Comments (11)
cc @lambdai
from envoy.
Also want to add that L4 RBAC is likely to work with a TLS connection, which is CPU intensive (1ms CPU time).
The delayed deny, as a starting point of back-pressure propagation, could potentially greatly reduce the CPU at both Envoy and Envoy's downstream.
Wouldn't it be better to apply pressure earlier, e.g. by not reading bytes and starting TLS handshakes when there's a flood of connections? A delayed deny would mean Envoy has to maintain the memory structures for the connection when we'd want to shed them quickly.
@kyessenov I think we will need both. The delayed deny in RBAC is specific to connections to be closed due to a permission error, and will be more effective at reducing the CPU usage on Envoy in some situations. For example, some gRPC clients retry in a busy for-loop when the connection is closed by RBAC; this creates a significant number of new connections (e.g. 400 per second per client) on Envoy for more CPU usage (we are not really worried about the memory as it doesn't look to be an issue in either case).
A delayed deny will naturally reduce how fast the client retries, and then significantly reduce the CPU usage since there are far fewer new connections being created/closed at the same time.
SG, although this principle of delayed close should probably be applied uniformly: TLS handshake failures, protocol errors, etc. all fail in the same error domain. It might be better to handle it at the listener or the HCM level.
CC @yanavlasov
"When the RBAC policy evaluation result is DENY. The RBAC network filter will close the TCP connection immediately. This doesn't handle very well for some clients that just retry with a new connection at a very high rate, and that could overload the Envoy proxy to high CPU usage."
1. What's the real reason here for the Envoy proxy's high CPU usage? Just for handling some clients' DENY and closing the TCP connection? As you said, some clients don't handle it well and just retry with a new connection. So can we think this is a client issue?
2. From Envoy's PoV, maybe some protection policy or connection limit should be assigned to the same client, not just adding a connection close delay.
@wufanqqfsc The TLS handshake is CPU intensive. Both client and server. Imagine you have a service behind envoy with huge fan-in.
It is a client issue, but you don't necessarily have full control of the clients.
Yes, so I mean maybe some connection limit policy can be assigned to the same client to avoid the same client retrying the connection and getting closed by Envoy. For example, we can limit the connection frequency for the same client if RBAC has failed during some time slots. Anyway, adding a delayed deny may help but also costs memory to keep the connection context.
Yeah, we can definitely enable different protections at multiple layers and places depending on the actual situation; it's not a one-for-all solution. The memory cost should be very small and the benefit (as compared to not having the delayed deny) is well worth it.
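A listener configuration illustrating the combination discussed above (an earlier connection-rate cap ahead of the L4 RBAC filter, and a delayed deny on the RBAC filter itself), added here as an example; it is not taken from this issue or from Envoy's own documentation. It assumes the `delay_deny` field of the RBAC network filter and the local rate limit network filter, both of which exist in current Envoy releases but are not named in the thread; the certificate paths, SPIFFE identity, cluster name and port are placeholders.

```yaml
static_resources:
  listeners:
  - name: ingress_mtls
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }   # placeholder port
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/server.crt }   # placeholder path
              private_key: { filename: /etc/envoy/server.key }         # placeholder path
            validation_context:
              trusted_ca: { filename: /etc/envoy/ca.crt }              # placeholder path
      filters:
      # 1. Earliest cheap protection on this listener: cap the rate of new
      #    connections before any policy evaluation runs. This is a per-listener
      #    token bucket, not a per-client limit; excess connections are closed.
      - name: envoy.filters.network.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.local_ratelimit.v3.LocalRateLimit
          stat_prefix: conn_rate
          token_bucket:
            max_tokens: 100
            tokens_per_fill: 100
            fill_interval: 1s
      # 2. L4 RBAC: a denied connection is held open for delay_deny before it
      #    is closed, so a client that reconnects the instant it sees a close
      #    can only retry once per delay_deny instead of in a tight loop.
      - name: envoy.filters.network.rbac
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
          stat_prefix: rbac
          delay_deny: 5s
          rules:
            action: ALLOW
            policies:
              allow-known-client:
                permissions:
                - any: true
                principals:
                - authenticated:
                    principal_name:
                      exact: "spiffe://example.org/ns/default/sa/client"   # placeholder identity
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: backend
          cluster: backend   # placeholder cluster, defined elsewhere in the bootstrap
```

The order matters: the rate limit filter sits first so it sheds connections without evaluating policy, and the RBAC filter sits before `tcp_proxy` so a denied peer never reaches the upstream. Note that in a TLS filter chain the handshake has already completed by the time the RBAC filter sees the connection, which is the point raised earlier in the thread: `delay_deny` does not avoid the handshake cost of the current connection, it only slows the next retry. Watching the RBAC filter's denied counter together with the listener's connection-rate stats is the quickest way to confirm whether a retry storm is coming from one denied principal.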
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.