►
From YouTube: Antrea Community Meeting 10/10/2022
Description
Antrea Community Meeting, October 10th 2022
A
Okay,
so
good
morning,
good
afternoon
and
good
evening,
welcome
to
the
system
Soviet
committee
meeting
today
is
October
the
11th
or,
of
course,
if
you're
dialing
in
from
the
United
States,
for
you
will
still
be
October
the
10th
and
for
today
we
have
a
very
interesting
presentation
from
from
Chan
about
layer,
7,
Network
policies.
This
is
a
a
proposal
which
is
already
advertised
on
the
entria
The
Onion,
Tria,
GitHub
and
since
I
believe
that
we
have
now
a
good
Quorum
of
attend
this
on
the
call.
B
Film,
thank
you
and
thanks.
Everyone
for
joining
this
meeting
and
I
will
upload
our
present
in
the
proposal
of
The
Seven
Year
policy.
I
have
created
the
about
issue
in
Android
report
and
I
have
gotten
some
comments
from
Young,
and
we
had
some
discussions
there
and
I
will
share
more
details
about
the
use
case
of
this
feature
and
the
design
and
the
implementation
proposal.
B
Please
feel
free
to
interrupt
me
at
any
time.
If
you
have
any
question,
let's
first
take
a
look
at
the
motivational
for
this
future.
As
you
know,
kubernetes
in
your
policy
and
the
internal
native
net
policy
can
only
control
traffic
flow
at
layout.
Three
and
layer
4
based
on
the
package.
Ip
address
the
transport
protocol
under
the
transport
port,
so
security
applications
communicating
while
HTTP
protocols
at
IP
and
Port
level,
provides
very
limiting
the
security
as
the
IPS.
The
API
will
be
either
entirely
exposed
to
a
client
or
not
at
all.
B
So
if
you
want
something
like
some,
some
ports
can
access
your
application.
The
the
public
page
of
your
application,
but
not
other
secured
Pages.
It
is
notable
to
achieve
that
with
kubernetes
necology
and
the
current
ensure
nail
policies,
so
there
are
seven
reposites
can
provide
more
fine-grained
control
over
the
network.
The
network
traffic
of
container
workloads
based
on
the
specific
application
protocol
attributes,
for
example,
for
HTTP
protocol.
B
We
can
use
domain
webs
and
URI
paths
to
control
the
access,
so
you
can
achieve
that
for
some.
For,
for
for
some
public
page,
it
can
be
allowed.
It
can
be
accessed
by
all
clients,
but
for
some
purpose
for
some
privilege,
page
like
admin
or
back
end,
you
can
get.
You
can
grant
access
to
only
a
few
privileged
ports.
B
So
this
is
the
proposal
of
the
API
I
propose
to
use
a
crd
like
a
current
alternative
linear
policy
to
take
the
request
from
user
and
when
I
was
considering
whether
we
should
extend
the
current
nail
policy
to
support
the
seventh
protocol
or
which
create
an
API
folder.
Seven
policy
only
I
found
that,
due
to
implementation
restriction,
it
may
be
not
good
to
extend
the
current
near
policy
API
because
it
is
hard.
It
is
very
hard
to
support
lower
priority
and
TR
V
priority
like
current
layer.
B
Then,
if
we
reuse
the
left
four
nail
policy
API,
the
the
the
major
the
major
attributes
of
the
struct
will
not
make
sense
like
the
tier
and
the
priority,
and
since
they
are
therefore
under
level
7
has
had
the
the
protocol
has
different
values
for,
for
example,
for
layer
4.
We
use
SMP,
TCP
and
the
UDP
and
for
layer
7
we
use
HTTP
FTP
or
something
DNS,
something
like
that.
They
they
don't
have
many
many
many
attributes
in
common,
so
I
propose
to
have
a
new
level.
Seven
air
policy
API
and
it
will
not.
B
It
will
not
use
the
priority
model
like
kubernetes,
like
our
current
Android
policy,
but
use
white
list
mode.
It's
similar
to
kubernetes
in
our
policy
by
default.
A
port
is
now
isolated
at
level.
Seven,
an
O,
inbound
and
outbound
request.
Either
layer
7
will
be
allowed
in
this.
But
but
this
is
this
does
not
conflict
with
their
foreign
policy.
They
are
only
allowed
after
layer.
7
nail
policy
allows
them,
so
they
are
addictingly.
