Description
!!! Our first antrea-LIVE show !!!
Focusing on upstream K8s network diagnostics with k8snetlook and FQDN policies (evolution in upstream as well as the Antrea-specific implementation).
- Antrea 1.3.0
- FQDN Policies
- k8snetlook
Hosts
- jayunit100 (Vmware)
- yashbhutwala (staked)
- sarun87 (Vmware)
Thanks to @Arun Sriraman @Jianjun @abhiraut @Yang Ding @vrabbi @Amim Knabben @Luther (monson) for coming!
Today's Topics:
- ClusterNetworkPolicies
- Kubernetes Security
- AntreaProxy
- KubeProxy
- K8sNetLook
- Troubleshooting Kubernetes Services (ClusterIP, NodePort)
- Securing L7 traffic on Kubernetes with FQDN NetworkPolicies
Come say hi in #antrea in Kubernetes slack!
B: Sure, yeah, I'll go. My name is Yash Bhutwala. I'm currently working at a company called Staked. We run, you know, a bunch of different blockchains for different cryptocurrencies and provide staking services for customers, but I've been, you know, sort of in the Kubernetes space for a while, and Jay and I used to work in the past at Synopsys.

C: Yeah, sure. Hey everybody, I'm Arun Sriraman. I work in the VMware SD-WAN space, so the product essentially allows you to connect multiple locations, edge locations, to your data center and cloud, and I've been doing, or been involved with, Kubernetes for quite some time now, and worked with Jay in the past, and currently in some far away. So.

A: Yeah, me and Arun over here at VMware, we work on... I'm, so yeah, I'm Jay. Most of y'all that are watching this stream probably know me anyways, because I'm pretty active in upstream networking, SIG Network related stuff, and yeah, me and Arun are here at VMware. We work on a whole bunch of networking related stuff. So hopefully this is our new stream. So in case, we're getting logistics and everything set up, but folks can type comments in the little comment thing and we'll answer them.
A: This is partially office hours, and it's like, if you have Antrea questions about releases and stuff, depending on who all is here, we may be able to give you some really interesting answers. It's also partially a hack session where we're going to be able to go through things and look at stuff together, and so it's kind of a little bit of both. And I see Yang is here, so it's great to see Yang.

A: So yeah, folks want to jump in, we're in the k8s upstream #antrea channel. So Yang, what's up, Yang?

A: Great to see you. Cool, so yeah, good, so we just got started. We just did intros, so yeah, I'm Jay and my friend here is Arun, and Yash is here. Yash is also my buddy, so.

A: Like, the purpose of this stream is for us to all get together, look at stuff going on in upstream networking, in the SIG Network area, in the network policy area. So it's great that Yang is here. He can maybe give us an update on that, and do a little bit of hacking and hanging around and learning about how Antrea works, and Abhishek is here. Abhishek with your telescope is here. Okay, okay, so Abhishek used to be friends with Arun before I was friends with Arun, so we're still friends, you're still.

D: Hi, my name is Yang and I've also worked alongside Abhishek on the network policy side in Antrea, and I've been, you know, a part of the project, I think, for over a year now, and yeah, we're glad to be here.
A: Cool, okay, so I was thinking what I would do. So me and Arun were just playing around with clusters. We had an infrastructure panic for a little bit, but I think I figured it out. Arun, I'm going to give you an IP address and you can SSH into it, unless you have a running cluster right now, and it's an internal IP address, so I'm just going to give it to you in the StreamYard chat, okay, and you know, get.

A: It's in there, and you know the username and password to those machines, right? Okay, so Arun is going to show us how k8snetlook works in a little bit, but first, well, I don't know, Abhishek or Yang, do either one of you want to talk me through what's new in 1.3.0, which is the newest Antrea release?

A: One. Yeah, so I was just playing with this and showing Arun. So this is kind of cool, because I remember when the first FQDN... we were trying for a long time to convince the upstream SIG Network folks to get FQDN working, and I don't know where that landed, because I kind of started focusing on other things. But as far as upstream, where are FQDN policies?

