►
Description
!!! Our first antrea-LIVE show !!!
Focusing on upstream K8s network diagnostics with k8snetlook and FQDN policies (evolution in upstream as well as the antrea specific implementation).
- Antrea 1.3.0
- FQDN Policies
- k8snetlook
Hosts
- jayunit100 (Vmware)
- yashbhutwala (staked)
- sarun87 (Vmware)
thanks to @Arun Sriraman @Jianjun @abhiraut @Yang Ding @vrabbi @Amim Knabben @Luther (monson) for coming !
Todays Topics:
- ClusterNetworkPolicies
- Kubernetes Security
- AntreaProxy
- KubeProxy
- K8sNetLook
- Troubleshooting Kubernetes Services (ClusterIP, NodePort)
- Securing L7 traffic on Kubernetes with FQDN NetworkPolicies
Come say hi in #antrea in Kubernetes slack!
A
B
Sure
yeah
I'll
I'll
go
yeah.
My
name
is
yesh
butwella,
I'm
currently
working
at
a
company
called
state.
We
run.
You
know
a
bunch
of
different
blockchains
for
different
cryptocurrencies
and
provide
staking
services
for
customers,
but
I've
been
you
know,
sort
of
in
the
kubernetes
space
for
for
a
while
and
j,
and
I
used
to
work
in
the
past
that
synopsis.
C
Yeah
sure,
hey
everybody,
I'm
arun,
sri
raman.
I
work
in
the
vmware
sd
van
space,
so
the
product
essentially
allows
you
to
connect
multiple
locations,
edge
locations
to
your
data
center
and
cloud,
and
I've
been
doing
or
been
involved
with
kubernetes
for
quite
some
time
now
and
worked
with
jay
in
the
past
and
currently
in
in
some
far
away.
So.
A
A
Yeah
me
and
me
and
roone
over
here
at
vmware.
We
work
on
I'm
so
yeah,
I'm
jay
most
y'all
probably
know
me
that
are
watching
this
stream
anyways,
because
I'm
pretty
active
in
upstream
networking,
sig
network
related
stuff
and
yeah
me
and
arun
are
here
at
vmware.
We
work
on
a
whole
bunch,
a
whole
bunch
of
networking
related
stuff.
So
so
hopefully
this
is
our
new
stream.
So
in
case
we
we're
getting
logistics
and
everything
set
up,
but
folks
can
type
comments
in
the
inside.
The
little
comment
thing
and
we'll
answer
them.
A
This
is
partially
office
hours
and
it's
like,
if
you
have
android
questions
about
releases
and
stuff
depending
on
who
all
is
here,
we
may
be
able
to
give
you
some
really
interesting
answers.
It's
also
partially
a
hack
session
where
we're
going
to
be
able
to
go
through
things
and
look
at
stuff
together,
and
so
it's
kind
of
a
little
bit
of
both-
and
I
see
yang,
is
here
so
it's
great
to
see
yang
and.
A
A
A
Like
the
purpose
of
this
stream
is
for
us
to
all
get
together,
look
at
stuff
going
on
in
upstream
networking
in
the
sig
network
area
in
the
network
policy
area.
So
it's
great
that
yang
is
here.
He
can
maybe
give
us
an
update
on
that
and
do
a
little
bit
of
hacking
and
hanging
around
and
learning
about
how
andrea
works
and
abhishek
is
here.
Abhishek
with
your
telescope
is
here:
okay,
okay,
so
and
and
abhishek
is
used
to
be
friends
with
the
roon
before
I
was
friends
with
the
women,
so
we're
still
friends,
you're
still.
A
E
D
A
Cool
okay,
so
I
was
thinking
what
I
would
do
so
me
and
aaron
were
just
playing
around
with
clusters.
We
had
like
we
had
an
infrastructure
panic
for
a
little
bit,
but
I
think
I
figured
it
out
arun,
I'm
going
to
give
you
an
ip
address
and
you
can
ssh
into
it
unless
you
have
a
running
cluster
right
now
and
it's
an
internal
ip
address.
So
I'm
just
going
to
give
it
to
you
in
the
stream
yard,
chat,
okay
and
you
know,
get.
