►
From YouTube: Antrea Community Meeting 11/07/2022
Description
Antrea Community Meeting, November 7th 2022
A
B
Started
so
good
morning,
good
evening
or
good
afternoon,
thanks
for
joining
the
systems
of
the
entry
accommodating
for
today,
we
have
two
topics
in
our
agenda.
China
will
give
us
an
update
on
follow-up
items
for
the
layer,
7
Network
policy
work
that
is
leading
and
Lan
will
then
give
us
an
overview
of
policy.
Only
support
for
multi-cluster.
C
Thank
you,
everyone
for
joining
this
meeting
and
we
presented
the
closure
of
an
airport
learn7
policy
a
few
weeks
ago,
and
there
were
some
open
items
and
in
written
the
ways
we
did
some
investigation
and
some
results
and
some
still
open
questions
for
this
discussion.
The
first
API
name
currently
in
my
PR
for
the
seven
year
course
API
I
just
use
the
first
name
and
I
sync.
This
we
could
just
discuss
this
in
the
pi
itself.
C
So
let's
go
to
the
second
directory
for
a
second
question:
I
in
my
current
patch
for
the
API
I
didn't
set
the
port
field
and
mainly
because
we
don't
support
traffic
control
to
redirect
or
mirror
ports
specific
traffic
only
it
has
to
be
the
whole
traffic
or
for
a
port
or
not.
So
even
we
have
this
field
in
this
release.
It
will
not
help
the
performance
much
and
it
will
limit
the
protocol.
We
are,
will
only
work.
C
For
example,
I
found
that
for
a
egress
rule,
if
we,
if
we
adjust
the
job,
all
other
protocols
or
all
traffic
of
other
protocols,
the
egress
networks,
layer,
7,
nail
policy,
we
are
not
work
because
when
we
use
the
domain
to
X
to
specify
the
destination
URL,
the
workload
has
to
resolve
the
domain
to
IP.
So
it
has
to
use
DNS
protocol
so,
but
but
if
we
don't
support
DNS
protocol
Universal
release,
basically
the
egress
near
policy
will
make,
with
with
the
the
client,
doesn't
even
have
a
chance
to
send
out
the
HTTP
request.
C
So
previously
I
I,
remember.
My
design
was
that
if
we
we
had,
we
had
a
two
choice:
that
when
user,
specifying
one
protocol
in
the
seminar
policy
what
happens
to
traffic
of
other
protocols,
one
option
is
that
we
ignore
other
protocols,
meaning
that
term.
All
other
protocol
will
be
allowed
by
a
last
seminal
policy,
and
another
option
is
that
we
drop
all
traffic
or
for
other
protocols,
it's
more
like
the
second
choice.
C
So
if
we
go
to,
if
we
go
the
second
option,
it
will
have
this
problem
and
it
has
another
problem
that
even
we
support
DNS
protocol
in
this
release
is
still
the
second
option
is
they
are
not
friendly
when
workload
use
more
than
one
protocol
and
one
protocol
is,
one
of
them
is
supported
by
the
seminal
policy.
Another
one
is
not
supported
by
the
seven
of
nail
policy,
because
with
that
behavior.
C
C
So
that's
the
problem
of
the
second
choice,
but
if
we
go
the
first
choice
that
you
just
ignore
other
protocols
it,
we
don't
have
a
good
solution
to
support
a
scenario
that
user
want
just
to
allow
HTTP
protocol,
but
no
others
yeah
so
I'm.
Thinking
about
two
solutions
to
to
to
fix
the
to
support
to
better
support
the
the
use
cases
for
one.
If,
if
like,
we,
we
go
option
two,
but
we
add
DNS
protocol
support
in
the
first
release,
together
with
HTTP
protocol.
C
But
if
the
second
problem
is
really
a
problem
and
I
have
also
Pro,
I
propose
the
first
option,
because
I'm
thinking
that
either
a
port
should
focus
on
on
a
specific
application.
So
so
you
shouldn't
use
many
protocols
at
the
same
time,
especially
when
it
serves
as
the
server
so
when
it
serves
as
a
server
when
we
Define
the
Ingress,
there
are
seven
policy,
and
just
one
protocol
for
HTTP
to
just
one
one
GDP
protocol
should
be
enough
and
therefore
applications
that
codes
runs
as
client.
C
C
C
At
the
same
time,
it
wants
to
access
some
DB
service,
but
a
deeper
service
is
not
supported
with
ignore
it
will
the
the
DB
traffic
will
will
pass
the
seven,
of
course
automatically,
and
the
user
could
use
layer,
4,
nail
policy,
together
with
layer,
7,
nail
policy
to
limit
to
to
have
some
limit
to
how
some
restriction
about
the
traffic,
whether
which
port
and
which
destination
the
client?
