From YouTube: Antrea Community Meeting 04/12/2021
Description
Antrea Community Meeting, April 12th 2021
A
So good morning, good afternoon and good evening, and welcome to this session of the Antrea community meeting. Today is Tuesday, April 13th, or, if you live on the western side of the Atlantic, that will still be Monday, April the 12th for you. But in any case, let's get started, as we were just guessing before.
A
We don't have any topic in the agenda for today. But I would just like to take a minute to celebrate reaching the milestone of the Antrea 1.0 release, and, you know, give my congratulations to the whole team for this milestone.
A
Once this silent celebration has been completed, let's go ahead with the agenda for today. So, as we said, we don't have any topic which has been booked for discussion for today. Is there anything that you would like to bring up?
C
Yeah, actually I was about homeworld samsung's china brought up, but I was thinking, if there is no other topic, maybe today we can talk about some ideas too.
A
No, I don't have any for today. I know that Anna and Kobe are finalizing the design for flexible IPAM and they would like to discuss it as well in the next meeting occurrence. You know, that could either be the next community meeting or, if there are more open questions, that will be done in the next office hours meeting, but still, there is something for the next meeting, not for this one. And Anton?
B
Nothing really comes to mind. I guess if I were to bring up one thing, it's that, as I was preparing the 1.0 release, I realized that there is an issue in previous releases where, if you enable Antrea-native policies on a cluster which has Windows nodes, the agent is going to crash on all the Windows nodes and is not going to be able to start, and that was because of an issue in the implementation of the logging feature, the policy logging feature.
B
So that has been solved in 1.0, but I'm thinking probably we should try to backport that patch, at least to 0.13, and release 0.13.2, just in case somebody is using it on Windows and enables native policies.
A
And what we can add there, I mean, since we have plenty of time to leverage, I can probably give a little update on what is going on with the Antrea OpenShift certification.
A
There is also another part about having to support KubeVirt, which is a solution that I believe Red Hat is the only one that uses, that supports, which is basically pretty much running virtual machines in a Kubernetes control plane. I mean, you might argue that VMware has similar solutions, obviously, but in that case that would be a slightly different architecture based on ESX.
A
In that case, it's just like a regular Kubernetes control plane where, instead of deploying containers, it deploys VMs. I have inquired a little bit with Red Hat and investigated a little bit myself on how this KubeVirt works, and from the Antrea perspective we should be completely transparent, because, as long as we configure the network namespace, then we don't really care whether a container or a VM is attached to that.
A
The only thing that's a little bit surprising, and I still have to investigate, is that it appears that when we deploy Antrea on OpenShift, for reasons that I still do not understand, the agent is unable to connect to the controller, because it's failing on validating the server certificate, which to me is a little bit strange, because I was thinking that, you know, they're using by default self-signed certificates and therefore maybe not validating the certificate, right?
A
Anyway, this is probably a minor configuration issue that we will look into.
A
I don't see any reason for the OpenShift control plane to be different from the Kubernetes one if we exclude the various operators that are running there, and, as I was saying, it's a little bit less convoluted in the operator certification process, but for the operator, I mean, as you probably have noticed from the announcements or whatever, the Antrea operator is already on the OpenShift certified operator list.
A
This is something which might be good for OpenShift customers, but, let's say from a community perspective, we are going to do the same, adding the Antrea operator also to the OperatorHub, which is, let's say, the entry place for open source.
A
For people who deploy operators from open source: the operators on the OperatorHub are not only consumed by OpenShift users, but are also consumed by any Kubernetes users that would like to manage their solutions via an operator, and this is why there are also some team members that are working on making the Antrea operator generic enough to work not only on OpenShift, but also in any Kubernetes distribution. And that's it.
A
So, thanks for your attention. I mean, let me know if you have any question about, you know, the OpenShift integration, the operator and anything like that.
D
Yes, what was your question about the certificate verification?
