From YouTube: Istio Networking WG meeting - 2018-11-01
Description
-CNI repo issues -- issue tracker: to accept
-CNI e2e test strategy
-Iptables redirect issue & proposed fix (Robert)
-Discuss sidecar lifecycle management (Robert)
-FYI: SDS and CNI
A
C
B
See my screen yet? Yeah, okay, so just the beginning of meeting, we want to just knock off your plan for getting through some logistic albums for the CNI repo and the kind of 1.1 alpha readiness type items. So I created an issue tracker in the CNI repo to just list out everything that at the high level is that needs to be done to get on the track towards getting a release ready.
B
So the main problem we're having is after the Istio ecosystem move, a number of the folks that are in the owners file don't have permission to assign issues or to approve PRs and merge, be ours and theirs. It could be mostly related to the CircleCI hook up or the DCO check. So we're trying to. We need to figure that out so that we can unblock a lot of the PRs that are pending to merge. Tim.
D
E
D
First, we noticed that your job, your PR, the job, ran the CircleCI jobs for him, but none of the other jobs, even though we resubmitted some this morning, the CircleCI run, so I'm not sure exactly what's going on there, but it was only your specific PR that I was able to run CircleCI; the other ones weren't, even though they came after yours. Okay.
E
F
E
E
B
B
Think it's a repo settings thing. I think it looks to me, maybe, that it kept some of the settings that were there when it was this Istio ecosystem, and it wasn't paying attention. I don't think it's actually paying attention to the owners file. So I think that just is enough. That needs to be said on the steel, okay.
I
B
E
B
E
I
So basically, what I did was I created a CI hacker team, and inside of the team there are eight members, which is what him, I think, he wanted to be the initial folks in the owners file, and then that team has write permission to the CNI repository. I mean, I could try to maybe make you team, or maybe a well to other guy, to be admin of that repository. That might be easier. Just so we can try to testing permission a little bit more, yeah.
D
J
I
E
H
K
J
L
B
J
E
B
I
A
B
F
B
So for the other sort of readiness items, we, so Constance got the PR for the nightly job to push a Docker IO. I was gonna try and talk to Andy from the test and release team about what we should be doing for hooking up into, whether we should hook this, a build of candidate releases, as a specific job in CircleCI or how that should work.
E
E
D
E
D
B
E
Mean having various and publishing it to the official least, your repository. Is that one thing and definitely can do it, because that's official build with the keys and approval and whatever, right, but in terms of kind of, we already have a big mess with those options and parties, the camera and too many things bundled together, and this one is decoupled enough and has a clean interface with the rest of this job I.
E
D
D
B
M
A
E
E
L
G
N
G
B
And it definitely, so it's not going to be linked with the. If that worked, not gonna be linked together. Right, it'll be, you have to install Istio and then you have to do this to your Istio installation and use the Istio CNI Helm chart by itself to so that battle. We can document that; that'll be the harder to use model, but if you're really trying to trial this, the quick knob is just, you know, turn on CNI off Helm line, and that's an opt-in on your cluster installation.
I
So, basically have it as part of the Helm. I don't have to read documentation to enable this, because the helmet shots death cargo is going to also change. My you need contain a configuration for automatic. A psych is a big bonus for me, Elsa I'm sure Tim, I would have to go to a studio somewhere to figure that out, which I would rather not I'm.
E
E
I
E
For us, safe as possible, I mean Ozzy me my series, basically, because when you have something for the same pair of do one two, you have stopped suddenly change. So if you just install the CNI plugin, I believe it will do nothing at all if Szanto train every detective, inject or else as I click table the container. So since they can have a namespace switches off the sweetheart or change the initiation gradually, yeah. So.
E
B
E
B
Mean, we, so the way we've made it, it's sort of the assumption that if you're using the sidecar injection flag, or, you know, you've already injected a sidecar in the container, it doesn't check and see if there's an init container there right now. I mean, we could add that, but it assumes it's the only thing doing the side via redirect stuff.
