From YouTube: Istio Networking WG meeting - 2019-03-14
Description
- New format for the meeting
- CNI update
- Istio 1.2 priorities

B: Right, well, hello everybody and welcome to this Istio networking work group. I think we actually have a couple of items in the agenda. First is CNI updates from Red Hat, and the second is that we plan to continue discussing the Istio 1.2 priorities. It's not in here, but I will add it. And before we start, let's talk a bit about how we've managed to engage the remote attendees a bit better, so we actually receive feedback.
A: Well, I was relaying stuff I heard from others, but, you know, one possibility is, say, everyone attends over GVC from their desk or something, so we can't just... we have to converse over GVC as well, and we can't do this, every ready channel over anything. But another one is also: we run the entire thing over Slack, in which case we actually have a nice... you know, then you save the notes someplace, to some doc. Maybe the meeting notes or something.
B: Sorry, sorry. Well, we're trying to make sure the remote attendees have a better chance to comment, like to bring up their ideas, and it's sometimes difficult. You know, being far in the remote room, they are not seeing, not really reading, what's happening online. So we were wondering how we can do this better, so.
E: Andrea, I think that first idea, I think it was Josh who had it, about having everybody attend from their desk: that may be disruptive internally, but that would be great, because I've seen how that works in a video conference, and, you know, everybody has to kind of fight for a spot, but it's better than one room dominating the conversation.
B: Because the screen shows the loudest person, it's hard for my church to be louder than our own. Oh, I understand. Okay, that's interesting, all right! So let's try this new option for the next meeting. I think we will try it even now, but yeah, for today I guess it makes sense to stay here; otherwise we'll waste too much time moving and trying to find headsets and everything. All right, so I think we can proceed with the things here. So Marco, are you here to give us the update on CNI? Yeah.
G: But let's start with the existing CNI plugin, which does nothing more than just: when you deploy the CNI daemon set, it obviously runs the pod, and the pod then just installs the CNI plugin binary onto the host's file system. I've now added an additional container into the pod which is there so it can take care of the Envoy. Well, there is your proxy container, which is no longer run through Kubernetes directly, but sort of by hacking into the CRI. Now the proxy management agent runs it alongside the other containers inside the same pod, even though it's not even visible in the pod. So when you deploy an application pod resource with the Kubernetes API with a single application container, the sidecar injector no longer gets called, so I disabled it, and instead the proxy management agent takes care of injecting the sidecar into the pod.
G: By doing this, we take care of the problems where the sidecar container currently comes up too late. If somebody is using init containers in their pods, because the iptables rules are already in place, none of the init containers are able to access the network services, right, because the iptables rules are redirecting traffic to the proxy and the proxy is not up.

G: So in this case the proxy is up, and therefore, as soon as any container runs, it obviously can go through the proxy and everything works as it's supposed to work. Okay, that is the one side, but at the end, on pod shutdown, obviously the application containers get shut down first, and only then, when the CNI plugin gets called to tear down the networking, it also shuts down my proxy, and that's it. So basically we have the proxy in place for the whole lifetime of the pod, right.
G: I have the Bookinfo app running. If I now delete the details pod, you're going to see that the management agent first ... of the previous pod's container, right, then looks up the necessary config map, opens the config map, and then starts up the sidecar container. And if you take a look at the node itself...
G: Yes, exactly, that bypasses Kubernetes primitives for controlling CPU and memory; actually it does set them on the container, at least it sets the limits, right, but it doesn't set the requests, obviously, because that has to happen before the pod is scheduled. So that's one other bad thing about this.
B: Yeah, actually, we should, like, if we answer a question that's in the chat, we should repeat the question out loud. Some people may not necessarily be able to join the meeting fully; they may just be listening to the meeting. So I think, you know, it's a good idea to ... the question. Okay.
G: Yeah, so the question was whether it bypasses the Kubernetes primitives for controlling CPU and memory. I actually repeated that in the answer itself, so it was pretty clear. So the other question is: does the sidecar piggyback on the pod CPU? It actually doesn't, so it has its own CPU limits, so they aren't accounted for when the pod is being scheduled. That's also a problem, obviously.
G: The agent actually looks up the config map holding the template. It processes it in the exact same way as it's processed usually, and then I just extract the necessary data, like the image, the arguments, the CPU request, for example; you see the referenced secret and so on. So basically I extract all that data and use it to configure the sidecar container. So it's completely...
C: The custom configuration, that's fine, I mean there is nothing we can do about it. Some people want to do it this way, but presumably the CNI also can be customized in different ways, and you can put whatever kind of templating in the CNI configuration. So they can reproduce whatever there was in the CNI.
G: Yeah, so just for the record, I'm not completely happy with my solution, because when I started thinking about this I was sure there was some way of having the kubelet run the additional container, and it turns out there's no such way, so I had to basically replicate whatever the kubelet does. So it's much more hacky than it initially looked like it was going to be, right. I'm not sure this is a proper solution long-term, right.
