calicoctl: add optimize sub-command that can optimize GNPs for better efficiency #11104
Open
fasaxc wants to merge 5 commits into projectcalico:master from
In this initial version, only global network policies are optimized,
other resources are passed through unaltered. The tool makes several
optimizations to global network policies:
- Hoist selectors up from rules to the top-level subject selector.
  - When an **ingress** rule uses a **destination** selector, that
    results in rendering an expensive IP set to the dataplane (including
    every IP that the selector matches) even though Felix already knows
    which workload it is applying the policy to.
  - Similarly, **source** selectors in **egress** are inefficient.
  - When the tool spots such a selector, it splits the policy into
    smaller policies, each with a different selector. Then it hoists
    the selector up to the top-level of the policy so that the policy
    only applies to that subset of workloads. This removes the IP set,
    and, if the top-level selector was previously broad, it reduces the
    number of workloads that the sub policy even applies to. Policies
    that don't apply to any endpoint on a given node are not even
    calculated and do not get rendered to iptables.
- Remove duplicate rules within a policy.
- Remove unreachable rules (rules after an unconditional
  Allow/Deny/Pass).
- Normalize policy selectors.
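The rule pruning and selector hoisting described above, as an added Go illustration that is not part of this PR and uses its own simplified Rule/Policy types rather than libcalico-go's (the sub-policy naming, the Order step and the selector conjunction syntax are assumptions):

```go
package main
import "fmt"
// Simplified stand-alone model of a GNP (not libcalico-go's types).
type Rule struct {
	Action string // Allow, Deny, Pass or Log
	Dst    string // destination selector on an ingress rule; "" = none
}
type Policy struct {
	Name, Selector string // Selector is the top-level subject selector
	Order          float64
	Ingress        []Rule
}
// Prune drops exact duplicate rules and every rule after an unconditional Allow/Deny/Pass.
func Prune(rules []Rule) []Rule {
	seen := map[Rule]bool{}
	var out []Rule
	for _, r := range rules {
		if seen[r] {
			continue
		}
		seen[r] = true
		out = append(out, r)
		if r.Dst == "" && r.Action != "Log" {
			break // later rules can never be reached
		}
	}
	return out
}

// Hoist turns each run of consecutive rules sharing a destination selector into a
// sub-policy whose subject selector is the conjunction of the original and the hoisted
// selector. Splitting per run and stepping Order preserves each endpoint's rule order.
func Hoist(p Policy) []Policy {
	var out []Policy
	for i, rules := 0, Prune(p.Ingress); len(rules) > 0; i++ {
		dst, j := rules[0].Dst, 0
		for j < len(rules) && rules[j].Dst == dst {
			j++
		}
		sub := Policy{Name: fmt.Sprintf("%s-%d", p.Name, i), Selector: p.Selector, Order: p.Order + float64(i)/1000}
		if dst != "" {
			sub.Selector = fmt.Sprintf("(%s) && (%s)", p.Selector, dst)
		}
		for _, r := range rules[:j] {
			sub.Ingress = append(sub.Ingress, Rule{Action: r.Action})
		}
		out, rules = append(out, sub), rules[j:]
	}
	return out
}
```

Endpoints matching only the original selector but none of the hoisted ones are not selected by any sub-policy unless a run without a destination selector remains; this toy does not handle that case.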
Pull Request Overview
This PR introduces a new calicoctl optimize sub-command that optimizes Calico Global Network Policies (GNPs) for better performance by canonicalizing selectors, hoisting rule-level selectors to the top-level subject selector when safe, and splitting policies to reduce dataplane overhead.
Key Changes:
- New optimization library in libcalico-go/lib/optimize with functions to optimize GNPs by hoisting inefficient selectors and removing duplicate/unreachable rules
- New calicoctl optimize command that validates resources offline and outputs optimized YAML
- Comprehensive unit and system tests for the optimization logic
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| libcalico-go/lib/optimize/optimize_gnp.go | Core GNP optimization logic including selector canonicalization, rule splitting, and duplicate removal |
| libcalico-go/lib/optimize/optimize_objects.go | High-level API for optimizing runtime.Object slices with support for lists |
| libcalico-go/lib/optimize/optimize_objects_test.go | Unit tests for object optimization pass-through behavior and list handling |
| libcalico-go/lib/optimize/gnp_split_test.go | Comprehensive unit tests for GNP splitting, selector hoisting, and edge cases |
| calicoctl/calicoctl/commands/optimize.go | CLI command implementation that validates and optimizes resources from file/stdin |
| calicoctl/calicoctl/calicoctl.go | Registers the new optimize sub-command in calicoctl |
| calicoctl/tests/st/calicoctl/test_optimize.py | System tests verifying optimize command behavior with various input formats |
| calicoctl/tests/st/manifests/optimize-multidoc.yaml | Test fixture with multi-document YAML for pass-through validation |
| calicoctl/tests/st/manifests/optimize-gnp-split.yaml | Test fixture demonstrating GNP splitting optimization scenarios |
| .semaphore/semaphore.yml | Updates CI trigger paths to include new optimize package |
| .github/copilot-instructions.md | Documentation clarification about test locations and languages |
Co-authored-by: Copilot <[email protected]>
This PR is stale because it has been open for 60 days with no activity. |
Description
Add a new calicoctl optimize sub-command that takes in one or more Calico resources and emits (possibly) optimized versions to stdout.

In this initial version, only global network policies are optimized, other resources are passed through unaltered. The tool makes several optimizations to global network policies:
- Hoist selectors up from rules to the top-level subject selector.
- Remove duplicate rules within a policy.
- Remove unreachable rules (rules after an unconditional Allow/Deny/Pass).
- Normalize policy selectors.
Related issues/PRs
CORE-11913
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one docs-* label:
- docs-pr-required: This change requires a change to the documentation that has not been completed yet.
- docs-completed: This change has all necessary documentation completed.
- docs-not-required: This change has no user-facing impact and requires no docs.
Every PR needs one release-note-* label:
- release-note-required: This PR has user-facing changes. Most PRs should have this label.
- release-note-not-required: This PR has no user-facing changes.
Other optional labels:
- cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
- needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.