►
From YouTube: Antrea Community Meeting 08/10/2020
Description
Antrea Community Meeting, August 10th 2020
A
B
D
C
B
That's
right,
that's
right!
That
was
a
looking
at
this
luck
channel
that
was
puja,
suggesting
it
right.
So,
let's
we
have
quite
a
few
people
on
the
call
we
have
20
people
on
the
call
right
now.
Recording
us
started.
So
I
guess
we
can
start
with
the
first
topic
on
this
agenda
and
I
guess
that
would
be
raul,
providing
an
update
on
andrea
cloud
support
if
I'm
not
mistaken,.
E
E
E
E
C
G
E
E
H
E
E
So
it's
a
managed
service
so
with
starting
with
0.9
relays,
which
is
happening.
I
think
this
week
we
do
support
cni
chaining
with
azure
cni,
which
means
basically,
you
deploy
a
cluster
using
azure
managed
service,
which
is
aks,
you'll
choose
azure
cni
as
the
networking
plugin
and
today
they
support
calico
and
azure,
as
the
policy
plug-in
in
their
managed
service
like
aks
engine
is
a
different
project.
An
aks
managed
service
is
a
different
project.
E
Aks
engine
is
an
open
source,
so
we
can
contribute
and
add
our
cni's
in
that
project,
but
aks
manage
service.
It's
it's
managed
by
microsoft,
azure
folks,
so
they
base.
They
just
support
two
network
policy
cni,
which
is
azure
cni
itself
and
then
calico,
and
I
guess
cody
can
probably
share
more
details.
We
plan
to
add
entry
as
one
of
the
supported
cni
in
aks
engine
aks
manage
service
also,
which
requires
microsoft
support.
E
E
A
E
A
E
So
this
support
I
mean
like
this-
would
be
enabling
0.9
release
right
now.
It
is
an
amazing
master
branch.
So,
basically,
what
you
do
is
there
are
some
prerequisite
that
you
install
azure
cli
and
then
create
a
resource
group.
Sorry
create
an
aks
cluster
and
then
specify
just
the
network
plugin
as
azure.
E
This
will
deploy
aks
or
kubernetes
cluster
on
azure
cloud,
fetch
the
details
and
then
see
the
cluster
is
up
and
running
and
then
to
enable
entria
in
a
cni
chain
mode.
We
expect
customer
or
user
to
apply
this
entry
or
node
in
it,
yaml,
which
basically
preps
up
the
node
in
such
a
way
that
the
entry
cni
can
operate
can
operate
in
a
cni
chain
mode.
So
we
modify
some
settings
on
the
worker
node
like
change,
azure
cni
to
operate
in
transparent
mode.
E
Azure
cni
supports
like
two
more
bridge
mode
or
transparent
mode,
so
for
entry
or
cni
to
work
with
azure
cni,
it
has
to
operate
in
transport,
transparent
mode.
So
that's
what
this
node
in
yaml
does
it's,
basically
a
script
which
basically
toggles
the
mode
and
then
with
0.9.0
release.
Once
this
is
done,
you
can
apply
the
entry
yaml
and
once
it
is
applied,
it
will
operate
in
the
cni
chain
mode
because
entria
aks
in
entry,
aks
yaml.
We
have
set
the
traffic
mode
to
be
network
policy.
E
Only
more
so
user
doesn't
have
to
update
any
parameters
or
config
in
this
yaml
file,
and
this
just
shows
that
there's
a
node
in
it
and
then
the
entry
I
agent
and
the
controller
is
running
on
this
aks
cluster
and
one
last
thing
which
we
need
to
do
is
once
you
have
so
there
are
so
once
you
bring
up
the
aks
cluster
right.
There
are
few
pods
like
core
dns
dashboard
q
proxy.
E
So
what
we
recommend
is
once
you
have
installed
entria,
then
you
should
restart
pods
in
all
namespaces,
be
it
the
cube
system
or
be
any
deployment
on
any
namespaces
so
that
the
parts
can
be
managed
by
entry
or
crew
and
entry
can
enforce
the
network
policy
right
now,
it's
a
manual
step.
We
expect
user
to
delete
those
ports
which
we're
already
running
without
entry
going
forward.
H
So
cody,
how
far
have
we
gotten
with
like
getting
an
official
support
with
microsoft?