E: And they, I think, have merged some of the controller part in their GKE repository, and that's...

E: That they want to donate to, you know, upstream, but in terms of the KEP itself, or how we want to achieve FQDN policies with network policies, that is still not agreed upon. So yeah, and I think the upstream community is looking for volunteers to, you know, drive this effort into the community. So, you know, anyone who's listening or who's on the call here and wants to work towards that, feel free to join us on the SIG Network Policy API meetings on Mondays. So yeah, but yeah.

E: So as part of that, you know, we wanted to fast track that in Antrea, so Yang had significant work that he did for the FQDN, along with Grayson from the anchor team.

A: Yeah, so that's... Yang! You got anything to add to that before we dig into some live stuff?
D: Yeah, so I think it's been a while since I was, you know, developing this. I think the FQDN policy code was sort of ready around two months ago and then it underwent some improvements. But at the time that, you know, we implemented this FQDN policy, I think the challenge for this to be upstreamed is that, you know, there are two flavors of this, right. So if you think about FQDN policies, people apply FQDN policies in two flavors.

D: One is that they will have a specific FQDN and they want to sort of allow, for example, google.com or facebook.com, right, and the other very common use case is a wildcard use case where people want to say, I don't want anything coming from facebook.com to access my workloads, so people will put something like *.facebook.com, and this is on the upstream side.

D: This is a, you know, more difficult use case to solve, because, you know, if it's a static FQDN, you can always sort of do a DNS query and resolve that FQDN to a specific address. But for, you know, wildcard cases, you usually, you know, rely on some mechanism in the CNI itself, or the implementation itself, to do some sort of proxy.

D: For example, we actually wanted to look into the DNS response and see if it actually matches one of the wildcards that users specify, and then after that, do some sort of data path rule realization and decide, you know, whether the packet should be allowed or not. And yeah, I feel like this is, you know, the major thing that's also blocking the FQDN from, you know, moving forward on the upstream side, is that there's a lot of implementation specifics in the FQDN policy itself.

D: Oh yeah, those are, I guess, just the manual on how you can use an FQDN policy, but.
A: An example, and see if we can go from there. What's up Luther, it's good to see you. I muted you because there was some background noise, but now I'll unmute you. How do I unmute you? I know Luther and Scott Rosenberg just joined us. So that's cool. I appreciate you all coming. So let me see here, so I'm in a cluster, kubectl get, and if I get my cluster network policies, network policies, I don't know if I have... yeah, I actually have one.

A: I think I tried cnp and it didn't work. acnp, acnp, okay, okay, cool, so there's nothing in there. So Antrea has this concept of cluster network policies. Now Abhishek also can tell you all about... there's this whole cluster network policy thing going on. Well, Yang and Abhishek have both worked hard on that, and there's a KEP for that, and Abhishek.

A: If you want to put the link to that KEP in here, I can link folks to that, but we're looking to get all the interesting cluster network policy stuff, as much as possible, at least into upstream over time, at least if we can, at least whatever makes sense.

A: So, let's see, so if I go in here and I do... I've got an FQDN policy here, right. So folks, look here, you can see I've got a policy, it's got a priority of one. Does that mean it's high or low?

E: That means it's high. So basically, think about it in terms of how you would prioritize your work items, right. When you think of certain work items as being, like, highest priority, you would say it's a P0 item. So the lower the number, the higher the priority, okay. So this will.

E: So if you have this... so we're looking at the one on the acnp fqdn1.

A: Obviously, yeah, so if folks want to go and try this out and play at home, I have this directory here and it's got the policy. So if you go to jayunit100, k8s prototypes, and antrea live 1027 2022, you can go in here and you can copy paste this, and this same directory.
A: Cluster, like that, you can just literally run this command and it will generate a multi-node kind cluster for you, so kubectl get nodes, each of which is running Antrea 1.3.0.

