From YouTube: Antrea Community Meeting 12/06/2021
Description
Antrea Community Meeting, December 6th 2021
A: Good morning, good afternoon or good evening. Today is Tuesday, December the 7th or, of course, Monday, December the 6th if you are in the United States, and this is the Antrea community meeting. The agenda: we have a nice agenda for today. We will start with the discussion on the service account selector for Antrea network policies, led by Grayson, and then a conversation on the refactor for the flexible OpenFlow pipeline, led by Hongliang, and then in the time that will be left for today's meeting we will have open discussion. Therefore, without waiting, I would say let's start with today's agenda, and I will hand over to Grayson for the first topic of today's agenda. Please, go ahead.
B: Yeah, yes, okay. Hey guys, I'm Grayson. I'm going to quickly share with you guys about the feature that I'm currently working on, which is the service account selector. Basically, it will allow users to use service accounts to select workloads in both appliedTo and ingress or egress rules in ACNP.

B: Okay, for the motivation: first, it can help manage whether pods can access some resources easily. Since a service account is basically an identity, workloads with the same service account will usually have the same permission to access some resources. With the service account selector, we could easily manage those pods and control whether they could access any resources, like an external service or something like that, and at the same time, in the reverse direction,

B: we also can control whether some specific workloads could talk to those pods with this service account. And second, it could help to manage the cluster easily. The clusters may include assigned service accounts for different classes of person.
B: Yeah, let's see the API. So, as you can see, the service accounts can be used in the appliedTo, and we also can use it as a peer in ingress or egress, but I just used appliedTo as an example in this sample network policy.

B: So in this case, it can be used as a name and namespace combination or a label selector, like we used in the pod selector and the namespace selector. So in this case, all pods with those service accounts will be selected by this service account selector.

B: Okay, so about the implementation design of the service account selector.

B: There are two key steps. The first one is: while we are adding a pod, we not only add the existing labels of this pod to our group index, but we also add another label to the group index, which is as shown here. First, we have the Antrea reserved prefix, and about this prefix I have some questions, like the label conflict issue. I will discuss that in the next part, the open questions.
B: So first is the Antrea reserved prefix and the service account as the label key, and then the service account name as the label value. So basically, after the pod is added in the group index, it will also have this label added to its related label item.

B: This is the service account we want to select, so after the translation it will become one pod selector starting with the Antrea reserved prefix, service account, and the label value is sa-1, which is the service account name, and with a namespace selector.

B: We use the namespace name as the label to select this namespace, like the kubernetes.io/metadata.name as the key; the label value is ns-1. So after these two steps, all other logic already exists in the Antrea code, so we can mostly reuse the current code base.

B: So yeah, for the selector case, when we translate, we'll first use the label selector to get all service accounts out. Like, if we select by the label, there are several service accounts, like service account one, two, three. So all these service accounts will be retrieved and we translate all these three service accounts to pod selector plus namespace selector.
C: Multiple pod selectors plus namespace selector, okay, yes. Can the current code handle this? Does it handle this?

B: This is during the translation from service accounts to the selector, to pod selector and the namespace selector.

B: That's a good question. So you mean the service account changed its label, right? Do we need to change our... okay. So the label we add to the pod uses the service account name, so the relation between the pod and the service account hasn't changed. So while we are processing the ACNP we need to handle this label thing. So if the service account label has changed, we need to catch this update event and reprocess this example.
D: Okay, suppose I need something... so for the label on the pod: do you mean we don't really care whether the service account is used by any network policy or not? We always label the service account for a pod?

D: I'm just not sure. It looks strange to do this all the time if they never use the service account, like the default one, in a policy, and we add the label either way. Oh.
B: Oh okay, let's go to the open questions. So basically, first is: can service accounts be used with other peers?

B: In my own opinion, I think it should be used as a standalone peer, no matter in appliedTo or in the ingress or egress from or to fields. And from my understanding, if you use multiple fields in one peer, those fields should work like an intersection.

