From YouTube: Istio networking WG meeting - 2018-10-11
Description
- Loosely coupled Istio Envoy sidecar: https://github.com/baodongli/cni
- Istio CNI design doc
  WIP implementation: https://github.com/istio-ecosystem/cni (potentially moving to the istio org - TC approval)
- Configurable Envoy log format
They have a lot to say on that aspect, so I'd like to postpone that for next week. In fact, we have the second item, which in itself is super important, and this is basically Robert, who would present to us how he can basically decouple the Envoy sidecar from Istio... no, no, I shouldn't say that; maybe I would like to say exactly what it does. So you call it the "loosely coupled Istio Envoy sidecar" feature, so yeah, it's over to you. Alright.
Can anybody see this window now? Yes, it's working perfectly. Thank you very much. So this is Robin Lee from Cisco. So a couple of weeks ago the team presented Istio CNI, I mean, you know, which can have, you know, iptables installed into the namespace, and at the same time eliminate the need to have init containers.
So, basically, you know, I'm thinking about using the same idea as Kubernetes uses to have multiple containers share the namespace: you can, you know, separately install, I mean run, the sidecar container on top of the application's pod. So, and this is using CNI, you know; it's kind of the ordering of starting up all the objects that is kind of required to achieve this.
It's a working system, and it does work to show the concept. So basically, at install, obviously it is exactly the same as with Istio CNI, but you just need to do a few special steps, specific steps to share the secret. If you have mutual TLS, you have to, you want to, copy the secrets onto the node so that the secret can be mounted into the container.
So this is my cluster. I have a Kubernetes cluster, and this is the master node, and I have two minion nodes on the left. So I'm not going to go through the install process anymore; I think the team has already shown that a couple of weeks ago. But I'm going to show what, as part of the install, was installed in the system. So you can see there's this script to add the sidecar; I also have a clean-up script in here. Let me...
Like in here, you have the application: productpage, details, ratings, reviews. Each one, actually each pod, has a namespace, a network namespace, so that namespace is started up, created by Kubernetes, and it first, you know, starts the pause container, and once that gets started... so I'm going to go back to here. Let me fix this and it will go back.
Sorry, the reason I'm asking is because there's also work in the security working group to move to the node agent, which is also a daemon set, and that will remove the need to attach to the filesystem namespace to read the secret. So basically it will be just the net namespace that needs to be attached and nothing else. So.
What I'm trying, this I think I haven't... You know, I think initially we need to come up with a design document. This, basically, is my need to the back side of my... right, also. You know, if for our premium whatever, so if I go back to my, so this GitHub page, and this is, this great, how it works right now; this picture shows we're not seeing that, so I only got to see what's...
Some degrees, you know, various degrees, but I think that's like a great step forward already, right, because, like in the same sense, we can actually, at the node level, we can create a network namespace for Envoy and like connect it, so I was thinking you have these pairs or something, right, instead of like still using the same network namespaces as the pods and iptables. I really want to get rid of the iptables redirection completely, use some other mechanism, but I mean it's so great to see it like this.
Like, what I always wanted to see was like this decoupling of Envoy, because right now, for instance, Envoy, if it crashes, it crashes a number of times, and then it actually, we have this pilot agent that restarts it a number of times, but up to a limit, and I've seen cases where, like, Envoy crashed completely and remained in a crashed state, and kubelet did not restart the pod, because the main...
This picture, I think, gives a clear sequence of events, or things that happen as kind of bringing up the pod. So you can see the first step is run pod container, the pause container, and then at some point later it invokes the CNI plugin chain, and as part of that, each CNI plugin executes. You know, the main part in my case is the plugin that is going to set up networking.
What they are doing is they actually create a pod for, I mean, it's just the container, so they create a pod as well. I don't know how they are doing it. It is a daemon set, because CNI is a daemon set, and it's running stuff in it, and then you can kubectl exec into that particular pod. So, technically, when you create this docker container, I think you can create a fake or some other form of pod that is distinct from the main pod, but it's also visible from Kubernetes, yeah.
There are definitely some advantages in being tightly coupled to Kubernetes, like you get all this for free, right, like kubelet lifecycle management, kubectl exec into the container, but we need to strike the balance here, right. We want to have some degree of flexibility with the upgrades and everything, and, you know, like try to use as much as we have already.
