Description
Join Amim as he schools us on the sig-windows-dev-tools platform for building Windows Kubernetes clusters and testing them with real CNIs (Antrea, Calico).
A
C
Yeah, a long time no cj, I, yeah, I'm not sure if you guys know me. I've been here like once, and I merely work on the Antrea network policy side, and recently I also work on the Antrea Windows, so yeah, good to see you.
D
Okay, cool. Hi, guys, I'm Zach, so currently I'm working on the networking stuff on Tanzu. Pretty recently, I have worked on Kubernetes-related stuff like CI/CD, DevOps and SRE monitoring, these kinds of things. Yeah, nice to go.
A
B
Ford, go ahead, yeah. So what's the plan for today? I mean, like, do you want to go over the news or, oh yeah, you're gonna start with the news, right. So this is gonna be a really cool show, because Amim is one of the major drivers of the KPNG project and he's also driving a ton of stuff in the Windows community around the kube-proxy, and he also is doing a ton of work downstream at VMware.
B
So, like, I don't think he ever sleeps, and he's just been super deep, super deep in the way Windows proxying works and some real deep internals in the way the kube-proxy works. So he's going to teach all of that to us today. So big thank you for coming on the show. What's up, Doug. I see a lot of people here. Mike, Mike Zappa is here, which is cool. Another CNI pair is here, and Scott is here, so we've got all of our good friends here.
B
This is great, thanks for, go ahead. Let's get started with the news. I mean, let's, and thank you so much for running the show today. All right, thanks.
A
Cool, so we separated some news and some exciting stuff that's going on. So the first one is a refactor from Antonio.
A
We had some issues with service IP allocation on cluster IPs, so there are some conflicts, in some cases, where the initial IPs that are allocated as static IPs end up conflicting with the dynamic IPs allocated. So to solve this, Antonio had the idea to refactor everything and create this KEP for balancing the static and dynamic IP allocations on your cluster.
A
So when you start a new IP server, like a cluster IP service, it gets the one, the dot one in your list, and for DNS it gets 10. And then what Antonio did was to get some step and, based on your CIDR, create like this range to ensure things will not conflict. So if you are interested in this kind of cluster API server and how these things work, this is a very good read.
A
Next, we have CSI proxy by James. Jamie created this post here. So this blog post is pretty cool. It shows how to set up the CSI proxy with a driver like the CSI SMB driver, and it allows you on Windows to mount a new shared folder from your Windows service. So you have another Windows service and you can create, like, this SMB mount as a storage class and reuse
A
this storage class as a persistent volume claim and mount these on your pods, and this is super cool, so you can use, like, the default Windows sharing standard. It was, at least, like 20 years ago. I don't know right now, but you can use this mount on Kubernetes. It's cool.
A
So next we have the 1.24 release cycle. This started two days ago and the release will finish on 19 April. So a lot of things are going to come into this new release.
B
B
And I know Scott, Parent and Doug are all here, which is great, and then Mike, but xql, I don't know who you are, but yeah, let us know where you're from and where you're coming from. It's great to see new people joining the show. That's why we're here.
B
Also, we should really thank Jamie for that blog post, right, on the CSI proxy stuff. It's funny, I have a meeting about that tomorrow at work.
A
B
B
A
The last news we have here in the list is, like, from all the exciting things that are happening, like, finally, dockershim is being removed. Like, it's not only deprecated but totally being removed with dims open up your, and this is merged, and it goes to 1.24. So don't be scared, because there are other alternatives, and this is pretty cool, because we can use only one container runtime interface and standardize everything.
B
It's finally out. So you were telling me earlier, I was telling Amim, I was like, come on, this is corny, like how many times can we make the same announcement over and over again? But then he told me, I didn't know this, that it's actually entirely deleted from the code base now. I didn't actually know that, yeah, so Amim proved me wrong yet.
B
Yeah, so I promised Amim I would at least give a quick introduction, because he's already got a running system. We're gonna talk about the sig-windows-dev-tools project, so just keep that up while I vagrant global status, delete and rebuild my environment here. So okay, do you wanna share your
B
I'm coming, I'm coming, right, but there it is, okay. Here we go, so all right. I'm gonna vagrant destroy my environment, destroy, cd source, cd. So the sig-windows-dev-tools is a project that me and Friedrich and Amim and several other people around here work on a lot. Jamie Phillips has helped us a lot on it.
