From YouTube: Antrea Community Meeting 04/25/2022
Description
Antrea Community Meeting, April 25th 2022
A: All right, so, unless I'm mistaken, welcome everyone. Sorry, welcome everyone. Welcome to this Antrea community meeting. Today is April the 25th in the US and, I guess, April 26 in China.
B: So it's too limited for enterprise networks, and the OVS toolkit already supports tunnels using standard certificates. And for Antrea, we only need to manage certificates and load them to each node, so the OVS toolkit will be responsible for monitoring and configuring the IKE daemon. So yeah, for Antrea, we only need to find a way to request and issue the certificates and configure them on each node, and here is the certificate format for each node.
B: So, as you can see, the important thing in the certificate, I think, is that we should pay attention to the common name section, as the OVS monitor IPsec script will extract the common name section and configure ipsec.conf for the IKE daemon. So it is critical. And also we can see that for the extension section, we mark the key usage as IPsec tunnel.

B: Yeah, basically this is a standard X.509 certificate, and for the OVS configuration we need to set the other_config fields of Open vSwitch. Basically, we need three fields: the certificate for the node and its corresponding private key, and we also need to set the root certificate for authentication purposes.

B: We configure each port with a PSK, and the exact pre-shared key is in the options, but by using a certificate we only need to set the remote name of the peer worker nodes. The remote name should match the common name in the node's certificate.

B: So there is a problem, which is that Antrea agent pods cannot mount their own certificates individually, as they are managed by a DaemonSet. So it's also not secure to save all the issued certificates and their private keys in one Secret and load them in the DaemonSet as a volume. So I think it's not secure for most cases, as we can use the same certificates for the authentication.
B: So I think I struggled to issue a new certificate without persisting them in the Kubernetes storage database, and also Kubernetes provides stable certificate signing request APIs. So it fits nicely with the controller and agent architecture. That means the agent can create a certificate signing request through the Kubernetes API, and the Antrea controller can approve and sign it with the CA, and then the Antrea agent can get the certificate through the status and save it as files on the node.

B: So for the root certificate, the controller can generate a self-signed CA and save it and its private key as a Secret. Meanwhile, it can also save the certificate in a ConfigMap.

B: The volume... so this is what the CSR API looks like for our use case and, as you can see, in the spec section on the left we have the PEM-encoded CSR, and the certificate request contains the common name of the node. We must also specify the signer name. I'm not sure about the naming of the signer, so I just name it antrea signer here, and the usage, as I said before, is IPsec tunnel.

B: It's five seconds, yeah. So once the certificate signing request got approved, we can see the status in the conditions field. It says it was automatically approved by the antrea.io signer, and then the next step, the controller will sign the certificate and update the certificate section in the status.

B: So there is a subtle issue there, maybe it's not an issue, but the approved or denied requests will be automatically deleted after one hour. So this is Kubernetes behavior. So we must pay attention to the controller in the Antrea agent to make sure we do not need to issue new certificates while the existing one is still valid.
B: Assign permission for the approve and the sign verbs to the antrea.io signer, yeah, the signer name, as I said earlier, so it will make sure that the Antrea controller will only sign and approve the requests with the desired signer name. It will not touch any other CSRs with other signer names. And also, as the Antrea controller needs to save its root CA and private key in the Secret...

B: So we need the controller to create Secrets and also update the Secrets with name antrea ipsec CA, yeah. And for the agent, we will need to allow it to create and watch, modify the certificate signing request.

B: Yeah, that's for the RBAC, and next is certificate renewal. From my understanding, I think there are three cases to renew the certificate. The first is that the certificate is about to expire, so we can determine it from the Antrea agent and we can create new CSRs and issue a new certificate.

B: Also, it can happen when the Kubernetes node reboots. So if we store the private key in the /var/run folder on the node, I think it will be deleted once the node gets rebooted. And the last thing is that the root certificate might be changed, so it can happen when the root certificate expires or the Secret of the controller was deleted manually or by accident. So the certificate will change once the Antrea agent detects the change of the root CA, so it will...