G: It is a solution now, where there are the other issues that prevent you from properly injecting the sidecar as soon as you, let's say, enable the admission controllers which mutate the containers, right. So then, as soon as you do that, you're currently unable to actually inject the sidecar, because the pod gets rejected during the second phase of the mutating webhook, the admission plugin pass. So the second pass, which basically validates the pod, and at that point it can no longer mutate.
G: There is a new proposal out for marking certain containers as sidecars, but the initial implementation is just going to take care of the main containers, so it will allow you to have sidecar semantics during the main container operation, but not during the init containers, right. So in that case, if an application developer is using init containers, they have no access to the network inside those init containers for now, but my solution fixes both of those problems, but it's a hacky type of solution.
G: Of the same bucket, yes, you are okay. The requests are used for scheduling, but they're not used for the actual container, right. So if you just increase the request, you would then ensure that the node has enough resources available for the sidecar also, right, but then in limits you only use the regular amount of resources that your app requires, and the additional resources are specified in the sidecar template.
C: Same problem applies. I mean, that's kind of the issue. You cannot request more than the limit. Now, you cannot say I want a request for four CPUs ... So normally you want to have a job that is using three CPUs; you want to have a limit of three CPUs, so it doesn't know about that, and you will have an extra CPU for the sidecar.
C: For example, you will need to request four CPUs in the injector to accommodate both, and then have the app run with the three CPUs configured; that's not possible. So we need something similar, which is, I think, a good start, but there are some details that don't add up. The other idea that was discussed by some people...
C: I don't know how to give proper credit, because I don't remember, was to use the kubelet to schedule a proxy on the same node and then do some hack to make sure they get into the same namespace, but that's also very tricky, to work around the problems that the kubelet is not aware of.
C: That particular thing, when running as part of the pod, the proxies ... I see, and I will account to request for five CPUs, or however many CPUs are requested, and then run them itself, the proxies. All the proxies will be containers in the CNI agent, and that's a lot of ..., because anyone who has system access can see the ... and ...
G: There's another question regarding ... and proxy status: it should work out of the box, because the proxy is part of the same network namespace, so all its ports are accessible, and if the controller is just connecting to a certain port, then it continues to be able to do so. So it shouldn't be a problem.
M: Yeah, we will... there's a number of others, so basically what's missing in this CNI plugin, that's ready to probably merge, from a CI standpoint, is we have ... in CircleCI to test against a bunch more CNI plugins, like Weave, Flannel and stuff, and I was kind of... I'm going to push the nightly for that soon, but we could run those tests on your branch before, and then the regular CNI tests as well. So.
K: I have one question which wasn't addressed, which was about how a user would detect if there was, like, a problem and ... It would be great if we could have some instructions on all that stuff. I've never used the CNI plugin for anything, but if it was like some kind of hints on how to look and see if the rules had been done right, for users to ... troubleshooting why things aren't working, but the...
B: ..., we know this, like delays of up to 5 minutes, and it's some issue with certificates not being mounted, and because of this ... readiness probe and so on. So I do think we have a big issue with that. ... in my opinion, a bit too long, and it also can cause flakiness in our end-to-end tests, which wait for two minutes. So.
M: I think when I was making a bunch of namespaces and starting pods, not with auto sidecar, but I mean... and that was usually without a... not auto sidecar that I've tested it with, and I saw it. But I went back and retried after Lynne and I talked, and I haven't been able to reproduce it since. So maybe I'll blow that cluster away and try it again. One...
C: Comment that I was... this topic, one thing that is in the design doc of tracing in secure environments: so once again, what the CNI plugin can do relatively easily is to wait for the secrets to show up from Citadel, or, if the new SDS is used, to actually provision the UDS socket for SDS. So that means that the proxy will never be started, as opposed to being stuck, because Istio is waiting anyway until the secrets ... it exactly shows that we wait until your secrets are there, and then we start ... right in.
C: Very hard change, but the tricky part is we integrate the SDS, because they're kind of deprecating things like secrets, the way we mount secrets into pods, and the new SDS is not completely ready yet; I mean it requires a brand new cluster and some other... But if someone can look into this, it'll be awesome.
E: So, like, just to backtrack a little bit on the problem with the secrets not mounted: I've seen that too and I've got a bug filed for it. I think we need to take a look at that, you know, post 1.1, and see if we can sort that out, because I mean it takes like two minutes for a cluster startup sometimes, and that could be a problem. So I agree that's a problem, and it may be a CNI problem or may not be, so I think ...
B: I don't think this, like the issue with the delay in startup, has anything to do with CNI. So that's completely orthogonal, and hopefully the CNI will help alleviate those if we implement what Costin just suggested; that will definitely help, because we're getting into a sort of a bad loop of readiness and crash. How is it called, crash loop?
B: No, okay, good. So then we can move to the next topic, which is actually a continuation of discussions related to Istio 1.2 priorities. So we had very little time during the last meeting, and the suggestion was for people to add bullets. Let me actually share the screen: to add bullet points with features, and we will have a discussion to rank those. So maybe I should share this screen now and we can start the discussion.
B: Okay, so you see the first one: that's improve test coverage for existing features. I think that's like really the highest priority for now. We really need to do a bit better with quality in general in Istio, and we have, like, there is... Probably people have seen already the Go "code move", or how is it called? There is a document called "code move" which suggests a bunch of improvements related to testing and quality.
