►
From YouTube: Antrea Community Meeting 12/07/2020
Description
Antrea Community Meeting, December 7th 2020
A
Okay,
so
on
the
agenda
tonight,
arun
and
other
folks
from
intel
are
gonna.
Give
us
some
more
information
about
their
proposal
to
support
cnf
use
cases
in
entria,
and
if
we
have
some
time
remaining
after
that,
we'll
have
like
an
open
discussion
in
case
folks
want
to
bring
up
some
issues
all
right,
our
own
sideloo,
you
guys,
can
take
it
away.
C
C
Sure
hi
good
evening,
everybody,
so
this
is
the
follow
up
discussion
to
have
a
little
more
deep
dive
on
the
cnn
proposal.
We
made
a
few
weeks
back
before
we
start
go
with
this.
I
would
like
to
request
side
loop
to
recap,
a
little
bit
on
the
cnn
of
use
cases
and
stuff
which
we
discussed
last
time
so
sideload.
Would
you
like
to
give
few
words.
B
We
are
going
to
show
the
solution,
how
we
are
going
to
expand
further
on
the
load
balancing
on
when
multiple
service
multiple
function
instances
are
supported,
so
how
we
can
load
balancing
within
that
one.
That
is
what
we
are
going
to
present
today
and
we
start
with
the
use
case.
What
is
the
current
use
case?
How
we
are
looking
it
and
why
multiple
interfaces
interfaces
are
required
to
support
the
service
functional
chain
from
there?
D
E
B
Yeah
sure
stephen
cnf
is
a
cloud
native
function.
Something
vnf
is
like
virtual
native
function.
Example.
If
you
see
firewall,
we
can
have
the
physical
appliance
or
we
can
have
the
vnf
and
cnf
is
a
cloud
native
form
of
the
same
network
function
and
sfc
is
service
functional
chain
how
we
can
shine
together.
All
these
cnfs
and
vnf's,
based
on
the
certain
required
criteria,
and
we
have
details
on
how
showing
up
cnn,
pnf
and
service
functional
chain
in
the
next
slides.
C
C
Here
is
the
cnf
deployment
and
network
function
chaining
support
on
andrea
cni
right
so
to
enable
andrea
to
support
the
cnf
deployment
and
also
service
function
chain
of
cnf
functionalities
not
limited
to,
though,
but
we
say
currently
it's
specific
to
cnf
for
mantria,
while
while
we
use
andreas
a
cni
for
kubernetes
and
obviously
the
one
of
the
main
criteria
for
that
is
multiple
interface
support
on
andrea.
As
all
of
us
know,
it
supports
only
a
default
network
interface
right
now.
C
All
the
communication
goes
through
the
default
interface,
which
is
created
based
on
the
kubernetes
cidr
right,
so
so
to
support
the
chaining.
We
need
more
than
one
interface,
so
we
need
to
add
support
for
that.
Also
in
andrea
actual
requirement
to
achieve
this
is
to
support
dynamic
virtual
network
configuration.
We
will
we'll
see
in
in
a
while
like
what
it
is
exactly
about,
and
a
provider
network
and
multiple
interface
support
per
part.
C
C
C
So
you
take
the
core
network
in
this
case,
and
then
you
have
a
kubernetes
cluster
so
where
you
have
a
bunch
of
micro
services
running,
and
so
you
have
the
network
definitions
like
a
provider
network
that
is
left
right
and
then
you
have
virtual
networks
defined.
So
these
blocks
are
actually
your
cnfs,
so
the
slb
is
the
service
load
balance.
C
This
is
a
next-gen
firewall
and
sd-wan
cnf
right,
so
we
are
not
deep
diving
into
what
these
guys
do.
Basically,
all
I
want
to
communicate
here
is
these
are
the
cnfs
which
we
are
looking
to
add
support
for
right
so
to
to
see
the
actual
traffic
flows?
