From YouTube: Antrea Community Meeting 01/03/2023
Description
Antrea Community Meeting, January 3rd 2023
A
All right, so hello, good morning, good afternoon, good evening, and thanks for joining the first Antrea community meeting of the year 2023. Happy New Year to everyone, and we are therefore ready to start with this meeting. So for today I have on the agenda a discussion of the ofnet announcements.
A
I don't know if we have any other topic. Quan, I believe that the last time you mentioned that you wanted to bring up some discussion over outstanding user-reported issues. Is that correct?
A
So maybe let's start with the ofnet announcements, and then, you know, we can go with the discussion of these customer-reported issues, and if we don't go through all the issues today, we can finish them in the next community meeting. I believe that Ashish joined this meeting to present about the ofnet announcements. So I will probably just hand it over to Ashish; please go ahead with your presentation.
C
Yeah, hi, I'm Ashish. I've been working in the OVS team at VMware and recently spent some time on the libOpenflow and the ofnet library of Antrea. So I'll share my presentation now.
C
So let me give you just a very brief background of what we are discussing. So in Antrea we have the OVS, which actually does the data path, and this OVS is programmed by the Antrea agent. But if you look down, it's actually a set of libraries that we use. So we have this library called libOpenflow, which majorly does the encoding and decoding of the OpenFlow messages. Previously we were using 1.3, and recently we coded the 1.5 support, which is now integrated.
C
Apart from this, this library also has some support for different protocol encoding and decoding, like ICMP and other protocols, and it also provides some utility to read the messages and buffer the messages over the socket. So it talks to the OVS. The module that drives or uses this libOpenflow is the ofnet, which actually implements the logic.
C
Like, kind of, you can say, the first level of the controller logic, the OpenFlow controller. So this implements kind of a switch implementation. You can program the ofnet using some kind of a graph method where you can program different entities. It has an OVSDB driver, support for a transaction and packet-in handling, and the user of the ofnet is called an app or an application.
C
Currently the application is Antrea agent, or you can also trigger different scenarios using the unit test, which acts at the same level as the app. We'll discuss this command line a little later. So when we coded this and, like, discussing with Wenying, we found that the ofnet code can have a few enhancements that are possible, which will make the whole code better.
C
So I have listed the points over here. So the way this discussion started was that we encountered a deadlock bug. This was observed, I think, once only, as far as I recall. This was observed in some customer site, where the ofnet code kind of just blocked on certain load condition. By load condition I mean that there were a lot of flows getting programmed at the OVS, and under certain condition...
C
We are not sure, we still don't know the root cause, but it kind of deadlocked, and when he added some code, but we can, we can further...
C
So as a part of this, we obviously have to fix this bug, but to fix this bug what we have to do is add some way where we can actually do some kind of a load or stress test, because, apart from being able to reproduce this issue, it's a good thing to have a test case which can load up the entire ofnet and the libOpenflow code, so that we can iron out any other issues that we encounter.
C
So that's the plan, to add this test. Also, we found that there are certain interfaces, by interface I mean that whenever a packet-in is received at ofnet, it's sent to the application or Antrea agent. It's still like a function call; we would like to make it like a buffered channel, so that the ofnet code doesn't get locked up or delayed because the application takes more time to return than what is usually acceptable.
C
So we want to not block the ofnet code. One more thing that I found is that whenever we program a flow to the OVS, OpenFlow doesn't provide a very clear feedback whether the flow addition was successful or not. So right now, the way we kind of account for the flows programmed in the OVS is using flow stats, but OpenFlow has a better way to do this kind of monitoring.
C
It's actually called a flow monitor, and the way it's better is because once you program a flow monitor in the OVS, it will just generate asynchronous messages to the controller on any flow addition or deletion. So that way you get a feedback of what's happening at OVS. In case, for some reason, OVS decides to delete a flow, you again get a feedback, so this is a good way to keep a check on the flows which are there at the OVS.
C
One other thing that we found is that the logging at the ofnet is really bad. So in case now we get any issue, any bug, we don't know where it is, if it's in the ofnet, which part of the code failed, because the logs are actually not there. So this has to be added on a high priority as well. We need to add error logs and debug logs for obviously debugging any issue.
C
The documentation at the ofnet level again can be enhanced further. Okay, now this is this command line tool. Now I don't know whether this makes sense or not, but this is something which I thought. So right now, to trigger this ofnet code...