Because there are two ways to do it. This one is a new node agent, because the secrets will be with the node agent. So you just connect directly to the node agent; you don't have to deal with mounts. The other one is to watch secrets, to have some agent or whatever you are doing, the CNI plugin, watch the pod's secrets, and then you have access to the secrets and you can copy them to the file without any secret...
You guys are great, but so the way we did it was we actually created a new network namespace in the app pod. So all the other namespaces for the proxy are available, like the filesystem namespace, to get secrets, and it keeps it more isolated, and hopefully, depending on what we do in the next couple of days, we can actually make it so the proxy is still managed by kubelet; that will give us access to some resources and things. That's what we're struggling with this time, just to get that to work.
I like what Robert's done as well, because making the proxy a part of the node is another way of looking at it, i.e. then all the app pods can talk to a single proxy, so I think both ways have some advantages and disadvantages. You know, making them global to the node makes scalability a little bit tricky, because as pods come and go, the proxy running in the node namespace gets overloaded. And how would you scale it?
Now we have the other options as well, so what I think we need is somebody to take ownership of, like, writing the various models. You know, like basically having the way it is in this picture right now, but have it with, like, the other combinations also, like when the network namespaces and finding sizes are also different, like with the pros and cons. You know, because we're talking a lot, but when we actually see it written down, we may be able to make a better decision on, you know, what to go forward with.
Let's do that; try to target the next meeting to go through this, mm-hmm. We could try and do a demo of what we've done and go through the pros and cons of all the processes. I think they all have pros and cons, and we may decide that we want to offer, you know, a couple of ways of doing it, right.
An argument against putting it in the current document is that the implementation points for these are probably going to be a little different. We're probably not going to get everything implemented all the same, so it might be better to actually have them as, you know, a chain of documents that will more closely follow the implementation, because that is where it's going to get to...
We also have to keep in mind, just like one more thing, so like people have already got used to this idea of the sidecar that lives, you know, by the application and all that, and whatever other models we choose, we have to make sure we don't confuse, you know, the audience too much, because there'll be, yeah, I mean, food for thought. Well...
...but it can be something else than sidecar, so like that's why I think it's good if all of us first have an understanding of, you know, the benefit, so we don't really go with somebody choosing one approach, another, you know, implementing a different approach, and then, when we try to consolidate, you can compare.
Documentation, I mean Steve also said, is well needed on different approaches in different scenarios. The problem I have with the current diagram today: I think last week, or maybe the week before last week, everybody and I was on init container, and I think everybody gets that, but now we're talking about moving the proxy out of the app pod. So there's resource and lifecycle management. I don't think we have an answer for lifecycle management yet, so I'm hesitant to move to that model before we even have an answer for that. So.
I think that's kind of what I was also referring to, is that, you know, we're gonna have to document the models. Maybe, you know, we can easily do this in one spec as well. It's just, you know, document, you know, an initial implementation that's more constrained, and then other possibilities to move it further along, and then decide which possibilities we implement. So.
...actually just documents the removing of the init container, what's required for that, and the basic, you know, framework, and then, you know, so I guess we could look for approval of that doc and then move towards... You know, it introduces this concept, but it doesn't really dive into it. I think, you know, we could put it in that other doc or manage that.
I'm not very good at understanding how documents work; I might prefer to try something on multiple clusters, because the main concern with this problem is: if we have any cluster provider vendors that don't support this model, or where it will not work, or if we can start dropping the old model if this one works better. So, prototypes that are kind of easy in the release and can be tested across...
So, but I don't want to say anything more about that; I think it's pretty clear how they're laid out there. And next, the last section of this page, you know, this way, you know, it's talking about having a running sidecar manager, you know, I don't have a good name for it, but just responsible for the sidecar lifecycle management, and, you know, it will work with the Istio CA and the necessary components to, you know, start and stop Envoy sidecars.
You know, potentially mount secrets, and it may or may not be required as a custom CNI, and I agree. The second is about impacting traffic, with a hot restart. So this way you can start two containers and, you know, one will gradually go away and the other will take the tasks over incrementally.
One point quickly: I think we need to be cognizant, on this, of how users are actually going to debug this, because, for instance, the access logs are going to be in a completely different place. Prometheus currently scrapes Envoy directly; in this model, how is Prometheus going to know kind of what to scrape? And the other thing is things like proxy-config, which does kubectl exec into the Envoy containers, so we'd need to figure out if we want to keep that command in there.
