
ROX-33328: Avoid cache re-poisoning during coalesced fetches #19600

Draft
clickboo wants to merge 1 commit into boo-adm-cntrl-targeted-invalidation-foundation from boo-adm-cntr-image-gen-counters

Conversation


@clickboo clickboo commented Mar 25, 2026

Description

Adds support for targeted image cache invalidation in the admission controller. The admission controller can now process AdmCtrlImageCacheInvalidation messages that remove only the required entries.

Problem: Today, any image change (re-enrichment, vulnerability deferral, deletion) and any reprocessing trigger a full cache purge in the admission controller via the CacheVersion mechanism. This evicts all cached scan results, causing a burst of redundant image fetch calls until the cache repopulates.

Solution: The admission controller now accepts targeted invalidation messages via a new image_cache_invalidation field in MsgToAdmissionControl. For each image key, it removes the specific entry from imageCache, clears the corresponding name mapping in imageNameToImageCacheKey, and resets any in-flight coalesced fetch via Forget.

Generation counter for stale-write prevention: A targeted invalidation can race with an in-flight fetch: the fetch starts before the invalidation, the invalidation clears the cache, then the fetch completes and writes stale data back. To prevent this, a per-key generation counter (imageGenTracker) is incremented on invalidation. In-flight fetches capture a generation snapshot before the fetch call and compare it after — if the generation changed, the result is not cached. This ensures invalidation takes effect immediately rather than being masked for up to 30 minutes (the cache TTL). It is noteworthy that, after all the cache optimizations, the goal is to increase the TTL to 2 hours.

Stacked on the proto PR #19597 that introduces the AdmCtrlImageCacheInvalidation message type.

AI-assisted.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

  • Unit tests only.
  • e2e flows will be tested as I stack more PRs for messages from Sensor and Central on top.
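The race the PR description guards against (fetch starts, targeted invalidation lands, fetch completes and would write stale data back) reproduced as an added Go example. This is not the project's code: the ImageCache, Invalidate, Get, Cached and SimulateRace names, the scan-result strings and the image key are hypothetical, and a small hand-rolled in-flight map stands in for the singleflight group (deleting its entry plays the role of Forget). The generation snapshot is taken before the fetch and compared after, exactly as the description says, so the overlapping fetch's result is handed to its caller but never cached.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Fetcher resolves an image key to a scan result; in practice this is a slow
// network call, which is why concurrent callers for one key are coalesced.
type Fetcher func(key string) (string, error)

// call is one in-flight coalesced fetch; later callers wait on done and
// share its result instead of starting their own fetch.
type call struct {
	done chan struct{}
	val  string
	err  error
}

// ImageCache is a hypothetical stand-in for the admission controller's image
// cache: cached results, a per-key generation counter, and an in-flight map
// that plays the role of a singleflight group.
type ImageCache struct {
	mu       sync.Mutex
	entries  map[string]string // cached scan result per image key
	gen      map[string]uint64 // generation per key, bumped on invalidation
	inflight map[string]*call  // coalesced fetches currently running
	fetch    Fetcher
}

func NewImageCache(f Fetcher) *ImageCache {
	return &ImageCache{
		entries:  map[string]string{},
		gen:      map[string]uint64{},
		inflight: map[string]*call{},
		fetch:    f,
	}
}

// Invalidate is the targeted invalidation for one key: drop the entry, bump
// the generation, and forget the in-flight fetch so the next caller starts a
// fresh one (existing waiters still receive the old fetch's result).
func (c *ImageCache) Invalidate(key string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.entries, key)
	c.gen[key]++
	delete(c.inflight, key)
}

// Cached reports the cached value for key, if any.
func (c *ImageCache) Cached(key string) (string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	v, ok := c.entries[key]
	return v, ok
}

// Get serves from cache, joins an in-flight fetch, or starts one. The result
// is written back only if the key's generation is unchanged since the
// snapshot taken before the fetch; otherwise an invalidation overlapped the
// fetch and the (possibly stale) result is returned but not cached.
func (c *ImageCache) Get(key string) (string, error) {
	c.mu.Lock()
	if v, ok := c.entries[key]; ok {
		c.mu.Unlock()
		return v, nil
	}
	if cl, ok := c.inflight[key]; ok {
		c.mu.Unlock()
		<-cl.done
		return cl.val, cl.err
	}
	cl := &call{done: make(chan struct{})}
	c.inflight[key] = cl
	before := c.gen[key] // generation snapshot taken before the fetch
	c.mu.Unlock()

	cl.val, cl.err = c.fetch(key)

	c.mu.Lock()
	if c.inflight[key] == cl {
		delete(c.inflight, key)
	}
	if cl.err == nil && c.gen[key] == before {
		c.entries[key] = cl.val // no invalidation raced us: safe to cache
	}
	c.mu.Unlock()
	close(cl.done)
	return cl.val, cl.err
}

// SimulateRace replays "fetch starts, invalidation lands, fetch completes"
// deterministically with channels. It returns what the overlapping fetch
// handed to its caller, whether that value was cached, and what the next
// caller received. Result strings are constructed for the example.
func SimulateRace(key string) (returned string, cached bool, fresh string) {
	started, release := make(chan struct{}), make(chan struct{})
	var first sync.Once
	var calls int32
	c := NewImageCache(func(k string) (string, error) {
		n := atomic.AddInt32(&calls, 1)
		first.Do(func() { close(started); <-release }) // only fetch #1 stalls
		return fmt.Sprintf("scan-%d:%s", n, k), nil
	})

	res := make(chan string)
	go func() { v, _ := c.Get(key); res <- v }()
	<-started         // fetch #1 is in flight
	c.Invalidate(key) // targeted invalidation lands while it runs
	close(release)    // fetch #1 completes with pre-invalidation data
	returned = <-res
	_, cached = c.Cached(key)
	fresh, _ = c.Get(key) // fetch #2 sees the new generation and is cached
	return returned, cached, fresh
}

func main() {
	returned, cached, fresh := SimulateRace("quay.io/app@sha256:abc")
	fmt.Printf("overlapping fetch returned %q, cached=%v; next caller got %q\n", returned, cached, fresh)
}
```

Without the generation check, the `c.entries[key] = cl.val` write would land after the invalidation and the stale result would survive for a full TTL; with it, the first caller still gets an answer (no extra latency for that request), and only the next caller pays for the fresh fetch.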


@openshift-ci

openshift-ci bot commented Mar 25, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


@rhacs-bot
Contributor

rhacs-bot commented Mar 25, 2026

Images are ready for the commit at e994f13.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-443-ge994f13af9.

@codecov

codecov bot commented Mar 25, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.28%. Comparing base (348220e) to head (e994f13).

Files with missing lines                           Patch %   Lines
sensor/admission-control/manager/manager_impl.go   71.69%    15 Missing ⚠️
sensor/admission-control/manager/images.go          0.00%     4 Missing ⚠️
Additional details and impacted files
@@                               Coverage Diff                               @@
##           boo-adm-cntrl-targeted-invalidation-foundation   #19600   +/-   ##
===============================================================================
  Coverage                                           49.28%   49.28%           
===============================================================================
  Files                                                2735     2735           
  Lines                                              206215   206265   +50     
===============================================================================
+ Hits                                               101636   101666   +30     
- Misses                                              97038    97058   +20     
  Partials                                             7541     7541           
Flag Coverage Δ
go-unit-tests 49.28% <66.66%> (+<0.01%) ⬆️


@clickboo clickboo force-pushed the boo-adm-cntr-image-gen-counters branch from 6836bf6 to 4d98322 on March 25, 2026 12:19
@clickboo clickboo changed the title ROX-33328: Adding support for image generation counters for targeted invalidation ROX-33328: Image generation counters for targeted invalidation Mar 25, 2026
@clickboo clickboo changed the title ROX-33328: Image generation counters for targeted invalidation ROX-33328: Avoid cache re-poisoning when image cache is invalidated during coalesced fetches Mar 25, 2026
@clickboo clickboo changed the title ROX-33328: Avoid cache re-poisoning when image cache is invalidated during coalesced fetches ROX-33328: Avoid cache re-poisoning during coalesced fetches Mar 25, 2026
@stackrox stackrox deleted a comment from openshift-ci bot Mar 25, 2026
@stackrox stackrox deleted a comment from openshift-ci bot Mar 25, 2026
@clickboo clickboo force-pushed the boo-adm-cntrl-targeted-invalidation-foundation branch from 4031ed6 to 348220e on March 25, 2026 15:00
@clickboo clickboo force-pushed the boo-adm-cntr-image-gen-counters branch from 4d98322 to e994f13 on March 25, 2026 15:00
2 participants