Could
you
could
access?
So
currently
there
are
two
options
to
to
resolve
the
some
of
the
problem.
C
I
think
the
first
one
is
more
kubernetes
net
policy
style
and
it's
simpler,
but
it
would
introduce.
It
may
introduce
some
use
case.
We
cannot
support
until
the
protocol
support.
It's
a
very
is
rich
and
the
second
could
address
all
cases,
but
is
not
this
Theory?
We
don't
have
this
third
in
previous
nail
policy
apis.
So
it's
something
new
and
a
new
one
has
suggestion
or
questions
about
these
two
options.
D
D
D
C
C
Yeah,
so
that's
the
problem
so
and
and
that's
why
I
proposed
another
option
to
which
is
not
similar
to
kubernetes
nail
policy
style
for
Community
Network
say.
Therefore,
then
there
are
only
two
major
three
major
protocols
is
easy
to
enamorate
all,
but
for
level
4
level
7.
There
are
too
many-
and
in
this
case,
if
supported
and
unsupported
protocol
are
used
together
for
workload,
user
cannot
use
the
supported
protocol.
If
we
go
the
first
option,
because
all
unsupported
protocol
will
be
dropped.
D
C
C
Just
use
IP
to
match
the
traffic,
because
this
is
a
blacklist
mode
right
this.
This
is
the
white
list
mode.
Once
the
the
seven
nail
policy
applies
to
a
port.
If
we
go
the
first
option,
there
would
be
a
lure
to
drop
all
IP
packets
to
this
port,
for
example.
If
this
is
ingress,
we
will
we
will
have
a
deny
or
a
job
rule
to
job.
C
D
C
If
we
mix
them,
then
the
therefore
you
you
already
allow
level
for,
for
example,
with
level
say
you,
you
allows
TCP
80
Port
traffic
right.
It's
already.
It
already
allows
the
the
traffic
itself.
So
if
we
we
we
are
not
enforced,
then
the
the
two
kinds
of
laws.
First
and
later
it
doesn't
make
sense
that
the
second
could
drop
the
traffic
right.
So
if
they
they
don't
affect
each
other.
It's
just
a
one
is
enforced
fast,
then
the
next
one.
C
D
D
C
D
No
I,
I
I
think
the
the
problem
is
that
what
I
describe
it
I
think
the
problem
that
for
for
some,
but
for
example,
if
if
just
we
just
talk
about
TCP,
it's
possible,
you
have
both
level
four
traffic
and
they're
selling
traffic,
both
use
TCP
for
the
ones
you
define
there,
some
policy.
Actually,
you
cannot
allow
any
other
long
layer,
7
traffic
to
the
to
the
port,
Al.
C
C
E
Maybe
I
can
think
of
another
option.
For
example,
if
you,
if
we
can
mention
the
TCP
and
UDP
port
in
the
England
and
egress
rules,
and
then
you
can
define
a
policy,
something
like
I
want
to
allow
a
specific,
tsp,
Pro
but
I,
don't
know
the
layer,
7
proxy
and
then
this
is
because
usually
one
TCP
and
udb
product
is
used
for
only
one
kind
of
their
serum
policy.
E
E
C
E
D
A
C
But
anyway,
with
this
Lua
defined,
it
will
only
check
TCP
tsap
to
Port
80
traffic,
and
if
it
match
this
HTTP
attributes,
it
will
be
allowed
any
other
traffic
that
match
TCP,
80
Port
will
be
dropped
right
and
all
other
TCP
Port
traffic
and
the
UDP
traffic
will
not
be
affected
by
this
layer.
7
air
quality
is
that
what
you
means.
E
E
And
then
you
want
to
allow
some
supported
Proto,
you
just
add
another
entry
and
with
only
product
mentioned
without
any
layer,
serum
photographer,
for
example,
TSB,
Port,
403
and
then
sorry,
GSP,
TCP,
Port
22,
and
then
even
we
don't
support
SSH
and
we
can
just
allow
every
protocol
22
and
block
all
the
other
ports.
Yeah.
C
I
understand,
but
that
was
I
tried
to
avoid
it
would
be
a
little
duplicated
with
our
current
foreign
policy,
so
you
need
to
allow
the
same
traffic
the
same
plot.
There
are
four
protocol
and
Port
twice
in
therefore
under
level.
Seven,
so
that
that
was
I
wanted
to
avoid
into
I
would
send
send
me
information
in
the
70
policy.