B: For example, if you use a namespace selector and the pod selector, you should select the pods from those namespaces, but the service account seems like it doesn't have to work as an intersection with any other field, so yeah.

B: I think it should be a standalone field in the peer. And also, while I'm thinking about this issue, I find that the group in the peer, which should be a standalone peer, but the validation seems not comprehensive enough, which will cause unusual behaviour. For example, if a user uses group and FQDN, the FQDN won't take effect. So we should track this back and we'll open a PR to fix this, yeah, early tomorrow in the PT time zone, yeah.
C: I was thinking, if there is selector support in service accounts, so how do we select... how do we specify we want sources in specific namespaces? I see only a selector in your API definition, right? There is no... Yes.

B: Oh, I know the difference, yeah. I got your... I know what you mean, like we can support name and namespace combination, and also namespace selector and selector combination, right? Something like that.

B: Let me see if it's so: if the user doesn't provide the namespace selector, we select among all namespaces, right? Yeah, yeah, that's a great idea. I will add that to my PR and the design doc to update the API proposal. Yeah, thanks Tian, I think it's a good idea.
B: Okay, so for the label conflict, as we can see, let me go back.

B: Here we use the Antrea reserved prefix. We could use it to try to avoid generating a label conflict with user-owned labels. I have discussed this with Chuan before. We tried to add a kind of illegal label format for the Kubernetes server while we add the label, so basically the user cannot use this format of label and we can use it inside our group index, but it turns out that it will still go through the process to validate the label format.

B: So we use this prefix, but it still could generate some label conflict. But would this be an issue, or, as long as we state this in our documentation, saying this label prefix is reserved by Antrea, is that enough?
A: I mean, if the user deliberately creates a label like the one that we see on the screen here, but instead of using their service account name they use some other service account name with different rights, are we going also to modify the way in which the Antrea network policies are enforced, then?
B: A different service account name than the pod has, right? That's right! So basically, if the user does this, we should make... while we add this label to the group index, we will rewrite the value of this label. If the user wants to get the pod, it will still show that the label is what they wrote, but while we do the match, the select, it will use the real one; the user couldn't use the one they wrote to do the match.
C: I think, like the native Kubernetes namespace name label, the one on this, right, Kubernetes, yeah yeah. I think, unless people want to confuse Antrea on purpose.

B: Yes, by the way, if we use the Kubernetes namespace name label, how will Kubernetes react to this?

C: It will not have any effect unless you are using this namespace selector in the network policy rules, and it will give some surprising result: you want to select one namespace, but you match another namespace. Yeah, got it.

B: Oh yeah, that's... I said I tried this before when we were trying to translate, during the translation. It will have a new requirement struct during this process, and this requirement struct will do the label format validation. So even at the internal index level, we still can't do that.
E: Just the motivation. As we can see, assume that this is not a flexible pipeline; this is the current pipeline. As we can see, assume that we have five tables, and tables B, C, D are used for function X, which can be optional here, actually, using the config file. No matter whether function X is enabled or not, tables B, C, D will be initialized, and if a packet comes from table A, it will be sent to B, C, D, E. Well, we need to resolve this.

E: This is the first motivation: to reduce the redundant tables in the pipeline. The second... oh sorry, I didn't change the title. The second motivation: now the table ID of every table in the current pipeline is fixed.

E: You need to change the ID of tables C, D, E, because you need to reserve... you need to consider reserving a certain ID interval for adding tables in the future. So we can't just specify the table ID for a new table as six. We need to deal with this situation, and we are using a flexible pipeline.
E: For the flexible pipeline, all tables are divided into 11 stages according to their functions. The red ones are related to security, that is, network policy. The yellow ones are related to routing, such as NAT and routing decisions, and the blue stages are related to conntrack. The gray ones are related to layer 2 forwarding.

