Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Antrea / Community / 6 Dec 2021
Antrea / Community / 6 Dec 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Antrea Community Meeting 12/06/2021

Description

Antrea Community Meeting, December 6th 2021

A

Good morning, good afternoon or good evening, uh today is uh tuesday december the 7th or, of course, monday uh december, the 6th. uh If you are in the united states- and this is the entry a community meeting the agenda- we have a nice agenda for today we will start with the discussion on the service account selector for entry and network policies led by grayson, and then a conversation on the refactor for the flexible, open flow pipeline led by han liang so and then in the time that will be left for today's meeting.

A

We will have open discussion, therefore, without waiting, uh I would say, let's start with the today's agenda, and I will end over to grayson for the first uh topic of today's agenda. uh Please listen. Go ahead.

B

Okay, thank you salvatore. Let me share my screen. First.

B

Can you guys see my screen.

B

Yeah, yes, okay, uh hey guys, I'm grayson, I'm going to quickly share with you guys about the feature that I'm currently working on, which is service account selector. uh Basically, it will allow users to use service account to select workloads in both applied to and ingress or egress rule in acmp.

B

So this is my agenda first, I will talk about why we need this feature and then the api change proposal and the implementation design at last during the design process. I have some questions that I want to discuss with you guys.

B

Okay for the motivation: first, it can help manage if pods can, access to some resources easily like service account, is basically an identity, so workloads with the same service account will usually have the same permission to access some resources with service account selector. We could easily manage those paths control if they could access any resources like external service or something like that and uh at the same time, in a reverse direction.

B

We also can control it for some specific workloads could talk to those parts with the with this service account and the second, it could help to manage cluster easily. uh The clusters may include a science service accounts for a different class person.

B

Then the clusters mean could use the service account selector to control this person's access permission, for example, like a cluster admin wants to want to restrict workloads created by a person not to reach external ip, so admin can create a network policy that block traffic from the service account that assigned to this person to external ip.

B

So this is the motivation of this feature.

B

Yeah, let's see the api, so, as you can see, uh the service accounts can be used in the apply too, and we also can use it as appear in ingress or egress, but I just used to apply to as an example in this uh sample network policy.

B

um So in this case all part, it can be used as a name and the namespace combination or a label selector like we used in the pod selector and the namespace selector. So in this case, all pause with those service accounts will be selected by the yeah by this service. Account selector.

B

Any questions so far.

B

Okay, um so about the implementation, design of the service account selector.

B

There are two key steps, so first one is while we adding a part, we not only just add the exist labels of this part to our group index, but also we add another label to group index which we, uh which is uh as shown here like. First, we have untreated reserved prefix and about this prefix. We uh I have some questions about it like uh label, conflict issue. I will discuss in the next part of open question.

B

So uh so first is entry reserved prefix and the service account as key label, and then the service account name as the key value. So basically the after the part was add in the group index. It will also have this label added to its related label item.

B

uh So next step is, while we processing the acmp, we need to translate the service accounts field to serve a pod selector and the name space selector.

B

For example. If we have a server we have, we have service account sa-1 and the namespace ns-1.

B

This is a service account. We want to select so after the translate it will become. One part selector with uh start with entry, reserved prefix service account and the label value is sa-1, which is the service account name and uh and and with a namespace selector.

B

We use the namespace name as the label to select this namespace like the kubernetes.io, slash metadata.name and the key. The label value is ns-1. So after these two steps, um all other logic is already existing in entry code. So it can quite um we mostly reuse. The current code base.

B

Yeah go ahead, go ahead.

C

I can understand how this work if the service account is about name and namespace, but how this work, if we use a selector for yeah.

B

So yeah for the selector case, when we translate we'll first use the uh label selector get all service account out like. If we select the lib the label is, we need the level user label. There are several services. You can't like service account, one two three. So all these survey accounts will be retrieved and we translate all these three service accounts to post lecture plus namespace selector.

B

Then it will become.

C

Multiple uh port, selector and plus namespace selector, okay, yes, it's all current code can handle this. That does it occur. Does it handle this.

B

This is during the.

C

Translation.

B

This is during the translation from service accounts to the selector uh to pause, lecture and the name space letter.

B

I it's new, yes, okay, okay,.

B

So the process will hold like if you have selector. First, we translate the selector to service account, name and service accounts namespace and then from service account, name and namespace to the pod selector and the namespace selector.

D

Further, if the select the service can't change, do we also change the labels on namespace and inputs.

B

uh You mean service account, change the name.

