SRVCOM-2728: High CPU/memory usage of istio-proxies when adding ksvcs #8


@pierDipi pierDipi commented Oct 18, 2023

Add Sidecar configuration in tenant's namespaces to restrict egress rules and reduce cpu/memory usage.

Documentation https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/service_mesh/service-mesh-2-x#ossm-routing-sidecar_traffic-management

This command will generate these 2 Sidecar resources:

```
helm template ./ --values tests/values.yaml
# ...
---
# Source: knative-istio-authz-onboarding/templates/common-tenant-sidecar.yaml
# Restrict namespace ns1 sidecars egress rules to tenants specific namespaces so that
# application sidecars don't consumer a ton of memory/cpu.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: ns1
spec:
  egress:
    - hosts:
        - "ns1/*"

        - "ns2/*"

        - "istio-system/*"
        - "knative-serving/*"

        - "knative-eventing/*"
---
# Source: knative-istio-authz-onboarding/templates/common-tenant-sidecar.yaml
---
# Restrict namespace ns2 sidecars egress rules to tenants specific namespaces so that
# application sidecars don't consumer a ton of memory/cpu.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: ns2
spec:
  egress:
    - hosts:
        - "ns1/*"

        - "ns2/*"

        - "istio-system/*"
        - "knative-serving/*"

        - "knative-eventing/*"
```

Add `Sidecar` configuration in tenant's namespaces to restrict
egress rules and reduce cpu/memory usage.

Signed-off-by: Pierangelo Di Pilato <[email protected]>
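
The egress scoping described in the pull request description can be checked mechanically. The following is an added example, not part of this pull request or the chart: it audits Sidecar manifests for a tenant and reports namespaces with no namespace-wide Sidecar or with egress hosts outside the tenant's namespaces and the shared system namespaces. It assumes the manifests are already parsed into Python dicts; `sidecar`, `audit` and the sample data are hypothetical names and constructed input.

```python
# Shared namespaces every tenant may reach, as listed in the rendered output.
SHARED = {"istio-system", "knative-serving", "knative-eventing"}


def sidecar(namespace, hosts, selector=None):
    """Build a Sidecar manifest as a dict (constructed sample input)."""
    spec = {"egress": [{"hosts": hosts}]}
    if selector:
        spec["workloadSelector"] = {"labels": selector}
    return {"kind": "Sidecar",
            "metadata": {"name": "default", "namespace": namespace},
            "spec": spec}


def audit(manifests, tenant_namespaces, shared=SHARED):
    """Return sorted (namespace, problem) findings for one tenant."""
    allowed = set(tenant_namespaces) | set(shared)
    findings = []
    for ns in tenant_namespaces:
        # Only a Sidecar without workloadSelector applies to every workload
        # in its namespace; a selector-scoped one leaves other pods unscoped.
        scoped = [m for m in manifests
                  if m.get("kind") == "Sidecar"
                  and m["metadata"]["namespace"] == ns
                  and "workloadSelector" not in m.get("spec", {})]
        if not scoped:
            findings.append((ns, "no namespace-wide Sidecar"))
            continue
        for m in scoped:
            for listener in m["spec"].get("egress", []):
                for host in listener.get("hosts", []):
                    host_ns = host.split("/", 1)[0]
                    if host_ns == ".":
                        host_ns = ns  # "./" is the Sidecar's own namespace
                    if host_ns not in allowed:
                        findings.append((ns, "egress host outside tenant: " + host))
    return sorted(findings)


# Constructed samples: GOOD mirrors the rendered resources, BAD does not.
TENANT_HOSTS = ["ns1/*", "ns2/*", "istio-system/*",
                "knative-serving/*", "knative-eventing/*"]
GOOD = [sidecar("ns1", TENANT_HOSTS), sidecar("ns2", TENANT_HOSTS)]
BAD = [sidecar("ns1", ["./*", "*/*"]),
       sidecar("ns2", ["ns2/*"], selector={"app": "x"})]

if __name__ == "__main__":
    print(audit(GOOD, ["ns1", "ns2"]), audit(BAD, ["ns1", "ns2"]))
```
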
@openshift-ci-robot

@pierDipi: This pull request references SRVCOM-2728 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.15.0" version, but no target version was set.


@pierDipi
Member Author

@maschmid is there any way you can double check this in your tests?

@maschmid

Trying it now.

@maschmid

/lgtm

It works fine on the 1000 ksvc test. Let's try to merge it and backport, and then we should check all the MT-related SO tests in CI.

@openshift-ci

openshift-ci bot commented Oct 19, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maschmid, pierDipi


@pierDipi
Member Author

/cherry-pick release-1.31

@openshift-cherrypick-robot
Contributor

@pierDipi: once the present PR merges, I will cherry-pick it on top of release-1.31 in a new PR and assign it to you.


@pierDipi pierDipi changed the title [WIP] SRVCOM-2728: High CPU/memory usage of istio-proxies when adding ksvcs SRVCOM-2728: High CPU/memory usage of istio-proxies when adding ksvcs Oct 19, 2023
@pierDipi pierDipi merged commit defc102 into openshift-knative:main Oct 19, 2023
1 check passed
@pierDipi pierDipi deleted the SRVCOM-2728_Sidecar-egress-restriction branch October 19, 2023 12:01
@openshift-cherrypick-robot
Contributor

@pierDipi: new pull request created: #9
