From YouTube: Antrea Community Meeting 05/23/2022
Description
Antrea Community Meeting, May 23rd 2022
A
So good morning, good afternoon and good evening, thanks for joining this instance of the Antrea community meeting. This is the last meeting for the month of May 2022, and in the agenda for today we have a presentation of a design for a proposal for virtual machine support from running mnd.
A
So I will probably just let them present and yeah, and then maybe after that, we'll have some conversation and open discussion. So I don't know if who's going to present, whether waiting on Mandy, but please go ahead.
B
Here is the example use case, and we have defined an Antrea network policy with stack like this, and we want to apply this Antrea network policy to the external entity, which has labels rho equals db, and in this graph it is vm1. It has the label matches the external entity selector, and I need to mention that this part is, sorry, this part of Antrea network policy change is not supported right now and it is the new feature we want to add to the Antrea network policy, and in the e-bras there are two rules.
B
The, we want to follow the same behavior for, as the pre, as the current Antrea network policy, so we will support actions of allow, drop and reject, and the to and from field of the ANP rule, it can be IP block, external entity and part of qdm for the egress, and this is for the.
B
It is the background information for this feature, and if there is no question for this part, I will go through the two API changes we proposed for this feature, and the first one is.
B
We want to introduce a new CRD called external node to represent the virtual machine or the bare-metal server, which is not a Kubernetes node, but has an agent running on it, and it is the definition for the proposed CRD, and in the external node stack, we will define the network interface, and for the inter network interface, you can specify name and IPs or either of them and no no way expect. Ipsum is the must-have field.
B
If you, I will see later that, if you don't specify IP for the network interface, we will not generate the corresponding external entity for this external node, and I also need to point out that when we define an array for the interfaces here, but for the first release, we will only support one interface per external node and multiple interfaces may be supported in the future release.
B
Now another API change is the Antrea network policy API changes, as I have already pointed out and point out on the example case, we want to add an external entity selector in the np applied to field.
C
Okay, probably I can wait for you, one more question: when we support lamb space group, we will also support each other in the name space group, and the group can be used for apply to, right?
D
Yes, the answer to our question is yes, we will provide.
B
And okay, that is the API part of changes, and for controller side of changes, the controller will do two things. One is to convert the external node to external entity. Another is to manage the Antrea agent info level life cycle, and for the first one we will convert the external node to external entity based on the following rules, and first it will generate the, for the external entity name. If the network interface name is empty, we will use the external node name directly.
B
If the network interface name is not empty, we will instead use external node name hyphen interface name as the external entity name, and as tng has already pointed out, all the external node labels will be added to the external entity, and external node name will be set the external name field in the external entity.
B
When we define an external node, which is called vm1 under the namespace vm demo, it has the labels row equals db and it has the interface, interface name can be specified or ignored in the definition, and it has one IP here. For the generated external entity, it has the same name as external node, because interface name here is not specified.
B
So we will use the external node directly, and for the namespace they are the same, and labels they are the same. And if there are multiple labels here, and it will be multiple labels here, and we will, we also add a field called owner reference to let this external entity to point to the external node. So we will know that, no, which external node is used to generate this external entity, and for the endpoints it is populated based on the interfaces field, and another important field is the external node field.
B
It will be set the same name as the name for this external node, and basically the general idea is that we will generate an external node, an external entity, for each interface defined in the external node. As currently, we will only support one interface per node, so currently, external node and external entity is one-to-one mapping.
B
Yeah, if there is no question for the conversion here, and I will go ahead.
B
It is the Antrea controller who create and delete the Antrea agent info, and it has the Antrea agent who will update the content of this Antrea agent info, and the advantage for this change is that we can only grant the update privilege for the Antrea agent info and don't grant the create and update privilege to this VM, so that it is a more secure way from the VM perspective.
D
So one agent says starting up. We show the first secure environment variable with the external node name as a variable keynote name as what we have done on the container case, then after agent is that it, you know, it knows who it is. Then agents will get the external node from the kbps server with a filter by its own name.
D
So for each VM it will not get other VMs' external node information, and then agents who can get the network interfaces configured in the external node and to try to guide the first responding network interface from the health, and then agents will try to realize interface on os. For the details about how agent realized narrowing based on last, I will use the next page to introduce, and after the agent realize the interface, the notification unless it maintains a new external entity.
D
So from the page we can see the normal workflow. Actually, we are focusing on these two passes and, Mandy, maybe you can go to the next page.
D
Okay, this page, I was focusing on the realizations on everything phase. First of all one case, the major difference from the container case is that so we should maintain manage. The whole network is what we are focusing on, so to not break the existing processes consuming the networking we will try to use a new network interface can configure with the existing name and IP and MAC and routing of the network interface configuring in the external node.