What
we,
what
we
are
supposed
to
enable
configuration
configuring
through
andrea,
is
like
one
of
the
thing
is
like
from
one
of
the
microservice
you
need
to.
C
C
I
don't
know
it's
some
smart
song
here
yeah,
you
see
that
so
the
next
use
case
is
actually
from
the
core
network
to
one
of
the
micro
service,
pod
and
another
use
case
is
possibly
like,
so
we're
not
even
getting
into
any
of
this
services.
It's
communication
from
the
core
network
to
the
external
world
right.
All
of
all
of
these
communications
has
to
go
through
a
chaining.
C
Mainly
you
want
to
load
balance
it
and
you
want
to
traffic
shape
it
or
or
our
kind
of
firewall
protection
here
right
and
then
the
sd-wan
use
case
is
achieved
at
this
exit
and
it
goes
to
your
right
provider
network
right.
These
are
the
use
cases.
These
are
the
traffic
flow
patterns
which
we
aim
to
support
when
we
climb
andrea,
can
support
these
enough
use
cases.
C
Oh
sure
yeah
so
basically
to
yeah
thanks
cylo,
so
the
virtual
network
support
is
required
here
to
to
enable
chaining
between
the
cnfs
right.
So
when
a
packet
reaches
your
slb,
there
should
be
a
way
for
it
to
communicate
or
go
through
your
further
chains
to
the
external
network
right.
This
flow
is
defined
by
the
crd,
so
we
have
virtual
networks
between
defined
between
cnfs
to
have
your
communication
moving
forward
yeah.
So
any.
B
C
C
C
C
Okay,
let's
move
on
this
is
the
sample
virtual
network
crd.
So,
as
we
saw
here,
these
are
the
virtual
networks
which
we
plan
to
define
right
if
there
is
a
cnf
use
case
not
limited
to
one
or
two
just
we
showed
an
example
here,
so
this
basically
tells
us
the
subnet
right.
So
what
subnet
I'm
belonging
to?
What
is
my
gate
vip
address
in
this
case
right,
so
we
define
virtual
network
one
virtual
network.
True,
and
there
can
be
you
can
you
in
this
flow?
C
You
can
even
use
srov
interface
itself
if
the,
if
the
part
supports
or
the
cnf
the
platform
where
the
cnf
is
running,
it
supports
the
sri
ov.
We
have
a
crd
defined
for
sreob
use
case
as
well
right,
it's
from
the
andrea
point
of
view.
It's
another
network
interface
in
this
case
for
us
right.
So
the
key
point
here
is
the
subnet
information
for
the
virtual
network
is
maintained
in
the
global
ipad
right.
C
So
we
would
expect
the
andrea
controller
to
provide
the
ipl,
provide
the
ipam
for
this
specific
subnet
in
this
case
right.
So,
if
some,
if,
if
a
pod
is
defined
like
when
we
go
through
the
network,
chaining
crd,
it
may
be
a
little
more
clearer.
So
when
some
when,
when
a
pod
or
a
cnf,
is
trying
to
join
network
chain
right,
so
controller
should
realize
that
and
he
should
be
able
to
assign
an
ip
address
using
the
global
life
app
right.
C
So
we're
going
to
use
a
global
ipam
to
to
allocate
ip
address.
So
current
traditional
thing
with
andrea
is
like
we
have
a
local
ipam
right
so
per
per
agent
which
handles
the
agent-specific
communication
for
agent-specific
part
default
network
right
for
service
function.
Chaining,
we
will
be
having
a
global
ipam
which
will
be
used
to
locate
ip
address
on
the
cnf
scope.
F
F
F
C
F
B
C
C
Thank
you.
The
another
main
thing
here
is
like
the
interface
creations
at
the
pod
scope.
We
expect
it
to
be
pushed
through
the
power
annotation
right,
so
assuming
that
this
is
for
your
primary
and
and
the
default
network
based
on
the
kubernetes
crd
right.
So
that's
not.
That
remains
intact
for
the
multiple
interface
and
sfc
use
cases.
