From YouTube: Istio Networking WG meeting - 2018-09-27
Description
- Istio CNI proposal: https://github.com/tiswanso/istio-cni
B: Rafael's presentation last week, or two weeks ago, on the pod number controller... I started investigating this PoC more because I thought it fit a little bit better and it solved some of the problems that we were talking about last time with the synchronization. My colleague Robert Lee and I have been discussing the CNI as a solution for the iptables setup, also in the context of IPv6 and dual stack and stuff.
B: So I went ahead and created a PoC. Sorry, I'm sharing the actual news... so yeah, I went ahead and created a PoC with a quick implementation based on the sample CNI plugin, which is really basic, and borrowed a lot of the install stuff that Calico does, so you'll see references to Calico in the implementation details, but really this doesn't depend on Calico in any way. So it's just an implementation that requires just that:
B: The Kubernetes cluster has the CNI plugin enabled, and then your normal IPAM plugin or whatever you've got for actually doing pod networking. This plugin, or rather the installation, will just inject the configuration of this Istio CNI plugin into the plugin chain at the end, and it's sort of just a pass-through. So for all the API events it's really just returning the previous result of the prior plugin in the chain and just handling the command...
B: ...handling the ADD action only, and doing the iptables setup for the redirect to the sidecar istio-proxy. So quickly, I think it may be better to visually show what happens during usage and then we can talk about implementation a little bit more if anybody has questions. So I wrote up in the README a quick set of info on how to use this. In a normal kubeadm install you shouldn't have to actually change any of these options,
B: unless you install this in a different namespace other than istio-system. So the way it works is there's a Helm chart that has, sorry, not a Helm chart, just a regular manifest that will create a couple of things: the cluster role and role binding for a service account that is usable by the actual plugin. Sorry.
B: So yeah, the manifest is very similar to the Calico manifest in the aspect of just creating a service account and a DaemonSet. The service account really just has get privileges on pods, and the DaemonSet is really just the installer. So this is the thing that goes and copies the binaries into the bin dir for the CNI plugin, and it injects the configuration into the config file that's set up in the CNI config directory.
B: Have some other process in the DaemonSet? That's what Calico does actually. The Calico DaemonSet deployment has multiple containers in the pod, and that's where they run their node agent, and they also run the install container there. But we don't have a need for the node agent right now, so I just have... yeah.
B: Yeah, so I was going to show that it actually works. So this is a screen here, and I can actually increase the font on this one. This is just a host, that's all-in-one right here. I have another screen where I can show the GKE setup, but this is the precondition right now: the plugin is not running yet.
B: ...they always seem to use, but the way that this works is the kubelet calls this in exactly this order, so each one of these types refers to a binary in the CNI bin dir, and so for each pod creation event the kubelet will call every plugin in this chain. It'll pass, for example for the portmap plugin, the result from the Calico plugin in the message that it gets invoked with, or the parameters that it gets invoked with. So similarly, I'm... so I...
B: The portmap plugin may add or change something in there, but similar to what I've done, it can just take the result that it saw from the previous one and just return it, if it added no new IP address or anything like that, so that you can kind of be invisible a little bit in the chain here and not disturb what the other plugins are doing. Okay.
B: So it's just created another list entry with the reference to the executable and then the parameters for the plugin. So that's how it gets configured, and this happens on a per-node basis. That's why it's a DaemonSet, so all those containers that I just referred to are running on each node, and they run... it's just a bash script that installs these configs, and also there's, in the bin directory,
B
We
see
that
there's
an
it's
d-o-t
and
I
executable,
and
then
I
just
put
the
VoIP
tables
sh
script
that
sets
up
IP
tables,
and
so
this
on
command
adds.
This
is
the
OC
and
I
will
clot
figure
out
whether
the
pod
is
a
an
envoy,
enabled
sidecar
pod
and
then
run
if
it
is
it'll
run
this
executable,
the
sorry,
the
issue
iptables
sh
with
the
right
parameters,
so
I
can
show
that
I'll,
just
I'll
do
like
the
book
in
flow
example.
So
I
have
this
setup
with
its
do
already.
B: So Bookinfo, with the sidecars being created, is getting set up right now. And I forgot to show earlier that this is just the DaemonSet sitting there, so that bash script that did the install, I just have a while-one or while-sleep loop in there. So it doesn't... So. Would you... that, so.
B: Well, yes, it nsenters into the namespace, so it runs nsenter with iptables into the... The parameters that the CNI plugin gets from the kubelet include the Kubernetes pod net namespace, so I don't have to look that up in any special way, and so it just uses that and nsenters into the namespace and then runs iptables. The thing that has to happen, though, is the Kubernetes...
A: A question on where you're doing that, so this plugin would always watch all the pods on this particular node that don't belong to the istio-system namespace, and as soon as it reaches running, assume it has the Envoy proxy. I mean, how do you ensure you are doing it at the right timing, as soon as the pod is becoming active? Yeah.
B: Scheduling, so when the scheduler is going to create the pod, the kubelet gets an event to create the network namespace even before the pod is... it's only after the pause container has started, I think, and it doesn't even attempt to download the images or anything for the other containers in the pod until this plugin chain runs. So some...
A: ...right place to do the work, really. Yeah, and so I'm not sure if it's clear for you: I mean that this is not like the Kubernetes controllers approach, where you have a process running watching for resources in Kubernetes. This is something that gets invoked by the kubelet, so really for each pod you get an invocation, right? It wasn't super clear.
D: Remind people from two or three weeks ago or more that we discussed the other problem where the Envoy sidecar can be slower than the application, and we may get a few seconds where things are not in a good order, and the idea of moving some cache... you know, pre-putting some configuration in the init container, so that when the actual Envoy runs it also has some warmed-up configuration, at least some warming that can be done. So that was the plan at that point.