C
We have the Antrea agent, of course, or the unit test, but I was just thinking of adding a command line tool that will trigger ofnet and libOpenflow, something very similar to the ovs-ofctl. We can have something called ofnetctl or something like that, so that this becomes like a standalone utility to program, add or delete flows using this code base.
C
So, just an idea, maybe not a high priority, but probably a good utility to have. Again, right now, coming to this feature part: right now, whatever is implemented in ofnet is obviously what is needed by Antrea agent, but maybe in future you need more OpenFlow features, which obviously are not here.
C
So this is kind of an open-ended thing, where probably the folks working at the Antrea agent can think of any other feature that they would be needing in future, so that we can plan it ahead of time. Again, this is something which I'm not sure about, but do we need to explore the AF_XDP or the DPDK support at OVS? This is more at the OVS level.
C
Are we planning to move in this direction? So again, getting to know in advance would help. That's all I had. Any comment or feedback?
B
I see, thanks for sharing this. I also have some questions about AF_XDP and DPDK data paths of OVS support. So I want to take this opportunity to ask you some questions. For AF_XDP, I'm not sure whether my understanding is correct. Is this only about moving the data path to user space, and would it affect the use case of workloads? Does it require the workload, the application, to be developed based on XDP, or like a DPDK-based application?
C
So it's the data path of the OVS which will move. So right now we are using the kernel module as the data path.
C
If you move to AF_XDP or DPDK, we have a different data path, but the OpenFlow messages, the interface, that doesn't change. But when we move to AF_XDP or DPDK, the data path code is entirely different, and I believe we do support everything that the kernel module today supports in the DPDK or the AF_XDP data path. But there could be certain features which might be missing.
C
I don't have that list right now, I can get it, but mostly the interface will not change. But the second limitation, of course, would be that at least for DPDK I know that it works only on certain specific NICs. About AF_XDP, it probably may have the same limitation, but I'm not very sure about AF_XDP today. I can find it out.
B
Okay, my major concern for moving to AF_XDP is whether it would affect the application itself, because that means whether the application can continue to rely on the TCP/IP stack of its own namespace, whether it can receive traffic from its network interface like before, or it will have to move to...
C
Oh okay, I'm not sure as of now, but I'll find it out and tell it to you. I actually didn't work on AF_XDP, but I'll definitely find out and tell you. But by application you mean the container trying to bind to a normal dev device? Is that what... yes.
B
Yeah, and I mean regular applications, like an HTTP server, that receive traffic from normal interfaces, virtual interfaces.
C
I think there will be some changes: this deadlock bug, logs and the buffered channel. This will probably be what we are aiming for the next release, and then we'll work on the stress test and documentation after that.
A
Awesome, thank you, perfect, and it seems there are no further questions for Ashish. So perhaps we can move to the next topic for today's meeting, and Quan, I don't know how you want to go ahead for discussing customer-reported issues, so I'll just let you lead the conversation from here.
B
I hope my screen is visible. Yes, yeah. Currently we have 18 open issues for feature requests, and I have opened a few for today's discussion, and they are mainly about service external IP, egress and network policies and the sync. The issues themselves are valuable and I want to collect more inputs from the community.
B
Oh, this is not a feature request, and I removed the label, yeah. Let's start from this one. This is a feature request to allow multiple services sharing a single IP, and it is the use case of MetalLB either in Lamport, and I think this feature request makes sense, and I proposed to just allow users to specify the same IP for different services, and it will automatically work when the services are using different ports, and if they are using the same port, they cannot work.
B
So we will not report the requested LoadBalancer IP to the status of the second service, and let users correct the configuration, and we will generate events for this service to alert this warning. It should basically work, and I also got some comments from Antonin and Xu and the user. So if we have any comments for this feature request... if not, I think it should be clear, and what we need to decide is whether we should just include this implementation in this or the upcoming release.
A
At least I didn't have time to think totally about this problem, but I don't see any problem with sharing the same IP for multiple services, so your proposal should be good. Does anyone else have any comment on this issue?
B
Sure. The second one is from Jianjun, and I think he wanted this feature to resolve one problem: that for some services created automatically by some controllers, there is no chance to update the annotation to let Antrea allocate one LoadBalancer IP for that, or even a user manually annotated service...