B
C
Sorry for the introduction. Okay, okay, maybe you should zoom in a little bit.
B
So maybe we can get, maybe since our friend, let's take windows dev tools, let me, while this dev tools, here it is, yeah. So maybe since Grayson is here, right, we can actually, maybe we can get the Antrea folks to start using this more often, right. So this is out.
B
You know, yeah, you know Vicky tried it out recently, or not Vicky, and so this is our development environment for Windows. Before this project existed, really there's no easy way to just, like, from source spin up Kubernetes with a Windows kubelet with the real CNI that worked, right. That was like a big project, like you'd have to sit there all day on a Saturday, and you know, Doug,
B
I mean, there's great ways to run in Azure and in AWS and in vSphere and other places, like with a production Kubernetes environment, but there's no open source, easy-to-follow automated recipes, so, like, we made that and it's completely from source, and so I'm real excited about it. You can see we got contributors from Rancher, from VMware, from SAP, from all over the place, and so I'm destroying my environment and making a new one, and that's really all it takes.
B
You could just clone this repository and literally run make all and it will compile Kubernetes for Linux and Windows, like the actual kubelets, and then it will deploy those kubelets, right, and then it will, you know, deploy them with the API server and etcd and everything else, and after doing that it will put a real CNI, meaning Calico or Antrea.
B
You can pick either one, even though I think I broke Calico yesterday, but it'll install either one of those CNIs for you, right, and it'll spin up a cluster with one Windows node, one Linux node, and you can just vagrant ssh into it and you can hack around on there. You can run end-to-end tests. You can do all sorts of stuff on there. So it's a really great way to learn about Kubernetes on Windows
B
on your laptop. Like, you don't need anything else, right, no cloud required. So that's the sales pitch. Amim is going to go deep into the details of how this works, of how Antrea works on it, and then something else real interesting about some of the, like, intricacies of how some of this kube-proxy stuff that we've been looking at, like in the KPNG project and other space, especially for Windows, sort of plays into the whole Antrea proxy story.
B
B
Yeah, let me switch over to here.
B
Yeah, let me open VS Code.
C
B
B
Yeah, so the way this works is, like, at the very top level, there's a Makefile, right. You're not sharing your screen. Oh, I'm not, wait! Here we go, sorry. Yeah, at the very top, there's a Makefile, right, and so, you know, the first thing we do is we fetch Kubernetes, we build the binaries, then there's this vagrant step, and then there's like a little smoke test and we run a little e2e test, right. And so, when you run make all, it sort of like
B
does all these in order, right. And like what we do for CNIs is we kind of have forked some of the installation utilities for the CNIs so that we could sort of have our own, so that it's kind of hackable. So we've, like, copy-pasted code from Antrea and Calico into here, and these are PowerShell scripts, because again, these are Windows installers for the CNIs on the kubelet, right. So what happens is, when the Windows node comes up,
B
it, like, runs this script, and this script goes off and it sort of, like, you know, makes these directories, and then it runs these Antrea installation steps, right. And, you know, at some point we'll be able to entirely converge with Antrea upstream, but we found that it was easier for us to make edits locally in this repository, having sort of forked these scripts. We do the same thing for Calico, right, so for Calico, we do the same thing. We have these scripts.
B
They basically do the same thing that the Calico installers do, right, but it allows us to debug things at a really low granularity inside of this repository, right, and we actually commit the Calico, like the YAML itself, to our virgin tree, and so this helper is for Antrea. We should probably name it Antrea helper or something, and so, like,
B
these are the scripts that run after everything comes up. If you're interested in the kubernetes-sigs image-builder, so Amim has done a ton of work on this. Can you talk about this, Amim?
A
Yeah, sure, so I have a documentation. Maybe you have a README here that can help. Basically, what we do here is to copy these OVA-like images that people are using on upstream. So there is a project called image-builder, and we are using this image-builder project to create our own version using the VirtualBox environment.
