From YouTube: Antrea Community Meeting 03/01/2021
Description
Antrea Community Meeting, March 1st 2021
A
A
A
The topics are, and not necessarily in this order, kube-proxy removal design for Linux, and which hang and hon liang will introduce this design. Then we have a demo about the flow aggregator and this demo will be given by srikar and eo.
A
We don't have a strict order and therefore I would like to ask you whether zurich neo would like to go first or whether, instead, you want to first discuss the design of the kube-proxy removal. If you don't have any preference I'll pick a random one. I'll wait 10 seconds to express if you have any preference.
A
Sounds good, so I will say: let's keep the demo, which is usually lighter and nicer, to the end, and let's start with the reviewing the design proposal for the removal of the kube-proxy.
C
D
D
D
D
D
E
Sorry to disrupt, I know you haven't attended that you will rearrange the job order off for components in Antrea agent, right, because they rely on the availability, but could Antrea controller depend on the Antrea agent service ability as well?
E
E
Mean I mean you have an item that it says components in Antrea agent will be they'll start their bus drop order will be rearranged, right, so that other services, other modules that rely on AntreaProxy will start after that. I mean, could this apply to Antrea controller too, because Antrea controller can rely on Antrea agents to provide this service access so that it doesn't have to connect to the API server using the using the iphs.
E
E
I think Antrea agent doesn't really doesn't, especially AntreaProxy doesn't rely on the net policy connection to start, right, so Antrea controller is not running, AntreaProxy, it can still start.
D
D
E
D
D
What we expected is that service traffic can bypass kube-proxy and be routed directly to OVS pipeline. Okay, next. Firstly, we use ipset to match the cluster IP address, protocol and port. The maximum time complexity is over. Since we use an ipset with a hashtag in kube-proxy. Once a cluster IP is created, the related items will be appended to iptables and its matching time complexity is all.
D
D
We add an ip rule to make the traffic marked 0xf2 go to a specific routing table named Antrea that we added. The routing table of Antrea has only one default, unlinked route which forwards all traffic to antrea-gw0. The traffic will be processed by OVS pipeline later. Note that uos in OVS pipeline table 20. We also need to add a flow in response to the russell ips ARP request.
D
In summary, we can see that first, the traffic is marked in mangle table. Second, with an ip rule, the traffic will be routed in a specific routing table, not the default routing table. Third, the specific routing table has only one special default route. The traffic is routed to antrea-gw0 by this route item. Fourth, the packets are masqueraded in that table with antrea-gw0.
D
D
D
E
Could you go back to the the iptables and ip rule.
E
E
Could you go back to the iptables and ip route rule configuration part, so do it do not help?
I
I think yeah? Yes, yes, well, were there were the packages being added in the host network.
E
E
I I think this is from localhost and not from remote host, right. This is not for NodePort traffic. Sure.
E
Yeah, but this this is, this is doing SNAT, right. Yes, I just mean that the source IP is already this host IP, right, and needs to be masqueraded.
G
E
D
I think I think the song, I think it doesn't matter what the source IP address is, because what whatever it is it is, it will be masqueraded with the antrea-gw0 IP address.
H
Yeah holidays agree, so I I think means if the endpoint is is on a host network. So the endpoint IP is the node IP.
H
So if we do not do the masquerade on the request, the reply, the the reply packet for the ripple effect, the packet will be forwarded to the to the client directly and the source option will not be the service IP.
E
It may be. My real question is how this source IP is selected when it starts the when, when the host access the cluster IP service, why it's always this node IP, not the gateway IP? I think that that's I want to figure out. Maybe it's determined by the route table, or maybe it's.
D
I think I didn't, I didn't have a test about the butter. I think, if the destination is the service IP address, I think the host will choose IP address from from the internet, not the antrea-gw0, but I didn't have a tester to.
H
Okay, yeah. I have some experience on the Windows node, so for the Windows, if we don't buy the source IP for for our request, the source IP will be chosen to follow follower RFC. There is RFC for the Windows; basically it will, it will choose source ft for, according to the rule, table.
E
H
Right, for the Windows, we will find the the nearest the nearest neighbor neighbor of are most match the route table already rule and, for example, if the, if the that's IP match the default rule deposit, a rule, I think it will choose the node IP and the source id.