B
It will be automatically cleared by the controller who is managing it. So his proposal was to have an annotation on the external IP pool, meaning that that external IP pool will be used for all LoadBalancer type of services when they don't have a separate annotation. I didn't reply to this issue, but I thought about this through comment.
B
My feeling is that having a unified external IP pool may not work for all use cases, because all services will have to use the same external IP pool, and I wonder if we could just move the service annotation to namespace level; not move to, but just have another layer for annotation.
B
For example, when the namespace has... when the service itself has the annotation, the Antrea controller will allocate the external IP from that IP pool; when the service itself doesn't have the annotation, Antrea will check the annotation on the namespace, and the annotation is in the same format, just two layers of annotation, and if the namespace itself has the annotation, I'm sure we'll still use that IP pool to allocate the IP. And there are two benefits I can think of. First...
B
...is that not all services in the cluster have to use one external IP pool, and I think it may be typical to use namespace as the boundary of resource sharing, and the other benefit is that it could also resolve the problem that a user doesn't have to annotate every service, and...
B
Especially when the service annotation cannot be updated by the user.
B
...have to know another annotation; we could just use the same annotation as before, just annotated on the namespace.
A
Yeah, I mean, I don't have any specific comment to the proposal from Jianjun. The only comment that I have is that, typically, if you have to annotate something as being the default, then we need also some additional check to make sure that only one pool is annotated as default, right? So that's the strange part.
B
Sounds good, and the next one is about egress, you know. Currently we can only assign one egress IP to each egress object.
B
That means that if the egress IP is statically allocated...
B
So if the cluster has more than one subnet and the nodes are in different subnets, only a few of the nodes can be used as the external node, and when the nodes that are in the same subnet are all down, the egress will no longer work, regardless of where the traffic comes from.
B
So it's a very typical scenario that on cloud the whole cluster stays in different subnets and each subnet maps to one availability zone, and so, you know, the point of an availability zone is that they provide the support as a unit for availability.
B
So I thought about this requirement and propose one approach to address the limit, which is allowing a secondary egress IP and a secondary external IP pool to be used by an egress, and that means that a user could request one egress IP from one external IP pool and allocate a secondary egress IP from another external IP pool, and each external IP pool is mapped to one availability zone, so people could get the HA support.
B
Even if the whole zone is down, as long as any of the availability zones is up, the egress traffic could still go through the available one, and that could also address the limit of static egress, meaning that I could use two different IPs which are physically assigned to two nodes, and even if I don't use an external IP pool I could get HA support as long as the two nodes are not down at the same time. Yeah, I think the user who reported the issue is fine with the approach. But let's change...
B
I will also create an issue for the proposal and the design of the implementation, and the PRs perhaps, and we also need to do some POC to verify that this approach could work on the above scenarios. Yeah.
B
I think the use case is that in some distros, especially on cloud, it's very typical that the control plane nodes are not showing up as Kubernetes nodes; the control plane components run out of the cluster, and there is no way to select the IPs of the control plane components using existing selectors.
B
For example, you cannot use node selector, because there are no control plane nodes, and you cannot use the pod selector because they are not running as pods, at least not in this cluster itself. So when the user wants to allow control plane components to access this service...
B
Currently the only way is that they must figure out the control plane components' IPs and specify them via IP block in network policies. So this user requests this feature: they want to leverage the Endpoints object to get the IPs of control plane components. For example, typically there is a service named kubernetes in the default namespace, and its corresponding Endpoints holds all control plane IPs.
B
So they propose to have an endpoint selector, and the name and namespace of the Endpoints could be specified as part of the ingress rule, then Antrea will get the IPs in the Endpoints object itself and use them as source IP, and I replied.
B
This is very specific to one use case, because it does not make sense to use endpoint selector for any other use cases. Especially, actually, the Endpoints are meant for the backend of a service, which usually means the destination instead of the source. But anyway, I think the requirement itself makes sense, but I just have no idea what's the best approach to address the requirement.
A
Well, yeah, perhaps do you have any opinion? I see that you have been mentioned several times on this PR, yeah.
D
Yeah, I think I must have missed it a couple of times. I will take a closer look at this, but on top of my head I agree with all the things that Quan said, that this is, you know, for a very specific use case.
