►
From YouTube: Antrea Community Meeting 03/28/2022
Description
Antrea Community Meeting, March 28th 2022
A
Good
morning,
good
afternoon
or
good
evening,
this
is
the
andrea
committee
meeting
today
is
tuesday
march
29
6
in
the
morning
central
european
time.
If
you
are
instead
in
the
pacific
west
coast,
it
will
be
still
monday
for
you
and,
let's
start
with
today's
meeting.
So
today
we
have
a
very
nice
agenda.
A
We
will
start
with
an
introduction
on
with
a
discussion
from
grayson
about
icmp,
supporting
network
policies,
and
then
lan
will
provide
also
a
discussion
of
datapath
for
multicluster
networking.
So
since
we
have
a
very
packed
agenda,
I
think
it's
time
for
me
to
stop
talking
and
let's
start
with
the
presentations
grayson.
Would
you
like
to
go
first,
yeah
sure.
B
Okay,
you
guys
can
see
my
screen
now
the
slice
okay.
So
today
I
will
show
you
the
icmp
support
in
entria
network
policy,
and
this
is
today's
my
agenda.
First,
I
will
go
through
the
motivation
and
then
the
api
proposal
and
the
controller
side,
change
and
agent
side
change,
and
also
I
have
since
the
development
is
almost
done.
So
I
have
a
demo
video
for
you
guys
and
then
it's
the
q
and
a
section
so
for
the
motivation
we
all
know.
B
Icmp
is
a
very
commonly
used
protocol
and
especially
for
user
use,
for
use
it
for
debugging
and
also
we
already
heard
some
complaints
about
we're,
not
supporting
icmp,
and
this
is
the
github
issue
about
the
requirement
to
have
the
icmp
support
and
the
another
reason
is
some
cis,
like
calco.
They
support
smp
in
their
network
policy,
so
we
want
to
support
smp
in
hours
for
api
proposal.
This
is
our
current
api.
B
If
we
want
to
define
a
policy
on
the
some
specific
protocol,
we
have
a
field
called
ports
and
we
can
define
the
ports
protocol.
Ports
and
import
currently
only
support
the
tcp
udp
and
the
sctp
yeah.
And
if
you
want
to,
for
example,
matching
or
tcp
traffic,
you
can
define
a
policy
like
this
only
define
a
protocol
without
ports,
and
I
guess
we
are
familiar
with
this,
so
I
will
go
to
the
proposal.
B
B
In
this
way,
the
user
use
currently
user
won't
be
a
fact,
since
the
ports
are
still
here-
and
this
is
the
network
policy
port
struct,
we
didn't
change
this
struct.
Let's
see
the
example.
If
we
want
to,
for
example,
match
all
icmp
traffic,
the
the
rule
will
look
like
this
and,
for
example,
we
want
to
match
the
ping
request.
The
rule
look
like
this
and
if
we
want
to
match.
B
B
B
And
finally,
this
is
a
the
current
one.
We
want
to
pick
we
we
change
the
ports
to
to
another
field,
name
called
protocols
and
under
the
protocol
you
can
add
the
protocol
that
we
supported.
If
we
want
to
like
support
igmp,
we
can
add
another
field
in
this
struct
and
the
different
struct
may
have
different
specs.
They
can
use
different
like
their
own
struct,
to
define
their
parameter
like
s
p
type
and
for
l4
protocol.
B
They
have
port
and
port,
and
since
this
will
change
the
like
the
old
api,
so
it
will
require
us
to
bump
our
network
policy
version
to
will
offer
two
and
we
add
a
convert
function
to
translate
the
to
convert
the
web
alpha.
One
policy
to
the
vr
alpha
two
policy
mainly
change
the
ports
to
the
protocol.
B
In
this
case
user
using
the
older
version
api
are
won't,
be
affected,
and
this
is
like
some
example
like.
If
we
want
to
match
all
tcp
traffic,
we
can
define
a
a
policy,
a
rule
like
this,
and
if
we
want
to
specify
the
specified
port
of
tcp,
you
can
define
a
policy
like
this
and
for
icmp.
You
can
do
things
like
this
so
yeah.
This
is
the
api
proposal.
B
So
if
we
go
with
this
one
by
the
way,
if
you
guys
have
any
questions,
feel
free
to
interrupt
me
at
any
time
yeah.
So
if
we
go
with
this
api
proposal
on
the
controller
side,
we
bump
up
the
api
version
and
add
the
conversion
function.
