Containment based queries optimized

nca/Resources/CalicoNetworkPolicy.py

@@ -87,26 +87,26 @@ def _update_opt_props_by_order(self, is_ingress):
         for rule in self.ingress_rules if is_ingress else self.egress_rules:
             props = rule.optimized_props.copy()
             if rule.action == CalicoPolicyRule.ActionType.Allow:
-                props -= self.optimized_deny_ingress_props if is_ingress else self.optimized_deny_egress_props
-                props -= self.optimized_pass_ingress_props if is_ingress else self.optimized_pass_egress_props
+                props -= self._optimized_deny_ingress_props if is_ingress else self._optimized_deny_egress_props
+                props -= self._optimized_pass_ingress_props if is_ingress else self._optimized_pass_egress_props
                 if is_ingress:
-                    self.optimized_allow_ingress_props |= props
+                    self._optimized_allow_ingress_props |= props
                 else:
-                    self.optimized_allow_egress_props |= props
+                    self._optimized_allow_egress_props |= props
             elif rule.action == CalicoPolicyRule.ActionType.Deny:
-                props -= self.optimized_allow_ingress_props if is_ingress else self.optimized_allow_egress_props
-                props -= self.optimized_pass_ingress_props if is_ingress else self.optimized_pass_egress_props
+                props -= self._optimized_allow_ingress_props if is_ingress else self._optimized_allow_egress_props
+                props -= self._optimized_pass_ingress_props if is_ingress else self._optimized_pass_egress_props
                 if is_ingress:
-                    self.optimized_deny_ingress_props |= props
+                    self._optimized_deny_ingress_props |= props
                 else:
-                    self.optimized_deny_egress_props |= props
+                    self._optimized_deny_egress_props |= props
             elif rule.action == CalicoPolicyRule.ActionType.Pass:
-                props -= self.optimized_allow_ingress_props if is_ingress else self.optimized_allow_egress_props
-                props -= self.optimized_deny_ingress_props if is_ingress else self.optimized_deny_egress_props
+                props -= self._optimized_allow_ingress_props if is_ingress else self._optimized_allow_egress_props
+                props -= self._optimized_deny_ingress_props if is_ingress else self._optimized_deny_egress_props
                 if is_ingress:
-                    self.optimized_pass_ingress_props |= props
+                    self._optimized_pass_ingress_props |= props
                 else:
-                    self.optimized_pass_egress_props |= props
+                    self._optimized_pass_egress_props |= props
 
     def sync_opt_props(self):
         """
@@ -169,17 +169,16 @@ def allowed_connections_optimized(self, is_ingress):
         and the peer set of captured peers by this policy.
         :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet)
         """
-        self.sync_opt_props()
         res_conns = OptimizedPolicyConnections()
         if is_ingress:
-            res_conns.allowed_conns = self.optimized_allow_ingress_props.copy()
-            res_conns.denied_conns = self.optimized_deny_ingress_props.copy()
-            res_conns.pass_conns = self.optimized_pass_ingress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_ingress_props().copy()
+            res_conns.denied_conns = self.optimized_deny_ingress_props().copy()
+            res_conns.pass_conns = self.optimized_pass_ingress_props().copy()
             res_conns.captured = self.selected_peers if self.affects_ingress else Peer.PeerSet()
         else:
-            res_conns.allowed_conns = self.optimized_allow_egress_props.copy()
-            res_conns.denied_conns = self.optimized_deny_egress_props.copy()
-            res_conns.pass_conns = self.optimized_pass_egress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_egress_props().copy()
+            res_conns.denied_conns = self.optimized_deny_egress_props().copy()
+            res_conns.pass_conns = self.optimized_pass_egress_props().copy()
             res_conns.captured = self.selected_peers if self.affects_egress else Peer.PeerSet()
         return res_conns
 

nca/Resources/IngressPolicy.py

@@ -72,7 +72,7 @@ def sync_opt_props(self):
             return
         self._init_opt_props()
         for rule in self.egress_rules:
-            self.optimized_allow_egress_props |= rule.optimized_props
+            self._optimized_allow_egress_props |= rule.optimized_props
         self.optimized_props_in_sync = True
 
     def allowed_connections(self, from_peer, to_peer, is_ingress):
@@ -110,13 +110,12 @@ def allowed_connections_optimized(self, is_ingress):
         and the peer set of captured peers by this policy.
         :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet)
         """
-        self.sync_opt_props()
         res_conns = OptimizedPolicyConnections()
         if is_ingress:
             res_conns.allowed_conns = ConnectivityProperties.make_empty_props()
             res_conns.captured = PeerSet()
         else:
-            res_conns.allowed_conns = self.optimized_allow_egress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_egress_props().copy()
             res_conns.captured = self.selected_peers if self.affects_egress else PeerSet()
         return res_conns
 

