From YouTube: CNCF Networking WG - 2018-06-05
Description
Join us for KubeCon + CloudNativeCon in Barcelona May 20 - 23, Shanghai June 24 - 26, and San Diego November 18 - 21! Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy and all of the other CNCF-hosted projects.
A: So today we thought we would cover Azure's support for container network policies. As you may already remember from some of the past discussions, Azure networking supports overlays, or what we call virtual networks, for containers. When you deploy Kubernetes containers in Azure, they can also link right into virtual networks, get IP addresses in the private space, talk among themselves, as well as talk to VMs and on-premise instances through the Azure virtual network stack that is already available for VMs and is offered for containers.

A: Okay, so the policy manager supports Kubernetes policies natively. Essentially, however you specify the Kubernetes policies through YAML, the policy manager will plug seamlessly into Kubernetes such that we support the same language specification that Kubernetes does. It will be open source. It will be stateless; it does not require any store or state replication as part of Kubernetes.

B: So we have three types of handlers that send us events, for example whenever a pod is created, updated or deleted, or a namespace is created, or whenever a customer YAML file adds new policies. So we have event handlers for all of these events, and this policy manager is implemented as a DaemonSet, following the Kubernetes guideline of how to write a policy manager, and basically what we use is the combination of IP...

B: So that's an overview of what we do. If you want to look at the details, the next slide just says what I just talked about. It's basically whatever I just said; client-go is the one we use to register for the callbacks from Kubernetes. If you want to look into more details, in the next slide we have details on how it is implemented as completely stateless. So we don't save any of the state.

B: We rely on the Kubernetes callbacks. So let us say the policy manager crashes or restarts: when we register for the events, Kubernetes sends us whatever the current state regarding policies in the nodes should be, and we work off of that. So how it is implemented is basically in the forwarding chain of iptables.

B: I think it's mine. So in the policy, you know, you can specify policies based on pod labels, or like namespace labels, namespace names. So what we do is we create an IP set for every pod label, which helps us in reducing the number of iptables rules that we need to add. Whenever a new pod gets added to a certain label, we just update the IP set and none of the existing rules need to be changed. So that is one thing we use. And then, so in the policy YAML...

B: Also, the policies are based on ports, like, because, like HTTP for the TCP protocol. So the port and protocol combination, along with the pod, we have funneled further, and then we do the same thing for ingress and egress. For both chains we will forward those packets, depending on which port and protocol, and if the IP set matches, to another chain. For ingress we create a chain called ingress-from, and for egress similarly we have another chain, egress. And then basically we start by rejecting by default, and then the first two rules are for the IP blocks.

B: So, okay, so we are clean; only kube-system is running. Let me deploy three namespaces. So what I'm going to do in the demo is I'm going to create three different namespaces and pods in those three namespaces. First I'm going to show that these namespaces can reach each other. So right now, for example, we have three namespaces, ns1, ns2 and ns3, and there are some pods; they're just still getting...

B: I mean, so these are nginx. All these pods are running nginx. I am in one of the pods in namespace 2, and let's pick one of the IP addresses from namespace 3, and we should be able to, because right now I have not applied any policies, so we can get something from the nginx that's running. So now let me apply the policy.

B: It is a very simple policy that says: apply it on namespace 3. This policy applies to namespace 3, and by default everything is blocked unless you specify something in that policy to be allowed. And if you look at the ingress part of the policy, we say any namespace that matches the labels of namespace ns1, only that will be allowed. So it's one of the... we support everything that Kubernetes supports, but for the demo purpose we have a simple one. So I'm...

A: Security groups is certainly one of it, that you just saw, but in addition we also support capabilities for service chaining. That's something that we call routes; it is what enables customers to specify a policy to route traffic from one part to another part and go through this appliance in between. So routes is one such policy that we are considering enhancing the policy specification with; another one is around load balancing and DNS, right.

A: We support rich load balancing policies, and similarly we support rich capabilities around DNS, and then remote on-premise. So right now, while security groups are possible, we would like to extend the YAML spec to include policy specification for these other scenarios that are possible with virtual machines but are not possible with containers today. The...

B: The other thing I'd like to add to what was said: I don't know how much of a policy it is, but there is a lot of, you know, value-add in also providing an integrated experience where the Kubernetes policies, or any policy, coexist with the Azure VNet policies that we have. If we can use labels back and forth, or you can use addresses back and forth, in the two environments, that is very useful in hybrid scenarios.

C: Yes, I definitely, I think, you know, the group would definitely want to continue talking about the service chaining, the load balancing and the DNS extension pieces for sure. Those are kind of the top three there, along with, like, IPv6, which is like a fourth area that we want to definitely take forward in the working group to try to define some extensions we want to suggest.