B
Yeah, exactly, yeah, so it wouldn't really kill anything from the script point of view, from the init container point of view, so I think coexisting is probably works. Okay, we haven't really tested it, I don't think, but I think if we want to have that workflow we need, we should probably have an issue where we document how, at least document how to make that, you know, least impacting for that workflow. Yes.
E
D
But it works for both, for the manual sidecar injection. The only key is you have to tell the manual to use the actual config map, not the embedded logic, to do the injection, because if you use the config map, the home is, would have upgraded the config map to remove the init containers. So you just tell istioctl to use the config map logic. Yes.
I
I
N
D
C
A
E
A
E
A
So there might be other like master future, and then the second part, if I already have a cluster which is Istio installed and I wanna enable CNI, I'm able to do that as well, right, but am I able to do it on, like, so selective first, just some namespaces or a node, or it's gonna be for the entire cluster? Here now.
E
D
D
Guess the key thing here, because we've so far been focusing on the new installation, one for better or worse, so I think the key thing here is: what are the two use cases that we ought to make sure, or three use cases, make sure we get those right and then we can iterate. It sounds like we want another one and a freshman Sawa, right, a precious no.1 and, of course, if I have regular, right.
A
Then, for upgrade, we need to actually define what's the functionality to people expect: everything will be switched to CNI, or the new part will be using CNI, or what, and do they expect? Are they required to change the config maps? Like, all the steps have to be documented, right, on this channel? Well.
K
B
E
D
Constant, I mean, yeah, I agree, I agree with you on the priority, but I don't think it's really going to be that hard to have an upgrade process to, and as Tim was saying, we just haven't really tested it. So I think if we actually sit down and put our minds to exactly how you do it, I think we have all the knobs right now, probably if.
B
We don't always gonna be the coexistence and just making sure that we're doing everything, that we fulfill that use case in the way that people would expect it to be safe. You know, so exclude namespaces is probably the wrong way from, we should probably have an include instead, but stuff like that. We need to figure if we need to.
D
D
A
D
E
D
D
M
A
C
B
Yeah, overall strategy right now for what we're going with fferent and testing is similar to, you know, just using the end-to-end tests in stos do, and we start off with the CircleCI and simple and trying to get that to run. But we quickly realized that in the CircleCI image, making minikube work with CNI reliably is difficult, partly being a compatibility issues with the CircleCI Ubuntu version that they support and Kubernetes 110.
B
O
B
Instead of kubenet, and then that allows us as united to add the plug-in to the chain. So if we can get that going, then we can just add a new Prow job to, so we want to add a Prow job in, and that's triggered by Istio Istio, that test with CNI, and then also a Prow job that's triggered by changes to the Istio CNI repo.
P
D
Just going to add to it, so, you know, we'll have one job in each, trigger from each repo, probably pointing to the latest nightly from the other one, as the fixed tag associated with the PR under test, so said that, so, for example, we're testing a PR and it's Istio Istio, then we have to pick a specific label and tag from CNI, so most likely will to latest nightly, or we could choose that. That.
E
Will work. I'm wondering if we are not going back to the early days of Istio, where we had multiple repositories and dependencies between them and was a mess of? Maybe an alternative would be to modify visibile scripts, yeah, I sketch that thing and I mean just will get check out on both stories and with we.
B
E
They will upgrade his Joe and have, so basically it's kind of a test where every night they say they put the images that were built at night and say they have permanent load and they verifies that the rollout and everything else does not result in five four trees and all the other stuff that aggress, so I think that may also be a good opportunity to test this CNI. So if every night we pulls a co night back in into those clusters, yeah.
G
G
G
G
J
E
D
E
A
H
B
E
A
B
Q
Right, but in terms of where the executable is wrong, and, you know, they are basically running in the same storage space, or, and they are basically using the same lock file, because, you know, we are running the CN host the namespace and, you know, the powers coming. We cannot use pause container's namespace to execute the iptables, because, you know, the just not available out there. iptables tools another in the pause container, and we don't have this problem because we were running the iptables script in the init container.
Q
So basically that environment is pretty much isolated and so I see using his own xtables lock, but, you know, we can do, you know, I put a Lina fix, I think, I mean, for now. It's working, you know, is adding a retry logic and it's the same type of logic. You've seen another see, that's right. It's same time logic, not this year and you mean seem to have a logic to do a few demos or no, you've seen the same type of retry logic.
