From YouTube: Antrea Community Meeting 05/04/2020
Antrea Community Meeting, May 4th 2020
A
Welcome everyone: this is the entire community meeting today is May. The 5th 2020, of course, for people in United. States is still made a fort and one let's get started with meeting the agenda for today, it's fairly simple. We will start with a discussion of the obvious Hardware offloading proposal. I guess Moshe. Will you give us his presentation and then once that is done, Cody as some feedback about cluster Network policy that we discussed in the previous meeting all right. So is there any other topic that you like to add to the agenda.
B
C
C
We're using 7 things you know in the design proposal, because we are using the SI with technology. It will be a solid advice, plug-in then so V device became basically allows us to so location of the PCI address, not doing the APC location, but it's actually. According to a population, couplets Alexa T, available future function and of the requested.
C
C
C
C
C
C
Edges of the path consists in the device of this virtual function, Percy to the container and from the PC I just also need to find the buffer presentó, and then we technical person so and we'll plug it to the OBS and after that, basically, the cone is mostly mostly the same. So we have the net intercept, Ana and the Russell wasn't oh and a device. You know the presence of a negative feeling and that's it that that's the owner of the station power.
D
C
C
F
C
Folder, but in this case, what will happen is the multis configuration will be the embassy, an icon, and basically, we will need to use a CL d of the network attachment that staying explaining what is B Angelia for figuration for the default for the Kubernetes Network, and so this is the default way of doing the metal figuration thing. But you did today.
G
G
G
Basically we are using multiple data path, flows, meaning that a packet comes in to the obvious data path and a 12-2 in cap or the cap, and then you go to culmination tracking and then it will match another row and then send it to a test and destination port so which means that a packet will recirculate heating flows like hitting free flows and then sending to the destination. So is right now this flow mechanism. So we don't want to do any partial of low, because any processing that goes to software to.
C
C
F
C
G
See I, see, saying and I know that somehow a lie broken. They have some limitations about recirculation, so meaning that okay, they can test carnation tracking in highway by fountain. If you want to come by first one connects connection, checking then doing tunnel in cab. Then it doesn't it couldn't do that. Just saying that, okay, you cannot recirculate pack it back to the beginning of the highway pipeline. So do you guys aware of this problem? No, it's! Okay in your Howard to do this! Recut circulation and competition. No.
C
B
C
Yeah, so just what them Wednesday is currently. The only thing that we actually can offload or will be able to upload is the possible traffic until all this Q box. If this would go away, and then we can start on to see where, if you can also offload, the service depends on what the data pipeline in app.
B
F
C
Basic, the concept of the concept is very generic, so if you have another window this for the developers on top for a question. So basically, if the code is a vendor agnostic, so I know there are arrival is it is called Sol Venus, which is doing some of the magic of blue, a blue team in the of looking for the rough laplacian. So the pci are just not the middle of football telly, although it's in mesquita it just a function in devastated the way that we look for the little channel.
C
C
C
C
Basically, they dependent on the vendor, so what happens in they obviously, frankly we're all the like big city. We have the framework that actually changes and move all the translate. The data path flow to PC for the kernel API and now who is up to the Dan in the window, either it's going from PC software. If you do don't have the implementation as a band or or it's going to be C by Hardware, then spinster actually they're justified flow. So the theses are PC. Flour is actually rated doing it in the mixer I know.
C
B
C
C
Connection tracking is fairly new and really working on a you know, automatic connection and I need to stick with the driver team and they are goals that they want to. I can say this because steam not there, but they are going to they want to achieve mentality. What, if you want, the numbers I can provide, but I need to check eternity and exactly what are the important thing to say what I think.
B
C
C
So, regarding the obvious, all the pieces from the audience are asking me to the the world Assisi flower. Next, all the people there stinker now basically over a driver, improvement stability of the connection tracking feature in the manager, basically on the pieces that part of the flame off like obvious and the PC flower on the bit of already telling of them.
A
A
C
C
You know, like you know like open circuit, so the CCI, maybe oxygen. You know I need a job.
A
Exactly we got people record the so Dow. Yes, yes makes the CI available that that would be great because you know you're making changes in you. You are adding your easily see in line with the traditional interface processing, so it's very likely that some contributor will break your code, not real, because and therefore it will be good it why we check the buy a CI. The other question that I hear is more about interface attachment. So it's not clear to me.