Yeah, that's definitely part of the criteria, you know, that we're gonna use to compare the different approaches, right. For instance, I haven't mentioned this, but you brought up a good one. So I mentioned, like, the others, you know, like it was resource attribution, the last one, but this is definitely the debuggability, right, troubleshooting, all that. So we have to all, like, go into that document, wherever that is, and add those, yep.
Yeah, sometimes you have to click on the person who's talking. Got it. So it's open for comments. There are some TBDs in here. We've started, you know, having the implementation put into istio-ecosystem/cni, and anybody can create issues, I think, and if you want to work on it, let me know, because I can add you as a collaborator. We have a few guys who did that already outside of Cisco.
So the main goals of this are the trusted approach that solves the removing of the init container. The non-goals for this doc right now, I have as, you know, moving the sidecar out of the user's Kubernetes pod is not really a goal for this, and doing anything besides iptables redirect is not really a goal right now for this. If we want to make something like that a goal, I think we could, like we were saying, put those into the other docs.
A comment, sorry, on the goal of decoupling Envoy networking from Istio core. What it is, wonderful, I don't object to this goal, but I want to make sure we keep things consistent. So if we want to move also the iptables initialization to a separate repository, we should make sure that either we copy over the iptables script, because we had this problem in the past; the thing was a huge pain, right, more so...
I mean, it's one single, being a separate repo. What we're seeing is that if it's istio or istio-ecosystem, alright, personally I don't care too much about this; it's a TC decision where to put stuff. But my concern is to make sure that wherever we have it, it's a single iptables script, unified...
The steering committee has decided istio-ecosystem is not on the Istio brand, so it's not going to have the Istio logo along with istio-ecosystem. So that means it's not a repository blessed by the Istio organization. So if this is a core function, which is a core function in my view, to do the init container, we should definitely move to istio/istio.
So a good question. What I was thinking was, and I've implemented some of this, so we have a Helm chart, very, you know, basic, but it can have, you know, multiple values files, and really these files only need to be kind of specific to the hosted Kubernetes environment. Probably, you know, this one would be the most... the main one would be the most customized, I guess, for anybody's bare metal system or however they install Kubernetes, but for the hosted environments it would be pretty stable.
So the gist I'm thinking is that there would be a Helm chart, and then, you know, if we move to support this, when we support this, the linkage to it from the Istio control plane would be a requirements dependency, and we would have to have, you know, we would have a released version of the Helm chart in an Istio Helm repository that we reference from our main Istio requirements Helm chart. That's how I was envisioning this, so.
So the version, when there has to be compatibility, right, for if you're using automatic sidecar injection or istioctl, you would have to use, with the automatic stuff, you would have to use a Helm install with the CNI knob enabled so that it would not inject the init container into the config map, yeah, and then with istioctl...
Fine, I mean, I can also post it in the networking Slack, but basically I added some fields to the HTTP default log format that Envoy uses, and at the same time enabled TCP logging, in some PRs, and after those went in, a question came up from somebody else if we should make those things configurable, because the person in question was wondering if the logs could be in a JSON format. I don't know, so I...
Make it into an Istio issue or on the Istio mailing list, not the Slack channel, so it's easier to get offline, because not everyone is on Slack, and I'll be happy to participate, because we have another concern about the size of the configuration right now. The stuff with the log format is kind of increasing the size that we push, and we push quite a lot of configuration.
Basically, all the fields that we could for TCP logging, since we currently didn't have anything for that, and then somebody raised the question if we'd consider exposing that as something that a user can configure, if, say, they didn't want all the fields or if they wanted something in a JSON format. So.
Right, participating, which would be good for consistency, but of course a custom format, but I think, yeah, we need it for JSON, especially since it's a breaking change; I mean, if you have people who are parsing logs in the current format, you definitely want them to be surprised...
The admin stuff, I do, from my perspective, it's an easy choice: you have to offer the knob, so yes. OK, alright, so we are only 5 minutes over. Thank you very much for attending, and again we had very, like I think, fruitful discussions, and I like that everybody, you know, really brings all the good ideas forward. So it's working really great. So thanks a lot and see you in 2 weeks for networking, or in one week for environments.