A: So we support two kinds of labels. One is what we call system labels, which are to identify Azure services, and another is, we support custom-defined labels, which customers can put on any part of their containers or workloads. Yes, both of those, they would like to be available to the customers. I...

A: Sure, sure, I think we would love to. Give us, maybe, we probably won't be ready for the next meeting, but the meeting after that we should be ready. So how about we tentatively put us down for four weeks out, so next month, for us to present at least an initial proposal on routes and maybe load balancers, and I'll...

C: That would be great. Work with you on that, Deepak.

A: Yes, yes, that would be great. One question I had was, how, as a community, do we want to approach this with respect to, between this working group and the network SIG in Kubernetes, right? Do we take joint work together to the Kubernetes network SIG, or do we expect the two communities to be one and the same? How do we see that happening?

C: For the most part we have, and I think this week Brian is on vacation, but we usually have Brian join us from the CNI contributors group, and I don't know if we have anyone on here from the network SIG, but we usually have one or two people from Google join representing the network SIG. I don't know if they were able to make it today or not.

C: Yeah, we sort of collaborate together, and, you know, whatever we bring forward as a proposal from here, we would probably present it to the TOC in the CNCF, and then from there walk through the different, whether it's a CNI request or whether it's a Kubernetes request, we would work with the appropriate groups collaboratively on them. Sounds...

C: I can definitely provide that to you, and I think it's fine, more along the lines of, you know, specifically the policy pieces and the extensions, you know, how we have an implementation to show kind of how that works. So kind of show the running code and the example of, you know, how the policy definition works. So I would talk more about it offline, maybe. I think that's along those lines. What else, I think, sounds...

C: So the next agenda item was around part of the workgroup charter, which was, you know, looking at the networking space, and on the landscape that the CNCF has put together there's quite a few companies and projects that they've sort of put into the network space. Of those projects, I know Weaveworks has presented to the TOC and is interested in becoming an official CNCF network project, and so one of the things I have asked them to do is come and present to this working group, and I'll...

C: ...try to get that scheduled, maybe for the next meeting. But, you know, part of what we want to try to do, I think, is looking at some of the network projects out there, especially in the areas that we discussed previously, you know, the load balancing piece; you think about some of the services that are needed in network, IPv6 type of services.

C: You know, looking at projects that are addressing those areas and then reaching out to those projects to talk about what the cloud native aspects would look like in those projects. So I am definitely open for anyone on this call to look at those companies and, you know, suggest ones that might be of interest, that are filling a gap in the cloud native ecosystem today, that we should talk to.

C: Same thing with, like, monitoring tools. You know, there's other sorts of areas that are kind of complementary to network but are not in the network space that we probably should bring into the scope of the discussion too: what all is kind of complementary to what networking is providing to the cloud native infrastructure.

D: Particular work could go one way, being somewhat service-provider-oriented in nature. I think we've seen, you know, at FD.io and some of that flavor of projects. Much of what's in the CNCF and the general focus is much more inside the data center and kind of enterprise- and end-user-oriented, so I'm happy to suggest things more toward that. And so some of those things are like service meshes, a decent topic; lots of kind of education to happen in that area. Lots...

D: Other things, maybe, are around, and I actually just missed Deepak's presentation, I don't know. I think Deepak had presented before as well; if I recollect, it was around Microsoft's perspective on enhanced network policies, and really further in the context of Kubernetes policies. With that, certainly there's lots of, like, QoS; there are other higher-level network services that you'll probably get to be...

C: ...the biggest disconnect in sort of the efforts that are going on with IPv6 and the vendors' ability to support them right now. As you probably know, that's something that I'm very interested in sort of helping to see from the end-user standpoint, right? If we can have a strong end-user voice back to the community space, I think it would be very beneficial. I know I'm being a little bit, you know, selfish, like you; I've spent a lot of time in this space, and Mastercard being in a transaction network...

C: We're trying to, you know, really get our vendors to understand that IPv6 isn't an option for us, so other than supporting that it's on the roadmap, and even like working with some of the cloud solutions out there today, they're all IPv4 and IPv6 isn't part of the capabilities yet. So I think it's a big area that we can help drive. So if you want to give an update to the working group on what Cisco is doing with the Koopman, I think that would be really good, I think.

D: You know, that's interesting. So you guys here, yeah, you're having to traverse IPv6 to IPv4 back as you guys communicate outside your networks, and then, yeah, people are trying to use really the public cloud services. You've got that translation challenge. Yeah, I think we've...