B
F
G
G
C
F
G
Basically,
I
think
markers
I
can.
I
can
draw
something
here:
you
guys
see
it
yeah.
So
let's
say
we
have.
This
is
part
one
part,
and
this
is
another
part,
and
let's
say
this
spot
is
usually
sending
traffic
to
that
part.
So
it
goes
directly
right.
So
the
idea
is
that
the
packets
are
not
going
directly
to
the
other
part
so
that
it
first
goes
to
a
second
port.
It's
intercepted
basically
interceptor
pattern
and
then
goes
to
the
other
part.
G
So
this
this
part
can
do
some
traffic
shaking
that's
just
busy
idea,
but
not
only
for
part-to-part
traffic,
but
also
for
inquiries
and
equals.
So
it's
just
like
let's
say
here's
some
increase
going
to
that
part,
so
it
wouldn't
go
directly
to
that
part.
It
would
also
first
go
through
this
interceptor
and
then
go
into
the
pot
right.
That's
basically
our
use
case
right.
C
Yeah
yeah
yeah
yeah.
Maybe
we
can
deep
dive
on
this.
We
would
really
want
to
discuss
in
detail
also
marcus
on
that
to
understand
if
this
can
be
supported
based
on
the
generic
functionality.
I
know
that
you
guys
are
trying
to.
I
mean,
like
the
hijack
the
flow
from
obs
bridge
right.
Maybe
if
I
understand
this
correctly,
maybe
we.
B
C
Yeah,
thank
you
yeah.
So
this
is
the
network
chain.
Crd.
The
main
point
to
understand
here
is
like,
as
we
discussed,
we
talk
about
the
left
provider
and
then
write
provider
network,
and
then
we
have
a
chaining
attribute
network
chaining
attribute
which
talks
about
chain
between
what
cnfs
the
chain
between
the
cnfs
right.
So
in
this
case
we
take
slb
and
there
is
a
virtual
network
one
in
between
these
two.
C
So
basically
the
slb
and
the
next
hop
is
going
to
be
your
next
gen
firewall
so
connecting
these
two
cnfs,
virtually
through
your
virtual
network
model
right.
Likewise,
your
next-gen
packet,
when
the
when
the
next-gen
functionality
is
done,
the
packet
forwarding
has
to
happen
by
default
to
your
through
your
virtual
network
too.
Ideally,
this
is
actually
virtual
network.
True
sorry
for
the
typo,
this
is
virtual
network
two,
and
then
it
goes
to
your
sd
van
use
case.
C
Of
your
provide
yeah
yeah,
exactly
thanks,
it's
going
to
the
right
provider
network
in
this
case
right.
So
basically,
the
packet
originate
from
here
goes
through
this
chain
of
chain
and
then
goes
out
of
your
right,
broader
network
right.
This
is
what
the
crt
is
about.
So
now
the
andrea
controller
needs
to
understand
this
and
define
the
virtual
network,
create
the
virtual
network
assign
the
specific
parts
into
the
service
function.
Chaining
yeah
anyway,.
B
C
Yeah
so,
and
as
as
we
see
that
we
we
send
the
pod
annotation
to
say
there
is
a
virtual
network,
one
so
we
say
eth1
and
the
e3
interface
for
virtual
network
two
right.
So
if
you
take,
if
you
take
nf,
ng
is
next
in
firewall
right.
So
next
in
firewall
needs
to
be
part
of
your
virtual
network
one,
and
he
needs
to
be
part
of
your
virtual
network
through
as
well
right
he's
going
to
ingress
the
traffic
here.
C
B
C
Sure
yeah
yeah
so
to
have
a
little
more
details
here.
Right
so
provide
a
network.
It
goes
to
the
ngf
and
then
it
goes
to
your
virtual
network,
one
as
we
discussed
it
goes
to
sd-wan
and
goes
to,
though
we
say
sd
van.
Basically,
it's
your
right.