A
Basically, we are deploying again Antrea 0.13 with 0.2.2 in OpenShift, and we are getting the agent init container, which is failing because it cannot connect to the controller, because it cannot verify the server certificate, and I mean, I did not review the configuration in detail on this setup, but I am fairly sure that we are using self-signed certificates.
B
And then the controller is in charge of populating that with the CA certificate, and the agent can use that to validate the connection to the Antrea controller, and we've had issues where some distributions have some logic to make sure that important objects don't get deleted by mistake by the user or the administrator or whatever.
B
There is that reconciliation loop, right, which keeps reapplying the manifest in a way, and in that case you were basically overwriting the config map, which was populated by the controller, with the empty config map which was defined in the YAML, so you keep losing that CA certificate and the agents can never see it. Basically. I see, I see. Okay, I'm not saying.
A
No, that's a good point, because if that is the case, it could be the operator itself that has been resetting it to the original state where it's empty. So yes, thanks.
A
Okay, so thanks a lot for this clarification, and that is all about the operator. I mean, we are probably turning this into an office hours meeting, but that's completely okay, I believe. Any other question that you would like to bring up for today?
B
I did have a quick question since you brought up KubeVirt. So you talked about namespaces and the fact that we don't need to do anything. Does that mean that somehow the VMs get access to the networking from the container namespace? Because I'm no expert, but it seems like VM networking would be different from container networking?
A
So basically, what I believe is happening here is that they're pretty much treating the container networking as a, let's say, generic KVM networking use case. If you take as a reference something that they had before, which is called, I think it was called oVirt or something, or even OpenStack itself, the way it works from a networking perspective is very similar to the container one: you create a network namespace, which is not a container network namespace, it is just a regular network namespace, and in that regular network namespace, basically, you create a veth pair, and on one side of the pair there is the VM interface; on the other side of the pair there is, let's say, the side which is on the host namespace, the namespace zero.
A
The difference is that, with KubeVirt, you are not running the kubelet, so you don't have a proper container namespace. So, basically, the only thing that I will need to verify once we run this test is that the Antrea CNI is not going to, you know, access some different paths that don't work with KubeVirt.
A
It seems that there is no special code path for making it work in Kubernetes, which makes me think that, when running KubeVirt, the agent that replaces the kubelet creates containers exactly in the same way.
A
What I don't know honestly, because I didn't review the internal architecture really thoroughly, is whether there is still some shim with the CRI, with the container runtime interface, or whether the container runtime interface is completely replaced by something else. I think it's more the latter, but that part I don't know. So, to summarize, I think that the only thing that might be failing is that maybe some paths for accessing the container namespace might be different.
A
But apart from this, I do not expect any difference, because the logic at the end of the day is that you create a veth pair, decide that it's in the namespace, it gets attached to the VM and the other side gets attached to Open vSwitch.
A
So, are we failing the test currently? Are we not failing? No, we still have to run the test. I mean, it's just that we just started doing this with some colleagues at the end of last week, so, you know, it's very early. I would be first satisfied to, you know, consistently see Antrea coming up in OpenShift, just passing the conformance test, and I think there should not be a problem, and then we'll move on to KubeVirt.
A
Thanks, hopefully it just passes. I don't think, I mean, every time that I say "hopefully" it doesn't happen, but I do think that it should just be a matter of adjusting the namespace paths used by the CNI, or the Antrea agent anyway. So that's all. Anything else that you'd like to chat about?
C
Yeah, I'm thinking, if there is no other topic, how about we talk about the current version of the egress feature in 1.0? For the new improvement, probably we need more time to prepare. I want to talk about this for the current one. Maybe we can get some feedback from everyone here. Sounds good. Yes, this word: what do you think?
C
Okay, hold on. Okay, probably I can give a very high level description of the feature.
C
Yeah, I think it's mostly about actually this section and the feature gates doc. Maybe I can quickly go through and then you can add the things I missed. So, you guys know, egress mainly is about controlling the SNAT IP of the egress traffic from pods to the external network.
