►
From YouTube: Antrea Community Meeting 02/14/2022
Description
Antrea Community Meeting, February 14th 2022
A
So
good
morning,
good
afternoon
or
good
evening,
this
is
the
andrea
community
meeting
and
we
are
back
after
a
break
for
the
spring
festival,
and
so
thanks
for
joining
again
the
meeting
and
for
today
we
have
a
presentation
from
bin
and
rojan
regarding
a
multicast
policy
enforcement.
A
So
without,
let's
not
I
mean,
let's
go
straight
to
this
presentation,
so
yeah
I
will
be
in
russian.
I
don't
know
who's
going
to
present,
but
the
floor
is
yours.
Please
go
ahead.
B
Yes,
we
can
okay.
So
far,
entry
has
implant
even
implemented
multicast
traffic,
but
there
is
no
network
policy
for
multicast,
so
all
packages
will
be
passed
for
the
further
part
for
security.
Consideration
reason:
it
is
better
to
support
multicast
network
policy.
B
Here
is
the
pipeline,
and
I
proposed
our
first
review
how
lmp
table
to
deal
with
ldmp,
query
and
idmp
report
and
later
it
will
deal
with
multicast
egress,
and
then
it
builds
multicast
traffic
and
the
multicast
ingress
for
the
rdmp
table.
We
will
define
rules
to
block
fgmp,
query
and
also
rdmp
report
to
specific
specific
pod
and
yeah,
and
for
the
egress
we
multi-class
egress.
B
We
will
different
rules
to
block
or
allow
the
rules
of
the
traffic
come
out
from
specific
port
and
for
the
ingress
we
will
defend
rule
to
allow
or
drop
the
traffic
to
the
specific
part.
Here.
Is
this
ready?
I
want
to
reuse
the
existing
defined
for
in
smp,
but
extend
with
two
members
in
the
rule.
Here
is
the
multicast
address.
That
means
the
members
to
store
the
multi-class
address.
B
B
Well,
there
is
a
part
to
be
deleted
and
reading
that
will
remove
the
part
from
the
rmb
query
group
and
then,
if
there
is
a
rule
to
block
admp
query
to
specific
part,
for
example,
if
we
use
pod
selector,
which
matches
f
is
f1
and
then
entry
element
will
check
the
metapod
and
and
at
the
same
time
a
trade
interview
also
maintain
a
list
that
the
port
is
using,
which
bucket
in
the
group,
then
we
will
update
the
bucket,
for
example,
for
the
part
which
matches
this
label
will
give
you.
B
We
checked
that
the
body
is
using
the
bucket
advance
and
we
will
add,
drop
actions
on
pakistan
and
then,
if
the
rule
for
to
block
the
smp
query
deleted,
then
we
will
reset
the
ignp
ldmp
rule
to
the
original
one
yeah.
This
is
for
the
identical
query
to
to
block
this
is
the
rule
to
block
idm
bigquery.
B
B
If
it's
from
the
desired
app
address,
then
we
will
check
if
it's
from
the
pod
and
if,
yes,
we
will
submit
this
packet
to
controller
and
then
the
package,
the
agent
and
the
agent
will
check
if
the
package
should
be
blocked
in
in
this
condition,
entry
agent
will
send
view.
We
will
define
a
query
api
to
for
event
to
check
if
the
package
should
be
dropped.
B
If,
yes,
I
trade
interview
not
adds
a
part
to
the
multicast
address
group
and
it
will
have
some
calc.
It
will
calculate
the
packet
dropped
by
this
rule.
If,
yes,
if
it
should
not
be
blocked,
then
an
agent
will
add
a
part
to
the
multicast
group.
B
And
the
for
the
the
last
feature
is
that
to
limit
the
specific
part,
to
send
multi
custom
to
specific
multicast
api
addresses,
which
means
that
we
should
block
the
you
know
from
both
the
source
and
the
destination
and
for
the
ingress.
We
will
check
the
matched
part
and
then
on
the
node.
We
will
defend
several
rules
to
block
the
traffic
multicast
traffic
that
that
comes
in
the
metric
port.
First,
we
will
defend
rule
to,
for
example,
if
we
want
to
block
the
multicast
traffic
from
this
app
address
and
to
225.1.2.3.
B
B
Sorry,
hi,
okay,
I
will
continue
yeah
go
and
then
in
this
table
we
can
also
calculate
the
number
of
packets
dropped
by
the
by
this
rule
and
for
multicast
egress.
