ROX-33333: Sensor targeted cache invalidation changes

clickboo · clickboo · commit cbd7a3e4293e · 2026-04-02T00:04:54.000+05:30
diff --git a/pkg/centralsensor/caps_list.go b/pkg/centralsensor/caps_list.go
@@ -96,4 +96,9 @@ const (
 	// ComplianceV2TailoredProfiles identifies the capability of Central to handle
 	// tailored profile tracking and scan configurations referencing tailored profiles.
 	ComplianceV2TailoredProfiles = "ComplianceV2TailoredProfiles"
+
+	// TargetedImageCacheInvalidationCap identifies the capability to forward
+	// per-image cache invalidation keys to the admission controller instead of
+	// flushing the entire image cache.
+	TargetedImageCacheInvalidationCap SensorCapability = "TargetedImageCacheInvalidation"
 )
diff --git a/sensor/common/admissioncontroller/management_service.go b/sensor/common/admissioncontroller/management_service.go
@@ -25,8 +25,9 @@ var (
 type managementService struct {
 	sensor.UnimplementedAdmissionControlManagementServiceServer
 
-	settingsStream     concurrency.ReadOnlyValueStream[*sensor.AdmissionControlSettings]
-	sensorEventsStream concurrency.ReadOnlyValueStream[*sensor.AdmCtrlUpdateResourceRequest]
+	settingsStream               concurrency.ReadOnlyValueStream[*sensor.AdmissionControlSettings]
+	sensorEventsStream           concurrency.ReadOnlyValueStream[*sensor.AdmCtrlUpdateResourceRequest]
+	imageCacheInvalidationStream concurrency.ReadOnlyValueStream[*sensor.AdmCtrlImageCacheInvalidation]
 
 	alertHandler AlertHandler
 	admCtrlMgr   SettingsManager
@@ -36,8 +37,9 @@ type managementService struct {
 // to admission control service replicas.
 func NewManagementService(mgr SettingsManager, alertHandler AlertHandler) pkgGRPC.APIService {
 	return &managementService{
-		settingsStream:     mgr.SettingsStream(),
-		sensorEventsStream: mgr.SensorEventsStream(),
+		settingsStream:               mgr.SettingsStream(),
+		sensorEventsStream:           mgr.SensorEventsStream(),
+		imageCacheInvalidationStream: mgr.ImageCacheInvalidationStream(),
 
 		alertHandler: alertHandler,
 		admCtrlMgr:   mgr,
@@ -109,6 +111,7 @@ func (s *managementService) Communicate(stream sensor.AdmissionControlManagement
 		return errors.Wrap(err, "syncing resources")
 	}
 	sensorEventIt := s.sensorEventsStream.Iterator(true)
+	imageCacheInvIt := s.imageCacheInvalidationStream.Iterator(true)
 
 	recvdMsgC := make(chan *sensor.MsgFromAdmissionControl)
 	recvErrC := make(chan error, 1)
@@ -119,6 +122,10 @@ func (s *managementService) Communicate(stream sensor.AdmissionControlManagement
 		if sensorEventIt != nil {
 			sensorEventItrDoneC = sensorEventIt.Done()
 		}
+		var imageCacheInvDoneC <-chan struct{}
+		if imageCacheInvIt != nil {
+			imageCacheInvDoneC = imageCacheInvIt.Done()
+		}
 
 		select {
 		case err := <-recvErrC:
@@ -138,6 +145,11 @@ func (s *managementService) Communicate(stream sensor.AdmissionControlManagement
 			if err := s.sendSensorEvent(stream, sensorEventIt); err != nil {
 				return errors.Wrap(err, "sending sensor events to admission control service")
 			}
+		case <-imageCacheInvDoneC:
+			imageCacheInvIt = imageCacheInvIt.TryNext()
+			if err := s.sendImageCacheInvalidation(stream, imageCacheInvIt); err != nil {
+				return errors.Wrap(err, "sending image cache invalidation to admission control service")
+			}
 
 		case <-stream.Context().Done():
 			return errors.Wrap(stream.Context().Err(), "communicating")
@@ -167,6 +179,22 @@ func (s *managementService) sendSensorEvent(stream sensor.AdmissionControlManage
 	)
 }
 
