feat: Add support for configuring maxConnectionsToAcceptPerSocketEvent in ClientTrafficPolicy

api/v1alpha1/connection_types.go

@@ -36,6 +36,16 @@ type ClientConnection struct {
 	// +optional
 	// +notImplementedHide
 	SocketBufferLimit *resource.Quantity `json:"socketBufferLimit,omitempty"`
+
+	// MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
+	// per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
+	// this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
+	// all connections pending accept from the kernel.
+	// It is recommended to lower this value for better overload management and reduced per-event cost.
+	// Setting it to 1 is a viable option with no noticeable impact on performance.
+	//
+	// +optional
+	MaxAcceptPerSocketEvent *uint32 `json:"maxAcceptPerSocketEvent,omitempty"`
 }
 
 // BackendConnection allows users to configure connection-level settings of backend

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -153,6 +153,16 @@ spec:
                     required:
                     - value
                     type: object
+                  maxAcceptPerSocketEvent:
+                    description: |-
+                      MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
+                      per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
+                      this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
+                      all connections pending accept from the kernel.
+                      It is recommended to lower this value for better overload management and reduced per-event cost.
+                      Setting it to 1 is a viable option with no noticeable impact on performance.
+                    format: int32
+                    type: integer
                   socketBufferLimit:
                     allOf:
                     - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -152,6 +152,16 @@ spec:
                     required:
                     - value
                     type: object
+                  maxAcceptPerSocketEvent:
+                    description: |-
+                      MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
+                      per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
+                      this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
+                      all connections pending accept from the kernel.
+                      It is recommended to lower this value for better overload management and reduced per-event cost.
+                      Setting it to 1 is a viable option with no noticeable impact on performance.
+                    format: int32
+                    type: integer
                   socketBufferLimit:
                     allOf:
                     - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

internal/ir/xds.go

@@ -2966,6 +2966,8 @@ type ClientConnection struct {
 	ConnectionLimit *ConnectionLimit `json:"limit,omitempty" yaml:"limit,omitempty"`
 	// BufferLimitBytes is the maximum number of bytes that can be buffered for a connection.
 	BufferLimitBytes *uint32 `json:"bufferLimit,omitempty" yaml:"bufferLimit,omitempty"`
+	// MaxAcceptPerSocketEvent is the maximum number of connections to accept from the kernel per socket event.
+	MaxAcceptPerSocketEvent *uint32 `json:"maxAcceptPerSocketEvent,omitempty" yaml:"maxAcceptPerSocketEvent,omitempty"`
 }
 
 // ConnectionLimit contains settings for downstream connection limits

internal/xds/translator/listener.go

@@ -197,11 +197,13 @@ func buildXdsTCPListener(
 		return nil, err
 	}
 	bufferLimitBytes := buildPerConnectionBufferLimitBytes(connection)
+	maxAcceptPerSocketEvent := buildMaxAcceptPerSocketEvent(connection)
 	listener := &listenerv3.Listener{
-		Name:                          name,
-		AccessLog:                     al,
-		SocketOptions:                 socketOptions,
-		PerConnectionBufferLimitBytes: bufferLimitBytes,
+		Name:                                 name,
+		AccessLog:                            al,
+		SocketOptions:                        socketOptions,
+		PerConnectionBufferLimitBytes:        bufferLimitBytes,
+		MaxConnectionsToAcceptPerSocketEvent: maxAcceptPerSocketEvent,
 		Address: &corev3.Address{
 			Address: &corev3.Address_SocketAddress{
 				SocketAddress: &corev3.SocketAddress{
@@ -230,6 +232,13 @@ func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrappe
 	return wrapperspb.UInt32(tcpListenerPerConnectionBufferLimitBytes)
 }
 
+func buildMaxAcceptPerSocketEvent(connection *ir.ClientConnection) *wrapperspb.UInt32Value {
+	if connection != nil && connection.MaxAcceptPerSocketEvent != nil {
+		return wrapperspb.UInt32(*connection.MaxAcceptPerSocketEvent)
+	}
+	return nil
+}
+
 // buildXdsQuicListener creates a xds Listener resource for quic
 func buildXdsQuicListener(name, address string, port uint32, ipFamily *egv1a1.IPFamily, accesslog *ir.AccessLog) (*listenerv3.Listener, error) {
 	log, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener)

internal/xds/translator/testdata/in/xds-ir/max-conn-per-socket-event.yaml

@@ -0,0 +1,36 @@
+http:
+  - name: "first-listener"
+    address: "::"
+    port: 10080
+    hostnames:
+      - "*"
+    path:
+      mergeSlashes: true
+      escapedSlashesAction: UnescapeAndRedirect
+    routes:
+      - name: "first-route"
+        hostname: "*"
+        destination:
+          name: "first-route-dest"
+          settings:
+            - endpoints:
+                - host: "1.2.3.4"
+                  port: 50000
+              name: "first-route-dest/backend/0"
+    connection:
+      maxAcceptPerSocketEvent: 2
+tcp:
+  - name: "second-listener"
+    address: "::"
+    connection:
+      maxAcceptPerSocketEvent: 3
+    port: 10081
+    routes:
+      - name: "tcp-route-dest"
+        destination:
+          name: "tcp-route-dest"
+          settings:
+            - endpoints:
+                - host: "1.2.3.4"
+                  port: 50000
+              name: "tcp-route-dest/backend/0"

internal/xds/translator/testdata/out/xds-ir/max-conn-per-socket-event.clusters.yaml

