►
From YouTube: Antrea Community Meeting 11/21/2022
Description
Antrea Community Meeting, November 21st 2022
A
Perfect
so
good
afternoon,
good
morning,
good
evening
or
good
whatever
is
in
your
time
zone
and
welcome
to
the
distance
of
the
Andrea
community
meeting
today
is
at
least
in
this
time
zone
is
Tuesday,
20
November,
the
22nd,
and
for
today
we
have
an
update
from
China
regarding
the
API
changes
for
layer,
7
metropolitis,
so
Sean
yeah
you're
a
sharing
the
screen.
So
please
go
ahead.
B
We
make
a
change
to
the
level
7
policy
API
and
now
our
proposal
is
to
merge
the
the
seven
policy
to
the
existing
layer,
3
and
therefore
their
policy,
and
we
made
this
change
because
of
several
considerations,
including
that
first,
it
is
easier
to
manage
all
Security
in
one
place
if
with
a
separated,
seminal
policy-
and
maybe
we
will
need
another
cluster,
scoped
70
policy
user
will
have
file
apis
to
manage
the
security
of
their
workloads.
So
it
sounds
a
little
bit
complicated
and
second
is
after
receiving
many
feedbacks
about
use
cases.
B
B
It
would
require
the
user
to
be
more
careful
when
they
want
to
use
the
seven
airports,
especially
when
they
want
to
lose
their
workload,
need
to
use
multiple
protocols
and
if
some
of
the
protocols
are
not
supported
by
the
seven
features
yet,
for
example,
with
separate
clsm
API,
because
the
near
policies
are
enforced
in
different
stage,
so
a
traffic,
the
traffic
must
be
first
allowed
by
the
three
under
their
foreign
policy.
Then
it
must
be
allowed
by
The
Seven
Year
proceed.
But
you
know
some
Protocols
are
not
supported
by
the
70
policy.
B
For
example,
my
circle
already
some
database
protocol,
but
we
will
have
to
scope
the
traffic.
We
will
need
to
define
the
scope
of
the
traffic
that
will
be
handled
by
you
know
70
policy,
otherwise
they
will
still
be
dropped
by
the
seven
after
enforcement
of
layer
4..
So
on.
On
the
other
side,
the
the
user
must
guarantee
that
the
traffic
must
also
be
allowed
by
level
4.
So
they
need
to
consider.
B
It
is
more
consistent
with
the
assessing
existing
Solutions
if
we
import
the
the
seven
protocol
into
the
340
policy
in
which
investigated
several
existing
solutions
that
supported
our
seven
firewall,
including
NSX
and
cilium
and
Calico,
although
the
behavioral
behaviors
are
a
little
different,
but
the
API
design
is
very
similar
so
to
be
consistent
with
existing
solutions
to
and
give
user
constant
experience.
So
we
are
also
following
this
style
and
after
making
this
change,
there
has
to
be
some
a
few
limitations
because
of
the
a
restriction
of
implementation.
B
For
example,
as
you
can
see,
from
the
new
test
charge
of
the
network,
we
have
added
1.7
protocol
s
failed
to
the
existing,
therefore
law,
and
but
it's
it
its
meaning.
It's
a
little
different
from
others,
for
example,
for
this
port
and
the
protocols
their
relationship
is
all.
It
means
that
you
could
use
ports
to
define
the
port.
The
traffic
should
match,
or
you
could
use
broadcast,
to
define
the
other
non-tcp
and
non-uvp
protocols
such
as
ismp
and
ijmp.
B
To
scope
traffic,
it
doesn't
mean
that
their
relationship-
it
is
not
all
but-
and
it
means
the
traffic-
must
first
match
the
the
ports
field,
and
then
it
will
be
sending
forward
into
public
the
last
seven
a
well
engine
for
protocol
detection
and
the
lower
enforcements,
so
the
post
office
there
should
be
matched
and
because
we
support
only
allow
list
allow
this
term
for
now.
So
the
with
this
field
being
said,
the
action
can
only
be
allowed
at
the
moment.
This
limitation
exists
exists
in
other
solutions
that
are
supported.
B
R7
therefore
say
two
because
most
of
the
the
seven
engine
supports
only
white
list
or
Blacklist,
not
mixed
priority
against
style
loss,
and
as
long
as
the
traffic
matches
the
level
4
criteria,
the
traffic
will
either
be
allowed
by
the
if
they
match
their
seven
protocols,
otherwise
they
will
be
dropped
so
any
rule.
After
the
last
seven
book,
one
will
not
be
enforced
if
the
traffic
already
matches
earlier
for
the
criteria.
So
this
is
the
limitation
that
we
we
have
to
had.
