projectcalico · nelljerram · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026 · Copilot
@@ -45,8 +45,8 @@ type FelixSender interface {
 type PolicyMatchListener interface {
 	OnPolicyMatch(policyKey model.PolicyKey, endpointKey model.EndpointKey)
 	OnPolicyMatchStopped(policyKey model.PolicyKey, endpointKey model.EndpointKey)
-	OnComputedSelectorMatch(cs string, endpointKey model.EndpointKey)
-	OnComputedSelectorMatchStopped(cs string, endpointKey model.EndpointKey)
+	OnComputedSelectorMatch(cs string, caller any, endpointKey model.EndpointKey)
+	OnComputedSelectorMatchStopped(cs string, caller any, endpointKey model.EndpointKey)
 }
 
 // ActiveRulesCalculator calculates the set of policies and profiles (i.e. the rules) that
@@ -91,9 +91,6 @@ type ActiveRulesCalculator struct {
 	// log out those profiles at the end of the resync.
 	missingProfiles set.Set[string]
 
-	// Tracks components that have called AddExtraComputedSelector.
-	computedSelectorCallers map[string]set.Set[any]
-
 	// Callback objects.
 	RuleScanner           ruleScanner
 	PolicyMatchListeners  []PolicyMatchListener
@@ -102,7 +99,10 @@ type ActiveRulesCalculator struct {
 	OnAlive               func()
 }
 
-type computedSelector string
+type computedSelectorKey struct {
+	selector string
+	caller   any
+}
 
 func NewActiveRulesCalculator() *ActiveRulesCalculator {
 	arc := &ActiveRulesCalculator{
@@ -120,8 +120,6 @@ func NewActiveRulesCalculator() *ActiveRulesCalculator {
 
 		// Cache of profile IDs by local endpoint.
 		endpointKeyToProfileIDs: NewEndpointKeyToProfileIDMap(),
-
-		computedSelectorCallers: make(map[string]set.Set[any]),
 	}
 	arc.labelIndex = labelindex.NewInheritIndex(arc.onMatchStarted, arc.onMatchStopped)
 	return arc
@@ -297,39 +295,30 @@ func (arc *ActiveRulesCalculator) OnUpdate(update api.Update) (_ bool) {
 // OnComputedSelectorMatch and OnComputedSelectorMatchStopped callbacks when that selector
 // matches/stops matching local endpoints, allowing the expensive selector index to be shared.
 //
-// Registration is tracked per caller.  The caller identity must therefore be stable, and the
-// same caller value (including the same inferred type T) must be passed to
-// RemoveExtraComputedSelector to remove that caller's registration.  Repeated adds from the same
-// caller are deduplicated.
+// Registration is tracked per caller.  The caller identity must therefore be stable, and the same
+// caller value must be passed to RemoveExtraComputedSelector to remove that caller's registration.
+// Repeated adds from the same caller are deduplicated.
 //
 // The underlying selector is added to the label index when the first caller registers it, and it
 // is only removed after the last caller removes its registration.  Callbacks for matches/stops
 // matching continue to be delivered to all registered PolicyMatchListeners while the selector is
 // present.
-func AddExtraComputedSelector[T comparable](arc *ActiveRulesCalculator, cs string, caller T) {
-	callers := arc.computedSelectorCallers[cs]
-	if callers == nil {
-		callers = set.New[any]()
-		arc.computedSelectorCallers[cs] = callers
-		sel, err := selector.Parse(cs)
-		if err != nil {
-			log.WithError(err).Panicf("Failed to parse computed selector %#v", cs)
-		}
-		arc.labelIndex.UpdateSelector(computedSelector(cs), sel)
+func (arc *ActiveRulesCalculator) AddExtraComputedSelector(cs string, caller any) {
+	sel, err := selector.Parse(cs)
+	if err != nil {
+		log.WithError(err).Panicf("Failed to parse computed selector %#v", cs)
 	}
-	callers.Add(any(caller))
+	arc.labelIndex.UpdateSelector(computedSelectorKey{
+		selector: cs,
+		caller:   caller,
+	}, sel)
 }
 