D

For example, if you're saying you can use label selectors select service content if the labels of the service contains, when you have a new service count, do you also change your labels on ports and namespace.

B

uh That's a good question, um so you me, you mean the service account changed its label right. Do we need to change our okay? So if uh the label we add to the pod, use the service account name, so the pod, the relation between part and the service account is hasn't changed. So, while we processing the acmp we uh we need tran. We need to handle this label thing. So if the service account label has changed, we need to catch this update event and reprocess. This example.

D

Okay, uh supposedly, I need something so for for the label on port. uh Do you mean um we don't really care the service can't use by ensuring that policy or not? We always label water service, account for a product report.

B

uh I'm sorry.

D

Do we always add the label for all the service con on the port yeah only when the service can't use financial policy.

B

uh We always add this okay, as long as for current design, if you're worrying about like a performance issue or.

D

I'm just not sure it looks strange to use on all timing if they never use service called default policy um for the rewards either label. For oh.

B

This label.

D

Is this.

B

Label is just in inside our group indexes: okay,.

D

Won't show.

B

To the user user won't know that I.

D

Say.

B

Yeah, it's just a four-hour internal spacing.

B

Any other questions.

B

Oh okay: um let's go to the open question um so basically, uh first is: can service accounts be used with other peers?

B

From my own opinion, I think it should be used as a standalone peer, no matter you apply to or in the ingress or regress from or two fields so uh and from my understanding as if you use a multiple field in one pair, uh those fields should work like an intersection.

B

For example, you should use namespace letter and the pod selector. uh You should select the pause from those namespace, uh but service account seems like it don't have to work intersection with any other field, so yeah.

B

I think it should be a standalone field in the pier and also while I'm thinking about this issue, I find that the group in peer, which is, uh should be a standalone peer, but the validation seems not comprehensive enough and I, which will cause unusual, for example, if user use group and fqdn uh the fqd won't take effect, so our the open. You should track this back and we'll open pr to fix this yeah uh early tomorrow in in pt time zone uh yeah.

B

So what do you.

C

Guys think.

B

About go ahead.

C

If I was thinking if there is a selector support in service accounts, so how do we select? uh How how do we specify we want uh source in specific namespaces? I see only selector in your api definition right. There is no e. Yes,.

B

Oh yeah, that's a great question.

C

For you, it will always be o name spaces yeah currently.

B

It is yeah.

C

Do you think it's a.

B

Go ahead.

C

I'm thinking if it is possible to combine the namespace selector field with submission count like the port selector, but.

B

Oh, I know the difference yeah, I got your I I know what you mean like uh we can support name and the namespace uh combination, and also uh uh namespace selector and a selector combination right. Something like that.

B

Yeah, I guess we could do that. Yeah.

B

um Let me see if it's uh uh so: if we user don't provide the namespace letter, we select uh uh among all namespaces right, yeah, yeah uh yeah, that's a great idea. um I will. I will add to my pr and the the design dock to update the api proposal. Yeah thanks tian, that's a! I think. It's a good idea.

C

Okay, thank you. Yeah thanks.

B

uh Yeah, so I guess for using service accounts such as standalone peers, uh we have an agreement, uh anyone has some ideas, feel free to bring up.

B

Okay, so for the label conflict, um as we can see, let me go back.

B

Here we use um until reserved prefix here we could use it like to try to avoid it will generate a label conflict with user there with user owned labels. um I have discussed this with chuan before um we tried to add a kind like an illegal label format for a kubernetes uh server. While we adding the well, we add the label. So basically user cannot use this format label and we can use it inside our group index but turns out that it will still go through the process to validate the label format.

B

So it cannot can work cannot work, so we basically go back to use like reserve. The prefix, for example, like andrea.io, slash, reserved, reserve label, dash service account or other customer label that we want to use in future here. So what do you guys think about this idea?

B

Use this prefix, but it it still could can uh could make generate some label conflict. But would this be an issue or we as long as we uh state this in our documentation, say this label prefix should is reserved by andrea is enough.

B

I think. Definitely we we shouldn't uh sorry. Definitely we shouldn't validate this. If user use illegal or conflict label with central reserve prefix, it will basically will have a really bad effect on our performance.

A

One question from migration: is there only a performance impact or will there should be a way for users to abuse of network policies in this way?

A

Can, for instance, users create another service account label to the violating enforcement of the uh of the network policies? This way.

B

uh I'm sorry, uh I don't think I understand the question.