Because
if
we
end
up
with
a
you
know,
we
we're
in
like
at
the
initial
stage
itself,
you
can
supply,
saying
that
you
know
entry
will
be
the
official
or
andrea
will
be
the
cni
for
this
cluster.
Then
we
don't
need
to
restart
these
pause,
because
nks
would
be
there
from
the
beginning.
A
A
We
have
a
similar,
maybe
not
exactly
related,
but
a
similar
situation
in
as
well,
and
is
something
that
any
type
of
a
managed,
kubernetes
service
provider
you
know,
needs
to
ensure
that
all
the
components
of
the
cni
have
been
installed
before
we
actually
start
the
you
know
start
immediate
pods,
so
that
we
can
make
sure
that
they
get.
You
know
plumbed
with
the
right
cni
and
we're
aware
of
those
pods,
so
we
can
apply
network
policy.
F
E
C
F
F
E
E
A
A
E
F
F
E
E
E
A
A
E
E
A
A
A
A
We
wanted
to
be
able
to
support
chaining
with
the
native
eni,
cni,
and
so
initial
tests
showed
we
had
a
a
race
condition.
That's
not
necessarily
a
a
problem
within
antria.
It's
actually
something
that's
common
to,
probably
all
the
cni's
that
would
need
to
chain
in
any
situation.
Basically,
the
the
issue
is
we,
like
many
other
cni's,
install
the
actual
cni
binaries
that
kubla
calls
using
kubernetes
as
a
deployment
mechanism.
So
basically
we
have
a
daemon
set
that
that
also
deploys
our
agent,
but
can
also,
as.
H
A
If
those
binaries
aren't
present
and
registered
correctly,
you
can
actually
if
a
cluster
comes
up,
pods
can
get
scheduled
and
started
and
they
won't
be
registered
with
andrea
right.
Andrea
won't
be
responsible
for
some
of
the
provisioning
that
takes
place,
and
so
once
andrea
comes
up.
Things
like
network
policy,
for
example,
wouldn't
be
enforced
until
those
pods
are
restarted
in
and
plumbed
with
the
appropriate
network
interfaces
that
andrea,
then
can
enforce
things
like
network
policy
and
and
and
we've
called
this
out
to
amazon.
A
As
you
know,
this
is
a
potentially
something
that
we
actually,
as
both
amazon
and
and
the
entry
community
need
to
take
up
stream
to
discuss
as
a
potential
issue
with
the
way
cni
is
used
in
kubernetes
right.
We
need
a
way
for
the
kubernetes
framework
to
if
multiple
cni's
are
being
specified
or
maybe
a
way
to
specify
that
multiple
cni's
are
being
specified
in
terms
of
a
chaining
mode,
ensure
that
all
of
the
initialization
has
been
done
for
all
the
cni's
before
pods
actually
begin
scheduling.
A
So
it's
almost
a
an
update
to
you
know
whether
or
not
you
know
nodes
are
ready
for
for
scheduling
in
the
interim.
We've
worked
out
a
plan
with
amazon,
where
we
can
restart
any
pods
that
have
been
scheduled
once
the
the
cni
initialization
has
completed
right,
so
that
we
can
avoid
this.
This
race
condition,
if
you
will,
where,
where
a
pod
could
have
been
scheduled
before
andrea,
had
a
chance
to
initialize
all
of
its
components
and
be
able
to
enforce
policy.
A
C
C
E
Yeah,
I
can
talk
about
it,
so
let
me
go
over
the
initial
support
and
what
enhancement
we
are
doing
in
the
guess,
ek,
sorry,
so,
yeah
with
0.5.0
release,
you
could
just
apply
the
entria
pks
yaml
file
and
we
expected
a
user
to
modify
a
few
parameters
in
entry
or
config
file
with
respect
to
default
mq
and
the
service
sider.
So
this
page
is
not
updated.
E
Before
applying
this
entry,
eks
yaml
in
0.9
release,
we
have
removed
this
extra
configuration
in
a
way
that
the
default
mtu
now
would
be
auto
discovered.
So
once
you
apply
entria,
it's
going
to
figure
out
the
m2
empty
of
the
primary
nic
and
will
set
the
default
and
I'll
adjust
the
default
mtu.
Accordingly,
user
doesn't
have
to
modify
this
argument
and
then
the
service
sider,
our
parameter,
is
not
needed
with
entry
or
proxy.