A: So if you want to play at home, it's not hard. So, and then there's a kubectl create -f. One other thing that I'm creating inside of the same repo, which is... there's a smoke test directory, and you can see this nginx pod service. So if I do cat, oh sorry, cat, got that slash.

A: cat ../smoke tests nginx pod service, that's just basic smoke pods, right, like a BusyBox container, and I'm labeling it with app antrea, and you'll see why that's important here, because it's a match label for that. So I want to block stuff like Yang was talking about, right. I want to block things, so kubectl get pods. I've got this running and I go down here and I want to make this network call. So let me exec into this pod. Okay, so I'm in here and let me wget www.foobar.com.

A: Okay, so it's giving me an error 403. That's not a problem, right! It means it's able to get there. It's just that I'm going to a random website, so it's not returning anything. So I'm able to reach foobar.com, I'm able to resolve the IP to one 173.2312, one nine three four, make a TCP connection to it, connect to it, connect to the web server.

A: The web server says you can't access this resource, but I see you and I can hear you. Okay, cool, so now I can kubectl create this FQDN policy, right. Oh no, what did I do? I forgot to put the file here. There we go, okay. So now I made this policy, and this pod's policy is matching the label of that pod that I created, right.

A: So this match label is saying: I want to apply this policy to this specific pod so that this pod drops all egress traffic, so that the CNI, Antrea, drops all egress traffic to this FQDN, right. So then I'll go over here and now I can do a curl or wget www.foobar.com, let's see if it works.

A: Oh, maybe I did it in the wrong namespace. kubectl get... what is it, acnp?

A: Okay, and now you can see it hangs. Okay, so thank you Yang for realizing I totally exec'd into something that was not a container. So all right, so we're in, so we're able to block traffic through FQDN. So this is cool. Just so people understand the difference here, the normal network policy API doesn't. So if I go to network policy API Kubernetes, if I go to the docs, if I go to the existing docs, you can read about these.

A: If you're new to this stuff and like it, you know, we support matching pods, and then blocking on pods and blocking on namespaces, and you can do some blocking on CIDRs and stuff, but you can't block FQDNs using the Kubernetes API. So this is something you need a custom CNI provider to do, like Antrea is doing for us, so really excited about that in 1.3.0.
A: If folks want us to show anything else, feel free to add questions in the chat. Thanks Yash for taking notes. Yash has taken a bunch of notes over here, so, and the cluster network policy, and it looks like Abhishek... so Abhishek, you can add them, you all can add the public stuff in the YouTube comments, in the thread, so folks can see them, and then I can do this, see, I can pop up the little thingy on the bottom and it looks cool. So yeah, feel free.

A: You can use a cluster that I've given you. We're going to look at this tool called k8snetlook, so k8snetlook is like a network diagnostics tool that Arun was hacking on for a while, that allows you to, sort of, anytime you're in a customer environment or whatever and you want to see why networking isn't working... Usually the first thing you do is you try to curl from a NodePort.

A: Then you try to curl from, like, a ClusterIP to see if basic stuff's working, then you try to see if DNS is working with the API server. There's this list of things we all do that are kind of intuitive. He's kind of automated all that over here at k8snetlook. So he's going to show us that working, I guess, and now how do we want to do it, Arun? What's the plan here? Do you want to get into my cluster, or do you have something? I think you're on mute.

C: So I did take a look at the cluster that you gave me, but I might not be able to get netlook on there. I'm still figuring out how to get into your cluster completely. So let me share what I have. Okay, we need to see if things are running as they are, just give me a sec.

A: Oh yeah, is it Photon there? Should be, but you should be able to yum install. What do you get? Let me see, so I'll do kubectl. Let me start a tmux session, so tmux new -s g, okay. Now let me do... I will, I can share this screen as well, while we want something you can see.
A: Okay, cool, so now I'm sharing my terminal. So if I do... so for folks interested in VMware Tanzu, this is a VMware Tanzu cluster that's running, and we run Antrea by default in VMware Tanzu, right. So if I do kubectl cluster-info, you could see, kubectl get nodes, okay, so here I'm in a management cluster, and so here's my three nodes. So Arun, I can SSH into one of these nodes by doing ssh capv, and if you do tmux a you can join me in here.