A
B
And the cool thing about that is, like, you know, for vSphere, for Tanzu, for example, for Tanzu we use image-builder. Like, if you spin up a Windows cluster on Tanzu or on, you know, CAPZ, things like that, you're using image-builder a lot of the times to build your images first, and image-builder builds an OVA, right. It builds an executable, like an operating system that you can load, and so, when you use image-builder, it's like, well,
B
B
A
All right, that's cool, so let's get more details on this image-builder stuff. So this is pretty cool because, as I say, we are using a battle-tested process to create this image, and we are using, like, kube image-builder is using this Packer.
A
A
A
So, as Jay was saying, like, basically, this Vagrantfile creates for us, like, two machines: one that's the control plane and the other is the Windows. So the control plane here is a Linux machine, because we don't have Windows control planes, but the worker, the second machine that runs as a node, is a Windows node, and this is where the cool part goes, because we are using PowerShell scripts to bootstrap this configuration here. So after, the process is pretty straightforward.
A
So the first time you run this, the node joins the cluster that exists, like here, and it creates, like, a lock and goes to the CNI. We support Calico and Antrea, but for sure Antrea is coolest, so we have, like, shell scripts that run to install the CNI. So after you have this installed, you have your node joined, your node's ready to go. Before we go straight to the shell to show how these things work,
A
I want to go briefly on how we installed Antrea in this, what this Antrea script does and the challenges we had to bootstrap these Antrea Windows. Like, I know Grayson is an expert on OVS and
B
A
Yeah, so I would like to thank Alinda. He is a developer on OVS and vSwitch and all this stuff, so he knows a lot of things about how to run OVS anywhere, so he's a core developer there, OVN and OVS.
A
So what we're learning in this process, running these binaries here, like the OVS is the data plane. So Grayson, can you explain, like, what's the deal with the OVS in this entire architecture? I think you can do.
B
C
Yeah, sure. OVS kind of works as, for example, since previously I'm mainly working on the network policy, and the OVS is kind of like the enforcement. They will enforce the network policy. Our network policy will translate to some OpenFlow rules in the tables, and the OVS will do, like, the forwarding and also enforce the network policy, like this packet should be dropped or rejected, and something like that, yeah. It's kind of underlayered, it's the data path.
B
Yeah, yeah, it's like, yeah, it basically does, yeah, it's a virtual switch that lives in your, and so you could do anything with it. You could build your own software-defined network with it inside the, we have a really cool episode with Grayson, where I trolled him for like 90 minutes and made him show me how to go into the OVS tables, and actually you can install Prometheus metrics and you can see what OVS rules are being written on Antrea.
B
Yeah, all of Antrea is driven by Open vSwitch, right, that's the core technology. It's like, you know, Cilium uses eBPF, Calico uses, you know, BGP, and so on and so forth, and for Antrea, the backbone of it is OVS, and installing that on Windows, that's kind of the real important thing that you need to do if you're running Antrea on, yeah, absolutely, as your CNI, yeah.
A
Yeah, so on those scripts that Jay showed, I'm not sure if it makes sense to show this again, but you're
B
C
Actually, this is kind of like off my range.
B
NSX, can't you do it in NSX? Yeah, definitely, right. Like, if you're running NSX, then I think you can offload a bunch of stuff. I don't know if you can do it in other clouds, but at the very least I know you can do stuff when you're running Antrea and NSX, and you could turn hardware offloads on and off, and it works faster and better in newer versions than in older versions.
B
A
Okay, so the first thing, when we downloaded this binary, is like installing OVS from our script.
A
Basically, the binary here, like what we need to spin up, like vswitch or blah blah, the binary that we needed was not coming up and the daemon was not coming up, and this service here was not running and nothing was showing. Like, you type the command and you press enter and nothing was showing up. So, talking with Ali,
A
we discovered that there are a few libraries missing on this thing, even if there was no output like "it's missing libraries" or I don't know. I was like, what is the ldd to show me what's missing? And he showed me, like, this project here. This project can open the binary and show you the dependencies of your binary, like an ldd can do. So we could get what DLL is missing and download these later.
A
So this is basically what was missing: the Visual C++ library, and it was missing, like, the SSL library. So by default our image-builder doesn't have that, and the Antrea package that we have upstream doesn't have that as well. So it was kind of a pain to discover what was missing and was not on the Windows. But that's cool.