So
in
0.9
release
we
are
enabling.
E
F
E
E
F
E
Let's
take
it
offline,
okay,
so
yeah,
so
we
remove
these
two
limitation
and
then
we
can
operate
in
a
cni
chain
mode
with
the
aws
cni
and
inferior
cni
will
operate
in
just
the
network
policy
only
mode.
There
is
a
documentation
which
talks
about
the
cni
chaining,
which
is
the
policy
only
mode.
If
you
guys
are
interested
in
looking
at
how
we
did
the
cni
chaining
and
what
we
call
the
l3
mode.
This
is
a
good
start.
You
can
take
a
look
at
this
documentation.
E
Let's
go
back
to
eks,
so
there
were
two
things
which
we
remove
and
the
third
thing
which
cody
was
mentioning
about
a
rate
race
condition
in
which,
if
you
have
two
cni's,
like
aws
cni
and
an
entry
or
cni
chained
together,
then
it
may
so
happen
that
we
have
an
existing
issue
in
which
like.
If
there
are
some
parts
which
are
running
before
entria
is
deployed,
then
you
need
to
manually
restart
it
right.
Otherwise,
the
engineer
will
not
manage
those
sports
and
network
policies
won't
be
applied.
E
So
that
is
one
issue
and
we
documented
saying
that
once
you
install
entria,
you
delete
the
existing
parts
in
all
namespace,
but
the
problem
is
a
little
tricky,
maybe
that,
let's
say,
if
you're
doing
a
scale
up
of
your
worker
nodes,
then
it
may
so
happen
that
the
worker
node
comes
up
with
aws
cni
and
as
soon
as
it
comes
up,
a
pod
gets
scheduled
and
then
then,
when
entry
is
applied
after
the
pod
was
scheduled,
then
it
may
not
be
managed
by
entria.
So
this
is
little.
E
This
is
the
risk
condition
which
cody
was
talking
about,
and
here
we
can't
expect
user
to
monitor
for
scale-out
event
and
then
kill
pods
which
are
running
on
that
worker,
node
and
so
on.
Right,
so
what
we
are
doing
as
a
temporary
fix,
I
mean
like
the
proper
fix,
can
come
from
upstream
obvious
upstream
kubernetes,
but
as
a
temporary
fix
for
eks.
What
we
are
doing
is
we
are
adding
a
node
in
its
script.
A
Are
they
generally
applicable
that
we
could?
We
could
take
those
upstream
as
part
of
the
conformance
test,
so
that
we
could
determine
if
other
c
is
have
the
same
problem
as
part
of
our
effort
to
drive
this
upstream
for
a
fix
is?
Is
there
any
way
that
we
can
use
what
we
know
now
to
determine
if
there's
problems
and
say
other
cni's
that
run
against
those
performance
tests.
E
Sure
so
at
least
we
know
from
ceiling
that,
if
you
don't
restart
the
existing
parts,
it
will
not
be
managed
by
an
ceiling
that
that
is
what
we
know
for
sure
that
they
also
recommend
restarting
the
existing
parts,
but
for
calico
I
have
not
seen
any
documentation
wherein
they
talk
about
this
problem.
They
don't
mention
that
you
would
have
to
restart
any
parts.
A
E
E
E
H
E
E
So
this
we
had,
we
have
a
jenkins
job
in
which
we
run
conformance
test
on
eks,
gke
and
aks,
and
if
you
see
they
are
all
passing
and
as
this
test
we
do,
we
operate
in
network
policy.
Only
more
and
and
maybe
antonio
or
yang
can
talk
about.
There
are
a
few
tests
which
we
skip.
We
run
mostly
the
network
policy
test
and
then
for
basic
community
test.
There
were
some
things
which
we
skipped.
E
E
E
Think,
and
also
one
another
thing
if
we
have
this
conformance
test.
So
if
you
want
to
deploy
a
cluster
in
aks,
eks
or
gk,
you
can
also
use
this
standalone
script,
wherein,
if
you
pass
in
your
credentials
like
azure,
app
id
tenant
and
password,
it
can
help
you
deploy
the
cluster
and
set
up
entry
or
two
in
network.