It
is,
I
think,
nearly
the
same
we
will
define,
we
will
define
the
rule
on
the
node
that
runs
the
source
pod
and
we
will
also
check
the
source
app
address
and
also
destination
api
address,
and
also.
B
A
C
I
do
have
a
quick
question
or
comment
on
the
api
design
for
this,
because
I
know
that
you
know
on
on
the
api.
You
said
this
is
add.
There
are
some
fuse
added
to
the
acmp
or
amp
ingress
or
us
rules,
but
the
way
I
see
it,
I'm
not
sure
like
if
the
rule
would
make
sense.
C
If,
in
a
single
rule,
there
is
actually
a
normal
peer
and
a
multi-cloud
multicast
appear
at
the
same
time,
but
it
actually
makes
sense
and
if
not,
then
maybe
we
could
consider
doing
something
different
here,
for
example,
adding
a
new
type
of
rule,
which
is
ingress,
multicast
rules
or
egrasmatic
class
rules.
Just
to
you
know,
differentiate
them
from
the
current
rules
so
that
we
have
clear
structure
on
how
things
are
gonna
be
enforced.
I
I'm
not
sure
if
I'm
experi
expressing
myself
clearly
here
or
at
least
have
we
actually
considered
this
alternative.
B
D
E
B
B
B
B
D
And
also
for
igmp,
I
probably
need
to
understand
better
if
we
really
want
to
differentiate
rgmp,
I
kind
of
feel
I'm
just
thinking
about.
Should
we
just
use
a
generic
mechanism.
For
example,
we
can
add
a
new
field
for
ip
protocol
and
then,
if
you
want
to
allow
this
on
igmp,
you
can
put
the
protocol
value
2
right.
B
F
So
if
we
we,
we
try
best
to
reuse
the
existing
fields.
So
I
think
if
we
can
do
that,
we
don't
need
to
introduce
a
new
tab,
multi
tab
for
the
rule
right
young.
How
do
you
think.
C
I
mean
this
is
a
little
bit
of
a
personal
preference,
but
from
my
involvement
with
the
you
know,
upstream
kubernetes,
upstream
discussions
on
resources
and
stuff,
it
seems
that
in
most
cases,
if
we
really
really
wanted
a
new
resource,
that's
essentially
built
only
for
a
multicast
type
of
policy
enforcement.
C
Then
usually
what
the
community
would
suggest
is
that
we
sort
of
like
sketch
scratch
out
an
entirely
new
api,
which
is
simply
focused
on
multicast
support,
so
that
we
don't
have
to
reuse
any
sort
of
like
ingress
and
egress
rules
and
add
really
weird
fields
like
it
is
igmp
in
there,
because
you
know
it
it's
it's
a
feud
that
doesn't
really
make
sense
if
you're
defining
a
regular
acmp
and
it's
sitting
there,
so
it
kind
of
like
makes
defining
other
ac
mps
a
little
bit
harder
or
or
it's
not
at
least
it
makes
the
work
done
in
you
know,
validation
web
hooks
a
little
bit
harder,
because
now
you
have
to
invalidate
a
lot
of
illegal
combinations
of
applying
a
couple
of
fields.
C
So
in
that,
in
my
opinion,
it
will
be.
You
know
better
off
to
separate
this
intent
as
as
as
best
as
we
can
so
that
you
know
the
acmp
will
stay
as
is
or
or
we
can
added
some.
You
know
new,
maybe
rule
sets
in
the
is
in
the
acmp,
but
not
to
reuse
the
current
ingress
and
rules.
But
that's
just
my
personal
preference.
A
Young
one
one
question
on
your
comment:
not
clear
to
me:
if
you're
advocating
for
adding
a
different
kind
for
multicast
policies
or
a
different
section
in
entry
and
network
policies,.
C
A
I
understand
I,
I
understand
yeah,
it's
better
to
be
clear
because
yes,
so,
basically
airing
a
completely
different
type
of
object
for
multicast
network
policies.
Is
there
any
case
where
this
could
be
a
bad
user
experience?
Because
I'm
just
talking
thinking
aloud
here,
because
there
could
be
a
policy,
a
security
configuration
which
we
normally
could
express
with
a
single
policy,
but
now
requires
us
to
create
two
different
objects:
yeah.