They
are
addictive
policies
and
for
layer,
7
now
policy
once
a
port
is,
has
any.
B
There
are
seven
year
policy,
select,
selects
it
and
the
nail
policy
has
had
any
Ingress
law.
The
port
is
isolated,
for
Ingress
means
that
it
were
only
the
only
allowed
request
to
the
port
and
those
Allowed
by
the
immigrants
list
of
all
their
seven
year.
Policy.
That
applies
to
the
port.
If
you
are
familiar
with
kubernetes
near
policy,
they
are
basically
the
same
and
same
for
egress,
and
it's
as
we
have
mentioned.
Its
relationship
with
the
four
new
policies
and
the
data
plane
will
first
enforce.
B
Therefore,
the
NATO
policy
and
then
after
the
traffic
has
passed
the
validation
we
in
the
the
the
last
the
data
data
plane
will
enforce.
There
are
seven
near
policy,
and
this
this
is
the
API
struct
of
the
the
object
of
struct
of
there
are
seven
nail.
Policy
is
also
similar
to
our
current
policy,
but
with
without
the
priority
and
the
tail
attribute.
B
It
has
applied
two
fields
to
select
two
workloads
on
which
the
rules
will
be
applied
to,
and
it
has
a
list
of
Ingress
law
under
install
for
egress
law
and
for
each
rule
there
will
be
brought
a
list
of
protocols,
a
list
of
level
7
protocols.
Currently
we
for
the
first
release,
I
proposed
to
only
support
HTTP
protocol,
as
is
the
most
common
one
and
for
HTTP
protocol
at
least
three
HBO's
that
are
common,
commonly
used
host
message
and
passed.
B
Another
protocol,
just
for
example,
of
how
we
could
extend
the
Proto
support,
but
it
will
not
be
planned
in
the
first
release
as
the
only
use
the
DNS
service
should
be
the
code
DNS,
so
I'm
not
sure
whether
it
really
makes
sense
to
have
a
DNS
protocol
support
for
the
seven
year
policy
and
for
each
viewer.
If
it
is
any
Ingress
law,
it
will
have
a
list
of
phone
address
for
a
list
of
for
peer,
and
the
attribute
is
named
form
mean
means
well,
the
traffic
could
come
from
this.
B
Let's
take
a
look
at
an
example
for
such
a
layer,
7
air
policy.
It
applies
to
pause
with
label
f
equals
to
njs,
so
this
port
will
be
applied.
The
the
nail
policy
will
be
applied
to
this
port
and
we
have
two
Ingress
rule
and
the
first
one
selects
course
with
app
equal
calendar.
One
label
this
one,
and
it
will
allow
that
that
that
kind
to
access
the
talks
page
and
using
the
get
method
of
the
NGS
port
and
the
second
law
will
allows
client
2
to
access
admin
page
using
get
method.
B
And
since
there
is
no
law
for
current
three,
it
will
be
under
the
engine.
Support
is
isolated,
so
this
request
to
any
page
using
any
method
will
be
dropped,
but
for
kind
of
one
it
can
only
use
get
dogs
to
access
njs,
but
not
other
URL
and
the
other
methods
same
for
client
2.,
and
so
this
is
the
the
proposal
of
the
API.
If
no
questions
I
could
go
to
implementation
proposal.
D
B
C
B
C
B
Is
made
because
we
cannot,
we
are
not.
We
cannot
at
least
we
cannot
support
all
protocols,
but
if
we
we
don't
have
the
political
support
in
the
API,
but
we
allow
them.
Then
I
think
when
we
support
a
new
protocol.
The
the
meaning
of
the
the
existing
law
will
change.
For
example,
when
we
don't
support
DNS
in
the
first
release.
The
let
me
see
one
major
concern
is
that
there
is
no
due
to
implementation
restriction,
there's
no
way
to
say
every
old
protocol
like
open,
Flow,
In,
less
7
engine.
C
B
A
A
B
I
get
your
question:
the
host
is
for
the
domain
of
the
HTTP
attribute.
So
when
you
access
a
website,
you
could
specify
a
domain
right,
and
this
means
you
can
only
access
the
service
via
some
domain,
because
an
IP
could
be
mapped
from
multiple
iph
domain
names
right.
You
could
use
WWE
.google.com
to
access
it.
You
could
also
use
some
some
other
domain
to
access
the
same
application.