B: If not, I think it will need to request a new certificate. And during my testing I found some limitations of the OVS monitor IPsec script: it only works for the OVSDB changes instead of the file content changes. So for certificate reloading, we can have the following workaround.

B: Unfortunately... we can maybe generate a random name for the certificate file and update the other_config so that the script will detect the change of the certificate name and reload the IKE daemon. And also, option two is that we can use static names for certificates, but add another field to the other_config. For example, we can compute a hash for the private key, root certificate and the certificates, and save the hash to the other_config.

B: So the script also detects changes and updates the certificates later, yeah. So that's the two options for the workaround, and yeah. So that's for the certificates and...
B: And we can mount the same path on the node, so the file will be shared in both containers.

B: So, if yes, we must change the start script of the antrea-ipsec container, and we may need to copy some code of the Antrea agent... no, no, no.

B: Sorry, it's noisy. Yeah, so, if yes, I think we need to compile an IPsec-specific binary for the IPsec container, and it will be responsible for issuing and managing certificates, yeah. So I'm not sure which one is better.
B: I think those certificates will be generated once, upon the first run of the Antrea controller, so it will save it as a ConfigMap, so the Antrea agent can mount it as a volume.
C: Okay, you mean when it restarts it could read the Secret directly and reuse it.
B: Yeah, for my current design, I think for the node certificate on each node, we do not need to save it as a Secret. So I think it doesn't matter whether we can reuse it or not, so we can create a new certificate if it's deleted by accident or the node reboots, so we can always create new certificates for each node. So I don't think we need to save it as a Secret, and I cannot find a clear way to load the certificate individually to each node.
B: For the CSR, the certificate status only contains the leaf certificate of the node, but yeah, you are right. We can append the root CA to the certificates in status, yeah. We can do that, but for the OVS configuration we need a separate file for the root CA.
C: And I have another question: maybe the seventh page or the eighth, I'm not sure. Oh yes, in this page, this certificate hash value, is it an OVS field or some field?
B: The other_config fields will trigger the reload of the OVS monitor IPsec script. So I think we can just add a hash value to it to trigger the update.
C: Oh, I see, thank you, yeah. What's the original field name for the certificate file? It's...

C: Okay, it sounds like using this hash would be simpler, because if...
C: Oh, and sorry, I have another question. I know that the Kubernetes controller manager has some option on how to approve CSRs, and will that conflict with our own signer?
B: I don't think so, as we define our own signer name here, so the controller manager will only approve the CSR requests for the specific signer, so it will not conflict.

B: And I want to get your opinions about which container we should put the logic for managing certificates in. So if we keep the antrea-ipsec container as it is, we can just mount the same path in both containers, and the Antrea agent can be responsible for managing the certificates. If not, we may need to modify the script in the antrea-ipsec container, or we can compile a dedicated binary just for managing certificates in the container.
C: I assume currently the Antrea agent already has some IPsec-specific code, right? Yeah, code for IPsec? Then probably it is simpler to just have the CSR logic in the Antrea agent as well, because if you have another Go process for this purpose, it will also need to have some certificate, some token, and a connection with the Kubernetes API, right?
D: I mean you can use, I think it's called, this time, called emptyDir, when you create...

D: Yeah, I think he mentioned that he will not process the... That's my... could you confirm?
B: I think, for the current design, I want to save the certificates to the emptyDir path on the node, so, okay, so it will help for the agent restart case. So we don't need to issue new certificates for the container, for the pod restart case.
D: What I mean is that, as long as the pod, not the... the emptyDir actually exists, right?
C: Okay, the case you are talking about should be the container restart case, not a pod restart. Actually, the pod doesn't really restart; for example, the Antrea agent process crashes, and only that container is restarted.
D: Anyway, but you're saying in the upgrade case, it will be a new pod.
A: I did have one question: can you go back to the RBAC slide, please? Oh yeah, this one. So when it comes to the certificate signing request, the controller can approve.