-func RemoveExtraComputedSelector[T comparable](arc *ActiveRulesCalculator, cs string, caller T) {
-	callers := arc.computedSelectorCallers[cs]
-	if callers == nil {
-		return
-	}
-	callers.Discard(any(caller))
-	if callers.Len() == 0 {
-		arc.labelIndex.DeleteSelector(computedSelector(cs))
-		delete(arc.computedSelectorCallers, cs)
-	}
+func (arc *ActiveRulesCalculator) RemoveExtraComputedSelector(cs string, caller any) {
+	arc.labelIndex.DeleteSelector(computedSelectorKey{
+		selector: cs,
+		caller:   caller,
+	})
 }
 
 func policyForceProgrammed(policy *model.Policy) bool {
@@ -394,10 +383,10 @@ func (arc *ActiveRulesCalculator) updateEndpointProfileIDs(key model.Key, profil
 }
 
 func (arc *ActiveRulesCalculator) onMatchStarted(selID, labelId any) {
-	if cs, ok := selID.(computedSelector); ok {
+	if key, ok := selID.(computedSelectorKey); ok {
 		for _, l := range arc.PolicyMatchListeners {
 			if labelId, ok := labelId.(model.EndpointKey); ok {
-				l.OnComputedSelectorMatch(string(cs), labelId)
+				l.OnComputedSelectorMatch(key.selector, key.caller, labelId)
 			}
 		}
 		return
@@ -426,10 +415,10 @@ func (arc *ActiveRulesCalculator) onMatchStarted(selID, labelId any) {
 }
 
 func (arc *ActiveRulesCalculator) onMatchStopped(selID, labelId any) {
-	if cs, ok := selID.(computedSelector); ok {
+	if key, ok := selID.(computedSelectorKey); ok {
 		for _, l := range arc.PolicyMatchListeners {
 			if labelId, ok := labelId.(model.EndpointKey); ok {
-				l.OnComputedSelectorMatchStopped(string(cs), labelId)
+				l.OnComputedSelectorMatchStopped(key.selector, key.caller, labelId)
 			}
 		}
 		return

@@ -37,6 +37,7 @@ type policyMatchEvent struct {
 
 type computedSelectorMatchEvent struct {
 	Selector    string
+	Caller      any
 	EndpointKey model.EndpointKey
 }
 
@@ -48,12 +49,12 @@ func (t *testPolicyMatchListener) OnPolicyMatchStopped(policyKey model.PolicyKey
 	t.policyMatchStops = append(t.policyMatchStops, policyMatchEvent{policyKey, endpointKey})
 }
 
-func (t *testPolicyMatchListener) OnComputedSelectorMatch(cs string, endpointKey model.EndpointKey) {
-	t.computedSelectorMatches = append(t.computedSelectorMatches, computedSelectorMatchEvent{cs, endpointKey})
+func (t *testPolicyMatchListener) OnComputedSelectorMatch(cs string, caller any, endpointKey model.EndpointKey) {
+	t.computedSelectorMatches = append(t.computedSelectorMatches, computedSelectorMatchEvent{cs, caller, endpointKey})
 }
 
-func (t *testPolicyMatchListener) OnComputedSelectorMatchStopped(cs string, endpointKey model.EndpointKey) {
-	t.computedSelectorMatchStops = append(t.computedSelectorMatchStops, computedSelectorMatchEvent{cs, endpointKey})
+func (t *testPolicyMatchListener) OnComputedSelectorMatchStopped(cs string, caller any, endpointKey model.EndpointKey) {
+	t.computedSelectorMatchStops = append(t.computedSelectorMatchStops, computedSelectorMatchEvent{cs, caller, endpointKey})
 }
 
 // noopRuleScanner satisfies the ruleScanner interface required by ActiveRulesCalculator.
@@ -95,7 +96,7 @@ func deleteEndpoint(arc *ActiveRulesCalculator, key model.WorkloadEndpointKey) {
 func TestARC_ComputedSelector_MatchOnEndpointAdd(t *testing.T) {
 	arc, listener := createARC()
 
-	AddExtraComputedSelector(arc, "has(foo)", t)
+	arc.AddExtraComputedSelector("has(foo)", t)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -120,7 +121,7 @@ func TestARC_ComputedSelector_MatchOnEndpointAdd(t *testing.T) {
 func TestARC_ComputedSelector_MatchStoppedOnEndpointRemove(t *testing.T) {
 	arc, listener := createARC()
 