E
E
C
I have one question: if we either what is iptables source and I'm users do we do we have to stop kube-proxy or even could build this running until process still intercepts the the traffic the host to service traffic and the load points on the low project.
C
Yeah, I I mean once we add this like tables and ip's, also rules. If we don't stop, could we probably say what will happen?
D
Proxy first, I I first repeat your question. I think you want to question that if we stop for the entry proxy.
C
D
And it doesn't matter because, with you, the insert of we use the insert accent before the kube-proxy item kube-proxy iptables items and it won't, it won't be heated could be probably could items.
E
D
C
Probably we don't need to disappear, but I wonder if we start to add more and more iptables rules.
C
Would that be the, you know, approach we want to go for the long run, or should we still try to put more forwarding logic into Open vSwitch?
C
For example, is s night singer she will try to enhance our prevalent hundreds in open research.
C
C
And how could we declare, we are Open vSwitch based.
C
I think in your case, definitely if you want, we can do doing Open vSwitch for snap, but we just need to handle the limitation that you cannot do 19 twice in Open vSwitch. I think, anyway, is looking at some solution for Windows. Maybe we should consider together again. I I I didn't release things through for that, since I saw more and more different table rules reading I started wondering: should we continue that out or we should do, we should reconsider to put more logic into Open vSwitch.
D
E
I think, ideally, the source IP should be the gateway IP directly, right.
C
I know people typically don't do it, but if they are actually ban live here, I I I think it will be using the loadout with the source type.
E
C
C
I think we talk about is that I'm still thinking could the tc be simpler to redirect traffic, I mean we don't need to add any results, but we if we have a way to redirect traffic directly from the node IP to the to the Open vSwitch interface.
C
Yeah, but probably I I can also do science parents and we can talk more. I don't really tried anything yet so I'm.
C
C
Tc, actually is a low level things like more like layer 2 level. So, according to recap, on the s3 protocol, let's release all.
C
A
D
A
It appears that you know there is a quite a lot of discussions going on here, especially regarding this conversation that we had on this recipe and I'm sure that the conversation will continue, probably on GitHub, if necessary. If needed, we can also bring it up in the next office hours meeting, so I'm sure there will be much full of apps to this design. So thanks a lot for sharing it online and we change and, and if there is no other point on this, I think we can move to the next topic on the agenda.
A
Just wait, 10 seconds 15 seconds to verify that we are good on this front.
A
All right, so I think that it's now time for the flow aggregator demo, so I don't know what's going to present, if sirica eo of both of you, so please go ahead.
B
Yeah, I I'll you will be presenting the demo I'll just introduce give a bit of context. So, a few months back, we have demoed flow exporter, which runs which connects from every node of every node in Antrea cluster to external flow collector. So we developed a flow aggregator, which is which is a which runs as a deployment in the Antrea cluster. All the nodes stop to flow aggregator and we do correlation and aggregation and then send it to external flow collector.
B
So if young wing and you had worked on the demo I'll give the stage to them.
J
J
So we have added a new Kubernetes service which is called flow aggregator and all the flow exporter as each agent connects to the flow aggregator and send flow records to it, and the flow aggregator will do a combination and fill out some missing information, also add some status statistics into the final aggregate flow records, and then flow aggregator will send the aggregate IPFIX records to our external flow collector to a further more fluid of flow visualization using the ELK flow collector.
J
J
The first part of the aggregator is called is called a collecting process which is used to collect the flow records come from the flow exporter. Then the intermediate process will combine these flow records, fill out some missing, coordinate, infos and also add some statistic calculation into the aggregate flow records and then using the exporting process to send all the aggregate flow records to the external IPFIX flow collector.
J
Also, some new diagrams and dashboards are added into Kibana, which will be shown in the demo soon. Nice, yeah you, you will give a show of the demo setup and also the configuration file.
F
G
Yeah, now I will demo the flow aggregator and its visualization. Here is a setup for the demo. In the configuration file, we enabled flow exporter in Antrea agent and specify the external flow collector in the flow aggregator. TLS in the flow aggregator and in the Antrea agent and for aggregator are enabled by default, and we we use iperf to simulate the Pod-to-Pod and Pod-to-Service traffic, as shown in this diagram. This is our demo setup for the IPv4 cluster.