As
I
said
similarly
change
the
ports
to
protocol-
and
in
this
case
there
will
be
no
impact
and
also
for
the
internal
mp,
we
can
add
the
icmp
type
and
icmp
code
here.
B
B
C
B
B
C
C
E
If
I
may
answer
this
question
from
what
I
remember
is
that
it
doesn't
really
matter
because
in
the
in
the
internal
storage,
it
will
always
be
your
alpha
2.,
and
it
was
only
when
user
tried
to
get
the
object
specifically
using
v1
alpha
1.
Then
the
reverse
conversion
will
happen,
and
you
know
the
developer.
One
object
will
be
returned
to
the
user,
otherwise
everything
will
be
basically
converted
to
an
alpha.
Two,
and
just
I
mean
the
storage
on
the
wire
to
the
controller.
Everything
will
be
really
awful
too.
C
E
E
You
don't
necessarily
need
to
do
that,
because
the
mirror
controller
is
in
place
because
we
have
two
different
entirely
different
api
groups,
but
for
virgin
bonds.
There
there
was
a.
There
was
a
common
practice
where
kubernetes
imposes
on
and
it
was
specifically
used
to
handle
cases
like
this.
So
from
what
I
remember
is
that
you
know
we
can
specify
a
specific
time
period.
We
can
just
warn
people
that
you
know
this
is
supported
for
now.
E
E
E
B
B
E
E
D
E
Of
the
conversion
function
applies
and
the
api
server
will
return.
You
are
not
for
one
resource,
but
I
think
trans
question
is
more
like
in.
If
we
already
have
a
resource
in
the
api
in
storage,
does
the
upgrade
bump
automatic
converts?
What's
in
the
storage,
to
a
newer
version?
And
if
my
memory
serves
me
correctly,
the
answer
is
yes,
but
I'm
not
100
sure.
E
C
B
F
E
In
that
case,
we'll
just
do
what
we
have
in
right
now
in
the
acmt,
where
we
have
the
namespace
selector
and
the
namespaces
field,
which
they're
essentially
doing
the
same
thing
in
some
senses.
But
there
are
slight
differences,
so
we
decided
to
maintain
both
of
both
of
them,
which
I
personally
didn't
think
is
a
good
idea,
but
for
for
transition
purposes
that
can
be
there
so
that
we
just
tell
you
there
that
for
the
ports
and
protocols
you
can
only
specify
one
of
them,
but
not
both.
B
F
F
C
G
A
F
B
B
Currently,
for
example,
you
have
you
have
one
kind
for
the
source
one
can
for
the
destination
and
the
one
kind
for
a
service
and
the
the
relationship
between
those
kind
is
end.
You
have
to
match
the
source
and
destination
and
the
services,
but
the
relationship
within
each
kind,
for
example
the
tcp
port,
80
and
tcp
443.
The
relationship
is
ore,
but
we
need
and
relationship
inside
each
kind,
which
means
we
should
support
a
multi-match
key
and
value
pairs
to
support
icmp
type
and
the
icmp
code.
B
D
B
B
B
B
B
B
B
A
B
A
A
B
B
B
B
E
Also
quick
words:
I've
looked
it
up
and
I
do
apologize.
It
seems
that
the
for
the
originally
created
resources.
If
they
were
ever
created
at
the
some
storage
version-
and
you
change
the
storage
version,
it
will
never
be
automatically
converted
to
the
newer
version.
It
is
only
when
you
update
the
resource,
then
it
writes
it
in
the
in
the
storage
using
the
newer
version
now
the
the
norm
of
deprecating.
It,
I
think,
is
for
a
really
long
time.
E
You
mark
the
resource
as
served
equals
true,
but
you
put
the
deprecation
notice
on
it,
so
that
whenever
people
you
know,
update
the
resource
or
try
to
create
a
resource
using
the
old
version,
they
get
a
deprecation
warning
saying
that
this
version
is
deprecated
and
you
probably
needed
to
wait
long
enough
for
all
people
to
trans
to
to
migrate
the
resource
to
a
newer
version.
Then
you
basically
remove
the
diversion
for
for
real.
So
it's
going
to
be
a
a
long
process.
C
A
H
Sure
no
problem,
let
me
share
my.
Can
you
see
my
screen?
Yes,
yes,
we
can
okay,
great,
I'm
not
sure
if
everyone
know
that
you
know
that
we
have
a
true
multi-cluster
support
since
1.5,
and
this
is
actually
advanced
feature.