C
A
Cool, so the other crazy thing that we spent a lot of time debugging and learning was, when you have multiple NICs in your machine, the kubelet and the CNI can choose, like, the wrong interface to do both the tunneling and bootstrap the node. So when you run, like, your node, a lot of stuff here, but when you do, like, your node and you get one IP when you
B
D
A
A
A
I think it was Calico with VXLAN, right, but yeah, Antrea as well, I remember, yeah.
B
We had a bug, yeah, like, I think they fixed it. I think it was fixed, but now in Antrea, it used to be in Antrea, I think it, like, did a default selection of the NIC or something, and now I think, because I filed an issue about this when we first saw this and then they fixed Antrea, so that you can sort of arbitrarily, like, when it comes up, it doesn't just bind to the first device that it sees, which is what it normally did for Windows.
A
Okay, so basically, this script runs, like, installs for two binaries, like install OVS, that's your services, and install kubelet and kube-proxy, more two services. So we have four services, and you have the Antrea agent. That's five services running on your Windows by this script. So that's everything that the node needs to join the cluster and start treating the workloads it receives.
A
That's basically how we install the CNI on this project. Some other crazy stuff, we'd pass it like the buggy. I think the hard part is to get the debugging stuff and, like, a fix, what's breaking, so, but this was pretty cool as well. The pod was not loading. Like, we could schedule the pod, and the pod was, like, with some random error like "failed to reserve sandbox name", and I was like, whoa, how can we solve this thing, like, I don't even have one over here, so
B
Yeah, like in this case kubectl describe wasn't working, right. So in Windows, if you have such a low-level containerd error that, like, you could kubectl describe something and if containerd, I think what we found, right, I mean, you were telling me earlier, it was like containerd was failing at the CNI level on attachment, but kubectl describe wasn't giving us the actual error for it, right. That's correct! That's correct!
A
Yeah, so this is the double event racing. That's the default place that containerd puts its log. I had no idea how to get this thing, so James showed me how to do that in one project he was working on in SIG Windows. He created, like, this host process and he created
A
I don't know what that Visual Studio, Microsoft thing is called, that extracts the data for you, the output for you, and prints it for you, so you can create a pod inside your node with this host process capability and extract this log. And for this we need the host process Windows feature flag, because we are using by default one of the old versions of kube.
B
A
A
So I was like, okay, what other approaches do we have here, right? So I discovered this service management thing, that you can reconfigure your services on Windows, and then I could redo the path and add the logs, and now I could output the logs here, but I think that there should be better ways. So the problem is that we're using a CNI configuration from Linux with a non-existing CNI.
B
A
Yeah, so what happened with these binaries here is that when the pod ups, the binary runs, so you can, like, allocate IPs and do more stuff, and you can configure the plugins. The plugins reside in opt/cni/bin, and what happens is that we bring the Linux version with binaries that are not here. So the output was not shown to me, like, the error was not being shown in the portland, but enabling containerd logs showed me there, and this was fixed.
B
Okay, cool, yeah, so these are all tricks. You know, the thing to keep in mind if you're getting into Windows and you're getting into Antrea networking on Windows, or really any CNI, it's like these are tricks to keep in mind. Like, you should reach out to us on SIG Windows on Slack, reach out to Amim, or Arvin's here too, he's fought with a lot of these problems.
B
Right, and you know, just ask us, but, like, there's tricks. For everything that you're used to doing in Windows, whether it's systemctl status or journalctl, for example, or, you know, top or any of those things, or ps, like, there's a PowerShell equivalent, and so we use those in Windows. It just takes a little while to learn what those are.
A
Yeah, shout-out to James and Mark from Microsoft, to teach me a lot of these tricky
B
ones. They taught me a lot of it too. Yeah, also, yeah, and Perry also showed me a lot of this stuff. Actually, and Stuart, who's not here, yeah, that's cool, Stuart Preston, he's a PM for Windows at VMware, he's my friend. He tests all this stuff before our CI can test it. I don't know how he does that. Okay.
A
So cool, yeah, the next topic is something we are experimenting with, like, so Kubernetes services and session affinity, and now we can, like, go to the cluster and take a look at what we have in the cluster.
