem hiding this comment.
According to my understanding on how the flow classfication runs, the cost is relative to the number of different mask lengths, instead of the number of flows. For example, in the worst case, there could be 31 mask lengths and OVS may have to calculate the masked IP 31 times to see if it matches flows in this table. Even a single policy rule can cause this if well-designed. On the other hand, if a large number of policy rules have the same mask length for their except ipBlocks, they shouldn't really cause much negative impacts. So the cost is kind of consistent regardless of the number of flows.
For the memory usage, I feel it may be not worth emphasizing its memory impact. An IPBlock with an except ipBlock can result in 31 IPNets in the worst case, but a podSelector can result in tens or hundreds of IPs either.
And the implementation of except in Antrea policy is not different from it in K8s policy.
Signed-off-by: Dyanngg <[email protected]>
Dyanngg
force-pushed
the
ipblock-except-doc
branch
from
1727c1a
to
649d6d8
Compare
|
/skip-all |
Documentation for #6658