A: It can update all of them, not only the ones... not this antrea... the antrea about that.

A: I guess I'm trying to understand the difference between... I'm trying to understand what the signers resource, the one below, sorry, the signers resource. Is it like who's creating that resource?
B: Yeah, so I think this is the standard RBAC for all kinds of CSRs. We have sub-resources for approval and status, but we still need additional verbs for the signer, so this means that the Antrea controller can only sign and approve CSRs with the specific signer name.
A: I don't know if it's a security issue, but ideally you would only want to be able to create certificate signing requests for the antrea.io signer, and I guess ideally you would be able to constrain what you can put in the common name field or SAN field. But I guess it's not possible because all the Antrea agent pods in the DaemonSet have the same permissions.
D: And tell me: what's the issue you saw here?
A: I was just thinking that those permissions were a bit permissive because you can create certificate signing requests for other approvers. I don't know if that's an issue, but I'm just thinking of a case where a node is compromised and the agent token is compromised.

A: If the agent token is compromised, I was wondering if this is considered like an important permission, the ability to create CSRs, or if it's not really considered like a dangerous permission to have.
B: I can check this later to see whether we can set constraints for the creation of CSRs.

B: Yes, yeah, so I think for our signer, we need to make sure the common name section is valid, and we can also check to make sure the node exists, and also we can check the subject alternative name section, and we can also check the usages.
B: Yeah, so we... yeah. No, no, we don't know which node creates the CSR, but we can make sure that we will not sign requests for a node which does not exist in the cluster.
C: Not sure it's typical to always automatically approve it by program. It sounds like every node actually can have all peer certificates and keys if they want, because even when one agent creates its own CSR and gets its certificate, another compromised agent may issue the same request and get its certificate.

C: I'm not sure whether this is a security issue, but yes, perhaps if we, or just optionally, have a configuration to ask a user to approve the CSR when they deploy, after they deploy and... could that be an option, and could that avoid the security issues of automatic approval, yeah? I think that's a...
B: That's a good suggestion, so I think we can disable the automatic approval from the Antrea controller. Also, we can ask the users to approve the CSRs.
C: Subtle issue, yeah. I think that's understandable, because if we document that the certificate will not be persistent across node restart, it should be reasonable to ask a user to re-approve a new CSR after a node restarts. And I remember kube-controller-manager has this option to... I remember by default it doesn't automatically approve CSRs.
A: What does kube-controller-manager sign CSRs for? Does it sign CSRs for kubelets, individual kubelets, or...? Do you know?
A: I think that's a good idea, but do you think it's possible to prevent pods from being scheduled on a node until the CSR has been approved? I'm just thinking of a node reboot, where the node would reboot and pods would be scheduled to the node, but they would not be able to talk to other pods on different nodes until the CSR is approved. So would there be a way for us to mark the node as not ready or something like this, or unschedulable, or something like this?
D: I have another question: the common name, you mean it's just a node name, right?
B: Yeah, actually, we can change it to whatever we want, but it must match the port configurations of the OVS bridge. It must match the remote name here.
D: But that doesn't mean the DNS name was known, right? How could you know you validated the certificate if the common name is just a node name? I mean you don't have the IP or DNS name in the certificate.
A: All right, well, I think that was a very comprehensive presentation, thanks to... and does anyone else have any follow-up question on this topic?

A: All right, thanks again to... I think that is all we have on the agenda. So now is a good time to speak up if there is any other topic you wanna bring up in today's meeting, or any status update you wanna share.

A: Okay, looks like there is no new topic, in which case everyone's going to get 15 minutes back. Thanks everyone for joining the meeting tonight, and thanks again to you for your IPsec certificate presentation. I'm sure we can follow up the discussion online.