C
That's
true
that
that's
a
that's
a
valid,
that's
a
really
valid
concern,
but
I
mean
in
that
case
something
like
you
know:
you
have
a
you,
have
a
single
applied
to
and
some
egress
rules
and
some
multi-class
multicast
egress
rules.
You
know
something
like
that
would
would
would
be
a
little
bit
clearer,
but.
A
A
Let's
say
the
types
of
traffic
sent
by
an
application
are
completely
distinct
between
unicust
and
multicast
traffic
right.
So
it's
typically
like
like
the
same
the
same
application
it
probably
if
it
sends
it
needs
a
configuration
for
multicast
traffic
and
then
another
configuration
for
unicast
traffic,
so
it
might
actually
make
sense
to
have
them
into
into
distinct
objects.
A
In
any
case,
I
tend
to
agree
with
your
statement
young
that
it
might
be
easier
to
define
such
this
policy
in
a
new
object,
and
it
will
also
require
less,
I
can
say,
less
special
casing
for
anthria
network
policies,
because
we
don't
have
to
worry
about
flags
and
invite
combination
of
invalid
attributes
and
so
on.
A
And
so
there
are
comments
on
the
chat,
so
first
wiki
is
correctly
suggesting
that
we
need
to
open
up
these
for
public
review,
so
the
contents
that
has
been
reported
here
should
be
available
on
the
entry
github
for
allowing
the
whole
community
to
review,
and
then
there
is
also
a
common,
a
comment
from
zhenjun.
He
would
like
to
consider
something
where
you
have
action
deny
protocol
igmp
and
so
that
later
we
can
support
more
protocols
as
well
so
ginger.
So
basically,
you
are
suggesting
to
consider
igmp
another
protocol
in
entry
network
policies.
A
D
Yeah,
I
just
want
to
explain
my
previous
comments
with
this
example.
If
we
are
the
more
generic
way
to
define
protocols-
and
it
can
be
like
something
like
this-
you
have
a
political
field-
individual
that
can
be
igmp
and
later
it
can
be
icmp
and
other
parts
of
support.
C
It
already
has,
I
mean
we
already
have
a
product
called
field
which
can
take
ccp,
udp
or
icmp
right.
So
I
I
I
didn't
know
that
why
we
would
have
to
need
a
sigmp
flag
here.
I
didn't
know
the
context,
so
if,
if
we
can
integrate
this
igmp
protocol
into
the
product
called
field,
that
will
be
the
best
case
scenario.
In
my
mind,.
D
Bing,
maybe
you
can
clarify,
I
think
you
can.
We
want
to
see.
For
example,
we
allow
multicast
for
the
we
block
lgp.
That's
my
idea.
E
Actually,
I
think
the
requirement
is
that
so
the
user
might
configure
the
np
network
policy
to
drop
some
hmp
package
from
the
specified
port.
All
so
I
mean
that's,
maybe
we
don't
drop
all
ignp
packets,
but
only
the
lgmp
reports
from
one
two
three
of
pulse,
but
we
could
allow
the
agmp
report
from
the
port
four
five.
First,
one.
B
So,
for
example,
the
customer
are
using
it
for,
for
the
tv
show,
only
the
paid
customers
can
we
can
access
some
resources,
then
maybe
they
can
define
some
multicultural
address
that
only
specific
users
or
maybe
ap
addresses
can
access.
This
multicast
can
join
this
multicast
address
and
receive
the
tv
shows
from
the
sender,
or
maybe
this
is
a
star.
F
Being
on
the
team,
I
think,
maybe
offline,
we
can
discuss
about
the
the
requirement
whether
it
makes
sense
to
the
multicast
use
case.
So
I
think
it
should
be
a
action
item
to
be
in
to
get
something
clarified,
especially
about
the
requirement,
but
in
general
I
actually
agree
with
tianjin.
I
think
if
we
can't
do
something
generic
in
a
generic
generic
way,
we
do
need
to
introduce
those
specific
fields.
Otherwise,
maybe
we
have
to
yeah.
We
extend
our
entire
network
policy,
but
we
just
unnecessary.
F
A
Thanks
vicky
yeah,
the
only
other
question
that
I
have
is
that
more
from
an
operational
perspective
like
now,
do
you
have
do
we
have?
Do
you
have
a
a
poc
for
lisa?
