Support for cel.@block during policy composition #1056

Merged 5 commits into google:master from compose-policy-block, Nov 3, 2024

Conversation

TristonianJones (Collaborator) commented Oct 29, 2024

Support for cel.@block during policy expression composition.

This feature ensures that all variables are lazily evaluated and optimally
planned in a way which minimizes expression recursion. Future enhancements
may further compact or refine expressions by way of common subexpression
elimination.

Block also improves performance across several of the tracked use cases:

```text
                                                                           │             sec/op             │   sec/op     vs base                │
Compile/k8s/invalid/restricted_container-10                                                     2.036µ ± 1%   1.960µ ± 3%   -3.73% (p=0.001 n=10)
Compile/nested_rule/banned/restricted_origin-10                                                 506.1n ± 0%   426.0n ± 1%  -15.84% (p=0.000 n=10)
Compile/nested_rule/banned/by_default-10                                                        413.7n ± 0%   345.8n ± 1%  -16.42% (p=0.000 n=10)
Compile/nested_rule/permitted/valid_origin-10                                                   404.2n ± 4%   335.9n ± 1%  -16.90% (p=0.000 n=10)
Compile/nested_rule2/banned/restricted_origin-10                                                492.2n ± 0%   404.4n ± 0%  -17.86% (p=0.000 n=10)
Compile/nested_rule2/banned/by_default-10                                                       352.8n ± 0%   259.7n ± 1%  -26.39% (p=0.000 n=10)
Compile/nested_rule2/banned/unconfigured_region-10                                              285.2n ± 0%   283.2n ± 1%   -0.70% (p=0.006 n=10)
Compile/nested_rule2/permitted/valid_origin-10                                                  278.8n ± 0%   273.2n ± 5%   -1.97% (p=0.017 n=10)
Compile/nested_rule3/banned/restricted_origin-10                                                623.8n ± 0%   544.5n ± 2%  -12.72% (p=0.000 n=10)
Compile/nested_rule3/banned/by_default-10                                                       488.7n ± 2%   395.1n ± 2%  -19.16% (p=0.000 n=10)
Compile/nested_rule3/banned/unconfigured_region-10                                              411.9n ± 2%   412.7n ± 3%        ~ (p=0.698 n=10)
Compile/nested_rule3/permitted/valid_origin-10                                                  285.3n ± 3%   276.9n ± 1%   -2.96% (p=0.001 n=10)
Compile/context_pb/valid/good_spec-10                                                           808.8n ± 3%   797.6n ± 2%        ~ (p=0.066 n=10)
Compile/context_pb/invalid/bad_spec-10                                                          1.442µ ± 4%   1.428µ ± 1%   -1.01% (p=0.012 n=10)
Compile/pb/valid/good_spec-10                                                                   941.6n ± 2%   942.7n ± 3%        ~ (p=0.565 n=10)
Compile/pb/invalid/bad_spec-10                                                                  1.500µ ± 2%   1.524µ ± 2%   +1.63% (p=0.030 n=10)
Compile/required_labels/valid/matching-10                                                       2.889µ ± 1%   2.558µ ± 2%  -11.47% (p=0.000 n=10)
Compile/required_labels/missing/env-10                                                          2.361µ ± 1%   2.184µ ± 1%   -7.50% (p=0.000 n=10)
Compile/required_labels/missing/experiment-10                                                   2.417µ ± 1%   2.238µ ± 1%   -7.43% (p=0.000 n=10)
Compile/required_labels/invalid/env-10                                                          4.099µ ± 6%   3.818µ ± 6%   -6.87% (p=0.001 n=10)
Compile/restricted_destinations/valid/ip_allowed-10                                             1.614µ ± 1%   1.174µ ± 1%  -27.26% (p=0.000 n=10)
Compile/restricted_destinations/valid/nationality_allowed-10                                    1.598µ ± 1%   1.165µ ± 2%  -27.07% (p=0.000 n=10)
Compile/restricted_destinations/invalid/destination_ip_prohibited-10                           1119.5n ± 3%   679.0n ± 1%  -39.35% (p=0.000 n=10)
Compile/restricted_destinations/invalid/resource_nationality_prohibited-10                     1398.5n ± 2%   969.2n ± 5%  -30.69% (p=0.000 n=10)
Compile/limits/now_after_hours/7pm-10                                                          1146.5n ± 4%   979.6n ± 4%  -14.55% (p=0.000 n=10)
Compile/limits/now_after_hours/8pm-10                                                           1.637µ ± 1%   1.161µ ± 0%  -29.06% (p=0.000 n=10)
Compile/limits/now_after_hours/9pm-10                                                           1.765µ ± 1%   1.258µ ± 1%  -28.73% (p=0.000 n=10)
Compile/limits/now_after_hours/11pm-10                                                          1.854µ ± 2%   1.338µ ± 4%  -27.83% (p=0.000 n=10)
geomean                                                                                         949.6n        808.5n       -14.85%
```

Depends on #1048
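The two composition strategies the description contrasts, as an added example written for this page in Go (the project's language). It is not cel-go code and does not use the cel-go API: `Expr`, `Ident`, `Slot`, `Bin` and `Block` are a stand-in boolean expression model, and `ChainPolicy` is a constructed policy in which each variable references its predecessor twice. `Inline` composes by substituting every variable reference with a copy of its definition, the nested shape that grows with each level of rules; `Block` keeps the definitions in a list of slots beside the body, so a slot is evaluated only if evaluation reaches it, and then at most once. For eight chained variables the inlined body has 511 nodes at nesting depth 16 while the block has 40 nodes at depth 4, and an activation that short-circuits on `admin` computes no slots at all.

```go
package main

import "fmt"

// A tiny boolean expression language standing in for a CEL AST. This is an
// illustration written for this page, not cel-go's AST, policy compiler or
// cel.@block implementation; it only models the two composition strategies.
type Expr interface{}

type (
	Ident string                        // input attribute, read from the activation
	Slot  int                           // reference to policy variable i
	Bin   struct{ And bool; L, R Expr } // And selects && over ||; both short-circuit
)

// Block keeps variable definitions beside the body instead of nesting them in
// it; a slot is evaluated only when referenced, and then at most once.
type Block struct{ Vars []Expr; Body Expr }

// Inline composes by substitution: each Slot becomes a copy of its definition,
// so a variable used twice is duplicated and nesting grows with every level.
func Inline(e Expr, vars []Expr) Expr {
	switch n := e.(type) {
	case Slot:
		return Inline(vars[n], vars)
	case Bin:
		return Bin{n.And, Inline(n.L, vars), Inline(n.R, vars)}
	}
	return e
}

// Shape returns node count and nesting depth (what a recursion limit sees). In
// a Block the slots are siblings of the body, so the deepest slot sets the depth.
func Shape(e Expr) (size, depth int) {
	var kids []Expr
	switch n := e.(type) {
	case Bin:
		kids = []Expr{n.L, n.R}
	case Block:
		kids = append([]Expr{n.Body}, n.Vars...)
	}
	for _, k := range kids {
		s, d := Shape(k)
		size += s
		if d > depth {
			depth = d
		}
	}
	return size + 1, depth + 1
}

// Eval evaluates a Block against an activation, memoizing each slot. It returns
// the result, how many slots were computed, and how many references hit the memo.
func Eval(b Block, act map[string]bool) (result bool, computed, hits int) {
	memo := map[Slot]bool{}
	var ev func(Expr) bool
	ev = func(e Expr) bool {
		switch n := e.(type) {
		case Ident:
			return act[string(n)]
		case Slot:
			if v, ok := memo[n]; ok {
				hits++
				return v
			}
			memo[n] = ev(b.Vars[n])
			return memo[n]
		case Bin:
			if n.And {
				return ev(n.L) && ev(n.R)
			}
			return ev(n.L) || ev(n.R)
		}
		panic(fmt.Sprintf("unknown node %T", e))
	}
	result = ev(b.Body)
	return result, len(memo), hits
}

// ChainPolicy is a constructed policy with n variables, each built on its
// predecessor twice (v0 = c0; vi = vi-1 && (vi-1 || ci)), plus a body that
// short-circuits on "admin" before consulting the last variable.
func ChainPolicy(n int) Block {
	vars := make([]Expr, n)
	vars[0] = Ident("c0")
	for i := 1; i < n; i++ {
		vars[i] = Bin{true, Slot(i - 1), Bin{false, Slot(i - 1), Ident(fmt.Sprintf("c%d", i))}}
	}
	return Block{Vars: vars, Body: Bin{false, Ident("admin"), Slot(n - 1)}}
}

func main() {
	b := ChainPolicy(8)
	fmt.Println(Shape(Inline(b.Body, b.Vars))) // inlined: nodes, depth
	fmt.Println(Shape(b))                      // block: nodes, depth
	for _, act := range []map[string]bool{{"admin": true}, {"c0": true}, {}} {
		r, c, h := Eval(b, act)
		fmt.Println(act, "=>", r, "slots computed:", c, "memo hits:", h)
	}
}
```

Evaluating the inlined body as a `Block` with no `Vars` gives the same result for every activation, which is the check that the two compositions are semantically equivalent. The memo is what saves the second reference to each `vi-1` at run time; the common subexpression elimination the description lists as future work would remove that duplicated reference at compile time instead.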

@TristonianJones TristonianJones requested review from seirl and removed request for seirl October 29, 2024 23:11
TristonianJones (Collaborator, Author) commented:

@seirl FYI -- once cel.@block and this PR are landed, the import of cel-go will fix the recursion depth challenges you encountered with large policies.

@TristonianJones TristonianJones changed the title Compose policy block Support for cel.@block during policy composition Oct 29, 2024
@TristonianJones TristonianJones merged commit 3f12eca into google:master Nov 3, 2024
2 checks passed
@TristonianJones TristonianJones deleted the compose-policy-block branch November 3, 2024 01:33