Q
You know, it's basically the same in return. Logic used by the iptables to eat stuff. Just like, you know, we don't have the options you. If we're using all the release, we don't have that option like wait or we into both those options, so just to be safe, you know, we just add a retailer check in the shell script ourselves and it should be working.
Q
Q
Q
So what P in the face, what namespace Weekender, you know, we cannot enter any. We cannot choose any pain in the face and, you know, just into that pit in fest I was trying to enter into the past, and, you know, that's a past campaigner, right. So what I'm trying to internet namespace? But, you know, at the table twos, it's not a memo on there. I.
D
Q
E
C
Q
E
A
P
A
P
D
D
Q
Laptop has some issues with the speaker, but so, you know, three weeks ago we had a little demo on sidecar lifecycle management in common loosely coupled car. So afterwards, you know, we volunteer to come up with some requirements and, you know, potential implications for it. So if you look at.
Q
There are some reviews already, basically, you know, I derived the requirements from loop in cyclist is still documentation. I think, you know, then that document, although it talks about the issues with, pretty much laid out the requirements for this independent house, whatever you name it, and, you know, the second life cycle management outside the vacation, and I know there are a few attempts already out there to address some, all of the issues that discussed in that document. So in this document, I was trying to, you know, based on whatever already existed out there.
Q
I'm trying to, you know, talk about the, you know, what should be considered in the implementation. So in this section it's the requirements, so I'm not sure that is this exactly reflects what we want to do for the psychologist. You know, left sidecar lifecycle management. So anybody is welcome to comment on this and, if, you know, I'm missing something in the requirement or it should be reworded or things like that in that nature, and the next section is talk about the implementation considerations, so, you know, basically is talking about the implementation.
J
K
A
Q
A
Okay, so then that means that, like, we should all definitely be checking, there were like aspects like the debuggability for the CNI. The rest of us attribution all that, so we have to make sure that they are all listed here even before we jump into how this is going to be implemented, right, right, he's not, okay, so I think that's also for you, Louie, to review those requirements.
D
D
This really is not, you know, a full implementation design document, but I think that we do pretty early on make some assumptions about the implementation. Like this section on for the theme, for the convenience of the following discussions, it's assumed that the sidecar is not going to run in the application pod, right.
Q
E
A
E
E
E
A
So I split this document into really requirements for each job, and, you know, how those are addressed with the, like, proxy or outside of the proxy and with the sidecar proxy separately, right, because it may be. You know, some of these are already addressed by the sidecar proxy option that we have today and we realized everything.
E
E
It's not secure affinity, so let me try to put, you know, in a way that doesn't imply the solution, but I think to be able to upgrade the sidecar without requiring the rollout of exactly is perfectly valid in the goal. To isolate complete is to secure all the secrets and also traffic, that in separate ship intercepted by the sidecar from applications also quite mysterious, and unfortunately, that kind of implies.
A
O
O
G
I
So question on the upgradeability. I think it will be also interesting to highlight that, let's say, if my Bookinfo product page hasn't changed and sidecar changes and now I need to rolling upgrades. You pick up the new sidecar change now. Do you expect a Bookinfo product page container to actually be up and down because of the sidecar has been changed, but the Docker image itself for the Bookinfo and everything else, it's unchanged.
I
G
I
A
G
G
G
Everybody agrees that CNI can yield a higher degree of separation than is currently available in Corelli's, but they have a goal that we deliver a higher degree of separation within the existing. For any context, that's not clear still is that would even achieve what we want, so things evolve and.
A
A
O
G
A
G
A
E
A
A
B
B
E
So basically, I want to take a look if we can leverage CNI to provision SDS. You know, SDS is the Secret Discovery Service that is coming, and we kind of, it's also running per node, and we have all kind of discussions about how we are going to establish trust between Envoy and node agents that this increment is SDS. So my proposal, basically, just put UDS locate in each point as part of CNI to bootstrap itself. Anyway, this.