A
B
How many people in the audience, do you all know what session affinity is? Does everybody understand what it is and how it works in Kubernetes, or have you ever used it? If so, let us know in the comments. It's kind of a lesser-known feature. When you make a Kubernetes service, you can give it this notion of session affinity that'll have it stick to a pod for a while, as opposed to
A
A
Yeah, so basically we have this session affinity by two things. Like None, we don't have any session affinity, or we have, like, session affinity by client IP, so your IP is bound to a particular pod if you request through the service. One of the only configurations that we have is a timeout. So it's like a time to live for this session.
A
So once this expires, we expect the load balancer, the load-balancing behavior, to happen again, right. So yeah, that's mostly what session affinity is at this point.
B
A
Yeah, for userspace, I think the behavior is a little bit different, but yeah, that's what we're going to see right now. So cool, we have, like, three pods running here. Like, we have this netshoot pod. This is like some fancy pod to debug network, that's the client. So we
B
A
That's correct, so what I'm going to do is put one pod on each node, so they are on different nodes, because we don't have, like, three, no, two Windows nodes. So we have two Windows nodes on the other environment. We can test there, but right now we have, like, pod one on the control plane and pod two on Windows, right, and what we're gonna do is get, like, this netshoot and do a request through the pod and see the behavior of session affinity.
A
I don't know, it's some fancy pod, some fancy container. It's
B
B
A
You go, yeah, so yeah. You are using this thing here, so my session affinity is five seconds, right, so I expect to have this load balancing going, you know, for five seconds on each pod. So you can count this thing, three, four, five, and then it goes to the other pod. This is the expected behavior of TTL in my opinion, and that's how Antrea proxy is implemented in cluster IP.
A
So when you say, we have, like, two kinds of services, and three kinds, more kinds of services, but for this test here we have two kinds of services that we are testing: a cluster IP, like the internal pod-to-pod IP, and a node port, and this allocates a high port in your node and is bound to your node IP. So you can access this from external places.
A
When you do node port, we do it through kube-proxy userspace in this version of Antrea.
A
Okay, I know we have a lot of features of Antrea covering that, we go on that later, but right now that's how it works. Node port goes to kube-proxy userspace and cluster IP goes to Antrea proxy. Antrea proxy is the equivalent of kube-proxy.
B
Yeah, so in this one, you've disabled, oh, you're looking at node port services first, right? This is a plain cluster IP call, cluster IP.
B
Yes, so in cluster IPs, we're only going to see the way that Antrea interprets session affinity, and then afterwards he's going to show us node port services. And when you run Antrea, the version of Antrea we're running right now, and you also run the kube-proxy, the userspace Windows kube-proxy will load balance your node port traffic for you, but the Antrea proxy, which is a newer feature, some people don't know about it.
B
A
Yeah, that's correct, so cluster, what I'm doing is, like, I'm hitting the service right now through the DNS, and there is a load balancer across the pods made by Antrea proxy, and that's the behavior we are seeing right now, so as
A
Cool, so what we are going to see now is another behavior, of a NodePort, so we are going to hit the same service but using the high port, so I am expecting to have the same behavior, like after five seconds.
B
Okay, so now we're looking at the Windows userspace proxy that's in Kubernetes in-tree, and we're gonna see how that works. So this is a really weird corner case, but we care about it in the Antrea community, because up until one release ago, we still relied on the Windows userspace proxy, right. So
A
B
B
A
Crazy behavior that we saw, and it was not working as expected, and things can go even worse, because there is a, in the middle of this thing, where the TTL is being ignored for userspace, yeah.
A
B
Yeah, this is really, I don't know how long it took for you to do these experiments, but I think this is great. So this helps us to, like, motivate to finish removing the userspace proxy from in-tree, right. It's been in there for a long time, but it doesn't really have much value anymore, so we're moving the userspace proxy out, and this is yet another reason why we're going to move it out. It doesn't seem to have the same semantics as it should.
A
Yeah, it's important to notice that the userspace is deprecated. We are, like, testing stuff, but you should not be using that in production by default. So we have
D
A
Features on Antrea that go versus the functionality, and this is the code that causes this behavior. Basically, we don't expire the session unless you do not request anything. So as you can see here, after you do a request, it saves the last used time.