E
A
C
E
C
C
D
C
Yeah
I
understand
yeah,
okay,
we
couldn't
and
discuss
more
offline
and
or
in
the
pi
itself,
and
let's
see
the
the
this
program
and
for
the
check
sound
of
loading
issues
and
as
I
mentioned
before
the
traffic
once
it
is
handled
handled
by
the
7th
engine
it.
The
traffic
would
be
sent
to
data
data
plane
from
user
Space
by
the
seven
engine,
and
some
is
some
of
the
beats
in
the
package
as
KB
is
changed
and
the
destination.
C
We
are
not
accepted
the
package,
because
the
check
song
it
looks
not
correct
and
we
investigate
another
option
except
the
the
Y
already
is
already
working
but
may
affect
all
poles
and
has
to
be
turned
on
once
the
cluster
is
deployed.
This
then,
the
other
option
is
that
we
could
use
to
say
say
some
action
to
trigger
to
force
recalculate
the
check
sound
of
specific
packets,
and
we
only
need
to
set
the
and
the
this
configuration
in
the
Network
device
used
by
the
layer
7
engine
to
send
send
traffic.
C
C
Oh,
let's
check
this,
the
client
to
only
access
a
specific
web
service.
They
could
use
host
hostname
in
the
near
7
protocol
attribute,
but
not
has
to
specify
the
net
policy
peer
and
it
could
to
be
more
to
to
be
more
safe.
They
could
also
specify
DNS
a
protocol
to
only
allow
the
client
to
ex
to
query
the
same
domain,
but
but
this
is
not
really
needed,
because
if
user
access,
other
domain
names
and
the
traffic
would
have
already
been
dropped,
even
without
the
IP
matching
and
hope
this
makes
sense.
C
C
C
The
address
group
could
refer
to
a
list
of
ips,
but
before
in
surikata
7,
which
is
we
just
released
a
few
two
weeks
ago.
I
think
before
this
release.
There
is
a
limitation
that
the
address
Gene
must
smaller
shorter
than
and
8K
bytes,
and
it
would
only
include
a
five
more
than
500
ipv4
addresses,
and
this
issue
has
been
fixed
by
this
PR
and
the
current
7
release.
C
So
in
the
case
of
no
policy
change
but
just
put
life
cycle
events,
only
the
valuable
file
would
be
updated.
The
signature
will
not
change
and
another
is
performing
issue.
What
what
if
we
have
many
IPS
in
a
single
signature
and
what,
if
we
have
many
signatures,
converted
from
The
Seven
Year
policy,
their
performance
impact
and
Hong
Yang
will
have
will
share
more
information
about
them.
B
F
F
We
don't
need
a
very
long
time
to
to
reloading
our
signatures,
and
but
but
with
the
with
the
increase
of
Society,
is
per
signatures,
the
reload
the
cost
of
reloading
time
or
increases.
We
can
see
that
and
we
can
see
this
line
when
there
are
two
students
and
70
75
IPS
per
second
interest.
It
takes
seven
seconds
to
reload
to
reload
and
all
signal
inference.
C
So
from
this
data,
I
think
is
the
management
performance
is
okay,
because
on
each
node
there
should
be
at
the
most
1000
I
I
feel
because
there
are
only
a
few
ports
running
on
report
and
that
might
be
a
few
numbers
or
for
their
Seminary
policy
applied
to
each
port.
So
a
film,
perhaps
hundreds
of
signatures
is
the
our
all
we
need
and
from
your
data
it
could
be
less
one
less
than
one
second
to
little
all
rules
right,
so
I
think
this.
It
should
be
fine.
F
E
F
F
These
are
the
types
of
environment.
How
does
the
two
parts
they?
They
are
disabled,
which
checks
on
injects
exam
offloading
and
there
is
just
recorded
part
with
host
Network
and
there
are
there.
Are
you
know,
node
I
just
use
the
default
argument
for
every
payload
and
every
test
is
calculated
from
10
wrong
test.
Remove
the
lowest
enhanced
then
get
the
average.
F
Before
the
before
January,
before
this
produce
a
house,
a
house
changed
through
Carter
argument,
so
we
can
anyway
we
can.
We
can
see
that
with
the
authors
record-
and
this
is
the
payload
data
then,
and
also-
and
then
we
can
with
this
Ricardo.
This
is
a
very
small
scale
and
there's
only
102
signature.
This
Thread
is
Auto,
and
this
is
very
important
because
well
it
will
set
it
manually
at
the
one
or
two
some
some
some
tests
is
affected.
Very
it's
affected.
We
can
increase
worry.
F
F
F
F
Another
difference
is
about
the
first
recorder
signals
there
are
for
this
one,
and
there
is
no
significant
can
match
the
any
payload
of
this.