A
A
It's
in
there
and
you
can
you
know
the
username
and
password
to
those
machines
right,
okay,
so
so
arun
is
going
to
show
us
how
k8s
netlook
works
in
a
little
bit,
but
first
well,
I
don't
know
abhishek
or
yang.
Do
you
either?
One
of
you
want
to
talk
me
through
what's
new
in
1.3.0,
which
is
the
newest,
andrea
release,.
F
A
One
yeah,
so
I
was
just
playing
with
this
and
showing
a
rune.
So
this
is
kind
of
cool,
because
I
remember
when
the
first
fqdn
we
were
trying
for
a
long
time
to
convince
the
upstream
sig
network
folks
to
get
fqdn
working,
and
I
don't
know
where
that
landed,
because
I
I
kind
of
started
focusing
on
other
things.
But
as
far
as
upstream,
where
are
fqdn
policies.
E
That
they
want
to
donate
to
you
know
upstream,
but
in
terms
of
the
the
cap
itself
or
how
we
want
to
achieve
fqdn
policies
with
network
policies
that
is
still
not
agreed
upon
so
yeah
and
I
think
the
upstream
community
is
looking
for.
Volunteers
to
you
know,
drive
this
effort
into
the
community,
so
you
know
anyone
who's
listening
or
who's
on.
The
call
here
wants
to
work
towards
that
feel
free
to
join
us
on
the
sig
network
policy,
api
meetings
on
mondays,
so
yeah,
but
yeah.
D
Yeah,
so
I
think
it's
been
a
while
since,
since
I
was
you
know
developing
this,
I
think
the
fqdn
policy
sort
of
like
code
was
ready
around
the
two
months
ago
and
then
they
undergo
some
improvements.
But
at
the
time
that
you
know
we
implement
this
fpdm
policy.
I
think
the
challenge
for
this
to
be
upstream
is
that
you
know
there
are
two
flavors
of
this
right.
So
if
you
think
about
fdm
policies,
people
apply
fpga
and
policies
into
flavors.
D
One
is
that
they
will
have
a
specific
ffd
and
they
wanted
to
sort
of
like
allow
a
vlog,
for
example,
google.com
or
facebook.com
right,
and
the
other
very
common
use
case
is
a
wildcard
use
case
where
people
wanted
to
say.
I
don't
want
anything
coming
from
facebook.com
to
access
my
workloads,
so
people
will
put
something
like
star.facebook.com,
and
this
is
an
on
the
upstream
side.
D
This
is
a
you
know
more
difficult
use
case
to
solve,
because
you
know
if
it's
a
static
f2dn,
you
can
always
sort
of
like
do
a
dns
query
and
resolve
that
fdm
to
a
specific
address.
But
for
you
know
wild
card
cases,
usually,
you
know,
rely
on
some
mechanism
in
the
cni
itself
or
the
implementation
itself
to
do
some
sort
of
like
proxy.
D
For
example,
we
actually
wanted
to
look
into
the
dns
response
and
to
see
if
that
it
actually
matches
one
of
the
wild
cards
that
users
specify
and
then
after
that,
do
some
sort
of
like
data
pass,
rule,
realization
and
decide.
You
know
whether
the
package
should
be
allowed
or
not
and
yeah.
I
feel
like
this.
Is
you
know
the
major
thing
that's
also
blocking
the
fpdn
to
to
be
you
know,
moving
forward
and
upstream
side.
Is
that
there's
a
lot
of
implementation,
specifics
in
the
ftd
and
policy
itself.
A
D
A
An
example
and
see
and
see
if
we
can
go
from
there
what's
up
luther,
it's
good
to
see
you.
I
muted
you
because
there
are
some
background
noise,
but
now
I'll
unmute
you.
How
do
I
meet
you?
I
know
luther
and
scott
rosenberg
just
joined
us.
So
that's
that's
cool.
I
appreciate
you
all
coming
so
let
me
see
here
so
I'm
in
a
cluster
coupe
ctl
get
and
if
I
get
my
cluster
network
policies,
network
policies-
I
don't
know
if
I
have
yeah,
I
actually
have
one.
A
A
I
think
I
tried
cnp
and
it
didn't
work,
acnp,
acnp,
okay,
okay,
cool,
so
there's
nothing
in
there.
So
so
andrea
has
this
concept
of
cluster
network
policies.
