Improve CPU consumption by skipping `populateReferencedKubernetesServ…

…ices` logic when egress enforcement is disabled (#538)
otterize · Dec 22, 2024 · 7021dc9 · 7021dc9
1 parent 4e83663
commit 7021dc9
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/src/operator/controllers/intents_reconcilers/networkpolicy/builders/test_base.go b/src/operator/controllers/intents_reconcilers/networkpolicy/builders/test_base.go
@@ -8,6 +8,7 @@ import (
 	mocks "github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/mocks"
 	"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/networkpolicy"
 	"github.com/otterize/intents-operator/src/operator/effectivepolicy"
+	"github.com/otterize/intents-operator/src/shared/operatorconfig/enforcement"
 	"github.com/otterize/intents-operator/src/shared/serviceidresolver"
 	"github.com/otterize/intents-operator/src/shared/serviceidresolver/serviceidentity"
 	"github.com/otterize/intents-operator/src/shared/testbase"
@@ -43,6 +44,7 @@ type RulesBuilderTestSuiteBase struct {
 
 func (s *RulesBuilderTestSuiteBase) SetupTest() {
 	logrus.SetLevel(logrus.DebugLevel)
+	viper.Set(enforcement.EnableEgressNetworkPolicyReconcilersKey, true)
 	s.MocksSuiteBase.SetupTest()
 	s.externalNetpolHandler = mocks.NewMockExternalNetpolHandler(s.Controller)
 	restrictToNamespaces := make([]string, 0)

diff --git a/src/operator/effectivepolicy/groupreconciler.go b/src/operator/effectivepolicy/groupreconciler.go
@@ -8,6 +8,7 @@ import (
 	"github.com/otterize/intents-operator/src/operator/controllers/access_annotation"
 	"github.com/otterize/intents-operator/src/shared/errors"
 	"github.com/otterize/intents-operator/src/shared/injectablerecorder"
+	"github.com/otterize/intents-operator/src/shared/operatorconfig/enforcement"
 	"github.com/otterize/intents-operator/src/shared/serviceidresolver"
 	"github.com/otterize/intents-operator/src/shared/serviceidresolver/serviceidentity"
 	"github.com/samber/lo"
@@ -30,6 +31,7 @@ type GroupReconciler struct {
 	Scheme            *runtime.Scheme
 	reconcilers       []reconciler
 	serviceIdResolver *serviceidresolver.Resolver
+	egressEnabled     bool
 	injectablerecorder.InjectableRecorder
 }
 
@@ -39,6 +41,7 @@ func NewGroupReconciler(k8sClient client.Client, scheme *runtime.Scheme, service
 		Scheme:            scheme,
 		serviceIdResolver: serviceIdResolver,
 		reconcilers:       reconcilers,
+		egressEnabled:     enforcement.GetConfig().EnableEgressNetworkPolicyReconcilers,
 	}
 }
 
@@ -183,10 +186,11 @@ func (g *GroupReconciler) buildServiceEffectivePolicy(
 		for _, intent := range clientIntents.GetTargetList() {
 			serversFoundInClientIntents.Add(intent.ToServiceIdentity(clientIntents.Namespace))
 			call := Call{Target: intent, EventRecorder: recorder}
-
-			call, err = g.populateReferencedKubernetesServices(ctx, call, clientIntents, intent)
-			if err != nil {
-				return ServiceEffectivePolicy{}, errors.Wrap(err)
+			if g.egressEnabled {
+				call, err = g.populateReferencedKubernetesServices(ctx, call, clientIntents, intent)
+				if err != nil {
+					return ServiceEffectivePolicy{}, errors.Wrap(err)
+				}
 			}
 			calls = append(calls, call)
 

diff --git a/src/operator/effectivepolicy/types.go b/src/operator/effectivepolicy/types.go
@@ -16,6 +16,8 @@ type ClientCall struct {
 
 type Call struct {
 	v2alpha1.Target
+	// This is here as a workaround to make egress policies work in AWS VPC CNI which requires a rule matching the service's selector exactly in order to allow traffic to ClusterIP.
+	// it will be populated only if egress is enabled
 	ReferencingKubernetesServices []v1.Service
 	EventRecorder                 *injectablerecorder.ObjectEventRecorder
 }