Do
you
have
a
working
implementation
just
want
to
figure
out.
You
know
once
this
is
reviewed
by
the
andrea
community?
B
A
Okay,
and
so
ideally,
if
this
is
a
put
for
review-
let's
say
publicly,
then
this
could
be
a
target
for
andrea,
1.7
or
1.8.
What
do
you
think
might
be
the
most
suitable
target.
A
I
was
actually
simply
asking
whether
you
think
this
is
more
an
item
for
on
3i
that
we
can
target
on
301.7
or
that
you
would
like.
Instead,
you
think
it
might
need
more
time
and
therefore
should
be
targeted
for
entry
at
1.8.
F
Yeah,
I
think
the
the
first
thing
is
to
finalize
the
api
the
only
way
to
analyze
api.
Then
we
can
maybe
discuss
the
implementation
based
on
that.
So
I
think
yeah
you
can
move
the
design
document
to
the
github
or
google
or
google
docs
and
share
with
the
community
for
more
discussion.
Then
I
think
at
least
in
entry
1.6.
Let's
finalize
the
api
design.
H
H
And
we
have
two
sections
for
the
multicast
matrix
requirements
and
one
for
parts,
states
and
another
is
what
multicast
group
stands
so
and
and
so
to
show
both
of
the
stats
I
need
to.
I
will
introduce
two
cuddle
commands.
H
The
first
one
is
get
multicast
stats
that
shows
multicast,
that's
in
part
view
and
basically
it
this
command
will
implement
these
four
requirements.
That
is
multicast
package
drop
by
transmitted
by
poi
interface
multicast.
I
can
draw
a
job
by
received
by
the
file
interface
here
here.
The
chest
meet
and
receive
means
ingress
and
egress,
and
also
igmp
package,
discarding
asset
accepted,
and
then
all
of
these
requirements
are
also
shown
by
different
multi
different
network
policies.
H
So
in
the
in
the
json
view,
you
can
see
that
for
each
network
policy
we
also
show
the
stats
here
and
also.
This
is
the
aggregate
aggregate
steps
for
one
part,
and
we
also
have
another
kokado
command
called
multicast
group
called
members
in
this
command.
H
We
show
the
mappings
between
multicast
group
and
the
multicast
parts
in
the
whole
cluster,
so
we
also
have.
We
also
have
these
two
requirements
that
that's
we
don't.
We
don't
need
to
expose
these
stats
in
the
in
the
cluster.
While
we
only
need
to
show
these
two
in
the
per
node,
so
I
will
introduce
another
command
called
multicast.
That's
that
that
shows
the
inbound
and
outbound
stats
for
both
these
inbound
and
r1
multicast
sets
for
that
part.
H
Okay,
that's
the
that's
the
apis!
I
want
to
basically
want
to
implement
so
here
next.
I
will
talk
this
apis
in
detail.
H
So
so
there
is
there's
a
network
policy
reference
here
and
also,
although
these
fields,
I
think
they
are
self-explanatory
for
for
their
network
policy
and
also,
I
will
add,
a
field
called
group
join
this,
and
this
list
is
a
group
of
multicast
ip
address
that
the
pod
join,
and
this
view
is
later
used
by
that
command.
H
H
Also,
so
how
do
we
get
this
stats.
H
Sorry,
there's
something
wrong
with
stuff.
H
Okay,
I
will
so
there's
some.
There
are
some
stats
at
the
final
instruct.
Also
I
need
to
wait
to
I
need
to
describe.
How
can
I
get
this
stats
and
the
ignp
allowed
an
idip
job?
H
H
So
when
when,
when
we
are
processing
ignp
republic
doing
packing,
we
can
create
some
data
structure
to
store
the
stats,
while
processing
ignp
report
message
and
also
a
function
that
created
by
b,
is
that
I
can
create.
By
being
that,
I
can
use
to
query
if
that
is
that
ignp
report
message
will
be
allowed
or
dropped.
H
So
so,
after
this,
after
after
the
process
I
described
the
step
of
the
ign
loud
and
ngmp,
jobs
will
can
be
up
can
be
obtained
by
the
h8
engine
and
also
we
have.
We
need
to
collect
inbound
job
in
our
bank
jobs
along
with
inbound
and
album
in
the
multicast
stats.
This
stats
will
be
created
by
passing
the
passing
the
flows
I
added
in
the
in
the
pipeline.