A
So, worse than that, this affinity type is not updated, so, like, the TTL seconds is not updated. What happens is that the service creates this object here, the service serves inside the service map, and this TTL is never updated, so that the default is always the default. The value you save in our client service stuff is ignored, so even in userspace
B
Yeah, so G noted that, yeah, like, now, Antrea proxy does node port service proxy for you. So it's like these problems, you know, won't exist if you're running a newer version of Antrea, for Windows or whatever, you can just use, you don't need to use the userspace proxy anymore. It used to be,
B
we used the userspace proxy though, and the reason is because Antrea uses OVS, and OVS extends the Windows networking subsystems, and because of that sort of technical set of dependencies, you can't use the kernel-space Windows proxy. But so it was a temporary bridge for us until we got Antrea proxy fully working with node ports on Windows and everything.
A
Yeah, that's cool, and at this point there is an implementation of the same functionality in most of the cases. So it's totally advised that you use this instead.
A
E
B
Yeah, so cool, yeah, so we're removing the userspace proxy from core. We have, do you want to talk about KPNG now?
B
Let me look, I'm looking at the HackMD, I, here it is, okay, okay, is it me? I don't know whose turn it is. Me and Amim talked about this beforehand. We're like, okay, I'll do this part, you do that part, then I'll do this part. Okay, here we go, KP, yeah, so all right, yeah. What do you have next? Oh, we have the deprecation.
B
We have the operational readiness stuff, so yeah, we should, yeah, you're right. We should talk about that. So part of what this sort of moves us towards, let me share my screen here, is this idea that, like, well, we need to define, how do I, oh, here it is, yeah, we need,
B
we want to define these things, we want to define the behavior of networks and of all this other stuff, especially on Windows, because, you know, we work a lot on Windows network stuff, but, like, in general we want to define this. Looks like James has a suggestion.
B
Let's just commit it, whatever it is. So, you know, and so we have a specification for the way Windows networking should work, and these are kind of like the core, fundamental definitional things that we came up with, and some of these are implemented in the existing, or all of them in one way or other, you know, are mostly implemented in the existing SIG Windows tests that come inside of Kubernetes, right.
B
So if you go to Kubernetes GitHub, if you go in there, you go to the e2e tests, right, you'll see that there's a whole directory of e2e tests specific to Windows, right. And, you know, I think in all there's like 25 total e2e tests split across these files. So, like, for example, this hybrid_network.go, like, this test has essentially all of the semantics of, like, I think some of these, right.
B
I don't remember exactly, but, like, there's other things that you care about, like StatefulSet IPs being preserved, endpoint slices working properly, and then there's, like, advanced networking tests like, for example, network policies.
B
Right, you know, and so in the existing Kubernetes end-to-end tests, there's a test suite for network policy, so you can go here and you go to network and you go to blah blah blah blah blah blah, here you go. So these support Windows as well now, right. This test framework is in here, and this is actually, me and Amim worked on this for a long time. But we added Windows to this not too long ago.
B
So, like, you can test Windows network policies as well, and the ability to IPv6 and IPv4. I've never run the Windows end-to-end tests for those, but I think they work the same, and so all these things are invoked using Ginkgo, which is a Golang tool
B
that's easy to read and understand, like from a business perspective, so that somebody running an enterprise Windows system can sort of go ahead and, like, without having to run this really complicated filter command here, where they skip certain tests and they add other tests, right, they can simply use a tool called Sonobuoy, which is one of our tools here at VMware, it's an open source tool that is used for Kubernetes conformance, to sort of test whether their cluster is conformant to the Windows conformance specification, and then they can just have a flag like: does it support host processes?
B
Does it support Active Directory? Does it support network policies, etc.? Right, or they could just do all, right, and then that would give people in an enterprise who are running a Windows Kubernetes cluster the ability to really verify that all the basic Windows functionality is supported. So we're trying to make that a thing, and that sort of plays in with what Amim was talking about earlier, you know, like with session affinity, right, like, I don't know.