nca/Resources/IstioNetworkPolicy.py

@@ -78,11 +78,11 @@ def sync_opt_props(self):
         self._init_opt_props()
         for rule in self.ingress_rules:
             if self.action == IstioNetworkPolicy.ActionType.Allow:
-                self.optimized_allow_ingress_props |= rule.optimized_props
+                self._optimized_allow_ingress_props |= rule.optimized_props
             elif self.action == IstioNetworkPolicy.ActionType.Deny:
-                self.optimized_deny_ingress_props |= rule.optimized_props
+                self._optimized_deny_ingress_props |= rule.optimized_props
 
-        self.optimized_allow_egress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers()
+        self._optimized_allow_egress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers()
         self.optimized_props_in_sync = True
 
     def allowed_connections(self, from_peer, to_peer, is_ingress):
@@ -122,15 +122,14 @@ def allowed_connections_optimized(self, is_ingress):
         and the peer set of captured peers by this policy.
         :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet)
         """
-        self.sync_opt_props()
         res_conns = OptimizedPolicyConnections()
         if is_ingress:
-            res_conns.allowed_conns = self.optimized_allow_ingress_props.copy()
-            res_conns.denied_conns = self.optimized_deny_ingress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_ingress_props().copy()
+            res_conns.denied_conns = self.optimized_deny_ingress_props().copy()
             res_conns.captured = self.selected_peers
         else:
-            res_conns.allowed_conns = self.optimized_allow_egress_props.copy()
-            res_conns.denied_conns = self.optimized_deny_egress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_egress_props().copy()
+            res_conns.denied_conns = self.optimized_deny_egress_props().copy()
             res_conns.captured = PeerSet()
         return res_conns
 

nca/Resources/IstioSidecar.py

@@ -59,9 +59,9 @@ def sync_opt_props(self):
         if self.optimized_props_in_sync:
             return
         self._init_opt_props()
-        self.optimized_allow_ingress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers()
+        self._optimized_allow_ingress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers()
         for rule in self.egress_rules:
-            self.optimized_allow_egress_props |= rule.optimized_props
+            self._optimized_allow_egress_props |= rule.optimized_props
         self.optimized_props_in_sync = True
 
     def allowed_connections(self, from_peer, to_peer, is_ingress):
@@ -100,15 +100,14 @@ def allowed_connections(self, from_peer, to_peer, is_ingress):
         return PolicyConnections(True, allowed_conns=ConnectionSet())
 
     def allowed_connections_optimized(self, is_ingress):
-        self.sync_opt_props()
         res_conns = OptimizedPolicyConnections()
         if is_ingress:
-            res_conns.allowed_conns = self.optimized_allow_ingress_props.copy()
-            res_conns.denied_conns = self.optimized_deny_ingress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_ingress_props().copy()
+            res_conns.denied_conns = self.optimized_deny_ingress_props().copy()
             res_conns.captured = PeerSet()
         else:
-            res_conns.allowed_conns = self.optimized_allow_egress_props.copy()
-            res_conns.denied_conns = self.optimized_deny_egress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_egress_props().copy()
+            res_conns.denied_conns = self.optimized_deny_egress_props().copy()
             res_conns.captured = self.selected_peers if self.affects_egress else PeerSet()
         return res_conns
 

nca/Resources/K8sNetworkPolicy.py

@@ -48,9 +48,9 @@ def sync_opt_props(self):
             return
         self._init_opt_props()
         for rule in self.ingress_rules:
-            self.optimized_allow_ingress_props |= rule.optimized_props
+            self._optimized_allow_ingress_props |= rule.optimized_props
         for rule in self.egress_rules:
-            self.optimized_allow_egress_props |= rule.optimized_props
+            self._optimized_allow_egress_props |= rule.optimized_props
         self.optimized_props_in_sync = True
 
     def allowed_connections(self, from_peer, to_peer, is_ingress):
@@ -89,13 +89,12 @@ def allowed_connections_optimized(self, is_ingress):
         and the peer set of captured peers by this policy.
         :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet)
         """
-        self.sync_opt_props()
         res_conns = OptimizedPolicyConnections()
         if is_ingress:
-            res_conns.allowed_conns = self.optimized_allow_ingress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_ingress_props().copy()
             res_conns.captured = self.selected_peers if self.affects_ingress else Peer.PeerSet()
         else:
-            res_conns.allowed_conns = self.optimized_allow_egress_props.copy()
+            res_conns.allowed_conns = self.optimized_allow_egress_props().copy()
             res_conns.captured = self.selected_peers if self.affects_egress else Peer.PeerSet()
         return res_conns
 