It's
about
data
paths,
connectivity
and
I'm
working
on
this
design
and
the
implementation.
H
You
know
that
because
we
already
have
something
in
1.5.
So
before
I
jump
to
this
connective
design,
I
like
to
show
you
that
some
basic
idea
basic
idea,
so
we
used
during
the
data
paths
connectivity
and
here
you
know
that
we
have
a
talk
about
the
subfolder
mod
cluster
folder
and
it's
all
about
matte
cluster
and
in
multi-cluster.
We
in
we
have
some
basic
pipeline,
which
we
will
introduce.
H
Those
different
results
between
cloud
between
the
member
cluster
in
our
class
sets,
and
this
is
a
basic
which
we
will
also
reuse
it
in
the
data
paths.
Connectivity
yeah
I'll
just
remind
you
that
if
you
are
not
so
familiar
with
the
math
cluster
architecture
and
the
song
terminology,
I
might
be
used
in
following
a
demo
and
showing
meeting,
and
you
can
check
here
and
to
see
what
kind
of
thing
you
you
can
learn.
H
Okay,
sorry,
let's
go
back
to
the
data
path
connected
design
and
the
the
first
thing
is
that
you
know
that
in
1.5
we
allow
user
once
they
set
up
the
class
sets
and
the
joints
on
different
member
clusters
and
they
can
share
or
they
can
export
and
import
a
different
service
in
our
class
set.
Then
they
can
communicate
and
access
the
exported
service
for
other
member
cluster.
H
This
is
the
original
purpose
of
this
mud
cluster
feature,
but
you
want
to
find
there
is
a
limitation
that
you
know
we
need.
We
need
to
the
on
the
underlay
network
to
make
sure
that
there's
a
pod
port
or
network
access
or
connectivity
is
supported
in
underlay,
a
network
which
means,
if
there
is
not
supported,
then
actually
our
multi-class
feature
will
not
work.
So
in
this
phase
we
are
going
to
support
the
data
connective
data
paths
connectivity.
So
even
the
underlay
network
cannot
support
the
part
ip
access
directory.
H
We
can
use
this
data
path
feature
to
allow
the
mud,
cluster
service
or
powder
access
here
in
our
database
design.
Actually,
we
introduced
a
new
idea
about
that.
It's
a
giveaway
notes,
this
gateway
node
is
actually
you
can
sing
that
so
one
general
node
in
a
cluster,
but
you
pick
up
you
assigned
you
assigned
and
treat
it
as
a
gateway
note
this
this
node
will
be
responsible
for
all
cross-cluster
traffic.
H
As
long
as
the
traffic
will
be
forwarded
to
the
other
member
cluster,
then
the
trafficker
will
go
through
the
go.
We
know
the
first,
then
it
will
be
forwarded
by
this
gateway
note
to
other
member
clusters,
so
you
will
see
that
we
have
gateway
node,
and
you
know
that
during
the
datapath's
connectivity
we
need
to
make
sure
that
the
member
cluster
know
each
other's
network
information
like
the
portsider,
the
service
class
ip
slider.
H
H
One
is
turn
up
a
tunnel
and
points.
This
actually
represents
a
gateway
node,
and
it
will
have
some
basic
information
about
this
local
memory.
Cluster,
like
the
pod
sider
used
in
each
node,
and
also
the
service
class
ip
slider
and
another
one
is
turner
and
boy
imports.
You
know
that's
once
we
have
a
channel
endpoint
resource
in
our
local
memory
cluster.
H
Our
multicast
controller
will
be
responsible
to
do
the
exporter
role
and
it
will
export
the
tunnel
endpoint
to
the
leader
cluster.
Then
other
member
cluster
will
watch
this
kind
of
resource
import
and
import
it
as
a
tana
airport
import
in
another
map,
cluster.
Okay,
let
me
move
forward
and
you
know
I
just
mentioned
that
we
are
reused.
The
extra
resource
x
for
impulse
pipeline,
which
we
introduced
in
1.5.
H
You
can
just
you
know
that
we
have
besides
the
class
member
cluster,
we
have
leader
clustering
in
our
class
sets.
You
can
consider
that
leader
cluster
is
responsible
to
exchange
information
between
member
clusters.
Once
we
have
the
information
being
exchanged
in
each
member
cluster,
the
data
connectivity
will
not
be
impacted
by
the
leader
cluster.