H
So
you
can
see
in
this
flow.
The
network
test
is
for
each
part
in
that
entry
in
in
download
and
create
a
network
test
to
match,
match
it.
H
So
so
after
so
when,
whenever
when
the
multicast
traffic
goes
through,
this
apply,
the
the
traffic
will
go,
will
go
to
go
to
this
network
policy
first
and
and
resubmit
to
the
table.
Multicast
egress
per
par
metric
I
described
and
so
prepared
stats
where
we
collect
based
on
passing,
passing
the
flows.
H
I
I
ended
here
so
after
after
getting
this
stats
in
the
h
engine,
the
this
desk
will
report
to
and
entry
controller
and
aggregate
them.
Finally,
we
define
the
public
apis
for
display
these
stats
through
group
cuddle
and
the
api
group.
I
think
it
will
be
stats
and
tree.
G
H
And
these
are
the
api
endpoints
also,
I
was
considering
commitments,
integration
and
I
have
checked
the
discussion
in
this
thread
and
I
think
committees
is
not
suitable
for
this
kind
of
stats,
so
I
will
not
plan
to
integrate
it
and
that's
that's
the
end
of
my
presentation.
G
G
Because
I
think,
as
it
is
right
now
it
it
makes
sense
because
bin
was
proposing
to
introduce
dedicated
fields
for
multicast
addresses
and
and
igmp
switch
in
the
network
policy
type.
But
if
we
converge
to
something
more
generic,
I
think
we
also
need
something
more
generic
here,
mostly
referring
to
the
part
tied
to
stats
for
multicast
network
policies.
A
That's
correct,
so
we
can
say
that
perhaps
we
want
to
have
first
conversation
about
the
apis
for
multicast
network
policies
and
then
following
the
outcome
of
that
conversation,
the
apis
for
multiple
statistics
will
be
determined.
A
Okay,
it
seems
that
it's
all
in
terms
of
community
questions
for
today.
So
thanks
a
lot
bin
and
lua
chen
for
doing
this
presentation,
we
look
forward
to
seeing
a
specification,
a
proposal
for
multicast
network
policies
on
github
so
that
we
can
finalize
the
api
design
and
proceed
with
the
implementation.
A
A
That's
right,
that
is
right.
We
have
13
minutes
left.
Actually
sorry,
I
you
know
now,
I'm
amused
that
meetings
are
50
minutes
long
to
give
time
for
to
people
to
move
to
the
next
meeting,
but
I
didn't.
I
did
forget
that
the
entry
committee
meeting
is
actually
an
hour
long
scheduled
for
an
hour
so
yeah.
We
have
plenty
of
time
to
discuss
new
topics.
So
if
you
have
anything
to
propose
I'll
wait
for
a
few
seconds
before
closing
the
call.
G
Well,
I
just
wanted
to
make
a
quick
announcement
that
the
the
old
entry
apis,
which
date
back
to
before
the
1.4
release,
have
been
like
officially
removed
and
they
won't
be
present
starting
in
1
1.6.
G
So
those
are
the
apis
ending
in.
I
think
it
was
tenzu.vmware.com
and
we
replace
those
apis
by
entry,
dot,
io,
apis
and
so
yeah.
We
no
longer
serve
the
previous
apis
starting
now,
and
we're
able
to
remove
all
the
mirroring
code
that
was
taking
care
of
mirroring
old
api
resources
to
new
api
resources
for
backwards
compatibility.
G
So
we've
been
supporting
the
old
apis
for
about
a
year
now.
So,
as
per
the
deprecation
policy,
we
can
remove
them.
A
Thanks
antonin
and
for
community
for
developers
of
the
entry
community,
this
simply
means
that
in
case
they
are
still
using
these
apis.
Maybe
they
will
realize
that
the
prs
would
the
code
in
the
ps
will
stop
compiling
right,
so
they
just
need
to
rebase
and
update
their
code.
G
Yeah,
that's
also
a
big
change
for
users
right,
but
that's
why
we
supported
the
old
apis
for
a
year.
G
G
E
A
All
right,
so
it's
all
for
today
thanks
everyone
for
attending,
and
I
wish
the
community
a
good
evening
or
good
night
up
here.
If
you
are
the
united
states
a
good
day
or
a
good
afternoon.
So
thanks
for
joining
again
and
talk
to
you
in
tweaks
time,.