
Support for cel.@block during policy composition#1056

Merged
TristonianJones merged 5 commits into cel-expr:master from TristonianJones:compose-policy-block on Nov 3, 2024

Conversation

@TristonianJones TristonianJones commented Oct 29, 2024

Collaborator

Support for cel.@block during policy expression composition.

This feature ensures that all variables are lazily evaluated and optimally
planned in a way which minimizes expression recursion. Future enhancements
may further compact or refine expressions by way of common subexpression
elimination.

Block also improves performance across several of the tracked use cases:

```
                                                                           │             sec/op             │   sec/op     vs base                │
Compile/k8s/invalid/restricted_container-10                                                     2.036µ ± 1%   1.960µ ± 3%   -3.73% (p=0.001 n=10)
Compile/nested_rule/banned/restricted_origin-10                                                 506.1n ± 0%   426.0n ± 1%  -15.84% (p=0.000 n=10)
Compile/nested_rule/banned/by_default-10                                                        413.7n ± 0%   345.8n ± 1%  -16.42% (p=0.000 n=10)
Compile/nested_rule/permitted/valid_origin-10                                                   404.2n ± 4%   335.9n ± 1%  -16.90% (p=0.000 n=10)
Compile/nested_rule2/banned/restricted_origin-10                                                492.2n ± 0%   404.4n ± 0%  -17.86% (p=0.000 n=10)
Compile/nested_rule2/banned/by_default-10                                                       352.8n ± 0%   259.7n ± 1%  -26.39% (p=0.000 n=10)
Compile/nested_rule2/banned/unconfigured_region-10                                              285.2n ± 0%   283.2n ± 1%   -0.70% (p=0.006 n=10)
Compile/nested_rule2/permitted/valid_origin-10                                                  278.8n ± 0%   273.2n ± 5%   -1.97% (p=0.017 n=10)
Compile/nested_rule3/banned/restricted_origin-10                                                623.8n ± 0%   544.5n ± 2%  -12.72% (p=0.000 n=10)
Compile/nested_rule3/banned/by_default-10                                                       488.7n ± 2%   395.1n ± 2%  -19.16% (p=0.000 n=10)
Compile/nested_rule3/banned/unconfigured_region-10                                              411.9n ± 2%   412.7n ± 3%        ~ (p=0.698 n=10)
Compile/nested_rule3/permitted/valid_origin-10                                                  285.3n ± 3%   276.9n ± 1%   -2.96% (p=0.001 n=10)
Compile/context_pb/valid/good_spec-10                                                           808.8n ± 3%   797.6n ± 2%        ~ (p=0.066 n=10)
Compile/context_pb/invalid/bad_spec-10                                                          1.442µ ± 4%   1.428µ ± 1%   -1.01% (p=0.012 n=10)
Compile/pb/valid/good_spec-10                                                                   941.6n ± 2%   942.7n ± 3%        ~ (p=0.565 n=10)
Compile/pb/invalid/bad_spec-10                                                                  1.500µ ± 2%   1.524µ ± 2%   +1.63% (p=0.030 n=10)
Compile/required_labels/valid/matching-10                                                       2.889µ ± 1%   2.558µ ± 2%  -11.47% (p=0.000 n=10)
Compile/required_labels/missing/env-10                                                          2.361µ ± 1%   2.184µ ± 1%   -7.50% (p=0.000 n=10)
Compile/required_labels/missing/experiment-10                                                   2.417µ ± 1%   2.238µ ± 1%   -7.43% (p=0.000 n=10)
Compile/required_labels/invalid/env-10                                                          4.099µ ± 6%   3.818µ ± 6%   -6.87% (p=0.001 n=10)
Compile/restricted_destinations/valid/ip_allowed-10                                             1.614µ ± 1%   1.174µ ± 1%  -27.26% (p=0.000 n=10)
Compile/restricted_destinations/valid/nationality_allowed-10                                    1.598µ ± 1%   1.165µ ± 2%  -27.07% (p=0.000 n=10)
Compile/restricted_destinations/invalid/destination_ip_prohibited-10                           1119.5n ± 3%   679.0n ± 1%  -39.35% (p=0.000 n=10)
Compile/restricted_destinations/invalid/resource_nationality_prohibited-10                     1398.5n ± 2%   969.2n ± 5%  -30.69% (p=0.000 n=10)
Compile/limits/now_after_hours/7pm-10                                                          1146.5n ± 4%   979.6n ± 4%  -14.55% (p=0.000 n=10)
Compile/limits/now_after_hours/8pm-10                                                           1.637µ ± 1%   1.161µ ± 0%  -29.06% (p=0.000 n=10)
Compile/limits/now_after_hours/9pm-10                                                           1.765µ ± 1%   1.258µ ± 1%  -28.73% (p=0.000 n=10)
Compile/limits/now_after_hours/11pm-10                                                          1.854µ ± 2%   1.338µ ± 4%  -27.83% (p=0.000 n=10)
geomean                                                                                         949.6n        808.5n       -14.85%
```

Depends on #1048

@TristonianJones TristonianJones requested review from seirl and removed request for seirl October 29, 2024 23:11
@TristonianJones

Collaborator Author

@seirl FYI -- once cel.@block and this PR are landed, the import of cel-go will fix the recursion depth challenges you encountered with large policies.

@TristonianJones TristonianJones changed the title from "Compose policy block" to "Support for cel.@block during policy composition" Oct 29, 2024
@TristonianJones TristonianJones merged commit 3f12eca into cel-expr:master Nov 3, 2024
@TristonianJones TristonianJones deleted the compose-policy-block branch November 3, 2024 01:33