C
Before we had this feature, you know, we just do, let's say, SNAT with the node IP for any egress traffic to external, and for the egress feature we use a new CRD. You can see the CRD definition here; here is just the example of the CRD. Actually, I think it's pretty simple.
C
Basically, we have this egress IP field that allows you to choose one SNAT IP for your pods, and you have this appliedTo field that can select which pods to, you know, apply the egress rule to. That basically means that the pods selected by the egress CRD will be using this egress IP as the SNAT IP for egress traffic to the external network, and in this specific example you can see we have a pod selector and a namespace selector, which I think is what we are supporting now, just like a network policy.
C
With this egress, it just means that all the pods with label role equals web, in namespaces with label environment equals prod, will be using this 10.0.10.8 IP.
C
The CRD is pretty simple. For the implementation, actually, what we do is like network policy. We have this controller to compute the span of the egress, based on the appliedTo field. For example, for this one it will be: the egress should be pushed to all the nodes with pods that have the role equals web label, right, and then an agent, once it receives this egress, it knows this is for a local pod.
C
Then it applies the egress rule. I think there can be two cases. In one case, the local node does have this IP configured on the node's interface, and then, in that case, we just configure iptables rules on the node to use this IP for SNAT, and inside Open vSwitch we will mark all the traffic from the pod to the external network with some mark.
C
Actually, we set the packet mark with some ID; we're using an eight-bit ID for every SNAT IP, and then inside Open vSwitch we set the packet mark with the ID for the SNAT IP here, and then, when the packet leaves Open vSwitch and enters the host network stack, iptables has a chance to see the packet and, based on the packet mark, it knows...
C
...which IP should be used for SNAT. For example, we can say for this SNAT IP, if it's on node one, it will allocate one ID for it, like, let's say, maybe ID two or ID 10, and so we have iptables match the packet mark with ID 10, for example, and then apply the SNAT with this 10.0.10.8 IP.
C
This is the first case. In the second case, let's say the SNAT IP actually is on a remote node, it's not on the local node, and in that case, on the source node, we'll just tunnel the packet to the remote node with the SNAT IP configured, and then the packet will be finally SNATed on that remote node with the SNAT IP. But how we tunnel the packet to the remote node, we chose a very simple approach at this moment.
C
Basically, when we do overlay tunnels, we just set the tunnel outer header destination IP to be the SNAT IP, in this case it will be 10.0.10.8, and then, as long as the source node can reach this IP on the remote node, the packet will be tunneled there, and on the remote node, again, after decapsulation, the packet enters the Open vSwitch bridge, right, and we have an Open vSwitch flow to match the tunnel destination IP.
C
It will be this IP in this case, and then again, since that IP is configured on the node, it will have an ID allocated for it, and we just match the tunnel destination IP and then set the packet mark again, now with the ID of the SNAT IP, and then again the packet will be forwarded to the host network stack, then iptables can match the packet mark and know which SNAT IP to use for the traffic.
C
This is how this feature is implemented today, so you can see there are some major limitations here. First one, we don't manage the SNAT IP configuration on the node. That means users must manually configure the IP on the node, and if that node fails for some reason, we don't really have a way to fail over the IP.
C
We will not move the IP to another node, then for the pods they can fail to use that SNAT IP with the egress. Actually, the traffic will be dropped somewhere, because on the source node, when we tunnel to the SNAT IP, the packet can never reach the right destination node with the SNAT IP, and also there is a requirement that the SNAT IP must be configured on a node.
C
Yeah, as we said, I think the reason we chose this approach is just because it's much simpler. If we go this way, actually you don't need to push the SNAT IP to node IP mapping out to every node, and we don't need to discover the IP and report it.
C
If we go that way, we'll probably need to discover the IP from the node, and then every agent should report the mapping to either some CRD or maybe to the controller, so the controller can disseminate the mapping to other nodes, or maybe the agent can watch some CRD; that might be...
C
That can actually, I think, the channels channel. I also think that then you need to reduce the MQ again.