-	AddExtraComputedSelector(arc, "has(foo)", t)
+	arc.AddExtraComputedSelector("has(foo)", t)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -147,7 +148,7 @@ func TestARC_ComputedSelector_MatchStoppedOnEndpointRemove(t *testing.T) {
 func TestARC_ComputedSelector_NoMatchForNonMatchingEndpoint(t *testing.T) {
 	arc, listener := createARC()
 
-	AddExtraComputedSelector(arc, "has(foo)", t)
+	arc.AddExtraComputedSelector("has(foo)", t)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -169,7 +170,7 @@ func TestARC_ComputedSelector_NoMatchForNonMatchingEndpoint(t *testing.T) {
 func TestARC_RemoveComputedSelector(t *testing.T) {
 	arc, listener := createARC()
 
-	AddExtraComputedSelector(arc, "has(foo)", t)
+	arc.AddExtraComputedSelector("has(foo)", t)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -184,7 +185,7 @@ func TestARC_RemoveComputedSelector(t *testing.T) {
 	}
 
 	// Remove the computed selector — should fire match-stopped.
-	RemoveExtraComputedSelector(arc, "has(foo)", t)
+	arc.RemoveExtraComputedSelector("has(foo)", t)
 
 	if len(listener.computedSelectorMatchStops) != 1 {
 		t.Fatalf("expected 1 match stop after removing selector, got %d", len(listener.computedSelectorMatchStops))
@@ -221,8 +222,8 @@ func TestARC_MultiCaller_BothGetCallbacks(t *testing.T) {
 	arc.RegisterPolicyMatchListener(listenerB)
 
 	// Two different components register the same selector.
-	AddExtraComputedSelector(arc, "has(foo)", listenerA)
-	AddExtraComputedSelector(arc, "has(foo)", listenerB)
+	arc.AddExtraComputedSelector("has(foo)", listenerA)
+	arc.AddExtraComputedSelector("has(foo)", listenerB)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -250,8 +251,8 @@ func TestARC_MultiCaller_RemoveOneStillActive(t *testing.T) {
 	arc.RegisterPolicyMatchListener(listenerA)
 	arc.RegisterPolicyMatchListener(listenerB)
 
-	AddExtraComputedSelector(arc, "has(foo)", listenerA)
-	AddExtraComputedSelector(arc, "has(foo)", listenerB)
+	arc.AddExtraComputedSelector("has(foo)", listenerA)
+	arc.AddExtraComputedSelector("has(foo)", listenerB)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -264,7 +265,7 @@ func TestARC_MultiCaller_RemoveOneStillActive(t *testing.T) {
 	listenerB.computedSelectorMatches = nil
 
 	// Remove caller A — B still holds a reference.
-	RemoveExtraComputedSelector(arc, "has(foo)", listenerA)
+	arc.RemoveExtraComputedSelector("has(foo)", listenerA)
 
 	// No match-stopped should fire on either listener because the selector is still active.
 	for name, l := range map[string]*testPolicyMatchListener{"A": listenerA, "B": listenerB} {
@@ -308,8 +309,8 @@ func TestARC_MultiCaller_RemoveBothDeactivates(t *testing.T) {
 	arc.RegisterPolicyMatchListener(listenerA)
 	arc.RegisterPolicyMatchListener(listenerB)
 
-	AddExtraComputedSelector(arc, "has(foo)", listenerA)
-	AddExtraComputedSelector(arc, "has(foo)", listenerB)
+	arc.AddExtraComputedSelector("has(foo)", listenerA)
+	arc.AddExtraComputedSelector("has(foo)", listenerB)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -320,8 +321,8 @@ func TestARC_MultiCaller_RemoveBothDeactivates(t *testing.T) {
 	addEndpoint(arc, epKey, map[string]string{"foo": "bar"})
 
 	// Remove both callers.
-	RemoveExtraComputedSelector(arc, "has(foo)", listenerA)
-	RemoveExtraComputedSelector(arc, "has(foo)", listenerB)
+	arc.RemoveExtraComputedSelector("has(foo)", listenerA)
+	arc.RemoveExtraComputedSelector("has(foo)", listenerB)
 
 	// Removing the last caller should fire match-stopped on both listeners.
 	for name, l := range map[string]*testPolicyMatchListener{"A": listenerA, "B": listenerB} {
@@ -357,8 +358,8 @@ func TestARC_MultiCaller_DuplicateAddFromSameCaller(t *testing.T) {
 	arc.RegisterPolicyMatchListener(listener)
 