A

I mean if if the user deliberately creates a label like the one that we see on the screen here, but instead of using their service account name, they use some other service account name with different rights. Are we going also to modify the way in which the andrea network policies are enforced? Then.

B

Oh so you mean, like user, add this label by themselves with uh yeah. That's right.

A

Different.

B

Different service account name that the pod has right, that's right! uh So, basically, if user do this, we should make. While we add this label to the group index, we will rewrite the value of this label user. If user want to get the part, it will still showing that the label is what he wrote. But while we do the uh do the match do the uh to the select, it will use the real one, but the user couldn't use the user use. They wrote, they wrote the one to do the match.

B

So this is yeah. This is a label conflict issue, so we are trying to avoid user use. This label key yeah. It's a it's a really good question. It's a valid issue that we should uh think about.

C

I think, like the native kubernetes namespace name label the you on the on this right command, kubernetes, yeah yeah. I think unless people uh add uh want to confuse entry on purpose purpose.

C

Right, it could just work without any user. For example, you, I think the user can even label a namespace with another name different from its actual name, and it cannot the the namespace with this label selector.

C

But I think this is done on purpose, not by accident right.

B

Yes, um by the way, if we use the like the kubernetes name, space name label, how will the kubernetes react to this.

C

You it will not have any effect unless you are using this namespace selector in in the network policy luas and it will. You will kill some uh surprising result that you want to select one name space, but you match another name. Space yeah got it.

B

um

B

Yeah um yeah. I also think we can use something like this to to do this label in our group index.

B

But as long as we stated clearly in.

C

Our.

B

Documentation, that's enough, I think.

D

uh So it's an internal index right. Could we use something? What.

B

Is the label.

D

Value for that.

B

Oh yeah, that's uh I yeah. I said I tried this before um when we trying to translate the during the during the translation. It will have to new uh requirement struct uh uh during this process, and this requirement struck will do the label format validation. So uh even this in internal index internal level, we still can't do that.

D

Okay, that is done by some kubernetes.

B

Yes,.

B

um Yeah, uh that's uh all from my today's presentation. um If there's no more questions, I will handle the I will hand out the control.

A

Is there a any final question for griezm.

A

All right, then, we can move to the next topic for today's meeting and which is the open flow, flexible pipeline and handling. Please go online. Please go ahead. The floor is yours.

E

Okay, I will sell my screen.

E

Okay, let's just start, can you see my screen? No.

E

Just the motivation, as we can see, consume that this is not a flexible pipeline. This is current pipeline, as we can see assume that we have there are we have file tables and table bcd used for for for function x and which can be a full option here, actually using the config file, no matter how the function x is enabled or not table b c d will be initialized, and if a packet, if a packet from table it will from table a it, will be sent to b c d e well need to resolve.

E

The issue of redundant tables is to modify the accent in table a to let the packet to let the package go to table table e directive, but this, but this requires additional jump, jump.

E

Traditional jumper judgment, new flexible pipeline if function x is not enabled.

E

I'm sorry table b c d will not be initialized.

E

The only table a and table e will be needs to last the next of table a will be table e. In this way, the package can sell sales steps in in pipeline.

E

This is the first motivation to reduce the redundant tables. You know pipeline um the second. Oh sorry, I didn't change the title. The second to the second motivation. uh Now we we can, we can the table id of every tip that you are table in current paper is fixed.

E

If you want to, if you want to add a new table, you need to manually specify the type. For example. You want a table b. Another tip will be like a typical.

E

You need to you need to you need to change the id of table c d e, because you need to you need to reserve. You need to consider consider receiving a certain id interval for adding tables in the future. So we can't so. We can't just just uh specify the table id for new table as six. We need to do. We need to deal with summation and we're using a flexible pattern.

E

According to the order of required tables, table id will be automatically and demand dynamically generated, and we, the table id, will be generated one by one, not not uh not real. Any interval.

E

For example, we need a tick. We just need a table. A and table e. The table audio. The table id will be one two for this one. There will be one two, three, four five, okay and for the next one. Next.

E

We want show the pipeline to be more standard since standardized.

E

um For the flexible pipeline, all tables are divided into 11 stage stages according to their functions and the red ones are related to security. That's with god network policy. The yellow ones are related to to routine success as not denied routine decisions and blood stages are released to contract. The gray ones are related to layer, 2 forwarding.

E

First, what's the stage the stage may has one or more kinds of one or multiple tables.

E

Some some principles over flexible plan. First, a packet from table yesterdays, can jump to can only jump into the first table of another stage.