The
role
of
leader
cluster
just
helped
us
to
exchange
those
information
like
the
tunnel,
endpoints
resource
and
another
resource
yeah
and
okay.
Let's
move
over
the
data
paths
connectivity
here.
H
I
just
mentioned
that
we
introduced
a
new
concept
about
the
gateway
node,
it's
just
a
general
node,
but
we
pick
it
pick
up
it
as
our
getaway
node.
It
will
be
responsible
to
transfer
to
forward
all
the
cross
clusters
traffic
to
other
member
cluster.
Here,
as
you
can
see
in
cluster
a
there
is
a
gateway
node
and
in
class
c.
All
of
the
member
clusters
will
have
a
gateway
note
and
all
other
nodes
will
be
just
a
general
node
and
it
will
not.
It
will
not
talk
to
other
member
cluster
directly.
H
You
will
see
that
any
traffic
cross
cluster
will
go
to
will
go
first
to
the
gateway
node
and
then
it
it
will
be
checked
by
our
enter
agent
and
decide
if
it's
a
cross-cluster
traffic.
If
it
is
that
material
forward
to
another
node,
the
remote
gateway
node,
based
on
the
based
on
our
open
flow
rules,
yeah
this
one
you'll
see
it
will
be
forwarded
to
class
c,
and
if
the
party
is
trying
to
access
some
ipo
the
service
in
cluster
b,
it
will
forward
it
to
class
b
and
gateway
node
as
well.
H
H
The
basic
information
is
about
the
local
class
ip
sorry
id,
and
then
the
name
is
actually
usually
it
will
be
the
node
name
and
the
subnet
it's
what
we
talked
about.
It's
a
pod,
sider
used
in
each
node
and
and
also
the
so
it's
a
cluster
ip
slider
and
this
private,
ip
and
public
ips
represents
gateway.
Nodes
is
ip,
and
this
we
used
to
you
know
when
we
set
up
some
tunnel
open
flow
rules.
We
need
the
target
ip
right,
so
we
will
choose
private
ipo
public
ip
to
do
the
rules.
H
Okay,
let's
condition.
Another
part
is
another:
crd:
is
the
tunnel
endpoint
imports
this?
This
resource
is
actually
almost
the
same
as
turner
endpoints,
but
the,
but
the
purpose
is
that
it
tells
the
user
the
mean
that
is
some
china
endpoint
from
other
member
clusters.
It's
not
a
local
thailand
bond
and
it's
also
almost
the
spec,
is
almost
the
same.
H
Okay,
the
tunnel
endpoint
export
input
process.
This
actually
is
almost
the
same
as
the
service
expo
import
process.
So
it's
not
it's
actually
quite
straightforward.
It's
just!
Let's!
Let
me
simply
go
through
it.
You
know
that
so
once
the
user
chooses
a
node,
that's
giveaway
node
here
the
way
to
choose
a
nodes
gateway
node,
we
just
simply
add
an
annotation
here-
is
a
gateway
annotation
and
to
the
node
them.
H
Then
our
multicast
controller
will
watch
this
kind
of
node
event.
The
update
is
event.
Then
the
member
cluster,
the
member
clusters
controller,
will
create
a
corresponding
channel
endpoint
to
local,
and
you
will
see
a
local
china
endpoint
resource
being
created
and
including
just
some
necessary
information
and
of
course
it
depends
on
the
what
kind
of
a
node
change.
If
it's
a
gateway
node
do.
H
I
have
some
basic
steps
to
create
a
ton
of
endpoints
if
it's
a
general
node,
it
means,
for
example,
if
there
is
a
new
node
coming,
then
we
know
that
there
is
a
new
part
of
cider
will
be
used
in
this
member
cluster.
So
so
it
will
be
also
reflected
in
our
china,
endpoint
subnet
and
okay.
When
the
entire
endpoint
is
created
locally,
then
the
multicaster
controller
will
watch
these
events,
and
you
know
it
will
follow
the
resource
exchange
pipeline
rapids
into
our
resource
exports
resource
in
our
leader
cluster.
H
Once
leader
cluster
saw
this
kind
of
new
creation
event.
It
will
convert
it
into
the
resource
inc
import
in
the
leader
cluster.
So
actually,
when
the
new
resource
import
is
created,
then
the
member
cluster,
the
other
member
cluster,
will
watch
this
kind
of
events
in
leader
cluster.