 	// Same caller adds the same selector twice.
-	AddExtraComputedSelector(arc, "has(foo)", listener)
-	AddExtraComputedSelector(arc, "has(foo)", listener)
+	arc.AddExtraComputedSelector("has(foo)", listener)
+	arc.AddExtraComputedSelector("has(foo)", listener)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -373,7 +374,7 @@ func TestARC_MultiCaller_DuplicateAddFromSameCaller(t *testing.T) {
 	}
 
 	// A single Remove should be enough since the set deduplicates the caller.
-	RemoveExtraComputedSelector(arc, "has(foo)", listener)
+	arc.RemoveExtraComputedSelector("has(foo)", listener)
 
 	if len(listener.computedSelectorMatchStops) != 1 {
 		t.Fatalf("expected 1 match stop after single remove, got %d", len(listener.computedSelectorMatchStops))
@@ -386,7 +387,7 @@ func TestARC_MultiCaller_RemoveWithoutAdd(t *testing.T) {
 	arc.RegisterPolicyMatchListener(listener)
 
 	// Removing a selector that was never added should be a no-op.
-	RemoveExtraComputedSelector(arc, "has(foo)", listener)
+	arc.RemoveExtraComputedSelector("has(foo)", listener)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -411,7 +412,7 @@ func TestARC_MultiCaller_ReAddAfterFullRemoval(t *testing.T) {
 	arc.RegisterPolicyMatchListener(listenerA)
 	arc.RegisterPolicyMatchListener(listenerB)
 
-	AddExtraComputedSelector(arc, "has(foo)", listenerA)
+	arc.AddExtraComputedSelector("has(foo)", listenerA)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",
@@ -422,7 +423,7 @@ func TestARC_MultiCaller_ReAddAfterFullRemoval(t *testing.T) {
 	addEndpoint(arc, epKey, map[string]string{"foo": "bar"})
 
 	// Remove fully.
-	RemoveExtraComputedSelector(arc, "has(foo)", listenerA)
+	arc.RemoveExtraComputedSelector("has(foo)", listenerA)
 	if len(listenerA.computedSelectorMatchStops) != 1 {
 		t.Fatalf("expected 1 match stop on listener A, got %d", len(listenerA.computedSelectorMatchStops))
 	}
@@ -434,7 +435,7 @@ func TestARC_MultiCaller_ReAddAfterFullRemoval(t *testing.T) {
 
 	// Re-add the same selector from a different caller — should re-match the
 	// existing endpoint, and both listeners should see it.
-	AddExtraComputedSelector(arc, "has(foo)", listenerB)
+	arc.AddExtraComputedSelector("has(foo)", listenerB)
 
 	for name, l := range map[string]*testPolicyMatchListener{"A": listenerA, "B": listenerB} {
 		if len(l.computedSelectorMatches) != 1 {
@@ -449,7 +450,7 @@ func TestARC_MultiCaller_ReAddAfterFullRemoval(t *testing.T) {
 func TestARC_ComputedSelector_DoesNotTriggerPolicyCallbacks(t *testing.T) {
 	arc, listener := createARC()
 
-	AddExtraComputedSelector(arc, "has(foo)", t)
+	arc.AddExtraComputedSelector("has(foo)", t)
 
 	epKey := model.WorkloadEndpointKey{
 		Hostname:       "host1",

@@ -67,7 +67,7 @@ func NewIstioCalculator(
 	// IP set.  This will include local and remote endpoints.
 	ipSetCallbacks.OnIPSetAdded(rules.IPSetIDAllIstioWEPs, proto.IPSetUpdate_IP)
 	ipsetMemberIndex.UpdateIPSet(rules.IPSetIDAllIstioWEPs, sel, ipsetmember.ProtocolNone, "")
-	AddExtraComputedSelector(activeRulesCalc, istioSelector, ic)
+	activeRulesCalc.AddExtraComputedSelector(istioSelector, ic)
 	// Piggy-back on the active rules calculator's index of local endpoints
 	// to give us callbacks when a local endpoint is an Istio endpoint. (The
 	// index is expensive so we don't want a second copy here.)
@@ -78,15 +78,15 @@ func NewIstioCalculator(
 func (ic *IstioCalculator) OnPolicyMatch(_ model.PolicyKey, _ model.EndpointKey)        {}
 func (ic *IstioCalculator) OnPolicyMatchStopped(_ model.PolicyKey, _ model.EndpointKey) {}
 