A: I don't know if you use tmux, but so if I get wget, okay, so if I do yum, can I do yum install -y wget? I don't know?

C: Did it, yeah, it went well. I think there were about 500 plus people who were, yeah, both live and virtual, okay, and I'm happy, and I heard good feedback that it's going to help people figure out networking issues without losing all of the hair that they have. So.

C: Is there a kubeconfig on the node that you can export? Yeah? Are you in this session with me? No, I am not, so let me... yeah.

A: Into that jumper, it's 10.92 to 118.96, and then I can meanwhile get a kubeconfig for you. So actually we should have a kubeconfig on there. I guess this is the first time I've ever tried to do this. find / -name.

C: And so I finished doing that on the tkg mgmt vcmd0 node, so, okay, so we're in the wrong node here. So I guess you're in a different, not wrong, but in different words.

A: And I can do config, yeah, you still do like those old-school single dash command line options.

C: What do I do now, right? So now we need to see what's going on, right, and the tool itself does need some permissions on this level to be able to create packets and send them out on sockets.

C: So it does need a NET_RAW socket permission when it's running, so it might be, it's probably just a sudo problem. So if you're on a debug, at the very end it'll also tell you what's going on when each of the checks are being run.

C: Okay, right, so you can see that it's actually able to talk to the API server and run the livez check and health checks for all of the API components. Okay, it was able to... what happened is that it's not able to open an ICMP socket to run ICMP or ping tests, and that's because its operation is not permitted. So you need to run this tool in sudo, or, oh.
C: The host side checks look good, right, so it's able to talk to the default gateway from the host. It's able to talk to the Kubernetes API server, yeah. It's able to also run service checks, right, so this Kubernetes API server endpoint IP, that's going to be the cluster IP within google play. So that's what is backed by either kube-proxy or kube-router or one of the other implementations out there.

C: Okay, yeah, so it is going to run the ICMP check on the Kubernetes cluster IP, which means it's also checking the service IP pathway, which is host to service IP to pod. Okay, some formula.

C: So this is all running from the host, okay, so it has got the service IP from Kubernetes, because it has a kubeconfig. It's able to... so it does an HTTP call to see what the API server returns, and it returns a 401, because it's not there. It's forbidden, we're not using an authentication token or a bearer token, but that's...

C: It's a passed test from a k8s network perspective, yeah, and then what it does is it tries to get all of the endpoints that are backed by that service IP. So you have three control plane endpoints, three API servers running somewhere.

A: So, just for folks that are playing at home, maybe because we're going a little fast, I just want to make sure people get to see this. So if I do kubectl get nodes, you can see we've got three control plane nodes, right. So what Arun is talking about here is that these three nodes here correspond to those three control plane nodes, right. Exactly, exactly.

C: That's the API server's livez endpoint, right, that the healthz endpoint for API server gives, runs a bunch of API server checks. That's already in upstream Kubernetes, so you can do this today if you want to hit the Kubernetes API server's services.

C: Cool, you can do a -s at the end of the command, remove debug and say dash... yes, oh sorry, not -s. Yeah, silent. I forgot to use the short form as well. So just a second, yeah.

C: Yeah, we could do that, so k8snetlook itself can be run in multiple ways. It can be run as a binary on the node where there's a problem, or on the node where a pod is exhibiting an issue. You can also run it through a Docker container.
C: There is a Docker container that's uploaded with the binary, so you can run that similarly, or you could just run it as a Kubernetes job. Okay, there is a YAML spec.

C: That idea, yeah, the idea why I don't recommend running it as a pod within the Kubernetes environment is because you're debugging a Kubernetes problem, and now we want to deploy another new deployment into Kubernetes.

C: And the debugging tool running in the pod, in the environment that you're trying to debug. So then what do you do? Exactly.