G
A
Yeah sorry, quick question regarding, it's a very stupid question of me: client, two one. There are three of them. Are there three pods on server two or they are running on the nodes, because.
G
A
G
Yeah, thank you, and the server is actually a service to expose the iperf server port. So later in the visualization, you will see server 1-1 in both Pod-to-Pod and Pod-to-Service traffic.
G
I also applied three ingress network policies and three egress egress network policies to the client server ending with one, so server dash 1-1, 2-1, 3-1 will have ingress and client 1-1, 2-1 and 3-1 will have the egress network policies, and we have a simplified IPv6 setup. I will show you later, yeah. Let's move to the.
G
G
So before we have the Sankey diagram to add some line graphs to show how to power flows, for example, I can filter the flow by the destination full name. If I want to use the server 3-1 and it will show the traffic that have server 3-1 as a destination Pod, and it's worthwhile to mention that in the past we cannot resolve the remote destination information, unlike destination Pod name and namespace, but with integration with flow aggregator, the destination information can be filled.
G
So, for example, for this web server 1-1 there are five clients sending traffic both internal and internal. We all have the destination information.
G
G
So there are four graphs we newly added. They are grouped by this Pod-to-Pod flow key. So the last two graphs show the throughput and reverse throughput of each flow, and the right part is the cumulative bandwidth for this to port flow. For example, if I say this, let me choose one of this orange flow. You can see that it's very stable, has a very stable throughput, and the corresponding cumulative bandwidth will show a smooth growth.
G
G
In the note, 2 super dashboard first, the flow diagrams are showing the showings in a straightforward way, the traffic between the nodes or internal, and it also has a line line graph to show the aggregated node throughput over time.
G
We introduced the heat map here to visualize the aggregated, total ingress and the egress throughput, which is helpful for user to identify like which node will take a lion's share of the bandwidth, as shown here on this node anyways. Two three zero share, a lion majority of the traffic and the rest of the the rest of the nodes are basically having the similar traffic here, as you can see from the darkness of the color.
G
The next network policy in this Sankey diagram you can see there are different colors of this flow. The the flows are grouped by network policy here so for these yellow ones you can, if you hover over, it will say that the ingress policy is mp1-1 and all of them are mp1-1, and this brown one will will be the 1-2 instead, so they are color-coded and I can filter the ingress and egress network policy by its name and namespace. If I only want to know the 1-1 network policy, it will fill out.
G
G
Yeah, that is basically a network policy. What to what we need to mention here that we only support network policy that will allow the traffic. The dropped and denied connections are planned to be realized with pacting in the future. That is IPv4 cluster. We currently also support the IPv6 single stack.
G
A
J
Yeah, thanks for the question, yeah. Currently we found that in the dual stack cluster, the flow exporter is failing to retrieve the service community service information. So we are still debugging on this, so we mark it as working on items right now.
J
F
A
quick question on this: I know you have mentioned that, you know, the deny action support has not been yet realized for for the flow aggregator, so for for the network policy that actually has allowed rules, does this work right now for both the Kubernetes network policies and the Antrea native policies already?
B
B
And I just want to add that we plan to enhance the network policy information with the rule name and which, with with granular information about network policy. Currently we can we can. We are planning to enhance that part.
B
F
Yeah, that's gonna be really nice, yeah, and also I wanted to try to understand like since, if we wanted to support some sort of like visibility for for the denial rules, how would those like actually show up on on these Sankey diagrams, because for the deny traffic there won't be any sort of like load generated, right, so like it would be. Would it be like a like a very, very thin line in terms of, you know, how how the traffic looks, or are we thinking something else here.
A
A
All right, I believe that it's all for this demo, so many thanks to you and yumming for presenting it that have been extremely interesting and we are now in open, disc, open discussion and.
A
Anything else that we would like to bring for open.
A
A
All right, it appears then, that we are at the end of the meeting. I would like to thank you. Thank you again, today's contributor contributors, and I think we can stop the recording here and we'll meet again in two weeks time. I just want to also give you a reminder that we now on Tuesdays at 2 p.m. Pacific time we have an Antrea open office, sorry office hours, meeting where you can attend to either ask or answer any sort of questions that community members might have about Antrea.