A
A
C
From the mallams perspective, what you need to do is just when you create the the network, the resource you fill it a flag in the SLV device, begin to allow Hotel DMA. Okay, once you enable other DMA from the Milano's constructive, it means that you want a Milan Dominika application in the in the container. That's that's the only difference. Other vendors which are not be for gated, like Intel, which using everything is usual space I, don't know why we didn't work or with it together, so because DK.
C
C
C
C
Yeah yeah I would yeah first I will add the documentation section and avocado flow today. What are the requirements will be respected and I'll to do? The configuration of the SLV opinion basically are all 200 bestowed upon, because efficiency will still dependent on the SME device. Plug in multiple spec is also different, because we need to first epistle.
C
C
The solution is both also nicely that you can only pods that request a mess alive is a resource, will get accelerated if you don't. First, stop in the prospects means that you don't want it too. Big fella like that, will fall back to the PCH, the Vth little bit, dopey. Okay. So, basically you can never mix of accelerated for everything. She talked to everything.
F
C
And so does two things. First of all, the only point of the proposal was considered. Well, you all play with the design, because you know the different pieces that we need to orchestrate this stuff like this and Athena, so he devised plug a mortise and I wanted, first of all to make sure that we don't have any gap, so he is from that perspective. I'm. The next thing that I need to do in the monoxide is to do the obstacle, then also any take the piece from the from the Mellanox.
C
C
F
B
C
Fine by me, yes, I will choose the oldest, because just basically I did the other I didn't read it as an alternative, but the other ways put so much logic in and just to make this and get the resources and basically clone what much. This is already doing, just to find a branch from the base of the gaya. Just so on the vellum said Phil. This weighs more I selected. All the way.
C
E
E
C
And version perspective is just to using at the policy for this nickel you just to make sure that duty, CPUs and the big PCI is aligned on distinct noma for better performance. This can still work without quality manager, but you know maybe the procedure will be a performance degradation. So that's the only thing that there's no changes in policy manager and I'm learning to sitting tended to something like that just test and if you don't dare miss because you have an older supernet, this version of something like that, it will work.
E
B
A
D
D
H
D
D
D
I've got tearing or categories put in here and we're not quite there yet, but I think it's important to talk about ordering of policies and how we want to treat things in in the document we were talking about treating queue raised, network policies and cluster level network policies as different orderings, where the way that Calico does it, it basically treats the entire block of Kubernetes Network policies as an equal entity to other cluster level network call or native policies. I would say not just cluster level but native policies.
D
So really the difference is Kubernetes network policies versus an ant tree and native policy. In this case, and then the order of this block here is a globally defined value that can be changed, and then you can basically structure policies in that bottom tier category around that block. I just wanted to get some feedback about that question first and and understand some of the reasoning. Cuz I know that we were also dedicating specific OBS tables to the ordering of those policies and how that might impact. You know the design.
F
D
So the story might be, is you may want to sandwich so for one user story, maybe, as you may want to limit certain users, application developers, for example, to only be able to create Kubernetes network policies, a lot of enterprises do that and but you may want to sandwich their communities Network policies. You know, between native, to Brandon, it's network policies and actually evaluates them in an ordered fashion. As an example.
E
D
This might be- and this might be like, if you don't want your default rule to be deny all, but you want your default rules basically to be deny all, except for 43 or something like that right. So if they don't explicitly allow for 43 or 80, you might be able to have set a default rule to allow that, so you would have to have in this case a rule you know somewhere down here would be, do you know global or a namespace rule that would enable that communication. If you didn't do an explicit denial.
E
D
Entire block yeah, this entire block would have to be relegated to a single tier. The way that Calico handles it. It's called a default tier. It could be a you know. It needs to be basically the the tier, because kou network policies do not have a tier specification right, so they have to land in a quote: unquote default tier for that to work, and then you could specify what you wanted. That order of that default here to be typically as the last policy. The last tier excuse me evaluated, but I just wanted to.
E
D
E
D
Though we would have a great question, so we would have to have a part of the configuration CRD or or a state a static state would have to store what the what the order number is for the Kubernetes network policy block right because it's that's us, that's a synthetic value right! There's! There's! You can't store that on a conveyance network policy. There would have to be a synthetic value representing that. So we can either do that with you know a separate CRD or a configuration option in a global. You know configuration CRD, yeah.