C: Already have a couple of hostnames. There's a hostnames example in the Kubernetes documentation, right, it gives you the hostname of the pod.

A: That's a, yeah, it's a Docker Hub rate limit issue because we're inside of a VMware data center right now. So let's see if this works, and then maybe we'll get lucky, maybe one of them will pull down. If not, I can change to using our Harbor proxy over at VMware. We have a Harbor proxy that we use. So can we see if the pod basically works, though? First, how do I test it? So.

C: So the assumption is that you have a problem at the source or the destination, but app A is not able to talk to app B.

C: So what k8snetlook does... and everything looks running right from a Kubernetes perspective, so what it will do there is try to run a bunch of checks as if it's running within the pod, so it uses the network namespace of the pod on the host, and then think of it like running a sidecar container, but not really through Kubernetes, just outside of it. So.

C: So yeah, so let's talk about how you want to deploy k8snetlook first, right. So are you talking about it in terms of running it as a binary on a host, or as a, likewise.

A: So I would normally do this, right, cool, and then so I'm running k8snetlook on here, and then what does it do? Does it exec into this pod?

C: It does not exec per se. What it does is that k8snetlook first runs as a process within the host network namespace on that host, and it does a bunch of host checks that we saw. Oh okay, so Kubernetes networking, the way I see it, you need to look at it in three terms: pod-to-pod connectivity.

C: Yeah, if you talk about it in networking terms, it's east-west versus north-south versus inbound, right, okay, yeah. So k8snetlook runs on the node and does a bunch of checks, yeah, and then what it does is, given a source pod, it's going to use Linux network namespaces and Linux, okay, okay, to go into, or rather switch the process into running in that particular process, the pod's network namespace.
A: Netns lookup thing over here and a center.

C: Exactly, so yeah, so you give k8snetlook a kubeconfig, so it can get information from Kubernetes, so it gets the node name, the container ID and the runtime. And then it goes to the container runtime down there and tries to get the exact proc ID, or process ID, to use to figure out which network namespace it's running in. Okay, okay, cool, and then it logs in there and runs a bunch of these checks.

C: The advantage is that it's not known to Kubernetes, so it's like a sidecar, if you think about it.

A: So it's actually running processes inside of this namespace and in the host namespace. Okay, exactly, that's cool! That's really cool, yeah! I think we're close to time, Arun, any... we got. Does anybody have? I know Jianjun you're here on YouTube, if you want to leave any Antrea announcements, or Abhishek, or any other folks that are on this call, now is the time. Otherwise, and you, of course, do, Arun, so Jay.

C: The KubeCon talk has a good demo that goes through all of the checks, all of the parts and how the tool is built, the architecture and what all checks it does, how it does, as well as how to debug a Kubernetes problem in general, and then what to do. So do take a look at that.

A: In a few weeks or something, Arun, like you know, this is our first antrea-LIVE. So it's like, you know, we're just playing around, but if folks are interested, or even, you know, whatever, people are still learning, so maybe nobody understands what to ask yet, but maybe we do a deeper dive and you could show us how it actually works under the hood.

A: All right, okay, here we go, this is beautiful. Look at this, awesome, here we go, cool, so this is cool. Thank you. Thanks for helping me out everybody, thanks for coming Yash, thanks for showing up Yash. I don't know... I know Luther, you showed up. I don't know if you have anything going on on the CNI end that you're excited about.
A: He's talking about Antrea on Windows, and so by the way, speaking of Antrea on Windows, we have a couple of bug fixes I'm gonna bring those... there's a couple of Windows bug fixes, one is related to reboots. That's on its way, and HostProcess containers are coming along, and AntreaProxy, which is a big thing for Windows.

A: Has... we have PRs now for AntreaProxy, which is a replacement for... AntreaProxy, which is a replacement for the kube-proxy, and there's NodePort, ClusterIP and whatever, there's like the third PR, there's like three or four seminal PRs and those are all in wait.