+func (s *managementService) sendImageCacheInvalidation(stream sensor.AdmissionControlManagementService_CommunicateServer, iter concurrency.ValueStreamIter[*sensor.AdmCtrlImageCacheInvalidation]) error {
+	obj := iter.Value()
+	if obj == nil {
+		return nil
+	}
+
+	return errors.Wrap(
+		stream.Send(&sensor.MsgToAdmissionControl{
+			Msg: &sensor.MsgToAdmissionControl_ImageCacheInvalidation{
+				ImageCacheInvalidation: obj,
+			},
+		}),
+		"sending image cache invalidation",
+	)
+}
+
 func (s *managementService) sync(stream sensor.AdmissionControlManagementService_CommunicateServer) error {
 	for _, msg := range s.admCtrlMgr.GetResourcesForSync() {
 		err := stream.Send(&sensor.MsgToAdmissionControl{
diff --git a/sensor/common/admissioncontroller/management_service_test.go b/sensor/common/admissioncontroller/management_service_test.go
@@ -35,11 +35,13 @@ func (s *managementServiceSuite) SetupTest() {
 func (s *managementServiceSuite) createManagementService() {
 	s.mockSettingsManager.EXPECT().SettingsStream().Times(1)
 	s.mockSettingsManager.EXPECT().SensorEventsStream().Times(1)
+	s.mockSettingsManager.EXPECT().ImageCacheInvalidationStream().Times(1)
 	s.service = &managementService{
-		settingsStream:     s.mockSettingsManager.SettingsStream(),
-		sensorEventsStream: s.mockSettingsManager.SensorEventsStream(),
-		alertHandler:       s.mockAlertHandler,
-		admCtrlMgr:         s.mockSettingsManager,
+		settingsStream:               s.mockSettingsManager.SettingsStream(),
+		sensorEventsStream:           s.mockSettingsManager.SensorEventsStream(),
+		imageCacheInvalidationStream: s.mockSettingsManager.ImageCacheInvalidationStream(),
+		alertHandler:                 s.mockAlertHandler,
+		admCtrlMgr:                   s.mockSettingsManager,
 	}
 }
 
diff --git a/sensor/common/admissioncontroller/mocks/settings_manager.go b/sensor/common/admissioncontroller/mocks/settings_manager.go
diff --git a/sensor/common/admissioncontroller/settings_manager.go b/sensor/common/admissioncontroller/settings_manager.go
@@ -18,7 +18,9 @@ type SettingsManager interface {
 	GetResourcesForSync() []*sensor.AdmCtrlUpdateResourceRequest
 
 	FlushCache()
+	InvalidateImageCache(keys []*central.InvalidateImageCache_ImageKey)
 
 	SettingsStream() concurrency.ReadOnlyValueStream[*sensor.AdmissionControlSettings]
 	SensorEventsStream() concurrency.ReadOnlyValueStream[*sensor.AdmCtrlUpdateResourceRequest]
+	ImageCacheInvalidationStream() concurrency.ReadOnlyValueStream[*sensor.AdmCtrlImageCacheInvalidation]
 }
diff --git a/sensor/common/admissioncontroller/settings_manager_impl.go b/sensor/common/admissioncontroller/settings_manager_impl.go
@@ -22,6 +22,7 @@ type settingsManager struct {
 	currSettings                  *sensor.AdmissionControlSettings
 	settingsStream                *concurrency.ValueStream[*sensor.AdmissionControlSettings]
 	sensorEventsStream            *concurrency.ValueStream[*sensor.AdmCtrlUpdateResourceRequest]
+	imageCacheInvalidationStream  *concurrency.ValueStream[*sensor.AdmCtrlImageCacheInvalidation]
 	hasClusterConfig, hasPolicies bool
 	centralEndpoint               string
 	lastClusterLabels             map[string]string
@@ -45,9 +46,10 @@ type clusterIDWaiter interface {
 // NewSettingsManager creates a new settings manager for admission control settings.
 func NewSettingsManager(clusterID clusterIDWaiter, clusterLabels clusterLabelsGetter, deployments store.DeploymentStore, pods store.PodStore, namespaces store.NamespaceStore) SettingsManager {
 	return &settingsManager{
-		settingsStream:     concurrency.NewValueStream[*sensor.AdmissionControlSettings](nil),
-		sensorEventsStream: concurrency.NewValueStream[*sensor.AdmCtrlUpdateResourceRequest](nil),
-		centralEndpoint:    env.CentralEndpoint.Setting(),
+		settingsStream:               concurrency.NewValueStream[*sensor.AdmissionControlSettings](nil),
+		sensorEventsStream:           concurrency.NewValueStream[*sensor.AdmCtrlUpdateResourceRequest](nil),
+		imageCacheInvalidationStream: concurrency.NewValueStream[*sensor.AdmCtrlImageCacheInvalidation](nil),
+		centralEndpoint:              env.CentralEndpoint.Setting(),
 
 		clusterID:     clusterID,
 		clusterLabels: clusterLabels,
@@ -178,6 +180,11 @@ func copyMap(m map[string]string) map[string]string {
 	return result
 }
 