-func (ic *IstioCalculator) OnComputedSelectorMatch(cs string, epKey model.EndpointKey) {
+func (ic *IstioCalculator) OnComputedSelectorMatch(cs string, _ any, epKey model.EndpointKey) {
 	if wepKey, ok := epKey.(model.WorkloadEndpointKey); ok && cs == istioSelector {
 		// Always pass a newly created or cloned `computedData` instance to the handler.
 		// This ensures the dataplane never receives a mutable object shared elsewhere.
 		ic.onEndpointComputedData(wepKey, EPCompDataKindIstio, &ComputedIstioEndpoint{})
 	}
 }
 
-func (ic *IstioCalculator) OnComputedSelectorMatchStopped(cs string, epKey model.EndpointKey) {
+func (ic *IstioCalculator) OnComputedSelectorMatchStopped(cs string, _ any, epKey model.EndpointKey) {
 	if wepKey, ok := epKey.(model.WorkloadEndpointKey); ok && cs == istioSelector {
 		ic.onEndpointComputedData(wepKey, EPCompDataKindIstio, nil)
 	}

@@ -219,7 +219,10 @@ func (lmc *LiveMigrationCalculator) OnUpdate(update api.Update) (_ bool) {
 func (lmc *LiveMigrationCalculator) OnPolicyMatch(_ model.PolicyKey, _ model.EndpointKey)        {}
 func (lmc *LiveMigrationCalculator) OnPolicyMatchStopped(_ model.PolicyKey, _ model.EndpointKey) {}
 
-func (lmc *LiveMigrationCalculator) OnComputedSelectorMatch(cs string, epKey model.EndpointKey) {
+func (lmc *LiveMigrationCalculator) OnComputedSelectorMatch(cs string, caller any, epKey model.EndpointKey) {
+	if caller != lmc {
+		return
+	}
 	if _, ok := lmc.selectorKeys[cs]; !ok {
 		return
 	}
@@ -242,7 +245,10 @@ func (lmc *LiveMigrationCalculator) OnComputedSelectorMatch(cs string, epKey mod
 	}
 }
 
-func (lmc *LiveMigrationCalculator) OnComputedSelectorMatchStopped(cs string, epKey model.EndpointKey) {
+func (lmc *LiveMigrationCalculator) OnComputedSelectorMatchStopped(cs string, caller any, epKey model.EndpointKey) {
+	if caller != lmc {
+		return
+	}
 	if _, ok := lmc.selectorKeys[cs]; !ok {
 		return
 	}
@@ -429,7 +435,7 @@ func (lmc *LiveMigrationCalculator) refSelector(
 	}
 	keys.Add(lmKey)
 	if keys.Len() == 1 {
-		AddExtraComputedSelector(lmc.activeRulesCalc, selector, lmc)
+		lmc.activeRulesCalc.AddExtraComputedSelector(selector, lmc)
 	}
 }
 
@@ -441,7 +447,7 @@ func (lmc *LiveMigrationCalculator) unrefSelector(
 	if keys != nil {
 		keys.Discard(lmKey)
 		if keys.Len() == 0 {
-			RemoveExtraComputedSelector(lmc.activeRulesCalc, selector, lmc)
+			lmc.activeRulesCalc.RemoveExtraComputedSelector(selector, lmc)
 			delete(lmc.selectorKeys, selector)
 		}
 	}

@@ -185,8 +185,8 @@ func (pr *PolicyResolver) OnPolicyMatchStopped(policyKey model.PolicyKey, endpoi
 	pr.dirtyEndpoints.Add(endpointKey)
 }
 
-func (pr *PolicyResolver) OnComputedSelectorMatch(_ string, _ model.EndpointKey)        {}
-func (pr *PolicyResolver) OnComputedSelectorMatchStopped(_ string, _ model.EndpointKey) {}
+func (pr *PolicyResolver) OnComputedSelectorMatch(_ string, _ any, _ model.EndpointKey)        {}
+func (pr *PolicyResolver) OnComputedSelectorMatchStopped(_ string, _ any, _ model.EndpointKey) {}
 
 func (pr *PolicyResolver) Flush() {
 	if !pr.InSync {