Now
abhishek
also
can
tell
you
all
about
there's
this
whole
cluster
network
policy
thing
going
on
well,
young
and
both
abhishek
have
worked
hard
on
that
and
there's
a
kept
for
that
and
abhishek.
A
E
A
A
B
E
A
A
A
Cat
dot,
dot,
slash
smoke,
tests,
engine
x,
pod
service,
that's
just
basic
smoke,
pods
right,
like
a
busy
box
container
and
I'm
labeling
it
with
app
entry
and
you'll,
see
why
that's
important
here,
because
it's
a
match
label
for
that.
So
I
want
to
block
stuff
like
young
was
talking
about
right.
I
want
to
block
things
so
coup
ctl
get
pods.
I've
got
this
running
and
I
go
down
here
and
I
want
to
make
this
network
called.
So
let
me
exec
into
this
pod.
Okay,
so
I'm
in
here
and
let
me
wget
www.foobar.com.
A
Okay,
so
it's
giving
me
an
error
403.,
that's
not
a
problem
right!
It
means
it's
able
to
get
there.
It's
just
that.
I
I'm
going
to
a
random
website,
so
I'm
not
returning
anything.
So
I'm
able
to
reach
foobar.com
I'll
be
able
to
resolve
the
ip
to
one
173.2312,
one.
Nine
three
four
make
a
tcp
connection
to
it:
connect
to
it
connect
to
the
web
server.
A
The
web
server
says
you
can't
access
this
resource,
but
I
see
you
and
I
can
hear
you
okay
cool
so
now
I
can
coupe
ctl
create
this
fqdn
policy
right,
oh
no.
What
did
I
do?
I
forgot
to
put
the
file
here.
We
go
okay.
So
now
I
made
this
policy
and
this
pods
policy
is
matching
the
label
of
that
pod
that
I
created
right.
A
A
A
D
A
A
Okay
and
now
you
can
see
it
hangs
okay,
so
thank
you
young
for
realizing,
I
totally
exact
into
something
that
was
not
a
container,
so
all
right,
so
we're
in
so
so
we're
able
to
block
traffic
through
fqdn.
So
this
is
cool.
Just
so,
people
understand
the
difference
here.
The
normal
network
policy
api
doesn't.
So.
If
I
go
to
network
policy
api
kubernetes,
if
I
go
to
the
docs,
if
I
go
to
the
existing
docs,
you
can
read
about
these.
A
If
you're
new
to
this
stuff
and
like
it,
you
know
we
support,
matching,
pods
and
then
blocking
on
pods
and
blocking
on
name
spaces,
and
you
can
do
some
blocking
on
ciders
and
stuff,
but
you
can't
block
fqdns
using
the
kubernetes
api.
So
this
is
something
you
need
a
custom
cni
provider
to
do
like
andrea
is
doing
for
us,
so
really
excited
about
that
in
1.3.0.
A
If
folks
want
us
to
show
anything
else,
feel
free
to
like
add
questions
in
the
chat
thanks
josh
for
taking
notes.
Josh
has
taken
a
bunch
of
notes
over
here
so
and
the
cluster
network
policy,
and
it
looks
like
abhishek
so
abhishek.
You
can
add
them,
you
all
can
add
the
public
stuff
in
these
in
the
youtube
comments
in
the
thread,
so
folks
can
see
them,
and
then
I
can
do
this
see.
I
can
pop
up
the
little
thingy
on
the
bottom
and
it
looks
cool
so
yeah
feel
free.
A
A
You
can
use
a
cluster
that
I've,
given
you
we're
going
to
look
at
this
tool
called
k8s
netlook,
so
kns
netlook
is
like
a
network
diagnostics
tool
that
arun
was
hacking
on
for
a
while
that
allows
you
to
sort
of
anytime
you're
like
in
a
customer
environment
or
whatever,
and
you
want
to
see
like
why
networking
isn't
working.
Usually
the
first
thing
you
do.
Is
you
try
to
curl
from
a
node
port?
A
Then
you
try
to
call
curl
from
like
a
cluster
ip
to
see
if
basic
stuff's
working,
then
you
try
to
see
if
dns
is
working
with
the
api
server.