C: It's a proposal, or it's a bunch of ideas; it's nothing that is agreed on. What you need to ... on the move ... a good moment for test coverage and existing features again. There's two different testing frameworks that are, I mean, stability and performance, and also the new local testing framework that is being developed in parallel. Tons of work, yeah.
P: What, kind of two dimensions to this, right? So one is, you know, what are we going to actually use as infrastructure for the tests, and how are we going to structure them, like what dependencies will it be reasonable or unreasonable for the tests to take, right, in terms of environments and other things; and then the second thing is being a bit more formal about having a kind of test coverage plan, right.
D: I think that's what I'm trying to... I think it's not clear for either of them. The new one, very important, I don't think many of us have minded; I think, I feel like it's being kind of cooked and still being cooked. The other one, about the guidance, it's certainly, mm-hmm, and coverage is certainly not really clear as far as what type of tests need to be using what type of framework and what type of coverage we are shooting for, and we should certainly produce a table, or... well.
P: No, that's the plan, right, so I'm going to obviously get to see these dialogs with some kind of baseline set of stuff. The test framework stuff is obviously new; Oz is just getting ready, I think sometime early next week, to merge it up into master, so people can kind of start poking around, but yeah, we're going to have to kind of start with some kind of coverage sheet, maybe, and start identifying gaps and start classifying.
B: We have in the Istio drive a feature matrix that covers... it's pretty outdated, I think, now. It was meant to cover the various networking features and the type of coverage we had, like in unit test and then end to end and so on. So maybe we can try to add to that and bring it up to date. Many things have changed, including unit test coverage is not the same as it used to be.
B: Hallelujah, maybe we can take an action item to get the education that we need on this new test framework. So let's say: can we have somebody like Oz or Nate give a good, you know, good demo, good description, either in the Istio networking or in the Istio community meeting. Did we share it with what...
C: The tests are running today, I mean, do 'make test'. I believe ... are examples that you can... anyone can run; it's not different than any other unit test framework. And for the other tests, it's a... it means that it's, up until now, a one-liner: you need to run one command, then you have the testing.
P: The new integration testing framework is designed to enable feature testing in simpler environments than what we currently use today and intend, right. So it's designed to allow for coverage of the same features faster. It can be run entirely locally within a set of constraints, and effectively what it does is it just runs the jobs outside of a Kubernetes environment and stubs out things that are necessary, so that you can start basically exercising features end to end.
P: So there's what should happen over time, and there's some discussion in the Code Mold, is that, you know, these integration tests and testing on kind are sufficient to basically produce a release candidate of a component, and then the components are pulled into a kind of release bundle where they are run against smoke tests, you know, with actual production environments that have long-running tests like the ones Costin described, and things that are a bit more like what the end-to-end tests do today on GKE.
Q: One thing I want to point out is, last week people mentioned that they didn't know how to run the tests and that they thought that they could only be run by, like, Googlers. I've updated all the documentation and cleaned things up a lot. So if you're still having issues running them, please file an issue or something; now anyone can run them, even on a small cluster, performance stability test, right. Yes.
C: Because there is a big confusion here, and stability: that means that you can verify the performance of the system in a small cluster, and everything is perfectly doable with a small cluster. So the only thing that is not possible today is scalability tests; I mean if you want to run tens of thousands of ... for that we still require a dedicated cluster, but that is not required for the testing. Is that something we still do? Pretty ... and it needs to be done in a large cluster.
B: And we can do that offline, okay, but I guess that'd be an easier way to keep track of everything. All right. Next one: IPv6 quality support. We actually discussed this a lot last time and I think ... is on top of this. So if it's coming in 1.2, that's perfect. Okay, this is more like general: promote some of the features and APIs from alpha to beta. Okay, so that will happen, I guess, for... what is it now, still alpha, that everything? No? No, there are I...
B: Channel, okay, okay, so this is: you turn on the line. Yes.
B: I see, so basically we don't have an owner for this one yet; need to find an owner, I think. But what we probably need to do after is to rank. So now I think we're just going through this, like sort of requirements, and discuss a bit about them, so that people understand what they mean, and then we will have the actual, like, see who can do what, because there are quite a few of them. Yes.
C: Rewriting the whole generation of the configuration, it's not... and we want to do it first for the container. What we can do in a safe way, basically: ... users will still use the old way if they have something that works, but they have a way to switch between it and this mode, and after we go to a release and it's stable and we verify everything is fine, then we make it a default.
C: A huge change, and again it's not very... it's just the fact that they are planning to remove it. That's the only reason we are doing it, for an outbound chain; for inbound chain we need to do it to support the ..., so we are doing first the thing that is required as I move; this is probably the second one after. We need to be very careful with production stability. As you know, we have so many problems and we need to be very careful with any change in ..., yeah.
P: I think that's probably going to just continue with the usability feedback that we've gotten, which is: you're making me do more config than I want. You know, like 90% of my traffic is HTTP, and it's not hard to sniff HTTP, or give the administrator some way of saying, look, all of my traffic is HTTP and I'll label it as something else if it is something else, right, something along those lines.