D
So when, after an agent finds interface by the ipl drives on the host, it first attached the exit first server name, the network interface. To, for example, I use the pinik zero and in the unit diagram, and then they create the pinik zero to os. Actually, this is the physical interface on the os at the VM. Then agent will try to create a new os internal part which is configured with the it is there virtual it is.
D
We don't have some IP pipeline consumptions, but that's the nice details, and for the interface config part, after the parallel parts they are added onto the os. They create an interface config. I mean one interface config is used to map the pair port. So in the new type point we can represent external entity. We have to maintain the purpose. We have two overflow ports, one is the internal passport and another is the mapping uplink port, and the interface config name is actually the.
D
Actually, it is general. I mean the name defined in the external networking space. Then Antrea agent also set up some open appliance for the external node, we have ipv pipeline, but for the external node IP pipeline we are only focusing on the egress and the ingress, so we don't have their two hours forwarding. As I mentioned, because of the pair pause, we will try to forward package from one to the pair directly, and as we should maintain the host network, we should also maintain the non-IP package in the os pipeline.
D
So we need to introduce a new table focusing on the non-IP packets, but for this new pipeline we directly forward packets from one to the pair with the changes on the external node for osf path. The new pipeline definition has only four tables, and I listed the table id and mapping in this page.
E
D
By now we, in our first release, we only want to support single interface and we're talking target thing at the ram case. So maybe we'll have a few thoughts about environmental case, but when you, when we maybe have some thinking about it later.
D
Oh, one more I want to mention is that, since we are focusing on the egress ironing rights, we still use os contracts, but only one os contract zone is used to maintain the commission space. That one thing I want to mention for the security part.
F
D
Attaching actually.
F
D
Yeah yeah crisis: this is because well synchronized. Maybe some other processes are listening on the ets zero, but if they just use the region name to os and then create a new report with a different name and since the IP and ipn routing migrated from the existing interfaces to the os internal parts, the other processes listed on the pth0 might be broken.
E
So I also have a question, so we are using just one bridge. We are not using multiple bridges for multiple interfaces, right? And then yeah.
D
E
And then you have, we will have some flows to cross the th0 to p nick 0, and the package will not, for example, coming into each zero and coming out from team nick one. So you always have photos to exchange the package between the matching virtual interface and physical interface.
D
Correct, as you may know, that for container case when the packet engine enters, enter the os popular in the table zero, we only set the source smart register mark just to know that where the packet is entering live from, but in external case, in the first table of ipad line, maybe not just the first table, you know as pipeline.
D
We are already citing the target of ports in a register one, and in the last table we only output the package to register one which was passed in the table, in the first table. So we don't need the letter to order three table to forward package according to destiny or destination mic, but we don't need to analyze in external notice.
E
C
So winning, I remember in nst design we choose to attach the fader interface to the bridge with a wizard pile, and I remember one reason to be for the. I think it's for the who says restart case, I think there's some difference between internal port and the wii supplier. In that case, I'm not really sure. I'm not sure you know about that or have you solved it.
D
Sure, I will check with the other device about that is done. Why is relevant to namespace? Sorry, according to my original discussion with them, they said that they want to keep the name of the pair the same as the existing interfaces, so they want to use a name base for each interfaces.
C
D
Yeah, it is simple, but actually I think asians should maintain the, I mean that if we want to use a namespace to configure the network interface with the same name, we should require other interface, other processes to go into their namespace, sure. But.
C
I'm not saying we must put the visa power in a different name. I'm just saying: could we replace internal poll with we supper even when we put all the device in the same name speed, the default namespace.
C
That's what I forgot, so let's, I hopefully you can, you can double check? What's the reason they use with isabel in nfcd?
C
I think there are some reasons about open with stockist. Sure, I will check.
A
D
A
Well, I believe that we probably want to open for conversation with the entire community. That was, that is, like a, let's say, that from a design perspective, probably a, it's from this presentation, it's less than what it looks like, because there are many changes that are going into the OVS pipeline for supporting virtual machines.
A
So one question that I had is: what is your plan for implementing the changes in the OVS pipeline? Are we going to treat external nodes as a special case, or are we going to develop a completely different pipeline for that, or what is your, the solution that you have in mind?
D
All the changes are ready, and so, since we are supporting the flexible pipeline, I mean for the osw path changes since we are already supporting the pipeline, so one agency is running on them, also a parameter server.
D
The pipeline only is introduced for external cases, so we don't have the case that the os purplis full container and external existing on the same agent case, and actually for the code plan, we plan to have this code in the next release, for I'm sure, maybe 1.8.
A
Janjun has a question on the chart regarding specifically table 14 no ip. I was also curious why no ip, john john suggests that maybe should be non-ip.
A
Okay, so if there's another question, I would like to seek a clarification on the relationship between external node and external entity. Can you go back to the slide that Mandy presented, so yep, perfect, this one? There will be a controller, I assume, that reads this information and creates the external entity resource. Now, is this just taking data from one entity and moving it into other data, or does it also involve a searching for a VM using some provider?