There's
this
list
of
things
we
all
do
that
are
kind
of
intuitive
he's
kind
of
automated
all
that
over
here
at
kns
netlog.
So
he's
going
to
show
us
that,
working,
I
guess,
and
now
how
do
we
want
to
do
it
a
roon?
What's
the
what's
the
plan
here,
do
you
want
to
get
into
my
cluster
or
do
you
have
something
I
think
you're
on
mute?
C
A
A
A
Okay
cool,
so
now
I'm
sharing
my
terminal.
So
if
I
do
so
for
folks
interested
in
vmware
tons
of
this
is
a
vmware
tonzu
cluster,
that's
running
and
we
run
andrea
by
default
in
vmware
timezone
right.
So
if
I
do
ctl
cluster
info,
you
could
see
ctl
get
nodes,
okay,
so
here's
I'm
in
a
management
cluster
and
so
here's
here's
my
three
nodes.
So
a
roon.
I
can
ssh
into
one
of
these
nodes
by
doing
ssh
cap
v
and
if
you
do
tmoxa
you
can
join
me
in
here.
A
A
A
A
A
C
A
A
B
C
A
A
A
C
A
G
A
A
C
A
C
C
Okay
right,
so
you
can
see
that
it's
actually
able
to
talk
to
the
api
server
and
run
live
z,
check
and
health
checks
for
all
of
the
api
components.
Okay,
it
was
able
to
what
happened
that
it's
not
able
to
open
an
icmp
socket
to
run
icmp
or
ping
tests,
and
that's
because
it's
operation
is
not
permitted.
So
you
you
need
to
run
this
tool
in
sudo
or
oh.
A
C
The
host
site
checks
look
good
right,
so
it's
able
to
talk
to
the
default
gateway
from
the
host.
It's
able
to
talk
to
the
kubernetes
api
server
yeah.
It's
able
to
also
run
service
checks
right,
so
this
kubernetes
api
server,
endpoint
ip
that's
going
to
be
the
cluster
ip
within
google
play.
So
that's
what
is
backed
by
either
proxy
or
cube
router
or
one
of
the
other
implementations
out
there.
G
A
C
A
C
So
this
is
all
running
from
the
host
okay,
so
it
is
it
is.
It
has
got
the
service
ip
from
from
kubernetes,
because
it
has
a
cube
config.
It's
able
to
so
it
does
a
http
call
to
see
what
his,
what
what
the
api
server
returns
and
it
returns
a
401,
because
it's
not
there.
It's
forbidden
we're
not
using
a
an
authentication,
token
or
a
barrel
token,
but
that's.
C
A
G
A
So,
just
for
folks
that
are
playing
at
home
they're,
maybe
because
we're
going
a
little
fast.
I
just
want
to
make
sure
people
get
to
see
this.
So
if
I
do
coop
ctl
get
notes,
you
can
see,
we've
got
three
control
plane
nodes
right.
So
what
arun
is
talking
about
here
is
that
these
three
nodes
here
correspond
to
those
three
control.
Point
nodes
right,
exactly
exactly.
C
B
C
H
A
C
A
C
C
C
A
C
C
C
C
A
C
C
A
A
A
C
H
C
C
A
C
G
C
G
A
C
A
A
A
A
A
That's
a
yeah,
it's
a
docker
hublot
rate
limit
issue
because
we're
inside
of
a
vmware
data
center
right
now.
So
so,
let's
see
if
this
works
and
then
maybe
we'll
get
lucky,
maybe
one
of
them
will
pull
down.
If
not,
I
can
change
to
using
our
hardware
proxy
over
at
vmware.
We
have
a
hardware
proxy
that
we
use.
So
can
we
see
if
the
pod
basically
works,
though?
First,
how
do
I
test
it?
So.
C
C
So
what
k
does
net
look
and
everything
looks
running
right
from
a
kubernetes
perspective,
so
what
data
will
do
there
is
try
to
run
a
bunch
of
checks
as
if
it's
running
within
the
part,
so
it
uses
the
network
namespace
of
the
part
on
the
host
and
then
think
of
it
like
running
a
sidecar
container,
but
not
really
through
kubernetes,
just
just
outside
of
it.
So.
A
C
C
A
C
C
A
A
C
It
does
not
exact
per
se.
