Delta npds #1836
Open
jrajahalme wants to merge 4 commits into
nezdolik reviewed Apr 7, 2026
jrajahalme (Member, Author) commented:
Changed to clear the resource map on new streams before parsing policies. This forces re-parsing of policies that are unchanged to use the current subscription's ConfigSource for Secret watchers.
nezdolik reviewed May 25, 2026
nezdolik (Contributor) left a comment:
did one quick pass, will need to do one more round.
Make sure each test case has endpoint ID field in the NetworkPolicy so that we can validate for it.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Replace Config::GrpcMuxImpl wrapper with stream event callback patch on upstream so that new stream detection works on all the needed Mux types for SotW, Delta, and ADS. New stream detection is the means by which we detect Cilium Agent restarts, which generally requires the ipcache bpf map to be reopened. Delta updates also depend on this detection to force synchronization as the restarted agent may not know which resources to remove.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Add Delta rpc to the APIs so that we can run NPDS and NPHDS also via Delta xDS.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Add new cilium/versioned.h generic container for transactional selector updates. Add a new NetworkPolicyResourceDiscoveryService that implements delta (and SotW) updates for policies and selectors, and where policies refer to selectors by their resource name. NPRDS adds a top-level oneof wrapper that wraps either a Selector or a NetworkPolicy. NetworkPolicy definition is shared with NPDS, but PortNetworkPolicyRule adds a new selectors field that is only used with NPRDS. Add 'policy_type' enum to BpfMetadata config to control whether NPDS (default) or NPRDS is used. Store the latest desired ConfigSource in the policy map and use it for:
- initial policy map subscription
- re-subscription when connection under current subscription is terminated
- a healthy network policy stream is not disrupted, unless the desired config is for delta xDS and the current one is not
This means that we switch to NPRDS (Delta) mode eagerly when we have evidence that the agent is capable, but we switch to NPDS (SotW) mode only when xDS stream transport had failed to connect or closes. This should work for Cilium Agent upgrades and downgrades, as the agent expresses the desired mode, and listens for both. Clear the resource map on a first update on a new stream. This fixes NACK cases where further updates on the stream would have IP collisions with resources that were kept from the previous stream.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add a new NetworkPolicyResourceDiscoveryService that implements delta updates for policies and selectors, and where policies refer to selectors by their resource name.
NPRDS adds a top-level oneof wrapper that wraps either a Selector or a NetworkPolicy. NetworkPolicy definition is shared with NPDS, but PortNetworkPolicyRule adds a new selectors field that is only used with NPRDS.
NetworkPolicyMap switches to delta mode eagerly when there is evidence that the agent is capable (via BpfMetadata listener filter config), but we switch to SotW mode only when the xDS stream transport has failed to connect or has closed. This should work for Cilium Agent upgrades and downgrades, as the agent expresses the desired mode, and upgraded agents listen for both SotW NPDS and Delta NPRDS.
Start from an empty network policy resource map on the first update on a new stream. This fixes NACK cases where further updates on the stream would have IP collisions with resources that were kept from the previous stream, originating from the previous instance of the restarted Cilium Agent.
Network policy map maintains a stream generation number for new stream detection purposes. This is implemented using a new stream events callback added to upstream Envoy gRPC Mux classes via a new patch.
NOTE: This includes commits from the following PRs that should be merged first:
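The stream-generation reset described above, as an added illustration that is not cilium/proxy's own code: a minimal resource map (hypothetical names PolicyMap, applyDelta, restartScenario, all assumptions) that NACKs a delta update whose IP is already owned by a different resource, run once with and once without clearing the map on the first update of a new stream.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>
// Hypothetical stand-in for the network policy resource map (not cilium/proxy code).
struct Resource { std::string name; std::vector<std::string> ips; };
class PolicyMap {
 public:
  explicit PolicyMap(bool clear_on_new_stream) : clear_on_new_stream_(clear_on_new_stream) {}
  // Apply one delta update from stream generation 'gen' (generations start at 1).
  // Returns true for ACK, false for NACK; on NACK the map is left unchanged.
  bool applyDelta(unsigned gen, const std::vector<Resource>& added, const std::vector<std::string>& removed) {
    if (gen != last_gen_) {
      // First update on a new stream: a restarted agent does not know which of the previous
      // stream's resources to remove, so start from an empty map instead of keeping them.
      if (clear_on_new_stream_) { by_name_.clear(); by_ip_.clear(); }
      last_gen_ = gen;
    }
    Names names = by_name_; Ips ips = by_ip_;  // validate on copies so a NACK has no side effects
    for (const auto& n : removed) erase(names, ips, n);
    for (const auto& r : added) {
      erase(names, ips, r.name);  // an update replaces any older version of the same resource
      for (const auto& ip : r.ips) {
        auto it = ips.find(ip);
        if (it != ips.end() && it->second != r.name) return false;  // NACK: IP owned by another resource
        ips[ip] = r.name;
      }
      names[r.name] = r.ips;
    }
    by_name_ = names; by_ip_ = ips;
    return true;
  }
  std::string ownerOf(const std::string& ip) const { auto it = by_ip_.find(ip); return it == by_ip_.end() ? std::string() : it->second; }
 private:
  using Names = std::map<std::string, std::vector<std::string>>;
  using Ips = std::map<std::string, std::string>;
  static void erase(Names& names, Ips& ips, const std::string& n) {
    auto it = names.find(n); if (it == names.end()) return;
    for (const auto& ip : it->second) ips.erase(ip); names.erase(it);
  }
  bool clear_on_new_stream_; unsigned last_gen_ = 0;
  Names by_name_; Ips by_ip_;
};
// Constructed scenario: stream 1 installs "ep-10" at 10.0.0.5, the agent restarts, and stream 2
// sends "ep-42" for the same IP with no removal for "ep-10". Returns the verdict and the IP's owner.
std::pair<bool, std::string> restartScenario(bool clear_on_new_stream) {
  PolicyMap m(clear_on_new_stream);
  m.applyDelta(1, {{"ep-10", {"10.0.0.5"}}}, {});
  return {m.applyDelta(2, {{"ep-42", {"10.0.0.5"}}}, {}), m.ownerOf("10.0.0.5")};
}
```

With clearing enabled the update on stream 2 is ACKed and "ep-42" owns the IP; without it the stale "ep-10" from stream 1 causes a NACK and every later update on that stream keeps colliding.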