From YouTube: Network Service Mesh WG Meeting - 2018-11-27
A
B
C
D
A
Okay, and that's scenario: let's go ahead and get started. So we have a series of events coming up. The first event, part of the KubeCon co-located events, is the FD.io mini summit on December 10th, and there is going to be a Network Service Mesh session with two talks that are going to be set up.
A
So we have KubeCon Seattle, and KubeCon Seattle is from December 10th to 13th. We have two sessions to talk about Network Service Mesh, where Ed and I will present, and we're asking for anyone to write blog posts or do podcasts or talk about Network Service Mesh in any public medium. I think that would be great. And we are also going to have Network Service Mesh presented in booths.
E
A
C
C
D
A
A
D
C
A
G
A
D
A
F
D
F
F
Let me treat you I will and I can't, okay. So, basically, in Skydive you will have two namespaces, and what I'm doing is I'm developing a probe, an NSM probe, which is connecting to NSMD, and once it receives a cross connect that involves two namespaces, and also control of Skydive and also monitoring of Skydive, it creates a link between those namespaces. That's really simple, but that's how it works.
F
F
D
And so the good news is, I think once the remote next stuff lands, which hopefully will be today or possibly tomorrow, then you could start doing that as well. Oh, this is very cool. If you could put somewhere in the notes a link to the code you're working with and any instructions for people to try it out.
F
A
One of the things that we could do is one of a few things. Number one is, if it is safe for people to visit a website, we could see about spinning up a cluster somewhere that has the connections on there, so people can then browse through the information themselves, just as a demo. A second option is we could stick a video up there, and a third option is we could stick a couple of pictures up on the website, so I.
F
A
F
Think people from Skydive, Skydive developers, are on the call too, and I think to have a better displaying and better rendering of NSM components, we will have to have some kind of help from the Skydive team. Now, what I would like to have is the ability to highlight the NSM components: endpoints, clients and cross connect links. I think it should be the main goal. Do we share this point of view?
F
H
A
D
C
I guess you see it. So what essentially I'm showing here is the YAML file of the API extensions that we are trying to do. So we're working closely with it, and this is what we came up with. Actually, there was a discussion with Matthew also, and this is already merged, it's in master, and now I'm working on the implementation of the selector. But this for now is strongly dependent on 522, the mythic.
C
C
C
And the destination selector: actually, the NSE, we will give its declared labels, matched against the destination selector. So this is a very powerful concept, and if I can scroll it a bit up, this will essentially allow us to do things like this. So this is kind of service chaining, if you wish to call it like that. I thought it sounds a little bit blurry still, but that's more or less what we have today. I guess that once we get further, we will be able to show a bit more, like a more meaningful demo.
D
C
D
C
So there was also this idea of a create action. Once the new connection establishment is matched against the source selector, then you can enable a route action, which will essentially link it to an NSE that provides the asked service. And we also played a little bit with the idea of what it would be if we can spawn the service on demand. So that's what create would do for us here. So in the description of the network service, we can just tell the intention of that.
C
If someone requests a service, this will be automatically spawned and, depending on the configuration, it could be spawned within the same cluster, on the same node, or different options here. This is a very, very powerful concept in terms of, and also probably dangerous, as with everything that is powerful. But yeah, I think that if it's used properly and configured properly, this will allow you to have a very, very much dynamic configuration of the needed services.
C
F
C
D
Really interesting question, Matthew, which is: at what point do we rewire policy changes? Because I can think of at least two answers for this question. The first answer is you process the selection of the wiring at the time the connection is requested by the client, and it stays the way it was, right? So you don't update it when the policy is updated. And there are definitely going to be circumstances where that's gonna have to be true, because some network service endpoint of the chain has some kind of state related to that connection.
D
That would be painful to recreate. And then the second one would be to say, and this is definitely something we could do, the question is how to toggle the flag, but if the policy is updated, you update the wiring for the connections. Because the beautiful part about the cross connects is I can leave the same kernel interface in your pod, or the same memif interface in your pod, and I can change the destination connection of that cross connect in the data plane and simply cross connect.