What
it
does
is
that
kts
network
first
runs
as
a
process
within
the
host
network
name
space
on
that
host,
and
it
does
a
bunch
of
host
checks
that
that
we
saw
oh
okay,
so
so
kubernetes
networking
the
way
I
see
it
you
you
need
to
look
at
it
in
three
three
terms:
part-to-part
connectivity.
B
C
C
It
yeah,
if
you
talk
about
it
in
the
networking
terms,
it's
east
west
versus
not
south
versus
inbound
right,
okay,
yeah,
so
k
does
network,
runs
on
the
node
and
and
does
a
bunch
of
checks,
yeah
and
then
what
it
does
is
given
a
source
part.
It's
going
to
use
linux,
network
namespaces
and
linux,
okay,
okay,
to
go
into,
or
rather
switch
the
process
into
running
into
that
particular
process.
The
parts
network
namespace.
C
C
C
Exactly
so
yeah,
so
you
you
give
the
you
give
netcatus
netlook
cubeconfig,
so
it
can
get
information
from
kubernetes,
so
it
gets
the
no
the
node
name,
the
container
id
and
the
runtime.
And
then
it
goes
to
the
container
runtime
down
there
and
tries
to
get
the
exact
proc
id
or
process
id
to
use
to
figure
out
which
network
name
space
it
it's
running
in
okay,
okay,
cool
and
then
it
logs
in
there
and
runs
a
bunch
of
these
checks.
C
C
C
A
It
so
it's
actually
running
processes
inside
of
this
name
space
and
in
the
host
name:
space.
Okay,
exactly
that's
cool!
That's
really
cool
yeah!
I
think
we're
close
to
time
maroon
any
three
we
got.
Does
anybody
have?
I
know
june
jen
you're
here
on
youtube
if
you
want
to
leave
any
andrea
announcements
or
abhishek
or
any
any
other
folks
that
are
on
this
call.
Now
is
the
time
otherwise,
and
you
of
course,
do
a
room
so
jay.
C
A
In
a
few
weeks
or
something
to
ruin
like
you
know,
this
is
our
first
entry
of
life.
So
it's
like
you
know
we're
just
playing
around,
but
if
folks
are
interested-
or
even
you
know,
whatever
people
are
still
learning,
so
maybe
nobody
understands
what
to
ask
yet,
but
maybe
we
do
a
deeper
dive
and
you
could
show
us
how
it
actually
works
under
the
hood.
A
A
All
right,
okay,
here
we
go,
this
is
beautiful.
Look
at
this
awesome
here
we
go
cool,
so
this
is
cool.
Thank
you.
Thanks
for
helping
me
out
everybody
thanks
for
coming
josh,
thanks
for
showing
up
josh,
I
don't
know,
I
know
luther
you
showed
up.
I
don't
know
if
you
have
anything
going
on
on
the
cni
end
that
you're
excited
about.
A
I
A
He's
talking
about
he's
talking
about
entry
on
windows,
and
so
by
the
way.
Speaking
of
entry
on
windows,
we
have
a
couple
of
bug:
fixes
I'm
gonna
bring
those
there's
a
cut.
There's
a
windows.
There's
a
couple
of
windows
bug
fixes
one
is
related
to
reboots.
That's
on
its
way
and
host
process.
Containers
are
coming
along
and
antriaproxy,
which
is
a
big
thing
for
windows.
A
E
I
think
if
ginger
is
here,
I
think
he's
probably
the
right
person
to
talk
about
it.
But
essentially
I
you
know
we.
What
we
want
to
do
is
like
get
rid
of
q
proxy
and
do
everything
with
obs
in
with
entry
proxy,
and
that
will
also
help
us.
You
know,
do
network
policies
efficiently
and
in
addition
to
that,
it's
portable
to
windows
as
well,
and
I
believe
there
are
other
few
topics
which
is
related
to
notepad
services
that
can
be
solved
by
using
anterior
proxy.
Very
well.
E
But
I
believe
again,
junior
might
be
a
better
point
of
contact
on
that.
But
but
I
think
you
know
once
once
we
start
handling
you
know.
Things
is
with
obs
with
entire
proxy
there's
more
flexibility
for
us
to
do
a
lot
more
and
we
can
do
more
features
as
opposed
to
trying
to
get
it
done
using
cube
proxy
and
have
just
just
having
to
run
one
single
proxy
is
easier.
