Is there an upper limit when using NetworkPolicy in calico? #9391

Open
newhuangchuan opened this issue Oct 25, 2024 · 1 comment

Comments

@newhuangchuan

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Context

Hello, Calico contributors. I am a newbie who has just started using Calico. I have a question and hope to get your answer.

  1. When the Calico plug-in is in a Kubernetes cluster, at what scale will the NetworkPolicy agent cause considerable pressure on Kubernetes control? (For example: node scale or pod scale, etc.)
  2. When NetworkPolicy encounters such a bottleneck, what methods should be adopted to solve large-scale problems?

Your Environment

  • Calico version v3.28.2
  • Calico dataplane (iptables, windows etc.)
  • Orchestrator version (e.g. kubernetes, mesos, rkt):
  • Operating System and version:
  • Link to your project (optional):
@fasaxc
Member

fasaxc commented Oct 25, 2024

You should deploy with the operator if you care about scale. It will automatically deploy our "scale out proxy" (Typha) and secure it with TLS. Calico is designed to filter the policy set so that only the policy that is needed on a particular node is rendered there. This way, the load on a node scales with the amount of active policy on your node rather than the total size of the policy set.

Typha is very effective at limiting the impact on the API server. We test to 5k nodes and hundreds of thousands of pods. There are users running at this scale too.