B
We
have
how
to
have
because
the
implementation
registration,
but
it
shouldn't
affect
the
actual
use
case.
For
example,
I
I
listed
two
use
cases
we
received
in
the
last
community
meeting
the
first
he
said
for
an
implication.
I
know
that
my
my
workload
only
serves
as
a
HTTP
server.
So
what
I
want
to
do
is
I
only
want
to
let
the
clients
to
accept
my
workload
using
HTTP
protocol,
because
this
is
the
only
one
it's
supposed
to
be
used.
So
this
is
what
this
could
be
put
agnostic.
B
Equally,
we
could
Define
such
a
rule
to
allow
only
HTTP
request
and
the
master
match,
with
the
hosted
name
and
regardless
of
the
transport
protocol,
of
course,
is
TDP
and
you
can
solve
the
port
being
used.
So
this
is
one
use
case,
and
another
use
case
is
I
know.
My
application
well
depend
depend
on
some
other
services.
B
So
the
the
database
service
traffic
will
first
be
allowed.
Then
all
TCP
traffic
or
otcp
traffic
with
this
port
specified
can
only
be
http,
and
my
my
application
may
also
need
to
access
DNS
service,
so
I
I
will
also
I.
Can
I
could
also
specify
another
udv
Port.
This
could
also
be
moved
behind
this
behind
this
level,
seven
and
Rule.
B
C
C
B
B
All
in
English
traffic
must
match
HTTP
Protocol.
No
other
traffic
will
be
allowed,
regardless
of
the
port
being
used.
You
could
use
a
port
80
to
access
HTTP
service.
You
could
use
other
Port
as
well,
but
regardless
of
the
port
being
used,
they
must
be
HTTP
request
and
if
you
want
to
only
to
say
you,
you
know
that
your
application
will
only
run
on
a
specific,
listen
to
a
specific
Port.
Then
you
could
also
Define
the
scope
of
the
the
the
traffic
that
the
last
seven
engines
should
inspect
with.
B
B
C
B
If
we
we,
if
we
don't
have
this,
it
means
that
all
traffic
will
be
allowed
right,
but
if
this
is
a
pure
level
four,
so
actually
the
level
criteria
is
used
to
scope,
the
traffic
that
will
be
inspected
by
the
7
engine,
so
this
this
lure
already
will
handle
all
incoming
traffic
yeah
under
the
isolation.
Well,
of
course,
we
are
happy
because
it
will
only
be
allowed
once
this
match
and
if
this
seven
protocol
is
not
matched,
they
will
be
chopped.
B
C
Well:
okay,
but
I'm
just
I'm
just
worried
about
not
only
you
know
the
the
meaning
of
it,
but
also.
How
do
we
implement
this
like
right
now
on
the
layer,
4
layer,
4
case
this
would
be,
will
be
as
is
right
and
and
right
now
you
know
if
we,
if
we,
when
we
introduce
the
L7
protocol,
I
I
do
feel
like
this
is
a
huge
change
in
the
semantic
potential
semantic
meaning
of
the
rule.
C
B
Yeah
yeah
I
understand
that.
That's
also
why
it
was
not
closed
proposed
in
this
way
in
the
beginning,
but
after
more
discussion,
we
found
that
if
we,
if
even
if
we
have
a
separate
last
Seminary
policy,
there
has
to
be
some
limitation
and
there
has
the
meaning
of
the
women
how
to
do
some.
Something
in
therefore,
as
well
to
make
the
work
together
and
we
will
also
need
to
search.
B
B
I
understand
your
concern,
but
better
for
my
investigation
that
other
solutions
that
use
this
style
also
has
this
limitation.
Even
they
support,
allow
and
deny
job
and
they
support
the
priority.
But
actually
the
priority
does
not
even
play
a
lot
in
the
when
the
blue
is
seven
yeah,
but
at
least
we
in
our
in
our
limitation
with
their
respect
their
priority,
and
it's
just
that
we
we
will
have
a
default
deny
when
the
traffic
is
already
handed
by
the
7
engine.
C
E
I
have
a
small
question
in
my
understanding:
I
think
the
learn
form
rules
is
used
to
filter
the
traffic
tools
and
there
are
seven
engine
and,
and
then,
if
we
don't
limit
the
large
wall
traffic,
then
all
related
traffic
will
be
found
in
the
2007
engine
and
the
only
the
only
the
rule
defined
by
layer
7
will
be
allowed.
Another
other
track
bill
will
be
dropped
instead
of
my
insta
is
my.
Is
that
my
understanding
right.