Then
it
will
convert
it
and
write
a
new
channel
and
tana
endpoint
import
locally.
Maybe
if
you're
not
familiar
with
a
framework
of
multicultural
might
be
not
so
it
might
be,
some
can
be
confused.
H
H
We
have
to
do
something
in
the
entire
agent,
so
we
introduced
my
class
feature
and
in
the
android
agent
configuration-
and
here
I
just
add
a
new
feature
here-
named
mathcaster
and
also
unnecessary-
a
new
global
virtual
mac-
it's
it
will
help
us
to
distinguish
the
cross
cluster
traffic
and
in
our
current
design,
you
know
that
we
plan
to
support
the
in-cap
mode
only
at
least
in
first
release.
So
we
will
reuse
the
existing
china
interface
interface
and
it's
so
we
don't
have
to
create
a
another
new
term
interface
for
cross-cluster
traffic.
H
Here
here
is
actually
some
sample.
The
open
flow
sample,
which
is
working
in
the
it's
some
snapshots
from
my
poc
codes-
and
I
think
maybe
we
don't
have
to
jump
to
the
detail
or
my
one
thing
might
be
highlighted-
is
that
there
is
a
new
field,
this
about
the
import
that
will
be
used
because
once
we
reuse
the
existing
tunnel
interface,
it
means
some
traffic
will
go
this
tunnel
and
it
will
also
be
forwarded
in
this
through
this
same
tunnel.
H
H
H
So
once
you
have
overlapping,
I
think
the
behavior
is
not
ex
will
not
be
supported
and
we
want
to.
Maybe
the
network
communication
might
be
broken,
and
so
in
the
future
we
may
support
ipo,
lapping
and
also
you
know
in
first
in
this
design.
I
just
reuse
the
tunnel
interface
and
we
will
use
the
default
in-cap
mode.
The
geneve
so
in
the
future,
maybe
we
can
introduce
ipsec
and
also
the
class
set
dns,
because
even
we
have
the
database
connectivity,
we
can
communicate
between
each
part
or
service.
H
F
F
H
F
H
H
H
H
You'll
see
that
in
a
leader
cluster
or
leader
namespace,
so
we
have
a
one
multicast
controller
and
the
input
system.
We
have
another
controller,
it
took
place
as
a
member.
This
one
is
leader
and
it
will
watch
the
our
annotation
for
the
note
and
to
create
hana
endpoints
for
now-
and
I
already
have
some
I
already
already
created
or
not
pick
up-
one
node
as
gateway
in
c2.
So
you
will
see.
D
H
H
H
Yeah,
you
can
see
that
it's
actually
a
sim,
it's
a
sim,
almost
the
same,
just
a
different
result,
a
different
resource,
but
the
the
content
or
the
stack
is
the
same
because
we
only
want
to
get
the
outsider
and
the
suicidal
right
and
eventually
the
member
cluster.
The
c2
member
cluster
will
get
the
notification
of
this
creation,
this
resource
information
and
that
gets
a
new
endpoint
imports.
H
H
You'll
see
that
the
critical
information
is
wiser,
of
course
we're
not
critical,
but
so
we
all
we
are
more
concerned
about
the
private
ip
for
remote
tunnel
setup
and
also
those
subnets
used
in
in
a
c1,
a
member
cluster.
Let's
go
and
let's
see,
go
back
to
see
it's
actually
almost
the
same
you'll
see
here,
it's
a
private,
ip
and
the
subnet
type
to
be
it's
being
imported
in
c2.
H
H
Yeah,
you
will
see
that
we
can
communicate
to
the
service
directly
but,
as
I
said,
we
use
ip
rights
the
ideal
way.
I
think
it's
better
to
use
the
dns,
but
for
now
it's
it's
not
so
ideal,
but
the
datapath's
connectivity
is
working
now
yeah.
I
think
okay
yeah.
I
think
that's
all
for
my
demo
and
the
design
presentation.
Let
me
know
if
you
have
any
question.
A
A
H
A
A
F
F
A
A
A
D
I
H
I
H
I
I
H
H
A
A
All
right,
it
seems
then,
therefore,
it
might
be
all
for
today.
I
would
like
to
thank
as
everyone
for
attending
and,
most
importantly,
many
thanks
to
grayson
and
lan
for
providing
two
very
nice
presentations
and
demos.
So
thanks
again
for
attending-
and
I
wish
everyone
a
good
night
good
afternoon
or
a
good
day.