E: And we add a new action called GotoStage. Another principle is that a packet from a table in a stage can just jump to any table within these stages. For example, in the routing stage there are three tables. The first table of the routing stage can be resubmitted to the third or other tables within these stages, but the packet in this table can't be resubmitted back.
E: Okay, next is the design of the flexible pipeline. Well, first, the concept of feature: a feature is a collection of a series of functions. Now we have five features in the pipeline; we may have more. Feature PodConnectivity is responsible for the network connection between pods, and feature Service is responsible for service implementation. Feature NetworkPolicy is responsible for network policy and Antrea network policy.

E: The priority: the priority is a member of the struct of a table request, used to determine the order of a table in each stage, and the highest order will become the first table in this stage. A table may be declared by multiple features with different priorities. If so, the highest priority will be used.
E: The order of stages is fixed like this. The order of these stages is fixed, but the order of the tables within the stages is determined by their priority.

E: Well, first, for feature A, it requests three tables: in stage one, A1 with priority 20 and A2 with priority 30, and table B1 with priority 40. For feature B, it requests tables as well: yes, there's one in stage one, and B2, C in stage two.

E: This requires tables B2 and C. For stage one, table A1 has priorities 40 and 20. 40 is declared by a feature.

E: For table A1, 40 is declared by feature B and 20 is declared by feature A. Table A2 is only declared by feature B. For stage 2 it is similar, with C3.
E: Next, this is the current... this is already used to declare some tables by default, and some tables are controlled by, maybe controlled by, feature flags or other conditions, for example.

E: Well, this one, the AntreaPolicyEgressRule table: if you enable Antrea policy, then this table will be declared and initialized by feature NetworkPolicy.

E: For the next: the current traffic cases. In order to adapt to the flexible pipeline, some flow tables of Antrea have been redesigned.

E: This table shows all traffic models in encap mode. Traffic is divided into three categories: service, egress and general. Egress is also a subset of general. There are four sources.

E: The first: this means that the packet is from... take this one, for example. This means that the case is only for request and reply packets. The packet is from the gateway, its destination is local. Then this type of packet should go to the switching stage directly.

E: This means that the packet is from the gateway and its destination is external, like another part of the load balancer; the client is from out of the cluster and is accessing... this endpoint is a host network endpoint, and this packet is forced to be SNATed as in the hairpin case, and so it should...
E: Okay, I can't introduce every traffic case, as time is limited. Okay. This is the note, sorry, this is no... okay, in order to adapt to the flexible pipeline, the flow table map in yellow is redesigned to some degree.

E: Now we have about three types of hairpin cases: first, the source may be from an external client or our current node, and the destination endpoint is on the current node, just the host network endpoint or an external endpoint.

E: We call this the internal hairpin case, source mark, and we can get this connection by matching destination and source register marks.

E: This is a big change about SNAT. Now, first, the first row: we need to match the first packet of hairpin cases.

E: For reply packets of hairpin cases, as the hairpin mark might be set in the system, after the packet passes SNAT conntrack, the zone and the SNAT mark can be reloaded, the hairpin mark will be set, and the packet can be output normally. This block cannot only match the reply packet; it can also match the subsequent packets of the hairpin request, except for the first packet.
A: Thanks, Hongliang. Is there any question regarding this presentation?

A: Okay, is the current plan to just switch the new pipeline to the flexible pipeline, or are we going to allow some time for existing installations to run? I mean, like, you know, for some time maybe we will have both, let's say the old pipeline and the flexible pipeline with some feature gate, or are we just going to switch to the flexible pipeline once it's merged?

A: I'm sorry, I probably was not explaining myself correctly. I was saying, once the flexible pipeline is merged into the Antrea code base, will every existing Antrea installation switch to the flexible pipeline, or do we need to make some configuration changes to enable it?
E: No, we will just overwrite the current pipeline. I don't think we want to make any flag or any other option to disable or enable the flexible pipeline.

A: Okay, that appears to be all then. Thanks a lot. As we still have a few minutes left in today's call, is there any other topic you would like to bring up for discussion?

A: Well then, I will say that's all for today's meeting. As usual, I would like to thank everyone for attending and, most importantly, many thanks to Grayson and Hongliang for preparing the presentations for today, which have been really informative and great, you know, both from a discussion perspective and also for improvement in Antrea.