Basically,
it's
your
provider
network-
and
this
is
your
left
right
and
network
sorry
right
provider
network.
C
B
E
F
C
B
C
That
yeah,
so
the
the
key
points
to
mention
here
is
like
what
we
look
at
from
the
anterior
point
of
view
right.
So
when
we
talk
about
chaining
in
this
case,
so
any
so
because
we
still
talk
about
cnf
being
part
of
the
same
cluster
right.
So
as
far
as
entry
is
concerned,
any
communication
within
the
cluster
is
going
to
go
through
the
tunnel
right.
C
I
hope
we
are
not
missing
any
use
case,
which
is
not
using
the
tunnel
in
case.
If
you
are
talking
between
parts
or
pardons
enough,
is
only
through
the
tunnel
right
yeah,
so
yeah,
nothing,
oh
sure.
So
the
key
point
here
is
to
say,
like
whenever
you
define
a
new
interface,
we
need
to
configure
the
obs
bridge
as
in
a
way
that
the
service
function
chaining
is
handled
through
your
tunnel.
It's
not
going
to
reach
your
default
gateway.
C
The
default
gateway
is
used
only
for
your
left
and
right
provider
network
right.
Otherwise,
if
you
have
n
number
of
chains,
you
are
not
limited
to
two
or
three
right,
so
we
can
do
n
number
of
chains.
So
all
communication
between
chains
are
going
to
go
through
the
tunnel
as
far
as
your
cnfs
are
bound
to
be
in
two
different
nodes
right.
So
if
your
cnf
network
cnf
is
actually
in
node,
one
and
sd-wan
is
in
node
two.
It's
going
to
go,
use
your
internal
communication.
C
So
if
both
the
cnfs
are
being
a
part
in
the
same
node,
it's
going
to
use
your
typical
in
node
communication
right,
it's
going
to
be
locally
terminated!
It's
not
going
to
go
through
your
it's
not
going
to
exit
your
obs
bridge
right.
It's
a
typical
use
case,
typical
andrea
use
case.
Like
any
part,
two
part
communication
within
a
node
is
local.
A
C
For
example,
let's
say,
let's
say
like
virtual
network
one
right,
both
of
them
owning
an
interface
on
the
same
virtual
network,
one.
So
this
this
is
visualized
by
controller
and
he
assigns
the
interface
ip
and
then
he
has
to
do
a
routing
configuration
as
well
route
configuration
as
well
to
put
the
packet.
Let's
say
you
have
a
ingress
here.
The
egress
of
next-gen
firewall
should
default
to
your
this
interface
right.
As
of
now,
the
andrea
has
the
default
route
towards
your
default
network
right,
for
example,
so
we
are
going
to
have.
B
A
B
C
Yeah
right
side
load,
so
it's
based
on
service
chain
right.
So
this
is
what
we
see.
This
has
to
be
visualized
by
the
controller
now
right.
So
this,
for
example,
if
you
take
an
next-gen
firewall,
he
is
part
of
your
virtual
network
one,
and
he
is
also
part
of
your
virtual
network
too.
Sorry
for
the
typo.
This
is
two
right,
so
he's
also
he's
part
of
two
different.
Do
two
different
subnets
right.
This
is
when,
when
the
controller
reads
about
your
network
chain,
he
he
sees
this
right.
C
A
Not
really
I'm
talking
specifically
about
the
next
gen
firewall
software,
which
is
like
processing
packets,
and
when
it's
done
with
with
a
packet,
how
does
it
send
it
to
the
next
app
yes
yeah?
Who
sets
that
a
destination
ip
address
once
the
destination
ip
address
is
known?
I
understand
how
the
packets
go
to
the
back.
C
F
B
C
C
So
it's
a
typical
example
of
your
anterior
right
so
in
even
in
andrea,
so
any
traffic
which
is
which
is
destined
any
ip
address
right.
So
we
have
a
default
route:
zero,
zero,
zero
right,
it's
by
default
point
towards
the
andrea
zero.