A
A
You
know,
I'm,
not
really
considering
the
impact
from
from
a
implementation
or
from
an
implementation
perspective,
because
in
a
way
another
will
find
a
solution
there.
One
aspect
that
probably
we
want
to
consider
here
is:
what
do
we
need
to
document
for
users?
So
is
there
any
caveat
that
we
need
to
document
or
it
would
be
like
just
standard
entry
or
network
policies
within
addition,
because
from
what
you
told
me,
I
think
there
are
some
some
aspects
that
users
must
be
explicitly
aware
of
right
when
they
want
to
configure
layer,
7,
Network
policies.
B
B
A
F
F
So
you
know
that's
in
in
cap
mode,
when
we
have
those,
let's
talk
the
in-class
traffic,
it
will
go
through
the
tunnel
right,
even
even
it's
in
cluster
traffic
or
even
it's,
a
cross-cloud
traffic
or
traffic
will
go
to
the
tunnel
interface
and
it's
all
controlled
by
our
entry
agent,
our
own
children,
the
primary
ceiling
and
the
multi-class
traffic.
Well,
one
thing
that
I
like
to
highlight
is
that
the
multi-class
service,
for
example,
here
it's,
we
call
its
multi-class
service
and
it
has
some
endpoint.
F
The
end
point
is
the
plus
IP
from
other
member
clusters.
For
example,
here
you
can
see
the
service
full.
It
has
Part
B
the
IP
is
192,
but
it's
not
the
endpoint
of
the
multi-class
endpoints.
We
will.
The
multicast
endpoint
will
be
the
service
class
IP.
So
you
will
see
that
so
when
you
are
trying
to
access
from
the
port
a
in
the
member
Class
A
and
the
part
A
actually
access
this
IP.
This
is
IP
is
the
class
IP
which
is
generated
by
the
local
member
cluster
a
and
it
will
be
have.
F
It
will
have
a
new
endpoint.
This
endpoint
will
be
maintained
by
entry
Mart
cluster,
the
endpoints
will
be
the
class,
so
remote
service
cluster
IP.
So
here
is
which
I
like
to
highlight
before
we
move
forward,
and
one
thing
as
I
mentioned:
all
traffic
is
in
the
tunnel
and
we
have
it
in
the
income
mode
right.
But
now
we
like
to
you
know,
run
those
traffic
in
network
policy
only
mode
and
in
nail
polish
on
mode,
the
entry
is
no
longer
the
primary
cni.
F
So,
as
you
can
see
here,
the
assumption
is
no
longer
meet
and
it's
no
tunnel
interface
and
it
has
no
tunnel
between
nodes,
even
in
cluster.
So
even
we
set
up
those
tunnels
between
different
member
cluster.
Here,
like
this
to
support
a
multi-class
traffic,
we
still
need
a
way
to
you
know
because
we
have
a
Gateway.
It
should
class
the
member
cluster.
We
need
to
make
sure
that
all
traffic
goes
to
the
Gateway
first,
then
it
goes
out
to
other
member
cluster.
F
If,
let's
take
the
E
case
as
an
example,
the
all
the
traffic
will
go
through
the
were
controlled
by
the
Primacy
eye,
the
corresponding
roads
will
be
set
up,
so
the
part
actually
will
not
go
through
the
tunnel.
One
thing
is,
there
is
no
Tunnel
right
and
another
thing
that
or
those
three
roads
will
be
added
by
the
primary
cni.
F
F
Of
course
it's
for
cross-cluster
traffic,
only
for
local
cluster
traffic.
We
don't
want
to
impact
them
and
another
thing
that
we
need
to
set
up
the
roads
between
the
Gateway
and
the
general
node.
So
we
can
make
sure
that
all
cross-class
traffic
can
be
forwarded
from
or
rotated
by,
the
Gateway.
Only
right
and
the
next
thing
that
which
is
a
new
funding
that
last
time,
I,
missed
I,
think
we
also
need
to
you
know,
update
those
containers,
interface
MTU,
because
we
have
the
tunnel
interface
here
and
for
any
cross-class
traffic.
F
We
need
to
reduce
them
to
you,
so
it
cannot
be
dropped
when
there
is
a
large
package
so
for
now,
I
think
this
is
also
another
Trend.
We
need
to
make
it
make
in
the
entry
agent
and
actually,
since
last,
community
meeting
I
I
think
the
first
design,
which
is
a
little
complicated,
and
we
have
a
follow
offline
discussion
with
a
few
people
and
here
actually
comes
up
a
new
Option.
F
F
But
after
a
few
discussion
we
think
that's,
it
might
be
simpler
to
just
create
a
lower
Swift,
rewarding
which
you
can
consider
that
it's
as
part
of
the
roads
inside
of
the
OBS,
instead
of
Let
It
Go
controlled
by
the
primary
cni
rights
we
need
to.