C
Right, I think another reason we chose this approach is just because probably it's relevant to our future improvement, when we want to do automatic IP configuration and then how to fail over when you have a node failure.
C
Basically, in that case, it's like a service load balancer over a VIP; the implementation will be independent, in a very simple way. You just run some distributed protocol between nodes, and then a leader will be elected for every, what, other branch of virtual IP, I believe, and then when the leader fails...
C
Probably, I'm sure it's called the leader, no, it's just called active... Sorry, I think it's called active advertiser or something, but anyway, when that active instance fails, the distributed protocol will get a new active instance automatically.
C
Right, for the failover step, actually we are thinking, should we think about a similar strategy? Then again, it's pretty simple. We can have some existing, you know, distributed election protocol; I think there are features in the open source world with Golang, and you don't need a controller, or you don't need to depend on any data store, for the failover and the IP assignment.
A
Yeah, but with this approach, basically, you will have a, let's say, a master agent that is owning all the IP addresses, pretty much, and when it fails somewhere...
C
No, actually, if you talk about MetalLB, obviously we do that for every IP; for every IP you have an active instance.
C
Yeah, that is, I personally feel it sounds like a very simple approach, so that again now, unless we encode the IP into the tunnel header, then it will require, if we go with the current approach, it will require the IP to be reachable from any node.
C
Yeah, probably in the next meeting I can prepare more ideas to share about our next plan: how to do the SNAT IP management and how to handle failover.
C
Well, is there anything else? I have one more topic. Probably I can also talk about it and get your inputs, no?
A
I just have a, I have actually a stupid question. It's just that my memory is failing me. A couple of weeks ago, a few weeks ago, we had the discussions on Antrea Proxy, kube-proxy removal and replacing it completely with Antrea Proxy, and then Jianjun had some recommendations for design changes on top of that.
A
But I don't know if the discussion there is completed or if it's still going on.
D
And another thing I wanted to bring up is whether it is worth using TC to redirect the traffic from the host network to the cluster IP service. Because previously we designed, in Weiqiang's design, that we use ipset to match the cluster IP against the individual cluster IPs and then mark the traffic.
D
It could be changed to using TC with u32 match to match the traffic, but still we need a filter for each cluster IP. But if you remember, we discussed this very early on, that maybe we could calculate the cluster IP CIDR by using the existing cluster IPs, so that we just need one filter, or maybe just one route, to route the traffic, and this doesn't need to have anything to do with ipset or TC filters.
D
I wanted to check whether this approach makes sense now, because it could simplify the redirection hugely, I think.
C
If you mean we just use a route, it can be simpler. It's fine, then, than TC.
C
What are you saying, if we go that way, we don't need TC or iptables at all? We can do everything with a route.
C
But I think it can be easier to evaluate if we can, if there are two options, then we can compare. Sure, I'll put it. Ideally, we just use one way to handle all the redirection, and I'm not sure if we... well, you said route. The pull anyway is different, right. So.
C
And actually I was thinking, if we decide to go with the TC approach...
C
Yeah, I was talking about, I think, if we do this TC approach, maybe you can also consider an option to use eBPF too, so no matter TC or eBPF, just a very simple way to match some traffic from the host network and redirect it to Open vSwitch, and maybe we can declare we also have eBPF support.
A
All right, so yeah, thanks. Yeah, that's a good idea, thanks for bringing up all these ideas, and I mean, if we end up introducing eBPF, I wish that, you know, we will not introduce it only for this little thing, but we'll probably make a wider use of it. But you know, that's something that will surely evolve over time. So, any other question on this topic?
C
Yeah, I planned to talk about something, but I have already talked too much today.
A
All right. I mean, and you know, if you have any other, I mean, if you have some topic that maybe deserves a longer discussion, you can surely bring it up for the office hours meeting next week. But cool, and therefore it seems that it might be all for today, and I would like to thank, as usual, everyone for attending and, most importantly, thank all the community, the developer and the user community, again for achieving the 1.0 milestone.