D: And, as you steward the serverless working group as well, we've shown, and I don't know that it's gonna happen all that often, but at least with CloudEvents, you know, a lot of hesitancy, reservation on the public, you know, the leading public clouds. They have been half-way asked to really partake and adopt, but certainly, like, almost the peer pressure at this point, all right, might pay off. So, yeah, to the extent there, you know, we would have gained enough mass around IPv6 that way.

A: Certainly, I think your comments on the IPv6 requirement are very useful even for us in Azure, because, like you said, customers need to ask for it. I don't think there is broad awareness. Like, I know we have run out of IP addresses ourselves, just like you said, and so at an infrastructure level they've been moving towards IPv6, but as far as exposing it to customers, that is something that we have been treading quite slowly on, partially because customers haven't been coming out to us and saying they must have IPv6.

C: So I can definitely, service meshes, I've been wanting to kind of have a discussion, which I might see if I can line something up for two weeks from today for a service mesh discussion; I think it's very interesting. I'll start working on an IPv6 one with my friends at Cisco, see if I can get somebody who is driving that to join us and give us a brief, you know, of what's going on there.

C: The important point, right, and if within the serverless working group, right, we kind of identified a white paper topic and went after that, I think you're right, and in this working group I'd like to, and it doesn't have to be one like what serverless did. It was more about just how you kind of positioned serverless and function-as-a-service and what it means to cloud native and platform-as-a-service and that kind of stuff, right. I...

C: I think in the networking one we may have a couple of different white papers that may be more along the lines of the different services that we are, you know, trying to kind of highlight from an end-user community as important services that have, you know, gaps today in the delivery and the execution of, you know, doing things in the cloud native way today. So I definitely would like, I don't know, I don't have an idea of what that proposal is yet, but I think...

C: Once we talk about some of the different services that we want to look at adding extensions to the cloud native, and we look at, you know, service mesh, we look at IPv6, we look at QoS and maybe a few other topics to come out of those discussions, I think, well, to your point, I think we will have a much better view of, if we were to do a white paper, what would we do it on, and when we do one, would we do like two different white papers. We can...

C: Partly, you know, at one point the CNCF had a, I don't know if I have the right word, I called it a testbed. We had, like, you know, SUPERNAP had provided some, you know, servers, and, you know, giant, before they were acquired, had, you know, put some resources in, kind of building out an environment where we could actually host and test out projects and ideas and have them interoperate together, and stuff like that. And that all died because of different reasons, but I still think it...

C: You know, there's enough, there was enough interest here, and especially if the working group has enough interest in doing something there. You know, I know from talking with Dan, it seems, yes, that they would definitely provide, you know, resources to work with us, you know, whether it's doing a white paper, whether it's getting access to some kind of an environment that we can test out some of these ideas in, or, you know, for that matter, a lot of the things that we're talking about here that I have up and running in different environments.

D: The proposal was around performance testing of various container network drivers, and, you know, like, there's some natural expectation that overlays bear some overhead, but even at that, like, various host-level network, you know, just various drivers are the same as, well, we're still, you have different implementations, and, you know, that, like, yeah, as a matter of fact, this might be something good for us to take a look at. This call chat is a free tool that we created at Summa wings.

D: At about that time too, it's really created with that use case in mind. It was going to facilitate group tests, kind of performance tests across different networks, kind of like an iperf, but, you know, in a pretty way, and helps you kind of compare the, as a matter of fact, there's a little bit of, like, some Weave Scope-type visualization in here. It's been a while since we've updated it, but get around it.

D: But I bring this up again mostly to reinforce the point that you were making about, like, hey, there are at-scale reports or tests like these, or at least, you know, I know that as the one we were focused really heavily on, the CNI, the various network drivers there, and which one to use and why; making that choice was kind of the why this project was created, right.

C: I like it. We'll definitely get something scheduled to talk through this, and I do think there's, you know, working groups within the CNCF have some flexibility still to kind of define what are some of the outcomes that we want to define, and then what sort of requests we want to take back to the CNCF in terms of having an environment for doing things, or having, you know, a tech writer to work with us to help, you know, document...

C: ...you know, a white paper, for instance. I'm not completely clear on the whole CNI integration engagement piece yet; that I need to kind of still work out with the TOC, but I think stuff like, we have the ability to kind of request, you know, an update, you know, here are some things that we think of as gaps in the specification. They may not, you know, accept them, but I think it's in our scope to kind of define things that we see as missing or needed.

C: The TOC page, I haven't updated that in a while, so I'll get that updated with these agenda items and get a schedule together and get speakers lined up to come and speak with us, and each meeting we'll try to have a presentation and also, you know, knock off some of these tactical discussions we want to have as well. So maybe twenty minutes on presentation, 20 minutes on, you know, tactical next steps and discussions like we had today, and then leave 20 minutes for, you know, new topics or open items.