Reduce the amount of allocations in policy use by trying a cached resolver first

[smarterclayton]

Simplified RuleResolver to be closer to upstream. Used a cached RuleResolver
in the NoEscalation checks and when fetching the binding on update. Remove a use of deepequal on a common path.

Not passing all tests yet, but @deads2k please take a look at the general structure.

This drops policy pretty far down the list in test-cmd - resolving #11003 for good
hopefully.

[smarterclayton]

Wrinkle is we can no longer give the nice 'reason' for which rule granted us. I noticed upstream doesn't have it - various ways to solve it including returning two lists or adding a source field to PolicyRule or switching to Bindings earlier.

[deads2k]

Clever

[deads2k]

add a scary comment here about not removing this check.

[deads2k]

structure looks reasonable.

[smarterclayton]

[test]

[smarterclayton]

@knobuc @ramr router flake ^

[smarterclayton]

Flake link is https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_integration/6545/consoleFull#191293162556bf4006e4b05b79524e5923

[test]

[smarterclayton]

@derekwaynecarr from https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9552/

/data/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go:134
Sep 30 15:55:55.842: Couldn't delete ns: "e2e-tests-limitrange-7yrtq": namespace e2e-tests-limitrange-7yrtq was not deleted with limit: timed out waiting for the condition, namespace is empty but is not yet removed (&errors.errorString{s:"namespace e2e-tests-limitrange-7yrtq was not deleted with limit: timed out waiting for the condition, namespace is empty but is not yet removed"})
/data/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go:338

[test]

[smarterclayton]

Ok, now this is ready for review.

On Sep 30, 2016, at 7:29 PM, OpenShift Bot notifications@github.com wrote:

continuous-integration/openshift-jenkins/test SUCCESS (
https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9562/)

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#11028 (comment),
or mute
the thread
https://github.com/notifications/unsubscribe-auth/ABG_p1B0tSlPmA9ugzumqAo3VduODFveks5qvZtVgaJpZM4KCRxk
.

[deads2k]

I understand the method, but not the name. Looks like I made the name initially, but it sucks.

[smarterclayton]

Preference?

[deads2k]

roleForEscalationCheck?

[deads2k]

If this is now necessary, it suggests we've gotten slower because the cache on the covers check falls through to live on a miss.

[liggitt]

no, this is waiting for the cache to reflect the role deletion above (before it would have failed the live check immediately). 2 minutes seems egregious, though

[smarterclayton]

I've seen integration tests pause for 30-60 seconds.

[smarterclayton]

AWS broke [test]

On Mon, Oct 3, 2016 at 2:02 PM, OpenShift Bot notifications@github.com
wrote:

continuous-integration/openshift-jenkins/test FAILURE (
https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9586/)

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#11028 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_py--2Q-w3wio-4a-lU3fW-gK8SCEks5qwUM7gaJpZM4KCRxk
.

[smarterclayton]

Finish your review! Or I'll turn on ReallyCrash

On Oct 5, 2016, at 9:17 PM, OpenShift Bot notifications@github.com wrote:

Origin Action Required: Pull request cannot be automatically merged, please
rebase your branch from latest HEAD and push again

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#11028 (comment),
or mute
the thread
https://github.com/notifications/unsubscribe-auth/ABG_p8BG7joaVBJW3-_dxV9xWFdOSItIks5qxGg7gaJpZM4KCRxk
.

[deads2k]

Do you have two of these? I swear I said this looked good.

[smarterclayton]

Hrm, never saw it. Bizarre.

On Oct 7, 2016, at 9:50 AM, David Eads notifications@github.com wrote:

Do you have two of these? I swear I said this looked good.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#11028 (comment),
or mute
the thread
https://github.com/notifications/unsubscribe-auth/ABG_p-Vio-cHJzpmY6GhLSVsEeq3oQRcks5qxmongaJpZM4KCRxk
.

[openshift-bot]

Evaluated for origin test up to 9ea0477

[smarterclayton]

Updated and rebased on top of the change to all the same method signatures...

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9782/)

[smarterclayton]

[merge]

On Sat, Oct 8, 2016 at 10:55 PM, OpenShift Bot notifications@github.com
wrote:

continuous-integration/openshift-jenkins/test SUCCESS (
https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9782/)

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#11028 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p7RKk3doEZnNMzc18GZf35X-6fgIks5qyFesgaJpZM4KCRxk
.

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9782/) (Image: devenv-rhel7_5156)

[openshift-bot]

Evaluated for origin merge up to 9ea0477