B
A
B
No,
it
means
you
can
use
any
hosted
name
to
access
this,
the
http
service.
You
could
use
any
domain
name,
and
not
it's
in
that.
It
has
no
relation.
It
has
nothing
to
do
with
the
apply
tool
it
is
they
have.
There
are
seven
attributes
just
like
method
and
pass
you
can
you
can
only
access,
for
example,
admin
page
of
our
website
right,
but
before
the
admin
page,
the
the
URL,
the
the
prefix
of
your
url,
is
your
domain
right,
yeah,
something
like
www
dot,
something
and
that
that's
the
host?
B
B
You
mean
this
app
yeah
yeah.
This
is
just
an
example
of
Labor.
It's
a
kubernetes
style
of
selecting
entities.
It
could
be
anything,
it's
just
a
k,
key
value
pair,
you
you
can
you,
can
you
can
label
or
tag
objects
with
something
like
this?
Then
you
can
use
this
selector
to
select
to
select
objects
this.
This
is
just
an
example.
It
could
be
anything
you
can
use
organization,
you
can
use
username
or
anything
else.
B
It
includes
domain
only
at
least
in
when
I
load.
This
proposal,
I
I,
was
thinking
about
domain.
Only
I
didn't
include
Port,
because,
typically
we
don't
really
need
to
kill
the
the
transport
Port,
the
protocol
use
it
could
be
80
or
it
could
be
80
80
of
any
other
port
yeah,
but
but
I
also
have
a
an
open
question
similar
to
your
questions
and
whether
we
should
make
layer,
7
air
policy
only
be
enforced
to
specific
level.
4
Pro,
therefore
port,
for
example,
for
Edge.
B
Let's
set
for
HTTP
protocol,
whether
we
should
add
an
attribute
called
the
port
to
say
we,
it
will
only
be
applied
to
port
80.,
yeah
I
think
it
is
that
there
is
the
benefit
of
having
this
portfolio
will
be.
You
will
only
then
there
are
seven
engine
will
only
scan
traffic
to
that
Port.
Only
so
don't
need
to
scan,
and
the
data
plan
doesn't
need
to
redirect
all
traffic
to
that
port
to
the
server
engine.
B
D
B
It's
made
because
technical
restriction,
it's
very
hard
to
support
https
because
using
corrupted
to
traffic
we
we
cannot
know
the
protocol
the
HTTP
attributes,
for
example.
We
cannot
inspect
the
host,
we
can
inspect
host
the
field,
but
we
cannot
inspect
a
message
or
pass
phone
the
traffic
itself.
We
need
to
decrypt
the
the
request.
First,
then
we
can
only
do
that,
so
there
is
for
the
first
radius
or
in
in
the
view
upcoming
release.
I
think
it's
very
hard
to
support
https.
B
B
B
B
Oh
I
I
get
a
yummy
I
think
if,
in
the
way
I
I
was
thinking,
you
can
specify
a
protocol
to
be
HTTP
and
you
don't
specify
the
phone
or
use
yeah
use.
You
you
make
the
the
phone
to
be
empty,
so
it
will
match
our
address.
Then
it
will
not
allow
all
HTTP
requests.
But
if
you
want
to
deny
other
protocols
at
least
for
for
the
one
we
support,
then
you
need
to
specify
yes
and
protocol
as
well
and
yeah.
B
D
B
B
B
Like
other
nail
policies,
we
will
convert
the
CR
to
internal
or
control
plane,
NATO
policy
applied
to
group
and
just
group
objects
so
that
we
we
can
distribute,
distribute
the
information
of
the
policy
itself
and
the
address
set
and
the
workload
set
to
agents,
and
we
also
need
to
create
a
traffic
control
object
so
that
we
can
redirect
the
traffic
to
there
are
seven
engines.
For
example.
B
Here
we
approach,
Pro
I
propose
to
use
recorder
the
seven
ideas,
IPS
engine
and
I
I
will
explain
more
in
the
next
page
about
how
they
will
take
work
together
here.
We
we
I
just
want
to
give
a
brief
description
of
the
physical
workflow
and
the
third
step
is
Android
agent.
Well,
watch
the
the
computed,
the
nail
policy
applied
to
group
and
address
group
for
Android
controller,
and
it
will
also
watch
the
traffic
control
objects
from
kubernetes
API.
So
what?