The
same
the
same
logic
is
followed
here.
We
just
modify
your
e0
to
the
eighth
one
in
this
case,
for
example,.
A
C
A
A
C
A
A
B
C
B
C
Yeah,
so
we're
going
to
take
a
faced
approach
in
this
implementation
so
before
the
one
one
of
the
base
requirement
for
us
to
support
the
sfc
is
the
multiple
interface
support
right
so
that
we
are
taking
it
as
a
phase
one
implementation
on
andrea
once
that
is
once
that
is
achieved,
so
we
will.
We
will
enable
support
for
sfc
with
single
function
chain.
C
C
C
Functionality
support
multiple
interface
and
sfc
is
achieved
as
far
as
what
we
discussed
in
slide
six
to
eight.
If
this
is
achieved,
which
we
can
safely
climb,
that
multiple
interface
and
sfc
support
is
enabled
in
andrea
for
multiple
service
function.
Chaining,
that's
what
I
said.
We
need
to
have
a
classifier
based
definition,
which
we
are
in
a
very
early
stage
to
define
that
we
are
working
on
a
requirement
to
define
multiple
service
function
in.
C
F
B
Yeah,
yes,
along
with
the
classifier,
we
are
going
to
support
multiple
incest
instances
of
the
single
chain
example
where
next
gen
firewall
you
might
based
on
the
load.
You
may
span
some
more
next
gen
firewalls,
you
can
say
8
or
10
or
15
parts.
You
respond
on
a
next
gen
firewall
load,
balancing
between
them
based
on
the
mac
address.
We
internally
we
defined
the
solution.
Just
we
are
getting.
B
F
B
So
every
every
slb
we
will
have
the
mac
address
based
instances.
We
are
go
example:
you
are
having
the
next
gen
firewall.
Maybe
10
instances
are
running
then,
along
with
the
slb,
we
are
going
to
bring
up
a
kind
of
small
load
balancer
along
that
one.
So
yeah
keep
track
of
all
the
instances
of
the
next
gen
five
volts.
Then.
B
B
C
C
It's
the
same
bridge.
There
is
no
additional
bridges
required
in
this
case.
Maybe
we
need
to
add
sniff
additional
flows,
yeah,
okay,
additional
flows.
Indeed,
the
current
poc
also
targets
your
target,
the
existing
code.
As
far
as
you
give
the
subnet
information,
so
it
would
create
another
via
pair
and
define
the
obs
flows
automatically
for
the
new
set
of
addresses,
but
in
zero
you
can
also
create
another
bridge.
F
B
Yes,
both
we
have
thinking
through
actually
so
at
least
we
are
currently
implementing
with
adding
the
additional
flows
right
and
we
will
think
through
if
anything
is
conflicting
with
the
existing
clause
or
any
problem
we
face.
So
obviously
we
create
the
second
page.
The
work
will
be
the
same
more
or
less
here.
F
Right,
another
thing
that,
since
you
were
connected
to
the
pride
lateral
right,
I
assume
it's
a
villa
network,
then
you
need
to
add
the
uplink
to
the
bridge
right
yeah.
I'm
not
sure
that
we're
impressive
until
you
are
behind
the
bridge
or
not,
if
you
add,
move
any
physical
need
to
the
bridge
in
some
cases
for
you,
you
even
need
to
move
the
ip
to
the
bridge.
So
I
I
I
didn't
sing
solo
attack.
I'm
not
sure
what
will
happen
if
it's
the
same
bridge.
A
C
Yeah
we
can,
as
cylo
said
we
will.
We
will
deep
dive
a
little
more
into
see
like
how
what
benefits
we
may
have
with
two
different
bridges
yeah.
The
currently
like
the
flow
is
defined
as
in
a
way
like
you
are
giving
another
subnet
and
you
go
and
modify
your
obs
flow
that
because
it's
going
to
go
through
the
tunnel
right,
so
you
will
just
mask
your
source
address
and
exactly
the
same
same
kind
of
mechanism
like
how
it
goes
between
node
node
right
now,
yeah.