A: ...to deploy it in that directory and it will be loaded by the Kubernetes API server. So when you start your API server you have an option where you say where this CNI plugin is, and if you put equals CNI, it goes to the directory that Tim showed in the beginning and loads everything that's in there. Well, so...
B: You're exactly right. The part where it's a little kludgy is that it looks at only the first... This is maybe a Kubernetes-specific thing, but it only looks at the first file in this directory, lexicographically. So with the plugin chain approach, you have to be able to detect the first file and then put your config into that file. So it's a single file.
F: I mean, I just reached out to Tim Hockin and some other folks in the Kubernetes world who have a lot of experience with CNI, so we're going to try to get some feedback from them about maintainability or reliability, any concerns with CNI as a mechanism for doing that. So hopefully we'll get some of that feedback or at least know where the pitfalls are. This will be good to have, and I think I see Spike's on the call.
B: Yeah, so the one thing I would like is, you know, the Kubernetes parameters to be more complete, and a lot more detail in what we get from Kubernetes. So we really only get a few things in the... actually, Kubernetes... So what we use... sorry, I'm trying to find the code here, but...
B: So this is the net namespace, and it has the container ID and stuff like that, so I just basically used that to connect to... I used that in the parameters from the CNI network config. So you can see that there's a kubeconfig here; the install script creates that kubeconfig from the service account that the manifest sets up, and then gives it to the plugin config, so in that I... That's that!
H: I was just saying, I don't see anything... it's your install! It's just, yeah, we're trying to understand the exact requirement. I'd just like to try it in a cloud; we were basically based on what Sharon was just raising. So I saw you have this hostNetwork equals true, but I don't see privileged true. I'm trying to... is that accurate, based on what you've been deploying? Yeah.
R: About removing the need for iptables, I was looking at some similar approach to... essentially, functions in two parts. Yeah, thanks for saying that, and your stuff looks a lot better than what I did, so that's great. Well, what I did was basically, as somebody mentioned earlier, I create a veth there and a new network namespace to route all traffic in and out of it, and that even removes the need for iptables. So you don't need...
A: Okay, so we'll wait to hear from you, Lin, from Shira, more like all the interested parties, but hopefully there aren't major roadblocks with that, right? So I think it's very likely we will go ahead with this, going with the CNI doing the redirection inside this CNI plugin, right, and then next we can tackle how we capture that traffic. Right now it's iptables; maybe we can do it via... but I would actually like to see more from JA, like what.
F: So I think there's a couple of things that need to happen if we're going to consistently move forward on this as an organization, right? So we need to write a document; we should get this into the Istio org, right, so that people can collaborate on it under those auspices. Assuming that we all agree, then we would essentially sponsor that work.
F: Right, and I think there's a couple of different tracks within the project, yeah, right: there's the folks who can work on the resource attribution side, and those who are supposed to work on the networking side, and there are going to be folks who are going to work on the hot reload side, right? All right.
E: Do we have all that stuff... Can we not then hitch those? I think we can, and I think they can go and set up tracks, and we just need people to say that they're going to own those bits. Totally, yeah. It's like, we're definitely interested in hot reload and I've been talking with you some about that. We, yeah, in...
F: ...is one of the priorities of all the things that we have. Once we have basic capture working, that would be the next most important thing for the health of the project. Yeah. Because otherwise we're going to spend resources right now doing container startup sequencing for the injection stuff. Yeah, like Nate was going to... yeah.
F: So from the Google side, right now most of our folks are super focused on fixing the config scale issues, all right. We're spending a lot of time on that; that work is obviously entirely orthogonal to this. I can get consulting help from the GKE and Kubernetes experts on whatever... on the resource attribution side, and yeah.
F: ...consult on this, so we know what we're doing is solid. Hopefully I can go chat with the Calico folks and the Cilium folks and get some guidance from them too, and they're obviously out there doing combination pitches anyway, so I think they'd be motivated to talk about it. Spike, I don't know if you want to say anything on that subject? I think he dropped out of the call earlier. Okay, maybe I'll go to a real meeting.
F: What we're hearing is that the security model where the sidecar is part of your application is not actually what operators want. What they really want is to verify that the sidecar is doing what they expect, right, in terms of secret management, and they don't want that to be under the control of the application, right? So it will be the operators of the cluster that are going to...
D: ...that we can also improve the way we opt out, right. Now we put an annotation to not have the injection. If we go this way, we can say, hey, if you have a cluster permission on your service account then you can opt out; otherwise you are in. So instead of, you know, we just put an annotation and you're out, we can make it more secure and enforceable. Basically, I mean.
M: ...because the health check completely... if you're not running as part of the pod namespace, by effectively putting a hole in that, with the environment variable stuff which says, like, if you're coming from the kubelet with this IP, since for any other DaemonSet and so on we have, you know, the IP address that the kubelet is actually going to use, we can put stuff in the iptables that says that traffic is not captured. In other words, that actually allows us to get around the health check issue completely, right.
F: ...of the different pieces of the project, and then do more detailed ones phase by phase, right. But we roughly know the different pieces, and we just need to blow out our description of them and what their dependencies and interactions might be, and a delivery schedule associated with them. Like, if we're going to do, you know, the bridging, there would probably be a more detailed design doc for that, but I think we can write a couple-of-paragraph outline of that, sure, and then we could figure out how they're going to be ordered. It's...
F: ...work with Tim. Tim can be the primary for it; he gets credit, first-mover advantage, Tim, and then we'll all pile on to make sure that we've fleshed out the ideas and make sure things are covered. Then we'll do another pass to just flesh out details and get broader review, and it shouldn't take too long in the...