But
this
part
is
already
supported,
so
we
are
not.
B
We
will
not
go
much
detail
here.
We
just
need
to
know
that
Android
controller
will
be
responsible
for
creating
the
traffic
control
objects
to
redirect
the
traffic
agent
well,
we'll
handle
the
near
Point
C
address
group
and
apply
two
group
objects
and
can
convert
them
to
their
seven
engine.
Specific
rules
for
silicana
is
called
signatures.
We
will
generate
signal
signatures
and
makes
ricotta
instance
to
reload
the
rules.
We
just
update
it
agent.
B
B
I
remember
when,
when
I
tested
it
with
a
public
set
or
for
IDs
rules-
and
it
takes
a
few
seconds
to
to
load
a
sink-
that's
a
lot
of
signatures,
I
I
guess
for
our
user
case.
Since
we
may
have
only
hundreds
of
layer,
7
policies
in
a
common
cluster
Maybe,
it
will
take
very
few
seconds
and
how
how
when
they
tested
it.
I
will
take
a
note
and
test
and
do
a
performance
benchmark
test
to
see
the
delay.
C
B
C
B
B
So,
for
example
like
this,
there
are
seven
no
policy
object.
We
will
create
such
a
control
plane
in
our
policy.
The
difference
it
is
the
only
difference
is
the
protocol.
It
will
be
http
instead
of
gcp
and
UDP,
like
layer,
4
policy
and
the
source.
Reference
will
point
to
type
of,
therefore
layer,
7,
nail
policy
yeah,
so
they
can
reuse
the
the
same
internal
API
and
you
will
do
another
thing
to
sync:
traffic
control
objects.
B
B
Then
we
will
ask
straight
cutter
to
listen
to
this
two
interfaces
and
to
track
their
relationship.
We
will
also
specify
the
owner
reference
of
the
traffic
control
objects,
so
that
kubernetes
garbage
collector
could
help
us
to
clean
the
traffic
or
control
objects.
When
this
cell
seven
nail
policy
is
deleted,
and
it
could
also
help
track
the
mapping
between
just
seven
necropsy
and
the
traffic
control.
B
Srikata
instance
in
IPS
mode
on
demand
on
demand
means
that
when
there
is
no
less
7
air
policy
received,
it
will
not
run
silicone
instance
and
once
the
first
there
are
seven
blue
eyes
received,
it
will
start
the
instance
under
the
the
binary.
Obviously,
counter
will
be
packaged
to
enter
agent
image,
so
we
don't
need
so
you
don't
have
to
use
different
manifests
when
they
want
to
use
their
seven
future
important
feature.
B
B
The
first
one
is
a
pass
rule,
it
will
say:
pass
HTTP
phone
list
address
phone,
any
port
to
this
address
to
any
port,
and
the
URI
exposed
must
match
in
this
string
and
to
to
make
the
to
make
other
traffic
being
dropped.
We
need
to
add
another
rule
for
Default
job,
which
means
all
other
protocols.
All
other
peels
will
be
dropped,
and
this
is
the
reason
why
supporting
other
protocols,
the
default
job,
other
protocols
difficult-
and
this
has
to
be
a
specific
protocol.
As
far
as
I
know,
it
could
support
other.
B
B
B
Documents
it
says
that,
even
though
we
could
have
a
priority
field
for
each
signature,
it
will
it's
not
the
order.
The
signature
will
be
scanned.
The
signature
will
only
be
scanned
by
the
by
the
order
of
action.
First,
then,
the
order
of
priority
so
and
even
we
with
the
past
Priority
One
job
priority
two
and
then
another
pass
priority.
Three.
It
was
still
scanned
first
and
the
set
the
third
one.
First,
then,
the
job
was
that's
the
main
major
destruction.
B
B
And
for
data
plane,
when
there
is
no
layer,
7
airport
C,
applied
to
these
two
ports,
they
will
communicate
directly
and
once
we
have
the
seven
policy
applied
to
either
of
them.
There
are
communication
will
be
redirected
to
slaykata
first
James
ricotta,
we
are
enforced,
we
scan
the
signatures
and
enforce
the
action
it
could
be
passed.
Then
the
traffic
will
be
sent
back
to
their
play
and
finally
delivered
to
destination
or
it
will
be
dropped.
It
can
also
support
reject,
but
I
I
haven't
done
it
in
in
the
first
release.