B
B
I, yeah, I have it here, it's somewhere, it's operation operated. I implemented part of it, so I have just a little bit of it. It's not the whole thing. It's not complicated. It's just a single Golang program that takes in a specification, you know, and then the output of it is, you know, whether these particular features pass or fail or not, right.
B
So it's kind of a lower-level implementation of this, but I want this specification eventually to, like, obviously evolve a little bit so that we don't have to put these actual tags in here, but this is kind of the way I would envision this. Like, we would publish a YAML file like this, so that an end user could just say: I want to make sure networking for Windows works. I want to make sure network policies work.
B
I want to make sure the core stuff works. And then the focus and Ginkgo skip flags, in terms of what tests are actually used and run in what context, are sort of just part of that file. And then the user doesn't care about anything other than knowing core functionality passes, network policies pass, gMSA fails, whatever, right. Yeah, and then we have the KPNG project, which is where we're sort of rebuilding, Amim, you have your PR, so Amim kind of owns the entire Windows story for KPNG.
B
So the first thing that I think he's done is he's ported over the Windows user space to run in kpng, which is the next generation kube-proxy. It's a kube-proxy that separates out the stuff that talks to the API server from the back ends that do the data plane work. So right now we have iptables, IPVS and nft; pretty soon we'll have the Windows kernel space, the Windows user space and, you know, the Linux user space.
B
So that's like how all this sort of comes together. And, well, Zach's got a little surprise that he'll show you next week, but Zach, maybe we should just show them really quickly since you're here. So you want to talk them through the service load balancer stuff, Zach, that you're doing? This is our sort of new conformance suite that we want to build for services.
D
Oh yeah, so the Kubernetes store is very data, right, so this is, yeah. We plan to do another show about it later, but currently I can, you know, overview about this. This project is, it's kind of like a sphere, so you can run in any existing Kubernetes cluster to validate the networking functionalities.
D
So it's, yeah. You can run this on boy also. It will spin up a container. No, so we have two pods which will do some validation on the network in the cluster and then kill itself after it finished, and then you can retrieve the result to your local and see what failed or not. The core of this project, about this, is the matrix, actually. So we can see a pod-to-pod connection.
D
For example, if pod one can connect to pod two through node ports or cluster IP, or can we achieve a hairpin or session affinity through the services. So yeah, the metrics can show you as a result. The logic about this project is, yeah, so it will be testing the pod-to-pod connections through cluster IP, node ports and load balancer or external name, this kind of services, and also notepad local, as showing the chart, and then produce the metric, portable connection metric.
D
It will signify or imply it's okay or fail for the connection from auto part, yeah. This project is originally created by Jay and Amim, actually, and this chart, this diagram, is written by Amim, so I think it's totally making sense, and I think this meditator is valuable to any clusters.
D
B
Yeah, so Amim built all this, like, a while ago, like almost, what was it, a year ago, Amim? Yeah, maybe. Yeah, so he built out this test suite about a year ago to give us, like, table tests, and the nice thing is these pods land on different nodes. They have an anti-affinity thing going on, so for us, like on a customer site, it's nice because, you know, you've always got a customer and they're like, well, this pod isn't working. You're like, well, does it work on other nodes?
B
If you delete it, does it come back up in another place and work, right? And so, like, this just sort of solves that problem by giving us a table. These pods are in different places, and obviously it's CNI agnostic, it's kube-proxy agnostic.
B
So anybody who's, like, building a network tool or diagnosing a Kubernetes network can use this to, like, visualize where things are broken and where things are failing and what services are failing and why. But, like, Zach has sort of really polished it off and he's sort of taken on the role of, like, growing the community around it and building out all the details of it so that it is fully fleshed out and so that we can really start using it at larger scales, maybe even donate it to Kubernetes. So reach out to him.
B
D
I will try to make it better, yeah, using this, yeah. Let's see next week.
E
C
B
B
B
All right, Grayson, can you tell us what's coming up next in the entry up front before we go?
B
C
Yeah, I'm still working on the service account selector. I mentioned it last time: like, you can use the service account, either use the namespace or the name or the label selector, to select some service account, and all the workloads or all the pods that use this service account will be selected in the network policy. Like, I can apply a network policy to all this service account that you cannot talk to other, kind of another group of pods, or you cannot talk to the external, something like that.