+func (p *settingsManager) InvalidateImageCache(keys []*central.InvalidateImageCache_ImageKey) {
+	p.imageCacheInvalidationStream.Push(&sensor.AdmCtrlImageCacheInvalidation{
+		ImageKeys: keys,
+	})
+}
 func (p *settingsManager) SettingsStream() concurrency.ReadOnlyValueStream[*sensor.AdmissionControlSettings] {
 	return p.settingsStream
 }
@@ -186,6 +193,10 @@ func (p *settingsManager) SensorEventsStream() concurrency.ReadOnlyValueStream[*
 	return p.sensorEventsStream
 }
 
+func (p *settingsManager) ImageCacheInvalidationStream() concurrency.ReadOnlyValueStream[*sensor.AdmCtrlImageCacheInvalidation] {
+	return p.imageCacheInvalidationStream
+}
+
 func (p *settingsManager) GetResourcesForSync() []*sensor.AdmCtrlUpdateResourceRequest {
 	var ret []*sensor.AdmCtrlUpdateResourceRequest
 	for _, d := range p.deployments.GetAll() {
diff --git a/sensor/common/reprocessor/handler.go b/sensor/common/reprocessor/handler.go
@@ -62,9 +62,11 @@ func (h *handlerImpl) Stop() {
 func (h *handlerImpl) Notify(common.SensorComponentEvent) {}
 
 func (h *handlerImpl) Capabilities() []centralsensor.SensorCapability {
-	// A new sensor capability to reprocess deployment has not been added. In case of mismatched upgrades,
+	// No capability is advertised for deployment reprocessing. In case of mismatched upgrades,
 	// the re-processing is discarded, which is fine.
-	return nil
+	return []centralsensor.SensorCapability{
+		centralsensor.TargetedImageCacheInvalidationCap,
+	}
 }
 
 func (h *handlerImpl) ProcessReprocessDeployments(req *central.ReprocessDeployment) error {
@@ -86,7 +88,7 @@ func (h *handlerImpl) ProcessInvalidateImageCache(req *central.InvalidateImageCa
 	case <-h.stopSig.Done():
 		return errors.Wrap(h.stopSig.Err(), "could not fulfill invalidate image cache request")
 	default:
-		h.admCtrlSettingsMgr.FlushCache()
+		h.admCtrlSettingsMgr.InvalidateImageCache(req.GetImageKeys())
 
 		keysToDelete := make([]cache.Key, 0, len(req.GetImageKeys()))
 		for _, image := range req.GetImageKeys() {
diff --git a/sensor/common/reprocessor/handler_test.go b/sensor/common/reprocessor/handler_test.go
@@ -34,7 +34,7 @@ func TestProcessInvalidateImageCache_WithoutFlattenImageData(t *testing.T) {
 
 	ctrl := gomock.NewController(t)
 	mockAdmCtrlSettingsMgr := mocks.NewMockSettingsManager(ctrl)
-	mockAdmCtrlSettingsMgr.EXPECT().FlushCache().Times(1)
+	mockAdmCtrlSettingsMgr.EXPECT().InvalidateImageCache(gomock.Any()).Times(1)
 
 	imageCache := expiringcache.NewExpiringCache[cache.Key, cache.Value](1 * time.Hour)
 
@@ -118,7 +118,7 @@ func TestProcessInvalidateImageCache_WithFlattenImageData(t *testing.T) {
 
 	ctrl := gomock.NewController(t)
 	mockAdmCtrlSettingsMgr := mocks.NewMockSettingsManager(ctrl)
-	mockAdmCtrlSettingsMgr.EXPECT().FlushCache().Times(1)
+	mockAdmCtrlSettingsMgr.EXPECT().InvalidateImageCache(gomock.Any()).Times(1)
 
 	imageCache := expiringcache.NewExpiringCache[cache.Key, cache.Value](1 * time.Hour)
 

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,9 @@ type SettingsManager interface {`
`18`	`18`	`GetResourcesForSync() []*sensor.AdmCtrlUpdateResourceRequest`
`19`	`19`
`20`	`20`	`FlushCache()`
	`21`	`+ InvalidateImageCache(keys []*central.InvalidateImageCache_ImageKey)`
`21`	`22`
`22`	`23`	`SettingsStream() concurrency.ReadOnlyValueStream[*sensor.AdmissionControlSettings]`
`23`	`24`	`SensorEventsStream() concurrency.ReadOnlyValueStream[*sensor.AdmCtrlUpdateResourceRequest]`
	`25`	`+ ImageCacheInvalidationStream() concurrency.ReadOnlyValueStream[*sensor.AdmCtrlImageCacheInvalidation]`
`24`	`26`	`}`