B
And if user can fix some invalid information, assuming in the interfaces, and when the agent side monitoring the external node, it will search the interface by IP. If it cannot find the corresponding interface, it will not do any further procession and we can see some errors from agencies.
A
I see, and I have another question, sorry, in terms of information, the resource on the right, external entity. What kind of information is adding on top of the external node, because I see that I, it seems to me, I'm sorry, maybe I'm mistaken here, that there are exactly the same attributes just in a different order.
B
Yeah yeah, for external nokia note case the, we will only set the endpoints field for external entity here, and for the definition here, they are slightly different because the interface, network interface we define, it can have one name but multiple IPs for an interface, but for the endpoint existing definition is one name and one IP. So if there are multiple IPs here, you will define an array with multiple endpoints in this field.
B
Yeah, we will not set other fields. I know you, you mean that external entity has other fields except the endpoints, and for external no case we will not set those fields. Only endpoints field will be set.
C
You a little contest here. Actually we have two types of install entities.
C
I think what mundy and the winning shield here is just one type, these types created from install node, basically, so when we create a cell anything from install node for that when finally can be another type, it's more like in this public car support with this cover the wamps and the latest service in public health, but we're doing the wrong agency in inside the room, but we just so it's not easy to note, especially so known, still means know that we really wrong when we switch an agent until agent in the node, but in the 18th code.
C
In this case I mentioned that we don't really run wrong agent in the agent is when, but we just discovered when the cradle is not entitled for the win, so you say well, actually we are introduced, it's only a before historic node, so other times only for the agent. In this case.
C
That's why you don't have this interface or, you know, multiple interface or it's installed on node CRD earlier, but we just installed. We just have install entity, but since we start to add the agent model for when and now we decided, we need a new CRD to express again with agent and we call this toner node, but still for most of our code to handle policy and other, you know, data paths.
A
That is correct. That is correct, and that is also, I understand now why there are two, we are using two CRs, but I have a final question so do for the external entities which are owned by an external node?
A
So, let's assume that I am a clumsy user, so I have an external entity which is attached to a VM without reference by an external node. Then I decide to go to two end points and I modified the IP addresses here in endpoints. Now, will there be a mechanism that resynchronizes again the external entity to the external node, or do we have to do, we have just to tell users that you should not go and modify this?
B
You mean, if user accidentally identify, modify the field. Yes, for the current implementation, I will, I will correct this after in the reconciliation, if the, I mean, if the extern and if the controller restart, we will reconcile all the external node and he can change it back.
C
A
B
Part change because we monitor the external node, it will not have any impact, but for, if you change the external entity part because the agent side network policy controller is actually watching the external entity selector. So if you modify the external entity by accident, I think it may have an impact.
A
Okay, so now sorry, I don't want to steal the meeting, but I have to ask another question. So do we have to worry about the case where the user is not clumsy but maliciously tries to modify this data to impact the way in which network policies are enforced?
E
B
E
Will be the users because, for example, the name space is vm demo, so the users are in are referring to the kimnes that mean or I referring to them, the name space manager of william demo, because maybe we can assume that him nation, the namespace managed manager at the guy who are managing the security policy and they will not maliciously override the information in the namespace, and the workload user inside the VM can now switch to kinase and has no authorization on managing these information.
A
Yeah, I think that's a good point. I believe that, you know, these are Kubernetes CRs, so even securing those should be managed with the Kubernetes RBAC, so yeah it should not be, it should not be a big deal. It's just, it's just a matter of making sure that these, that you know that access to external entity has the proper RBAC controllers.
E
A
All right, sorry for asking so many questions, I know, and well. I do hope that somebody else from the community has any question here.
A
All right, it appears then there are no questions and we're looking forward to see this feature included in Antrea 1.1, and I guess that now we can move to open discussion. So if there is any topic that you would like to bring up, any bug that you would like to discuss, anything that you like to complain about, please go ahead.
A
Okay, so just a quick update from me: last week there was a KubeCon in Valencia, Spain. As you know, we had an Antrea office hour, chan, chan and myself hosted it.
A
We didn't have many participants, but at the highest we had like 15 participants in the meeting. We had a small introductory, short introductory presentations about, a presentation about Antrea features, the scope of the project, the status as a CNCF project, and I have to say that was pretty much it.
A
There was still very little user interaction, as it typically is for these office hour sessions, but I believe that there was already an improvement compared to the previous edition in terms of community participation.
A
So that's all, and I will just wait a minute for check if other team members have anything to discuss, and otherwise we can call it a day.
A
Yep, anyway, so I believe we can stop the recording and that's all for today.
A
So thanks again for joining and well, and I wish everyone a good day, a good afternoon, and if you are in the west coast, I wish you a good night.