B
B
B
B
B
D
B
B
B
This
configuration
is
in
introduced
when
adding
traffic
control
futures
a
feature
it's
made
because
once
the
traffic,
the
package
is
handed
by
a
user
space
instance
like
three
cutter,
the
pack,
the
packet,
the
package,
some
pack,
some
attributes
of
the
package
is
not
set
directory
when
the
packet
is
sent
back
to
the
data
plane-
and
this
is
is
a
no
issue
to
such
applications
and
to
resolve
it.
The
check
sound
of
loading
must
be
disabled,
so
the
sender
yourself
will
calculate
the
checksum
and
the
the
the
the
issue
could
be
avoid.
D
B
B
Accurate
I
didn't
see,
but
you
know
it
were,
it
will
have
some
cost.
I
haven't
do
down,
I
haven't
done
careful
bench
back
test.
Yeah
I
will
also
do
that
either.
Follow-Up,
basically
I
think
it
makes
some
Hardware
offloading
meaningless
and
calculating
check
sound
when
the
traffic
doesn't
leave
the
server.
It's
a
waste
right.
B
And
then
the
last
one
is
the
performance
like
or
for
managing
the
Lewis
like
a
changing
Cascade,
you
know
in
communities.
If
we
have
something
like
a
sec
or
poles,
there
could
be
hundreds,
thousands
and
of
iths.
Then
we
we
have
to
list
all
IP
address
in
one
signature,
I'm,
not
sure
I'm,
not
very
familiar
with
the
Implement
implementation
detail
of
the
seven
engine,
but
it
looks
like
you
may
be
not
widely
efficient
to
pass
the
rule
and
or
to
scan
the
rule
when
attack.
C
B
D
B
Yeah
and
the
current
prime
in
one
dot,
oh
I
think
is
sorry,
is
not
1.9
it's.
It
should
be.
1.10
I
propose
to
support
hdb
protocol
in
one
to
ten
and
support
other
protocols
based
on
you,
the
feedback.
You
know
later
releases
foreign
and
that's
all
of
the
presentation
yeah.
If
you
have
any
other
questions,
welcome.
A
D
B
D
I'm
asking
because
in
some
other
Solutions
I
see
they
are
using
NY
and
the
invoice
supports,
for
example,
grpc
in
the
HTTP
and
a
rich
set
of
matching
on
HTTP,
which
set
of
rules
for
matching
on
HTTP
headers
path
in
the
various
fields
in
HTTP.
So
maybe
that
that
is
another
kind
of
engine
and
you
can
also
easily
extend
the
engine
by
programming,
some
plugins
for
the
invoice,
so
I'm,
not
sure.
If
sorry
Kata
is
also
like
this,
we
can
extend
the
story
cutter
to
support
any
near
seven
protocols.
D
B
Yeah
I
think
so,
when
we
discussed
with
srikata
I
suppose
they
said,
if
you
want
to
support
other
protocols,
you
can
use
signatures
to
do
that
even
srikantai.
That's
not
how
the
protocol
passer
the
the
major
problem
of
using
employees
and
why
it's
actually
a
proxy,
so
it
works
in
level
four
level.
Four
in
in
at
level
four,
you
were,
you
will
create
sockets
to
take
the
the
request,
and
then
we
send
a
new
request
to
the
back
end
So.
Currently
in
in
our
traffic
control
implementation.
B
We
we
actually
work
at
Layer
Two.
We
just
forward
the
traffic
to
one
network
interface
and
ask
the
the
server
engine
to
take
request
form.
So
it
could
work
very
well
with
the
the
IDS
IPS
engines
like
a
snort
record,
or
maybe
the
other
Solutions,
but
it
cannot
easily
work
with
and
and
why
underway,
also
evaluated
and
way
before
and
because
of
the
nature
of
proxy.
B
A
A
All
right,
it
seems
that
might
be
all
for
today.
So
thanks
a
lot
to
channel
for
this
presentation,
it's
been
extremely
informative
and
we
are
looking
forward
to
see
this
implementation
seeing
going
GA
in
entria
1.10,
that's
going
to
be
a
really
nice
addition
to
the
set
of
Andrea
features,
anterior
natural
policy
features,
and,
of
course
you
know
we'll
have
plenty
of
time
to
to
argue
about
the
right
naming
for
the
CRS
that
we
are
going
to
be
added
as
a
part
of
this
feature.