A: Well, we've got some Antrea folks in here. Abhishek, what's the most exciting thing? Or Yang, what's... Jianjun is here, Jianjun, yeah, thanks. So Jianjun, do you have an elevator pitch, or Abhishek, about AntreaProxy and why it's such an exciting new feature?

E: I think if Jianjun is here, I think he's probably the right person to talk about it. But essentially, you know, what we want to do is get rid of kube-proxy and do everything with OVS, with AntreaProxy, and that will also help us, you know, do network policies efficiently, and in addition to that, it's portable to Windows as well, and I believe there are a few other topics which are related to NodePort services that can be solved by using AntreaProxy very well.

E: But I believe again, Jianjun might be a better point of contact on that. But I think, you know, once we start handling things with OVS, with AntreaProxy, there's more flexibility for us to do a lot more, and we can do more features, as opposed to trying to get it done using kube-proxy, and just having to run one single proxy is easier. So, but yeah, again, I think I'm more on the net policy.

A: Is breaking up, but he likes network policies, yeah. Jianjun, what's your... yeah, so for me, from a Windows perspective, it's huge, because normally, like, with Windows, right, like if you think about it, like, if I have a multiple... if I have a...
A: If I have a cluster and I'm running... I have a Windows node over here and I have a Linux node over here, right, and I'm running kube-proxy on Windows as is, right, I have to run kube-proxy without privileged containers. I have to run that as, like, a... well, unless I'm using Rancher Wins, but even then, right.

A: I have to run it as its own host process and manage that as its own piece of hardware, right, and on Linux, I'm running Antrea, I'm running the kube-proxy and that's also running in a pod, and that's running in a privileged pod, right. So here it's in a pod. Sorry for my horrible... my role, but here it's in a pod, here it's on the host, right.

A: If I run AntreaProxy, then I'm basically... Antrea can manage both my CNI, right, and can manage my CNI for both Linux and Windows, and it can also manage all of my service routing and everything else, all through the CNI. So it's one less thing I have to worry about. To me, like, that's the biggest thing. The other big thing is that OVS, Open vSwitch, the thing that Antrea is based on, doesn't like to run that on Windows.

A: Is, I like the fact that OVS now can be like a first-class citizen in my cluster, managing all the networking, as opposed to half of it being Windows and half of it being non-OVS. So for Windows people here, that might make sense. For the rest of you, I don't think you care about that explanation, but here's Jianjun, he's got a couple of points. So the major point is: keep the whole forwarding pipeline in a single data plane. Oh yes, good for management, troubleshooting, maintenance.

A: It gives a lot of... also, like, for us at VMware, it gives us a lot of native integrations that we're interested in. There are performance advantages compared to iptables as well. And yes, Windows is a single data plane implementation across Windows, Linux, so yeah, yeah. So it's going to make Windows networking fast, faster, faster. It's going to be great.

A: Now one interesting thing: I compared Linux-Windows and Windows-Linux networking bandwidth over the userspace proxy on Antrea, and the performance is about the same, which is interesting, for a single pod, or is pretty close, like. So it's not like it's really... you know, things are pretty good right now, but yeah, all right, anything else? Anybody else wants to share? We're kind of at that hour mark. So I think I'm going to close up otherwise, and thanks everybody for coming to the first Antrea live stream.
A: Yeah, we'll do a big demo of AntreaProxy soon, maybe next time. So. Okay, thanks Luther for coming. Luther is over at Rancher, by the way, folks. So thanks for coming, it's good to see people from different companies coming and hanging out to learn more about Antrea, and everybody keep in touch with us on the #antrea channel in upstream Slack on Kubernetes, or come find us. Well.

A: You can find me and Luther in the SIG Windows room, and you can find Arun in upstream Slack, and everybody else here. Thanks again Yash for showing up and helping me run these from Staked, and we'll catch up later. I'm going to end the broadcast, bye. Everybody bye, Abhishek, Yang, thanks for showing up. Jianjun, take care.