For
this
one.
There
are
two
rules.
There
are
two
signatures
which
are
used
to
match
the
payload
of
tsp
stream,
iotp
stream
and
the
TCR
when
they
are
masked
when
they
are
technicians.
With
my
system.
F
B
B
G
G
Yeah,
okay,
thanks
so
and
again
see
my
screen:
yes,
hello,
okay,
cool,
okay!
Maybe
I
can
just
give
a
quick
overview
of
the
current
design
and
okay,
hello.
Everyone
and
before
we
discuss
about
Network
policy,
only
mode
I'd
like
to
show
you
that's
about
some
multi-class
traffic
when
we
using
it
with
the
income
mode,
which
is
the
default
model
we
are
using
for
the
enabling
the
multi-class
feature.
You
know
that
in
hour
and
three
month
cluster,
when
we
have
a
multi-clusters
always
which
exported
in
one
cluster,
for
example
member
cluster.
G
Here
we
have
two
member,
a
three-member
cluster
and
another
core
services,
our
multi-class
service.
We
will
Define
as
always
seeing
the
imported
the
cluster
and
it
will
have
this
kind
of
prefix
and
the
the
special
case
special
point
for
the
multi-class
service
is
that
we
will
no
longer
have
the
part
IP
as
the
endpoint.
We
were
using
the
remote
exported
Services
cluster
IPS
standpoint.
So
if
you
see
here
these
two
eyepiece,
actually,
the
those
cluster
IPS
are
signed
in
their
own
cluster,
for
example,
in
class
B.
This
is
a
1.20
toe
and
okay.
G
G
So
maybe
I
just
give
you
a
view
of
current
income
modes,
and
you
know
that
in
income
mode
we're
managing
our
class
pod,
IP
and
and
also
the
traffic,
we
are
all
go
through
the
tunnel
interface
right.
But
if
we
go
through
the
policy
only
mode,
the
problem
is
that
we
would
have
some
gaps
here.
One
thing
that
so
there's
no
tunnel
interface
because
there
is
no
longer
needed
and
the
other
traffic
or
the
IP
is
managed
by
the
primary
CI
and
also
the
roads
is
set
up
by
the
Privacy.
G
So
our
assumption
is
no
longer
or
I.
I
would
say
that
prerequis
is
no
longer
supported
in
network
policy
only
mode,
for
example,
here
in
one
cluster,
there's
no
longer
have
Channel
interface
and
those
in-class
traffic
is
also
control
the
primaries
and
by
the
cloud
provider.
So
here
the
in-class
tunnel
and
the
universe
is
no
longer
existing
here.
This
is
a
Gap
we
have
in
the
narrow
policy
only
mode,
so
how
we
can
fix
this
Gap.
The
MIM
works
are
actually
in
the
entry
agent.
G
One
thing
that
we
need
the
tunnel
interface,
so
we
need
to
set
up
the
tunnel
interface.
Even
we
run
it
in
the
narrow
policy
only
mode,
and
even
it's
it's
by
default,
there's
no
tunnel
interface.
So
for
we
will
create
a
new
tunnel
interface,
it's
only
for
the
cross-class
traffic.
This
is
one
thing
we
need
to
do
from
the
entry
agent
and
then
otherwise
that
you
know
there's
a
gap,
there's
no
in-class
roads
for
the
part
IP
and
this
out
of
our
control,
because
it's
controlled
by
primary
CI.
G
Okay,
here,
as
you
can
see
that
the
Gap
is
here,
if
you
see
the
first
one
and
the
green
one,
it's
actually
the
income
mode,
so
we
will
have
something
like
the
default
level
through
forwarding
group,
and
this
this
slider
will
be
the
part
cider
right.
Oh
sorry,
okay,
oh
the
okay.
We
think
that
it
will
be
the
power
slider.
Oh
sorry,
this
is
in
cardboard.
Just
so
excited
won't,
be
it's
actually
the
serviceider
remote
service.
This
slider
belongs
to
the
remote
class.
For
example.
G
This
cider
is
from
class
B
and
we
know
that
this
cider
and
as
Florence
Class
B.
So
we
will
forward
this
from
the
gateway
to
forward
the
traffic
to
the
Class
B.
Okay,
when
we
go
to
the
nail
polish,
the
only
modes
and
the
same
rule
will
be
there
and
there's
no
training
for
this
part,
but
to
win
the
class
when
the
traffic
hits
the
class
B
or
we
see
the
cross-cast
traffic
has
reached
the
class
B
in
the
class
B.
G
When
we
write
the
income
mode,
we
will
have
something
for
the
power
IP
and
we
we
know
how
to
root
those
product.