nca/Resources/NetworkPolicy.py

@@ -72,13 +72,45 @@ def __init__(self, name, namespace):
     def _init_opt_props(self):
         """
         The members below are used for lazy evaluation of policy connectivity properties.
+        NOTE: THEY CANNOT BE ACCESSED DIRECTLY, ONLY BY 'GETTER' METHODS BELOW!
         """
-        self.optimized_allow_ingress_props = ConnectivityProperties.make_empty_props()
-        self.optimized_deny_ingress_props = ConnectivityProperties.make_empty_props()
-        self.optimized_pass_ingress_props = ConnectivityProperties.make_empty_props()
-        self.optimized_allow_egress_props = ConnectivityProperties.make_empty_props()
-        self.optimized_deny_egress_props = ConnectivityProperties.make_empty_props()
-        self.optimized_pass_egress_props = ConnectivityProperties.make_empty_props()
+        self._optimized_allow_ingress_props = ConnectivityProperties.make_empty_props()
+        self._optimized_deny_ingress_props = ConnectivityProperties.make_empty_props()
+        self._optimized_pass_ingress_props = ConnectivityProperties.make_empty_props()
+        self._optimized_allow_egress_props = ConnectivityProperties.make_empty_props()
+        self._optimized_deny_egress_props = ConnectivityProperties.make_empty_props()
+        self._optimized_pass_egress_props = ConnectivityProperties.make_empty_props()
+
+    def optimized_allow_ingress_props(self):
+        self.sync_opt_props()
+        return self._optimized_allow_ingress_props
+
+    def optimized_deny_ingress_props(self):
+        self.sync_opt_props()
+        return self._optimized_deny_ingress_props
+
+    def optimized_pass_ingress_props(self):
+        self.sync_opt_props()
+        return self._optimized_pass_ingress_props
+
+    def optimized_allow_egress_props(self):
+        self.sync_opt_props()
+        return self._optimized_allow_egress_props
+
+    def optimized_deny_egress_props(self):
+        self.sync_opt_props()
+        return self._optimized_deny_egress_props
+
+    def optimized_pass_egress_props(self):
+        self.sync_opt_props()
+        return self._optimized_pass_egress_props
+
+    def sync_opt_props(self):
+        """
+        Implemented by derived policies to compute optimized props of the policy according to the optimized props
+        of its rules, in case optimized props are not currently synchronized.
+        """
+        return NotImplemented
 
     def __str__(self):
         return self.full_name()
@@ -93,12 +125,12 @@ def __eq__(self, other):
                 self.selected_peers == other.selected_peers and \
                 self.ingress_rules == other.ingress_rules and \
                 self.egress_rules == other.egress_rules and \
-                self.optimized_allow_ingress_props == other.optimized_allow_ingress_props and \
-                self.optimized_deny_ingress_props == other.optimized_deny_ingress_props and \
-                self.optimized_pass_ingress_props == other.optimized_pass_ingress_props and \
-                self.optimized_allow_egress_props == other.optimized_allow_egress_props and \
-                self.optimized_deny_egress_props == other.optimized_deny_egress_props and \
-                self.optimized_pass_egress_props == other.optimized_pass_egress_props
+                self._optimized_allow_ingress_props == other._optimized_allow_ingress_props and \
+                self._optimized_deny_ingress_props == other._optimized_deny_ingress_props and \
+                self._optimized_pass_ingress_props == other._optimized_pass_ingress_props and \
+                self._optimized_allow_egress_props == other._optimized_allow_egress_props and \
+                self._optimized_deny_egress_props == other._optimized_deny_egress_props and \
+                self._optimized_pass_egress_props == other._optimized_pass_egress_props
         return False
 
     def __lt__(self, other):  # required so we can evaluate the policies according to their order

nca/Utils/ExplTracker.py

@@ -262,10 +262,9 @@ def are_peers_connected(self, src, dst):
             {"src_peers": PeerSet({src_peer}), "dst_peers": PeerSet({dst_peer})}) else False
 
     def add_policy_to_peers(self, policy):
-        policy.sync_opt_props()
         for peer in policy.selected_peers:
-            src_peers, _ = self.extract_peers(policy.optimized_allow_ingress_props)
-            _, dst_peers = self.extract_peers(policy.optimized_allow_egress_props)
+            src_peers, _ = self.extract_peers(policy.optimized_allow_ingress_props())
+            _, dst_peers = self.extract_peers(policy.optimized_allow_egress_props())
             peer_name = peer.full_name()
             self.add_peer_policy(peer_name, policy.name, dst_peers, src_peers)