D
You choose something new. So this should allow us to do things like auto healing: if a network service endpoint identifiably dies, we could connect you to a new one. And it should also allow us to do, if we so choose, automatic rewiring on policy change. It's just a question of under what circumstances that is a good idea.
D
A
E
Yes, looks like yesterday I finished my work with every agent in a/c antennas and point. As far as I know, it's already a part of integration tests, and it's a little bit changed concept at create polar quit or commit. Now we have one side that requests connection. It is always something like slave, and the other side is always kind of master, but they don't know that they are slaves or masters. They just have destination or source.
E
D
And some of the remote work I think we're playing with. It does become a problem before 522 lands. We can do that, and once 522 lands, then we should have multi-node testing, and the pod affinity will put all the network service clients on the same node, and then the pod anti-affinity will put one each of the deeper flavors appendices that we have on going the two nodes that we have.
A
I
I
A
Yeah, I think there was still a minor issue that we were running into with 522 and getting it to the... So it works on a local Vagrant setup; we're having a little bit of trouble with it in the CircleCI or Packet environment. So Ed and I are working to finish off those last details, and that way we can get this merged in as soon as possible. So and.
D
The process, it's been really interesting. A lot of the process of writing network service has been: you get something working, and then you look at what you've written: okay, this has to be refactored, and you refactor it into something that's a little bit saner. So if you go looking through the code for 522 and you see some slightly rough spots, a lot of those slightly rough spots are actually labeled as "TODO: this is slightly rough". So it's probably an interesting place to go fishing for small things that you can do.
A
And just so that people know, part of what we intend to do in time with these particular setups is: we don't want people to have to understand or know these little details in order to get your client or your endpoint running. So one thing that we want to do is to provide clients and libraries and so on as well in the future, so that people can abstract most of this away.
A
So that way you can just focus on your logic and not have to worry about: did you put the right parameters in to get memif working, or the VXLAN, or so on. So for us, right now we're running into a couple of those little things, and in the future you shouldn't have to worry with that. You should absolutely, you could just plug in and work. So yeah.
D
One of the really cool things about 522 is we spawn four network service clients and, of course, we just round-robin, you know, two of those end up being connected to providers of a network service that are local on the same node, and two end up being connected remotely to something on a different node. And guess what? They literally don't know the difference.
C
A
D
Yeah, so basically the trick here is we're using the device plugin API in order to allow us to inject environment variables and mounts into containers. You know, this is sort of a necessary thing. And so right now the component we have, the NSMDP, which is doing that advertisement, is advertising, you know, sort of a fixed number of device IDs, right? I think it's currently 10. And effectively we need to make sure that it will scale that pool so you've always had at least 10 in reserve.
D
In case, you know, lots of pods get scheduled all of a sudden, so that, as things get allocated, it will sort of note that and expand the size of the pool. So we start with a full 10, and we get one allocated, and we expand the size of the pool to 11, because that way we've got 10 unallocated in the pool, and so forth. It's just sort of part of making the whole system more robust.
A
D
Landed in that area into being, you know, I think that's probably, essentially, the problem comes down to: the NSMDP should not be advertising NSM resources until the NSMD is up and functional, and the NSMD should not be indicating that it is up and functional until the data plane is up and functional, and you get all kinds of weird behaviors.
A
D
Couple of things for the demo that are sort of floating around. One of them is we've been talking about the demo doing something that was basically like Sarah's story, where we basically stand up the world's simplest firewall and then configure something back to the VPN gateway. And VPP could be pretty easily configured with some ACLs to do a stateful firewall behavior, and it also supports IPsec, and so we would... There are still some outstanding items there for basically writing
D
some super, super simple network service endpoints for those two operations so that we could actually deploy them. In this case, a network service endpoint is just literally a tiny bit of code that configures whatever the additional rules are, you know, like ACL rules, or sets up your IPsec connection to your IPsec concentrator, here the VPN gateway, and then just calls the existing code that we have when a connection comes in to connect the endpoint; you'll connect the incoming connection into the VPN stuff. So it shouldn't be super complex.