E
G
E
C
A
A
I
was
going
to
give
a
quick
update
and
I
can
defer
mine
to
the
very
end
on
kind
of
what
we're
doing
in
the
network
policy
v2
working
group.
So
so,
let's,
let's
continue
and
try
to
finish
out.
I
think
what
all
the
good
work
that
rahul
is
talking
about
here
on
on
cloud
and
then
I'll
I'll
save
the
last
a
couple
minutes
for
a
quick
update
and
we
can
take
any
questions
from
there
perfect,
so
so
rahul.
A
The
other
thing
I
was
going
to
mention
is
you
know
this
concept
of
you
know.
We
talked
about
a
policy
only
mode.
We
could
also
be
a
primary
c
I
in
in
both
eks
and
in
your
build
your
own
cluster
on
ec2
and
the
reason
you
might
want
to
do
that
you
may
want
to
use
ip
spaces
that
are
orthogonal
to
you
know
what
was
provided
in
a
vpc
or
in
the
case
of
aks.
F
A
A
F
A
So
therefore,
we
get,
I
think,
more
efficient.
We
don't
have
all
we
don't
have
the
overhead
of
encapsulation
for
for
every
for
every
traffic
path,
only
those
that
are
crossing
subnets,
yep
now
jinjin.
If,
if
we
turn
on
something
like
hybrid
mode,
it
does
disable
some
of
the
diagnostic
features
correct,
because
some
of
the
diagnostic
features
rely
on
underneath.
F
F
A
Thanks
for
clarifying
that
yeah,
so
that's
that's!
You
know.
If,
if
one
other
question
I
had
on
that,
jinjin
do
does
our
command
line
utilities
and
different
things
that
that
might
be
using
those
tools?
Do
they
inform
the
user
that
they
can't
work?
Because
of
that,
or
is
that
something
the
user
just
needs
to
know.
C
A
Great
well,
that's
good,
that's
good
information
to
know
if
you're
trying
to
run
trace
flow
and
you're
wondering
why
it's
not
working,
you
might
check
to
see
what
mode
you're
running
in
so
I
think
we've
covered
all
the
the
different
cni
modes
that
we
support
and
ways
of
running
in
amazon.
The
only
one
we
haven't
gotten
to
is
a
gke.
So
does
someone
want
to
talk
about
what
we're
doing
with
no
end
cap
and
in
gke
rock
classic
here.
E
E
H
So
before
we
move
to
gk,
I
have
a
question
only
case
you
guys,
I
guess
some
of
you
are
already
aware
that
amazon
is
working
on
the
next
generation.
Vpc
cni
right-
and
I
think
you
know,
apart
from
the
the
other
drawbacks,
that
they
have
over
the
pod
density
and
etc.
The
thing
that
is
relevant
to
this
discussion
is
that
I
think
they're
also
trying
to
solve
or
introduce
a
network
policy
controller,
along
with
the
ability
to
apply
security
groups
directly
on
the
on
the
paths
with
some
crds.
A
So
we're
definitely
looking
at
that
in
terms
of
their
their
their
cni
implementation.
So
so
right
now,
if
we
go
as
a
primary
c,
I
we
do
have
an
advantage
in
terms
of
you
know,
pod
density
right.
We
don't
have
to
necessarily
scale
hardware
to
match
the
number
of
enis
that
are
needed
for
additional
pods.
If
a
if
a
user,
for
example,
wants
to
run
a
lot
of
small
pods,
there's,
there's
definitely
a
cost
advantage
of
running
something
like
antria
as
as
a
primary
cni.
A
Security
group
affiliation
as
something
that
we
can
enforce
with
with
network
policy.
It's
definitely
something
that's
on
our
roadmap,
and
so
we
will
be
addressing
that.
I
do
think
that
there's
still
going
to
be
some
additional
advantages
with
antrio
proxy,
for
example,
and
the
way
that
we
handle
vips
et
cetera,
that
are
going
to
give
some
performance
advantages.
A
A
A
H
I
see
a
lot
of
people
like
you
know,
waiting
for
that,
at
least
I'm
following
that
issue,
and
I
see
a
lot
of
people
like
following
that
issue
and
waiting
for
these
developments
to
happen
directly
within
the
amazon
vpcc.
Instead
of
you
know
them
relying
on
calico
or
andrea
for
policy
only
mode.
So
so
I
just
wanted
to
share
that
with
the
team
and
see
if.
