Check constraints in parallel when review a request

[mozillazg]

Describe the solution you'd like

Support check constraints in parallel when review a request, use this way to speed up review when using External Data feature or using http.send in rego.

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

kube-apiserver is call validating webhooks in parallel too：https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook

Environment:

• Gatekeeper version:
• Kubernetes version: (use kubectl version):

[maxsmythe]

Rego doesn't allow us to modify execution flow, but with the changes @willbeason is working on we will have more control over things like parallel execution.

IIRC his analysis showed that, in general, there wasn't much benefit to parallelizing execution, but IO-limited constraints may be an exception to this. I'm wondering if he has thoughts on how we might handle this case in the future?

I'm guessing infinitely parallel is probably the wrong approach due to possible CPU starvation.

[willbeason]

That makes a lot of sense - under normal circumstances there aren't appreciable gains for running Constraints in parallel.

In this case, it makes a lot of sense since we don't know how long http.send requests will take. This should probably be designed carefully once we're done with the current compiler sharding effort - we'll want to improve this use case without degrading performance for use cases which don't use http.send.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.