E

And we add a new action called go to station. Another principle is that a package from a table in space can can just can jump to any table within these days. For example, in writing. States there are two: there are three tables. um The first first table of routine states can can be, can be resubmitted to the third or other or other tables, indeed, within these stages within these days, but it kind of, but the package of this the package in this table can't be resumed.

E

We submitted to the last or the second, the third, the third table in any other states.

E

Okay, this is the this is a principle for flexural pipeline or, basically, the principle of flexible pipeline.

E

Okay, next next is the design of flexible pipeline. Well, first, the concept of feature: the concept of feature is a collection of a series of functions. Now we have now we have file features in the filter. We may have more. The physical product connectivity is responsible for the network connection between pawns and feature services is responsible for service implementation, in pattern of virtual network policies responsible for network network policy and and internal network policy implemented by nature.

E

Others, like licorice and cheeseblow a table request a table request. A feature must use tables to implement its functions to install flows. If a feature wants to use a table, then a table request should be made to declare that it requires the table.

E

Multiple features may use the same table to implemented their functions.

E

The priority the priority is the use interstructure member structure of a table request it to determine the order of a table in the in each state and the highest order will become to for the first table. In this stage, a table may be declared by multiple features with different priorities. If so, the highest priority will be.

E

Yours, uh you know it isn't. The the order of stages are fixed um like this. The order of these data is fixed, uh but the the tables, but the tables within the states is determined by by its priority.

E

According to the priorities in our states, the final pipeline will be generated with locating table ids.

E

This is a simple. This is a simple example.

E

Well, first for freezer for fixer a is a request. The three table of is one stage two stage, one for a1 priority: 20 a2 priority 30 um table b1 for rt40 for fixer b, and it's a request. It's required to table. Yes, there's one stage: 2 v2c.

E

This requires table b2 c um for stage one for table a1 it has priority. 40 and 20. 40 is declined by feature.

E

A1 feature is a particular bar feature feature feature b: 20 is declared by feature p3a table e2 uh only declared by feature feature v3 for stage. 2 um is familiar unless c3.

E

Okay, now the the order of state is fixed. So we can see now we need to determine the other within the states for stage one.

E

A a1 has has the highest priority, so this order is the is the first table of the distance and then a2 for stays b.

E

B2 has the has the highest priority, so this is. The first is first, is in first place, then for b b1 and then for c table c. Well, that's the that's! The process of the of a flexible pipeline generation.

E

For next the next this is the current. uh This is the this is already especially used to decline, some tables by default and some tables are controlled by maybe controlled by visual flags or other conditions, for example.

E

Well, this one this one for anti-policy equalizer role table. uh If you enable entry policy, then this table will be declared and initialized by visual network policy.

E

If, if controller is, is a dual stack, then table ipv6 table will be declared and initialized. If on windows platform and the the the uplink table will be declared and initialized.

E

Okay, this is also tables of flexible pipelines.

E

For the next uh current table case to traffic traffic cases, the other two adapter to the flexible pipeline, some flow tables of enter has been redesigned.

E

This table solves all traffic models on in-cab mode traffic is in divided into three categories: uh service, equalizer and general um egress is a is also a subset of general. uh There are four: there are four sources.

E

The also is one of on the file file types of destinations.

E

The this first, this means that the packet is from. uh Take this one, for example, this one uh this one, and this means that the case is only for request and reply package. The package is from gateway, its destination is to local. Then this type of package should go to switching stays directly.

E

If it doesn't need it, don't it doesn't require as net like this one. This one.

E

Dxrtx well, okay, this one.

E

This means that the package is from gateway and its destination is israel is external like another part of load. Balancer is client is from is from this from out of cluster and is testing. This endpoint is a host host network endpoint, and this this package is forced to to be as knighted as this hurricane case, and so it should.

E

It should go to service harpsim. Mark table then go to post routines stays to perform as net.

E

Okay, uh I can't I can't introduce every every traffic case as as time limited and tip time limitation. Okay. This is the note sorry, this is no. You have okay in order to adapt to flexible pipeline and the flow table map in yellow is redesigned in some degrees.

E

Folder three fold.

E

Multiple flow flow, multiple traffic models.

E

In earth's reforming table loading destination, marker resistor operation is added for airflow.

E

This.

E

The advantage of increasing the destination market register is that it's easier to get harping cases or equalize traffic.

E

For next pronunciation, this is this is a new table added by flexible pipeline. It is used to process harpin case.