A
H
A
Now
that
that's
good
insight-
and
the
other
question
is
also
going
to
be-
is
like
how
much
extension
from
upstream
kubernetes
network
policy
they're
going
to
support
right,
there's
also
a
lot
of
work
that
this
team
is
doing,
and
this
community
is
doing
right
now
on
extending
you
know
the
capabilities
with
like
cluster
scope,
network
policies
and
other
things
to
that
nature.
That
still
may
be,
you
know
very
different
than
than
what's
offered
you
know,
natively
by
by
amazon,
for
example,
in
in
their
policy
provider
engine
that
they're
working
on.
H
H
F
It
usually,
we
enable
our
policy
crd
right,
at
least
for
aksgas
gk.
Here
we
can
easily
change
the
yammer
file
to
enable
the
feature
gate
for
unshared
policy,
and
you
can
have
a
generality
policy
if
your
question
is
for
eks
engine,
because
in
your
case
engine
it's
a
supposed
thing,
I
I
think
for
that
one.
H
F
A
E
E
E
E
E
So
what
we
do
with
this
node
in
it
is
we
modify
the
cubelet
parameter
from
cubenet
to
cni
so
that,
if
we
add
our
cni
entries
cni
in
the
config
file,
the
cubelet
can
honor
it.
So
that's
what
we
do
that
this
node
in
it
does
it
basically
updates
the
qr
parameter
from
cubenet
to
cni,
so
that
entryway
can
be
inserted.
E
And
then
insider
thingy
we
can
once
we
enable
and
proxy
for
gk.
We
can
move
this
too
and
then.
Lastly,
the
common
problem,
which
we
discussed
for
all
engineering
mode,
is
once
you
have
the
entry
up
and
running.
You
need
to
kill
the
existing
parts
or
restart
the
existing
parts
so
that
they
can
be
managed
by
entry.
E
One
note
is,
we
are
actually
not
doing
any
cni
chaining
for
gk,
okay,
like
for
aks,
we
change
it
with
azure
for
switching
it
with
aws
for
gk
is
there
is
no
chaining?
What
we
do
is
we
just
intrigue,
becomes
the
primary
cni
and
then,
and
we
operate
in
no
end
cap
mode,
which
means
there
is
no
encapsulation
required.
C
A
E
E
right
and
once
you
have
a
dpc
native,
more
disabled,
they
allocate
a
secondary
sider,
called
twenty
zero
zero
zero
and
carve
out
and
carve
out
ciders
subnets
for
each
fault
each
node.
The
way
we
do
it
in
entry,
so
as
part
of
the
node
ipam
controller,
the
gke,
whatever
submits
they
have
allocated
for
a
particular
worker
node.
That
information
is
passed
down
to
the
worker
not
through
through
that
node
controller
itself.
H
E
Yeah,
I
think
the
google
tweaked
it
in
such
a
way
that,
if
they,
if
they
are
allocating
some
xyz
subnet
for
a
particular
worker,
know
that
information
is
propagated
down
to
the
kubernetes
construct
itself.
You
don't
have
to
call
any
cloud
apis
to
figure
out
what
is
the
subnet
a
worker
node
is
working
on.
They
can
fetch
this
information
from
kubernetes
like
from
the
north
spec
right.
A
Excellent
well,
since
we're
at
the
top
of
the
hour
salvatore,
I
will
hold
and
and
and
bring
a
update
from
the
working
group
for
our
next
session
and
let
you
know
what
we're
working
on.
But
if
you're
interested
in
participating,
please
check
out
sig
network
github,
there's
actually
a
link
to
what
we're
doing
in
the
network
policy
v2
working
group.
If
you'd
like
to
participate
between
now
and
then.
H
A
B
B
I
see
perfect,
and
it
seems
then
that
we
are
done
for
today's
meeting
and
we
also
have
an
agenda
for
the
next
meeting,
which
should
be
a
conversation
on
the
network
policy
v2
and
and
a
discussion
about
a
potential
entry
operator
which,
in
light
of
what
we
discussed
today
for
public
cloud,
becomes
a
little
bit
interesting
because
you
know
there
is
going
to
be
some
overlap
and
anyway,
that's
something
that
we
can
discuss
in
two
weeks
time
anyway.
I
think
that
is
all
for
today.