D
It might be good to think of, you know, maybe some other API design to solve this use case, because I don't know if the endpoint selector will be very confusing for, you know, other users on what's the difference between this and the toServices that we provide, because they're gonna look exactly the same, and, you know, it's going to be really tough to explain that when you use the toServices we will leverage the AntreaProxy thing, so that, you know, we're actually filtering on something other than IPs, whereas if you're using endpoint selector we're actually filtering on the IP. I think both should essentially do the exact thing.
D
But, you know, as Quan said, for really normal use cases it feels really sort of redundant and confusing to me. So I probably need to think a little bit more on this.
E
There's another problem here: I think in many cases the Endpoints IP for the control plane is actually a load balancer's IP, so that it doesn't work for ingress policy.
E
Traffic... well, for example, in EKS, probably also the case for GKE and AKS, I think the control plane service endpoint size charge with logo, the private link IP engine, because the other IP is different from the source IP here, when the control plane reaches pods.
B
Then it doesn't sound like any issue specific to Antrea. Anything else that implements network policy could have this issue too, right?
E
Using the... there's a project called let hook proxy, could be... Yeah, yeah, yeah, it's called API server connection proxy or something.
E
That requires... with me, I said we were looking into that for EKS. Right, it really assumes you always have connectivity from Japan nodes to pods, I need your posts using public IPL, as my understanding.
B
Okay, then we need more clarification from the user, how it is guaranteed that the traffic from control plane components reaches the service in the cluster, yeah.
E
But I mean, just like for different distros or different managed services, they may have different implementations, so you will see a different source IP here for the traffic. I don't know if I can figure out a way to support all the cases.
B
The next is also for network policy, but for audit logging. Currently we don't have the namespace and the name information of the traffic endpoint; for example, when the traffic comes from a pod or it's destined to a pod, we just log the IP in the audit log, but not the namespace and the name of the IP.
B
So the users, I think there are different people asking for something, maybe they are from 17, they're asking for more information to be added to the audit logging, so that they can meet their requirement.
B
I think Antonin is already following up on this, you commented, and I'm not sure what's your latest thought about this one, whether this is a valid one or it should be addressed by another mechanism like the flow exporter.
F
Well, I think it's a valid question that they ask, right, because it would be useful to have that information in the local audit policy logs. But it's not really possible for us to add that information without changing the current architecture.
F
Right, because we don't really want to have each agent monitor the full set of pods in the cluster to be able to map IP addresses to namespaces and names. I think maybe that would put too much strain on the API server, and also that's kind of duplicate functionality with what we're trying to do in the flow exporter and Theia. But I do understand the point of view that some users may not want to deploy Theia and still be able to have that information in the local policy logs.
F
Maybe we could have a mechanism to have the flow aggregator generate those network policy logs in a similar format. I think that could be a solution, because the flow aggregator should already receive flow records for all the denied connections, for example, and it's already mapping IP addresses to pod namespaces and names. So we could have the flow aggregator be able to write those comprehensive network policy logs to disk, and then they could be collected by the user in a way without having to deploy...
F
Oh sorry, it should not miss more flows than the local audit logs, because both of them rely on the packet-in mechanism from OVS, and in both cases we have meters to rate limit the number of messages we process in the agent, because, as you know, if we have a network policy that drops traffic, otherwise it would be possible to kind of do a DoS attack on the agent, where you keep generating the same kind of UDP packets, for example, and all those UDP packets would hit a network policy rule and be dropped.
F
In Antrea, for dropped connections, I think we can lose the information in both cases.
B
Okay, thank you. The next one, I think it's not what we can support for now. It wants to apply a network policy to the node itself, like some other thing does, I guess, like Calico, but I don't think it's very feasible today, because the traffic from and to the node is not managed by Antrea, unless using the flexible IPAM mode, which means the host network is bridged by Open vSwitch, and it's kind of similar to what the ExternalNode feature does today in managing security for the node itself, so I don't have a good solution for now.
B
Yeah, if anyone has any thought or any suggestion, I think we can discuss here; otherwise I may have to leave this issue open for...
A
I don't know, you know, I think that my personal standpoint here is that Kubernetes network policy should stay away from managing node traffic. That's outside of the scope, but I'm curious that you mentioned that Calico has a solution for this. Can you share briefly how Calico does this?
B
You know, Calico implements their policy, at least in the default mode, using iptables to support the policy, right? So for container traffic it just programs rules in the FORWARD chain, and, of course, for host network policies I think they just create the applicable rules in the INPUT and OUTPUT chains instead of the FORWARD chain. So it's pretty easy for it to implement host network policy.