B
C
C
E
B
C
Yeah,
basically,
the
cnn
will
be
your
gateway
right.
Just
take
a
take
a
home
home
use
case
right,
so
we
all
have
home
devices
connected
and
then
there
is
a
gateway
router
at
our
home,
so
assume
that
gateway
router
is
your
cnf
right.
So
all
the
communication
has
to
go
through
your
gateway.
In
this
case,
your
cnf
right,
like
like
how
I
talk
between
my
device,
one
two
device,
two
at
home
right
through
my
home
gateway,
router
right.
C
B
G
Not
necessarily
redirect
so
it's
more
like
a
filter,
so
it
should
end
up
at
the
same
pot
right
so
this
like,
if
we
have
now,
let's
just
draw
this
cnf
here
right,
so
it's
definitely
connected
here
to
the
network
and
it
will
have
traffic
sending
from
that
part.
Now,
let's
say
like
traffic.
That's
going
from
that
point
to
this
part
here
should
be
intercepted
by
another
part,
so,
basically
like
a
filter
so
but
that
network
function
is
then
not
rewriting
the
packet.
So
we're
not.
G
F
F
F
G
C
G
C
Okay,
so
this
can
be
in
one
one
way.
This
may
be
a
bottleneck
right
or
unless
you
have
some
ways
to
overcome
that
just
trying
to
understand
more,
it
means
basically,
the
expectation
here
is:
every
traffic
must
hit
through
and
cnn
right,
exactly
yeah.
So
it's
between
part
it's
within
the
node
or
across
nodes.
It
has
to
go
through
your
cnf,
exactly
yeah.
G
B
G
C
Yeah
so
silo.
The
key
difference
I
see
here
is
like
the
actual
service
function.
Chaining
will
be
handled
based
on
the
route
modifications
as
well
right.
So
in
this
case
it
should
be
seamless
for
this
use
case.
If
I
understand
this
correctly
right
so
part,
a
to
part
b
should
be
seamless.
I
mean
like.
We
cannot
modify
the
routing
table
of
pod
to
divert
the
traffic
through
cnf.
It
may.
B
B
F
F
Want
to
insert
some
service-
and
in
our
case
we
saw
some
service-
can
be
some
physical
network
service,
for
example,
a
platform
that
you
want
to
insert
service
for
specific
traffic
for
the
once
the
service
being
enforced.
We
want
to
continue
the
folding
parts
yeah,
let's
smile
and
something
with
the
problem.
C
G
So
istio
is
like,
so
it's
a
very,
very
similar
light
idea,
just
like,
instead
of
doing
it
it
still
because
he
has
just
for
those
who
don't
know
have
like
there's
a
layer,
seven
boxy
for
each
part,
and
then
the
communication
between
each
bot
is
then
always
ejected
by
by
the
side
car
who
could
also
do
weight
limiting
or
could
also
decide
to
drop
the
traffic
right.
Just
like,
I
think,
it's
more
elegant
to
solve
that
problem
on
the
a3.
G
B
C
F
Actually,
I
I
was
thinking
about
I'm
just
thinking
a
lot,
I'm
just
actually
I'm
thinking.
If
we
take
your
service
training
approach,
what
we
what
can
happen,
we
can
still
define
a
chain
and
then
for
the
classifier.
We
just
need
to
define
some
way
to
say
for
given
traffic,
for
example,
from
port
one
to
port.
F
Two
using
this
traffic
should
enter
the
chain
and
then
also
she
will
have
some
flower
in
the
os
bridge
to
to
capture
the
packets
and
then
redirect
your
searching
and,
of
course,
in
a
specific
case,
marcus
one
in
his
chain.
He
has
only
one
service,
and
that
is
some
shipping
service,
but
to
make
it
more
generic,
we
can
still
use
your
chain
definition.