So
but
yeah
again,
I
think
I'm
more
on
the
net
policy.
A
A
If
I
have
a
cluster
and
I'm
running,
I
have
a
windows
node
over
here
and
I
have
a
linux
node
over
here
right
and
I'm
running
coupe
proxy
on
on
windows,
as
is
right,
I
have
to
run
coupeproxy
without
privileged
containers.
I
have
to
run
that
as
like
a
well
unless
I'm
using
rancher
wins,
but
even
then
right.
A
I
have
to
run
it
as
a
as
its
own
host
process
and
manages
that
as
its
own
as
its
own
piece
of
hardware
right
and
on
linux,
I'm
running
antrip,
I'm
running
the
coug
proxy
and
that's
also
that's
running
in
a
pod
and
that's
running
in
a
privileged
pod
right.
So
here
it's
in
a
pod.
Sorry
for
my
horrible,
my
role,
but
here
it's
in
a
pod
here
it's
on
the
host
right.
A
If
I
run
entry
a
proxy,
then
I'm
basically
can
I
can
run
every
andrea.
Can
manage
both
my
cni
right
and
can
manage
my
cni
for
both
linux
and
windows,
and
it
can
also
manage
all
of
my
all
of
my
service
routing
and
everything
else
all
through
the
cni.
So
it's
one
less
thing.
I
have
to
worry
about
to
me.
Like
that's
the
biggest
thing.
The
other
big
thing
is
that
ovs
open
vswitch,
the
the
thing
that
enters
based
on
doesn't
like
to
run
that
on
windows.
A
Is
I
like
the
fact
that
ovs
now
can
be
like
a
first-class
citizen
in
my
cluster,
managing
all
the
networking,
as
opposed
to
half
of
it,
being
windows
and
half
of
it
being
non-ovs
so
for
windows.
People
here
that
might
make
sense
for
the
rest
of
you.
I
don't
think
you
care
about
that
explanation,
but
here's
june
jen
he's
got
a
couple
of
points,
so
the
major
point
is:
keep
the
whole
forwarding
pipeline
in
a
single
data
plane.
Oh
yes,
good
for
management,
troubleshooting
maintenance.
A
It
gives
a
lot
of
also
like
for
us
at
vmware.
It
gives
us
a
lot
of
native
integrations
that
we're
interested
in
there
are
performance
advantages
compared
to
ip
tables
as
well.
And
yes,
windows
is
a
single
data.
Plane
implementation
across
windows
links
so
yeah
yeah.
So
it's
going
to
make
windows
networking
fast,
faster,
faster.
It's
going
to
be
it's
going
to
be
great.
A
Now
one
interesting
thing:
I
compared
linux,
windows
and
windows
and
linux,
networking
bandwidth
over
the
user
space
proxy
on
android
and
the
performance
is
about
the
same,
which
is
interesting
for
a
single
pod
or
is
pretty
close
like.
So
it's
not
like
it's
really.
You
know
things
are
pretty
good
right
now,
but
yeah
all
right
anything
else.
Anybody
else
wants
to
share
we're
kind
of
at
that
hour
mark.
So
I
think
I'm
going
to
close
up
otherwise
and
thanks
everybody
for
coming
to
the
first
andrea,
live
stream.
I
A
A
Yeah
we'll
do
a
big
demo
of
android
proxy
soon,
maybe
next
time
so.
Okay,
thanks
luther
for
coming
luther,
is
over
at
rancher
by
the
way
folks.
So
thanks
for
coming,
it's
good
to
see
people
from
different
companies
coming
and
hanging
out
to
learn
more
about
andrea
and
everybody
keep
in
touch
with
us
on
the
andrea
channel
in
upstream
slack
on
kubernetes
or
come
find
us
well.
A
You
can
find
me
in
luther
in
the
sig
windows
room
and
you
can
find
a
rune
in
upstream
slack
and
everybody
else
here,
thanks
again
josh
for
showing
up
and
helping
me
run
these
from
stakes
and
we'll
catch
up
later,
I'm
going
to
end
the
broadcast
bye.
Everybody
bye,
abhishek
yang,
thanks
for
showing
up
june
jen,
take
care.