A
lot
of
traffic
to
the
right
node
right,
because
we
have
some
level
three
forwarding
rule
here
and
we
know
the
remote
or
other
General
nodes
cider
here,
but
in
narrow
policy
elements
we
don't
have
this
kind
of
a
forwarding
rule,
because
the
part
IP
is
not
the
control
managed
by
us
and
The
Roots
is
on
their
own
delay
Network.
So
this
is
one
puzzle.
G
We
need
to
fix,
okay,
so
in
how
we
can
so
when,
when
the
request
or
cross-cluster
traffic
request
is
goes
out
to
another
class,
for
example,
here
we
reach
the
class
B
how
to
get
away
know
how
this
traffic
goes
to
the
right
node.
We
will
add
something
we'll
add
a
new
controller
in
the
entry
agent
to
set
up
a
necessary
part
roads
between
Gateway
and
the
general
node,
but
we
will
only
watch
those
exporting
the
service
back
and
part
and
it's
a
corresponding
endpoints.
G
Only
so
you
will
see
a
new
rule
in
the
level
three
forwarding
and
the
destination
will
be
the
part
IP,
and
we
will
set
up
the
right
tunnel
destination
IP
for
the
for
the
cross-class
traffic.
Sorry
so
before
you
will
see
that
we
have
a
cider
sorry
here
we
have
a
simple
designer
to
control
which
node
this
traffic
should
goes
to.
For
now
we
will
just
set
up
a
necessary
pod
IP
here
in
the
level
34
body
and
okay.
This
is
a
one
puzzle.
G
Another
puzzle
is
that
when
the
traffic-
let's
say
the
traffic
from
class
B,
it's
a
reached
across
B
and
let's
go
back
to
the
class
A
in
the
class
B
we
will
have
in
in
cap
mode.
We
will
have
lowercase
forwarding
and
understand
that
the
traffic
you
know
that
we
have
as
net
so
we
know
that
this
IP
is
from
remote
cluster.
We
know
the
destination
is
matching
the
remote
class
IP.
Then
it
goes
to
the
right.
It
will
go
back
to
the
Gateway
and
I
go
back
to
the
product
lines.
G
Then
there
in
the
network
policy,
only
mode
they're
actually
known
difference
here,
but
so,
when
the
request,
the
reply,
the
package
go
back
to
the
class
A
in
in-cap
mode
as
before
you
you,
we
can
tell
that
the
same
through
the
same
way.
There's
a
level
three
forwarding
power
slider
here
right
and
we
can
just
send
it
back
to
the
based
on
the
power
cider,
but
for
now
you
know
policy
only
mode.
It
has
the
same
problem
here.
G
Okay,
here's
how
we
do
that.
You
know
that
in
reply
Direction
we
will
need
a
way
to
let
the
Gateway
know,
which
general
know
that
the
traffic
should
send
back
right.
So
we
knew
we
use
the
CT
label
a
new
label
here
to
save
the
request
packages
Source
tunnel
IP
when
the
request
arrives
Gateway
at
the
beginning,
and
so
I
will
see
something
like
this.
It
will
match
the
destination
and
also
load
the
necessary
registration
and
also
thus,
we
saved
for
the
source,
IP
tunnel,
Source
IP
to
new
New
Field.
G
Here
and
after
that,
we
will
also,
you
know,
match,
make
sure
the
cross-class
traffic
we
commit
the
source
IP
tunnel
IP
to
the
label
so
that
we
can
use
it
later.
Then,
after
we
save
this.
When
the
request,
when
the
replied
package,
you
come
back
to
the
Gateway
on
the
class
A,
it
will
fit
and
match
based
on
the
city
label.
G
Then
it
will
set
the
right
tunnel
here
tunnel
based
on
the
IP
and,
of
course
in
the
city
label
and
save
or
reload
load
the
rights
tunnel,
so
a
destination
IP
here
to
the
tunnel
destination.
Then
it
will
go
back
to
the
right,
General,
node,
yeah
I
think
that's
all
for
the
core
function
for
core
part
on
the
multi
plaster.
With
the
network
policy.
Only
modes
and
I'll
show
you
there
any
questions.
B
B
B
B
B
B
For
such
good
presentations
and
a
very
good
discussion
and
I'm
looking
forward
to
see
more
more
more
conversation,
both
about
layer,
7,
Network
policies
and
policy,
only
mode
for
multi-cluster,
so
thanks
a
lot
to
everyone
for
attending
and
let's
meet
again
in
two
weeks
time.
Thanks
and
I
wish
everyone
a
good
day
good
afternoon
or
good
night
oil.