ROX-33339: Optimized sensor and admission controller image cache operations #19840

Draft
clickboo wants to merge 2 commits into boo-sensor-refresh-invalidate-reprocessor from boo-central-refresh-ttl-invalidate

clickboo commented Apr 6, 2026

Description

Optimizes Central's short-circuit reprocessor path to reduce unnecessary UpdatedImage message overhead and prevent full Admission Controller cache purges.

Previously, Central sent UpdatedImage for every image during short circuit reprocessing regardless of whether the scan data actually changed. This caused unnecessary proto serialization/deserialization overhead and, combined with the subsequent FlushCache, purged the entire AC cache even when most images were unchanged.

What changed (short-circuit path only):

Central's reprocessor now distinguishes between changed and unchanged images during the short-circuit reprocessing cycle:

  • Changed images (imageUpdated=true): Central sends UpdatedImage as before. Sensor's detector accumulates the image key.
  • Unchanged images (imageUpdated=false): Central skips UpdatedImage entirely and batches the image key for a single RefreshImageCacheTTL message per cluster, keeping Sensor's cache warm without the deserialization cost of full image data.

At the end of the cycle, Central sends ReprocessDeployments with skip_cache_flush=true. Sensor's detector then sends a single batched InvalidateImageCache to the Admission Controller for only the changed images, instead of flushing the entire AC cache. This keeps the Admission controller cache warm for unchanged images, avoiding unnecessary re-fetches on subsequent review requests.

Periodic reprocessor path is untouched: The periodic path (default 4h interval) continues to send UpdatedImage for every image and ReprocessDeployments with skip_cache_flush=false (the proto default). Sensor receives skip_cache_flush=false and performs a full FlushCache() on the admission controller cache, exactly as before.

Version compatibility:

| Central | Sensor | Behavior |
|---|---|---|
| New | New (with TargetedImageCacheInvalidation capability) | Short-circuit path uses RefreshImageCacheTTL for unchanged images, batched targeted invalidation for changed images |
| New | Old (without capability) | Central always sends UpdatedImage (capability gate in sendReprocessingMessages). skip_cache_flush defaults to false in proto, so old Sensor calls FlushCache(). Identical to pre-change behavior |
| Old | New | Old Central never sends RefreshImageCacheTTL or sets skip_cache_flush. New Sensor sees skip_cache_flush=false and calls FlushCache(). Identical to pre-change behavior |

No breaking changes in any version combination.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Manual testing TBD
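
A small model of the short-circuit decision logic and the compatibility matrix described above, added here as an illustration; it is not code from this pull request. The message, field and capability names come from the description, while `Image`, `Plan`, `centralPlan`, `sensorApply` and the image keys are hypothetical.

```go
package main

import "fmt"

// Image is one reprocessed image; Updated mirrors imageUpdated (hypothetical type).
type Image struct{ Key string; Updated bool }

// Plan models what Central emits for one cluster in one short-circuit cycle.
type Plan struct {
	UpdatedImage   []string // keys sent as full UpdatedImage messages
	RefreshTTL     []string // keys batched into one RefreshImageCacheTTL
	SkipCacheFlush bool     // skip_cache_flush on ReprocessDeployments
}

// centralPlan: only a new Central talking to a Sensor that advertises
// TargetedImageCacheInvalidation may replace UpdatedImage with a TTL refresh.
func centralPlan(images []Image, newCentral, sensorHasCap bool) Plan {
	targeted := newCentral && sensorHasCap // assumption: one gate drives both choices
	p := Plan{SkipCacheFlush: targeted}
	for _, img := range images {
		if img.Updated || !targeted {
			p.UpdatedImage = append(p.UpdatedImage, img.Key)
		} else {
			p.RefreshTTL = append(p.RefreshTTL, img.Key)
		}
	}
	return p
}

// sensorApply mutates the Admission Controller cache (a key set) for one cycle.
// A Sensor without the capability has no targeted path, so it always flushes.
func sensorApply(ac map[string]bool, p Plan, sensorHasCap bool) {
	if !sensorHasCap || !p.SkipCacheFlush {
		for k := range ac {
			delete(ac, k) // FlushCache(): full purge
		}
		return
	}
	for _, k := range p.UpdatedImage {
		delete(ac, k) // single batched InvalidateImageCache
	}
}

func main() {
	imgs := []Image{{"img-a", true}, {"img-b", false}, {"img-c", false}} // constructed keys
	ac := map[string]bool{"img-a": true, "img-b": true, "img-c": true}
	p := centralPlan(imgs, true, true)
	sensorApply(ac, p, true)
	fmt.Println(p, ac) // changed image evicted, unchanged entries stay cached
}
```

The property worth checking in every version combination is that a changed image never survives in the Admission Controller cache, since a stale entry would let admission decisions run against old scan data.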

clickboo commented Apr 6, 2026

openshift-ci bot commented Apr 6, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

github-actions bot commented Apr 6, 2026

🚀 Build Images Ready

Images are ready for commit eb958d5. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-564-geb958d5521

codecov bot commented Apr 6, 2026

Codecov Report

❌ Patch coverage is 76.22378% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.60%. Comparing base (a5bd2d1) to head (eb958d5).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| central/reprocessor/reprocessor.go | 84.92% | 15 Missing and 4 partials ⚠️ |
| sensor/common/detector/detector.go | 0.00% | 14 Missing ⚠️ |
| sensor/kubernetes/eventpipeline/pipeline_impl.go | 66.66% | 0 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@                            Coverage Diff                             @@
##           boo-sensor-refresh-invalidate-reprocessor   #19840   +/-   ##
==========================================================================
  Coverage                                      49.60%   49.60%           
==========================================================================
  Files                                           2763     2763           
  Lines                                         208363   208426   +63     
==========================================================================
+ Hits                                          103364   103399   +35     
- Misses                                         97330    97354   +24     
- Partials                                        7669     7673    +4     

| Flag | Coverage Δ |
|---|---|
| go-unit-tests | 49.60% <76.22%> (+<0.01%) ⬆️ |