@@ -0,0 +1,34 @@
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_PREFERRED
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: first-route-dest
+  ignoreHealthOnHostRemoval: true
+  lbPolicy: LEAST_REQUEST
+  name: first-route-dest
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_PREFERRED
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: tcp-route-dest
+  ignoreHealthOnHostRemoval: true
+  lbPolicy: LEAST_REQUEST
+  name: tcp-route-dest
+  perConnectionBufferLimitBytes: 32768
+  type: EDS

internal/xds/translator/testdata/out/xds-ir/max-conn-per-socket-event.endpoints.yaml

@@ -0,0 +1,24 @@
+- clusterName: first-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 1.2.3.4
+            portValue: 50000
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: first-route-dest/backend/0
+- clusterName: tcp-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 1.2.3.4
+            portValue: 50000
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: tcp-route-dest/backend/0

internal/xds/translator/testdata/out/xds-ir/max-conn-per-socket-event.listeners.yaml

@@ -0,0 +1,50 @@
+- address:
+    socketAddress:
+      address: '::'
+      portValue: 10080
+  defaultFilterChain:
+    filters:
+    - name: envoy.filters.network.http_connection_manager
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+        commonHttpProtocolOptions:
+          headersWithUnderscoresAction: REJECT_REQUEST
+        http2ProtocolOptions:
+          initialConnectionWindowSize: 1048576
+          initialStreamWindowSize: 65536
+          maxConcurrentStreams: 100
+        httpFilters:
+        - name: envoy.filters.http.router
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+            suppressEnvoyHeaders: true
+        mergeSlashes: true
+        normalizePath: true
+        pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+        rds:
+          configSource:
+            ads: {}
+            resourceApiVersion: V3
+          routeConfigName: first-listener
+        serverHeaderTransformation: PASS_THROUGH
+        statPrefix: http-10080
+        useRemoteAddress: true
+    name: first-listener
+  maxConnectionsToAcceptPerSocketEvent: 2
+  name: first-listener
+  perConnectionBufferLimitBytes: 32768
+- address:
+    socketAddress:
+      address: '::'
+      portValue: 10081
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: tcp-route-dest
+        statPrefix: tcp-10081
+    name: tcp-route-dest
+  maxConnectionsToAcceptPerSocketEvent: 3
+  name: second-listener
+  perConnectionBufferLimitBytes: 32768

internal/xds/translator/testdata/out/xds-ir/max-conn-per-socket-event.routes.yaml

@@ -0,0 +1,14 @@
+- ignorePortInHostMatching: true
+  name: first-listener
+  virtualHosts:
+  - domains:
+    - '*'
+    name: first-listener/*
+    routes:
+    - match:
+        prefix: /
+      name: first-route
+      route:
+        cluster: first-route-dest
+        upgradeConfigs:
+        - upgradeType: websocket

release-notes/current.yaml

@@ -18,6 +18,7 @@ new features: |
   Added support for setting ownerreference to infra resources when enable gateway namespace mode.
   Added support for configuring hostname in active HTTP healthchecks.
   Added support for GatewayInfrastructure in gateway namespace mode.
+  Added support for configuring maxConnectionsToAcceptPerSocketEvent in listener via ClientTrafficPolicy.
   Added support for setting GatewayClass ownerreference to infra resources when all cases except gateway namespace mode.
   Added support for setting previous priorities retry predicate.
   Added support for using extension server policies to in PostTranslateModify hook.

site/content/en/latest/api/extension_types.md

@@ -678,6 +678,7 @@ _Appears in:_
 | ---   | ---  | ---      | ---     | ---         |
 | `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ |  false  |  | ConnectionLimit defines limits related to connections |
 | `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ |  false  |  | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.<br />BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.<br />For example, 20Mi, 1Gi, 256Ki etc.<br />Note that when the suffix is not provided, the value is interpreted as bytes.<br />Default: 32768 bytes. |
+| `maxAcceptPerSocketEvent` | _integer_ |  false  |  | MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel<br />per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over<br />this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept<br />all connections pending accept from the kernel.<br />It is recommended to lower this value for better overload management and reduced per-event cost.<br />Setting it to 1 is a viable option with no noticeable impact on performance. |
 
 
 #### ClientIPDetectionSettings

test/helm/gateway-crds-helm/all.out.yaml

@@ -20079,6 +20079,16 @@ spec:
                     required:
                     - value
                     type: object
+                  maxAcceptPerSocketEvent:
+                    description: |-
+                      MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
+                      per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
+                      this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
+                      all connections pending accept from the kernel.
+                      It is recommended to lower this value for better overload management and reduced per-event cost.
+                      Setting it to 1 is a viable option with no noticeable impact on performance.
+                    format: int32
+                    type: integer
                   socketBufferLimit:
                     allOf:
                     - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml

@@ -2767,6 +2767,16 @@ spec:
                     required:
                     - value
                     type: object
+                  maxAcceptPerSocketEvent:
+                    description: |-
+                      MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
+                      per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
+                      this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
+                      all connections pending accept from the kernel.
+                      It is recommended to lower this value for better overload management and reduced per-event cost.
+                      Setting it to 1 is a viable option with no noticeable impact on performance.
+                    format: int32
+                    type: integer
                   socketBufferLimit:
                     allOf:
                     - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$