E

No, we have about uh three types: three types of helping cases: first, the source may be from an external client or our kunan is node, and the destination and point is on current node, just the whole network point or an external point.

E

We call this uh internal helping case source mark source mark, and we can. We can get this. We can get this connection by maximum destination and source register mark.

E

Another cartoon case is internal internal heart. In case a client is from a port and its destination, and the point is itself we can get this helping case by my assumed source source ip address on the destination ip address.

E

Okay, the ip fpt drdc is nothing different.

E

This is, uh this is a big change about uh last night, now, first, first, uh the first part of the first row we need to. We need to match the first packet of harping or helping cases.

E

And we load a city city mount the ice knighted, as neither dragon rock mark has a switch.

E

We also need another city marker.

E

And then this marker, this stage mark, is on d, naught switch drawn.

E

Then the packet will be formed to this table again and it will be matched back, but the second or the third floor for hyping cases for intra node hurricane cases. This is for internal internal hypothesis. This client is from is from external.

E

It will be marked with a as night with virtual ip for internal the hype. In case it will be marked with as9, with between ip address.

E

uh Why we use them in this case where we use the gateway ip address as a project windows platform?

E

They don't reply to what what's your ip like once. They start this for the user, ips, okay,.

E

For this one, this one is also an important one, because.

E

This this, these three flowers, are just adjusted matching the first package for substitute subsequent package of s90 connections.

E

This flow is used to master.

A

I'm sorry.

E

Okay, for for this blow you to use the tool to perform iceland for for no power or load violence or road violence, service traffic, as we know this, this kind of traffic on these s9- these are nice tool.

E

Okay,.

E

We can see that we open for every query flow to perform the ice net. We also load and load the service city map. This is for this useful bypass service traffic. In contrast, the community table.

E

We can't let the subsequent request package to to match the to be messed up by this, but by this pro, if it is messed by this pro, it will be treated as as as new and attractive and will get.

E

I want you to resound.

E

Or the next, the next another another another city market is: is this one this one and how to reply the how to handle the recline package of hacking or pin connections.

E

For reply package of hurricane cases as a heritage might be said in iceland and system after the package passing last night contracts, the drone and the city market can be readable, the harp and the harpyrack mark will be and will be set and, and the earned package can be outputted normally this this this. This, this block can cannot only just match the reply packet it can. It can also match the harping request, subsidy subsequent package, exactly for the first package.

E

Okay, that's does all of my presentation any questions.

A

Thanks sonia, is there any question for regarding this, uh this presentation.

A

All right, it appears there are no questions on young, so thanks very much for for your presentation and in terms of uh delivery. I think this is something that is already under development. Is that correct.

E

Sorry.

A

So in terms of delivering these in andrea, you are already working on development of the flexible pipeline. Is that correct.

E

Yes, yes, you can, it can work now and.

A

Okay, are we is the current plan to just switch the new pipeline to the flexible pipeline, or are we going to uh to allow for some time to uh existing installations? To run I mean, like you know, for some time, maybe we will have both the let's say the old pipeline and the flexible pipeline with some feature gate, or are we just going to switch to flexible pipeline once it's merged.

E

I might even get one to use. Yes.

A

I'm sorry sorry, I probably I was I was not explaining myself correctly. uh I was saying once the flexible pipeline is emerging to enter a code base. Will every existing entry installation switch to the flexible pipeline, or do we need to make some configuration changes to enable it.

E

um No, we will just all write the current pipeline we want to. I think we want to make any black flag or any other options to disable or enable flexible pipeline.

A

Okay, that makes sense understood thanks.

A

Is there any other question for wrongly any other comment on the flexible pipeline design.

A

Okay, that appears to be all then thanks uh thanks a lot, as we have still a few minutes left into today's school. Is there any other topic you would like to bring up for discussion.

A

Well then, uh I will say that uh this is uh that's all for today's meeting as usual. I would like to thank everyone for attending and, most importantly, many thanks to grayson and liang for uh preparing the presentations for today, which have been uh really informative and uh and great from you know, both from a discussion perspective and also for improvement in andrea.

A

So thanks a lot for for these presentations today and thanks again to all attendees, and I would like to wish everyone a good evening a good morning or a good afternoon, thanks again for joining and uh to see you in two weeks time.

A

The next week meeting will be on december, the 21st, and I don't think that we need to plan any change of schedule for end of year holidays. We should be fine. Next meeting is the on the 21st and then the other meeting will be in the new year.

A

So thanks again- and I wish everyone a good one-.

C

Thank you bye. Thank.

A

You bye.