A
I mean the pods that are running in host network mode, it's not like they have dedicated policies that are only enforced on those pods in host network mode. So for the pod which runs in host network mode and the host networking, the same policies are enforced on both? Is that... yeah, yeah, I...
D
To be honest, I feel very similar to what Quan feels, and this is also something that, you know, when we talked about admin network policy we've been discussing upstream, in Kubernetes upstream, if I remember correctly, because it has been, you know, a year give or take, when we were still discussing the specifics of admin network policy, and if I remember clearly, you know, this was the area where the upstream Kubernetes people said that we don't want to touch this. So, you know, but, you know, given the admin network policies stuff, we weren't even touching north-south traffic. It won't be surprising, but still I...
D
I don't feel like, you know, we have enough use cases maybe to justify... maybe we want to bring this into Antrea network policy. For now, this is my opinion.
E
Actually, I forgot the details, I'm not sure it's the same or not, but I think in the mic diagram by Cody, I think he also had the item for node-level policy. Is that what you remember too?
B
I think it could happen. I don't quite remember that.
E
Oh, it's probably not in GitHub, or I'm not sure, seeing any document he has, or just our, you know, internal discussion.
B
I think using eBPF could also do so, so perhaps Cilium could do that, and I didn't check that, but just thinking about it, I think it's possible because they have the hook to handle ingress traffic and the egress traffic. So.
B
The NetworkPolicy status API in upstream, I think everything is ready, just no resource is allocated for that. Yeah, yeah.
D
I don't know how that fell under our radar. For some reason... Is there anything related to, you know, the status of a policy also merged in the recent releases? Is it on the agent side where, you know, when you were working on some OVS realization statuses as well, that got merged in recent releases? I remember.
D
Yeah, I mean, I would assume the status field was set out to be designed to be more generic than that, but for the upstream case, maybe right now the only error that can pop up which makes sense is that we don't support the endPort, but obviously, you know, we do. So yeah, yeah, you can assign me on this as well, so I'll keep it.
A
Thank you. I remember that this is also one of the other topics where the community will never reach an agreement over the years. So that's why there is no solution as a part of the network policy specification. Is that correct, Young?
A
Okay, thanks, thanks Quan, and we also reached the end of the scheduled meeting time.
A
So before closing this meeting, there is a comment from Jianjun on the chat, as you can read, that it might be about the requirement to support security policies on the node traffic. We can probably, according to Jianjun, try and add a new CRD to differentiate it from network policy for pods. So that's an idea that we can work on. Before we finish today's meeting, is there any other topic that you would like to bring up for discussion?
B
I have one more comment: I recently found that Octant is out of maintenance for a long time, and they haven't upgraded their Kubernetes library dependency, and there's no release, I think, for at least one year, more than one year. I guess that project is not in maintenance anymore. So do we want to move to another visualization project for Traceflow or the other features that we currently have with Octant?
A
I mean, the options are two: either we develop a new UI not based on Octant, or we take over Octant maintenance, and I think that maybe we don't want to take over Octant maintenance and become maintainers for Octant. I don't think we want to do that, right?
A
Yeah, I completely agree with you that this is something that was actually, I believe, known for a few months already. So we need to take action on this front, but I also believe that we probably need to get the feedback from the developers that have more experience with working on the front end.
E
But do you guys have any candidate solutions to replace Octant? Do you want...
A
Yeah, I'm definitely the last person in the world that can make any sort of comment really on UI; I'm completely ignorant on this front. So let's bring it up as a topic for the next community meeting.
A
Cool, and anything else for today?
A
Three, two, one, zero, so it appears that it's all for today, so thanks everyone for attending. Again, happy New Year. The next community meeting should be on January the 17th, which is before the Chinese Spring Festival vacation, so it should be okay, but the one after, which is on January the 31st, I think technically this is a working day in China, but I know that many folks in China tend to take two weeks off around the New Year's Day.
A
So I don't know if we want to move that meeting into the first week of February or whether we want to still keep it on January 31st. I mean, we can also discuss this on the Antrea community channel, just food for thought.
A
Okay, that sounds good, and the only thing left for me is to wish everyone a good evening, a good day or a good afternoon, and talk to you in the next community meeting.