D
D
This is part of why having the VPP network service client example is very helpful, because you would be both a client and a server in that case. And then maybe a little bit of interesting learning, because you have to learn to program a couple of ACLs with the VPP agent over gRPC. And then there's one other interesting thing that we would have to do, and that is we would probably want to... We've talked about when doing parameters.
D
A
C
A
A
So if someone gets to it first or decides to hop onto it, the only thing that we recommend is that, if you're working on something that's publicly on one of these boards, you put a post on there that you're working on it, so we basically try to deduplicate work. But other than that, no one should feel bad for opting to take something early if no one's gotten up to it yet.
D
You know the right place to walk. And I don't personally, you know, I don't personally find the frustration of not knowing where to look to be productive, so I will often just say: okay, here is the place where you would want to go look, and here's the things that I would suggest you think about, and
D
That said, please don't ever read an issue that I write as something you should robotically follow, right? I don't need people robotically following these things. There are always going to be things that I don't think of; there are always gonna be better ideas. So I'm trying to help, not to direct. Yeah.
A
A
G
G
That DPDK is having NUMA issues; it's crossing over it. It doesn't... We don't have these same problems on Docker, so we're able to be very selective on pinning what cores are used. We don't have that type of fine-grained control in Kubernetes. After we disabled the second CPU socket, then we stopped having errors. It was actually causing VPP to crash with a DPDK memory.
G
So we have that right now in place until we can figure out anything else on the Kubernetes side. This does allow us to use 28 cores with hyper-threading, or 14 cores without hyper-threading, on the systems at reason. And then on the host side, on the worker nodes, we have VPP set up as a vSwitch, and that's working as well.
G
So all this is preliminary to the NSM availability for us to plug in, which sounds like it's pretty close. As far as some of those needs, probably won't have them, at least for KubeCon, but we'll be looking at how to plug those in after. So the next step is setting up the test case; we're going to be using and deploying with Helm for that. This is for the Kubernetes side. On the OpenStack, and the big side is working with the VPP Neutron plugin. So this is the OpenStack VPP plugin, it's
G
G
Those were working on C set, and we've been porting over all of that code that was functioning on the Packet side. This is in the Docker KVM, and then replicating what works on Docker KVM into Kubernetes and OpenStack is the way that we've been going through that. So those test results are pushed up for all of those services, including running multiple service chains on the same node.
G
Well, if people have experience with the OpenStack VPP side, that's an area, that Neutron plugin, would definitely be helpful there. And you can reach, ping me on Slack, cloud native, or shoot an email, either way. And then the other one is, if you have experience with Kubernetes and the CPU core management side, there's some new stuff that's rolled in, like 1.10, with the policies that you can set, but we need even more fine-grained control. So.
D
But there is nothing that I'm aware of, even in the pipeline, for allowing you to pick which cores K8s deploys you to. And I'm not necessarily the closest guy to that problem, but it is a problem I've been following a lot, because I realized this kind of stuff is going to be important. Yeah.
A
G
A
D
The one thing to be careful of is, the last time I poked my head into this problem space in the device plugin management working group, there were a lot of things being discussed, but nothing had actually reached the status of accepted. So lots of people have lots of hacks, but it's not clear whether any of those hacks are going to actually make it into the real Kubernetes yet. Yeah.
A
D
J
A
Only have five, four minutes, so let me just toss out a real quick call for help first, and then you have the rest of the time. So anyone who wants to help with documentation or help with the website, any help in that area would be greatly appreciated, because it needs to be all up and ready to go for KubeCon. So it's an easy way to join in and help. And with that, magic, you have the rest of the time.
J
Well, I don't know what Ed wants me to talk about. I have an issue with that call time. I admit I overlooked the consensus call, or rough consensus call, or email. I expressed my view over email; I don't have anything else to add. The call conflicts with an FD.io call, but it is held biweekly, which means that my coverage here will be not spotless, but rather spotty, and I wonder if there is any way to avoid the conflict, as I believe that there is a huge potential for collaboration between the two projects.
A
E
D
D
J
A
D
I would strongly encourage everybody who attends the meeting to please monitor and pipe up on that email thread. We may very well keep this time, depending on, you know... Obviously, finding a time that works worse for more people is not going to be a thing, but maybe we can find a time that works better for everybody.