We
need
to
capture
those
traffic
figure
before
it
goes
out
and
controlled
by
the
prime
ministeri.
So
we
need
to
add
the
research
forwarding
rule
for
each
part,
I
think
the
first
option.
F
If
we
set
up,
then
each
part
in
the
level
straight
forward,
it
might
be
a
huge
number,
but
after
a
few
discussions
we
think
that
so
one
thing
is
that
the
CT
module
will
introduce
some
performance
issue
or
we
say
the
latency
and
and
actually
in
the
narrow
policy,
only
mode,
it's
usually
running
in
the
public
cloud
and
the
part
number
should
be
not
so
big.
So
actually,
even
we
add
a
one
rule
per
part,
it's
a
it
should
be
acceptable.
So
actually
I
do
that.
F
F
So
here
is
the
original
proposal
and
and
in
the
original
proposal
that
we
also
use
the
CC
label
to
save
the
The
Source
Tana
IP
of
the
request.
You
know
that
when
we
have
a
request
package
from
General
nodes
and
from
a
pod
or
general
node
to
the
Gateway,
the
Gateway,
the
reply
package,
we
won't
be
able
to
know
which,
which
node
it
should
be
forwarded
back
to
so
we
use.
F
F
To
tell
that,
for
example,
here
is
a
pod
Original
Part,
which
we
can
say
it's
a
clan
pod,
it's
IP
and
when
it's
a
parties,
this
match
to
this
IP-
and
we
will
set
the
right
tunnel
here
and
the
only
thing
we
need
to
do
is
to
watch
the
part
event
to
set
up
this
kind
of
rule.
The
difference
between
the
option
A
is
that
the
option
A
we
might
not
need
there
might
be
1B,
so
many
important
rules,
but
in
this
option
b
we
may
have
one
rule
for
one
part.
F
So
when
the
party's
number
is
Big,
then
we
will
have
a
long
list
here,
but
after
I
think
based
on
our
experience,
we
think
that's
a
the
performance
or
the
latency
introduced
by
this
rules
number
should
be
acceptable.
So
there
are
two
options
and
I
did
some
Performance
Based
on
these
two
options.
Actually
you
can
see
that
see,
option
A
or
the
the
original
design
at
and
and
the
option
b
in
the
TCP
type
string
type
of
test.
F
It
has
not
much
difference,
I
think,
but
for
these
two
it's
actually
has
a
slight
improvements.
If
we
goes
to
the
plan,
B
sorry
the
option
b,
of
course,
the
option
b-
I
only
add
one
rule
for
the
Pod
IP.
So
it's
actually
no
huge
open,
Flow
rule
list
in
the
environment,
so
the
number
might
be
not
so
precise,
but
it
can
tell
us
that
if
we
don't
have
the
city
label
in
the
in
the
process,
it
may
help
on
the
latency
and
help
to
increase
the
transaction,
a
number
yeah.
F
F
Think
of
when
the
end
point
of
the
multi-cluster
is
the
local
service
class,
the
IP
and
the
part,
the
client
part
is
trying
to
go
to
the
local
service
backend
in
the
same
cluster,
the
actually
the
product
traffic.
It
won't
be
go
to
the
tunnel
traffic.
If
we
didn't
do
anything
regarding
this
part,
the
traffic
will
go
through
the
Gateway.
A
No
thanks
a
lot
for
your
presentation,
Lan
at
least
no
question
from
my
side,
we'll
need
to
find
the
solution
for
stretch,
Network
policy
support
because
I
still
thinking
as
a
user.
It
will.
It
feels
rather
awkward
if
we
have
a
network
policy
only
multi-cluster,
and
then
we
are
not
able
to
support
stretch
Network
policy
in
that
modality
in
that
mode.
So
yeah,
we'll
we'll
we'll
need
to
figure
out
a
solution
for
that
that
I
don't
know
if
a
young
angry
isn't
already
have
some
idea.
F
C
D
C
C
A
A
Well,
it's
fair
to
say
that
probably
there
are
no
other
topics
for
today.
In
that
case,
I
would
like
to
thank
all
the
attendees
for
for
attending
through
this
meeting,
in
particular
thank
John
and
Lan
for
presenting
about
layer,
7,
Network
policies
and
network
policy
only
multi-cluster
mode.
So
thanks
again,
thanks
again
for
your
presentations
and
I
would
like
to
wish
everyone
a
good
day
a
good
afternoon
or
good
night.
Thanks
for
attending
and
I'll
see
you
in
two
weeks
time.