6th chunk of `content/en/blog/_posts/2016-09-00-High-Performance-Network-Policies-Kubernetes.md`








What is also interesting in these results is that as the number of policies increases, we notice that larger requests experience a smaller relative (i.e. percentage) performance degradation.



This is because when Romana installs iptables rules, it ensures that packets belonging to established connections are evaluated first. The full list of policies only needs to be traversed for the first packets of a connection. After that, the connection is considered ‘established’ and its state is stored in a fast lookup table. For larger requests, therefore, most packets of the connection are processed with a quick lookup in the ‘established’ table rather than a full traversal of all rules. This iptables optimization results in performance that is largely independent of the number of network policies.



Such ‘flow tables’ are common optimizations in network equipment and it seems that iptables uses the same technique quite effectively.
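The following is an added example, not code from the original post or from Romana: a small model of the rule ordering described above, in which one connection-tracking rule sits ahead of N policy rules, so only a flow's first packet pays for the full traversal. The chain name, the `10.x.y.0/24` policy prefixes and the flow addresses are constructed sample data.

```python
# Added example (not from the original post or from Romana): model the iptables
# fast path.  The first packet of a flow traverses all policy rules; every later
# packet of that flow stops at the leading ESTABLISHED rule.  Chain name and
# addresses below are constructed placeholders.
from dataclasses import dataclass, field


@dataclass
class PolicyChain:
    policies: list            # (source_prefix, dport) allow rules, in chain order
    conntrack_first: bool     # True models "-m conntrack --ctstate ESTABLISHED" on top
    established: set = field(default_factory=set)
    evaluations: int = 0      # total rule evaluations performed so far

    def accept(self, src, dst, dport):
        flow = (src, dst, dport)
        if self.conntrack_first:
            self.evaluations += 1            # the single ESTABLISHED rule
            if flow in self.established:
                return True                  # fast path: no policy traversal
        for prefix, port in self.policies:
            self.evaluations += 1
            if src.startswith(prefix) and dport == port:
                self.established.add(flow)   # connection is now tracked
                return True
        return False                         # default deny


def evaluations_for_connection(n_policies, n_packets, conntrack_first):
    """Rule evaluations for one connection whose matching rule is the last one."""
    policies = [(f"10.{i // 256}.{i % 256}.", 80) for i in range(n_policies)]
    chain = PolicyChain(policies, conntrack_first)
    last = n_policies - 1
    src = f"10.{last // 256}.{last % 256}.1"   # matches only the final rule
    for _ in range(n_packets):
        assert chain.accept(src, "10.200.0.5", 80)
    return chain.evaluations


def iptables_lines(n_policies):
    """Illustrative iptables-save style ordering; POLICY-CHAIN is a placeholder."""
    lines = ["-A POLICY-CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    lines += [f"-A POLICY-CHAIN -s 10.{i // 256}.{i % 256}.0/24 -p tcp --dport 80 -j ACCEPT"
              for i in range(n_policies)]
    return lines + ["-A POLICY-CHAIN -j DROP"]


if __name__ == "__main__":
    for n in (10, 100, 500):   # evaluations for a 50-packet connection, with/without fast path
        print(n, evaluations_for_connection(n, 50, False), evaluations_for_connection(n, 50, True))
```

Without the leading conntrack rule the cost grows as policies times packets; with it, the cost is one full traversal plus one evaluation per further packet, which is the size-dependent effect the measurements show.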



It's also worth noting that in practice, a reasonably complex application may configure a few dozen rules per segment. It is also true that common network optimization techniques like WebSockets and persistent connections will improve the performance of network policies even further (especially for small request sizes), since connections are held open longer and therefore can benefit from the established-connection optimization.



These tests were performed using Romana as the backend policy provider and other network policy implementations may yield different results. However, what these tests show is that for almost every application deployment scenario, network policies can be applied using Romana as a network back end without any negative impact on performance.



If you wish to try it for yourself, we invite you to check out Romana. In our GitHub repo you can find an easy-to-use installer, which works with AWS, Vagrant VMs or any other servers. You can use it to quickly get started with a Romana-powered Kubernetes or OpenStack cluster.