E
D
D
D
You know, typically the way Carre's network policies work within namespaces. If no policies are defined at all, then there is no default deny right. You have to define at least one policy to get the default deny and the way that some had approached that was, they would always ensure that they had a a rule at the very end of this default here. That would be a default deny all if none of the other policies matched.
D
What some enterprise has found was that it was difficult to to ensure that there was always that policy at the very end of the tier, and so they asked for a configuration option instead, that, basically, you know, allows you to either define all namespaces or a single or a set of namespaces to have a behavior of default, deny all for their namespace and that's that's and that's a configuration option rather than a policy that could be controlled by a separate are by value. They.
F
Have a question: if you have a policy on below two best at the policy block, then what will be the default behavior of the capacity policy, for example, on including Spidy for the hola war right for the ones you quit ingress points a for example. Then you all not only traffic defunding, the policy for YouTube or other traffic for the ports arrested by the ingress policy. But if you have policy, P notice that for City we want to keep the same behavior or your thing.
F
D
If, if, for example, you were to used, you know a policy to represent that default behavior, what that would mean is if, if you didn't have in a particular namespace a namespace see didn't have any policies applied to it, then the default behavior in Kubernetes. You know, given that there's no other policies up here right, matching namespace C would be to just allow any traffic through, but you could have a global policy that matches all namespaces down here. That would basically be your default and I all yeah in that.
D
D
F
D
F
F
D
D
F
F
D
Yeah, because it would, it would be taking on the standard. Yes, you would have to have the rule to drop all other traffic, because even if one of these here matched for that namespace, then it's the standard, Kubernetes behavior of you, you assigned at least one policy. That means that it's deny off for anything that wasn't explicitly declared okay.
F
F
D
F
D
F
B
D
F
D
B
Not an inventory this is we go ahead. Don't you think we would have to write a controller for each class for each cloud, for example, and then that controller would like automatically take the metadata out your kW SVM, for example, and translate it into labels, so that would be automatic like we need to write a controller, but that translation would be automatic doing something else. Okay.
D
Since you're already writing the adapter just elevate any specific attributes to be a standard key value pair. Even if you need to namespace them right to to make them more unique or something like that, you could still namespace the the keys of the metadata with their values and I. Just think it would make the.
B
It's completely compatible with this proposal because those external entity objects are going to be initialized by the code that you have that's bringing in the inventory and as part of creating those objects in the community API server. We can do translation of the cloud native metadata to veggies labels, I.
D
D
Going with this is, if you used a similar metadata tag for both external entities and internal entities, I now have to specify that tag twice in my policy right. Instead of being able to write a generic policy that says, I want to, you know, accept all ingress from pods of this type. I could have power I'm. Sorry, workloads of this type I could have workloads both as pods and as external entities that match that metadata. It would function using this. It's just your but you're, duplicating yourself right. So.
E
D
Yeah basically I'm calling it more of an endpoint selector than a pod selector right, you really at the end of the day, when you're building your filtering rules. What you're filtering on our end points that have some type of metadata attached, whether it be a pod or an external entity which could be like a VM.
E
I think the the selector that we are trying to introduce some more to binary Stein, wherein you otherwise would, if, if you want to specifically only target pods and not other endpoints, which you may have in your in your system, then it's a little bit tricky to to get that into the system like. If you just have a generic selector, it would select all kinds of endpoints, but if you want to filter them on parts, that's it then you might have to do some more layers of the.
F
F
F
The way, actually, my ID, like a finally I, think palliative service, ungrouping concept, chastity found group and the multiple policy can reference the same group and there may be in a group concept. We can make a generator. You can select any endpoints.
F
D
D
D
Sure make sense, the only other question I had was conveying cluster Network policy rule metrics as the status field in CRDs. My question was: is that in in terms of the status fields of CRDs, those are typically, you know reflecting current state and not necessarily time series values, our metrics and so I know. This was a question already asked about scale.
D
If we intend for those to typically be just time series observables, do we actually need them in a CRD? Is anybody that's going to be observing them just going to hit the Prometheus great point or other mechanism we used to expose those instead of hitting the CRD wanted to get some understanding of the justification on that.
E
F
E
D
D
A
D
D
A
It makes to me sense to me to discuss this further and close down, but up and close down on this topic, perhaps during this week, without having to wait the next Monday or Tuesday all right yeah. So maybe we can Abhishek. Perhaps if that works for you, you can try and propose a meeting and the sheer each other's luck channels so that we can have another topic. We can have another call the topic during the getting in on the topic in this week and say that I think we are already four minutes.