From YouTube: Istio Networking WG meeting - 2019-05-09
Description
- Discuss ways to reduce DNS overhead of Envoy STRICT_DNS clusters. Should we recommend against "resolution: DNS" except where explicitly needed? Should we allow unambiguous FQDNs?
- IPv6 update
- CNI update
- New process for the installer
- Istio 1.2 update and github epics for 1.2 items
- Testplan for Code mauve
A: All right, hello everybody, and welcome to this networking community meeting. Today we will discuss a bit about DNS and ways to reduce the DNS overhead, and John, I hope you're here with us, because you want to cover this particular GitHub issue. I am sharing my screen, but it might be better if you actually share your screen and describe the problem a bit.
B: So there's a few suggestions I have in here on ways we can reduce these. The most obvious one is reducing the frequency of requests. I think five seconds seems extremely aggressive; I think the default for DNS should be five minutes at least, and especially for Kubernetes services, because for Kubernetes services the IP address will never change unless you completely delete and recreate the service, even during an update.
B: Now, there's the global setting for the DNS refresh rate, and it defaults to five seconds, which is Envoy's default. This does not apply to the bootstrap config, though; we should probably change that. But that means that, even if you set it, we're still going to be making requests for Pilot and tracing every five seconds.
D: So in the case you define a service with load-balanced DNS, then it will resolve, for normal resolutions; that's how Envoy will do load balancing for those things. And if you happen to set the address of telemetry or, I think, tracing to be a real DNS name, that will not be a leap, it will be, you know, normal external load balancers that... to use whatever.
B: Okay, so the next issue is, throughout our documentation, samples, etc., we use DNS resolution on our service entries for even very simple cases, like, you know, exposing google.com, which causes all these unnecessary, you know, DNS requests. Should we change our samples and our standard to using resolution NONE instead of DNS when it's not necessary?
B: So, some more context on the issues. What happens on a request is that, say you make the service entry just for google.com; you do curl google.com, it resolves the DNS to some IP address, and then it sends that request to Envoy, which is also doing the same DNS resolution. So we kind of do this double DNS resolution for no real gain, and the client is going to do the resolution no matter what, so it seems to me that it doesn't make sense to do it twice. I'll...
B: Yes, I think there's one example where, like, we send it to, like, different regions or something, so in those cases this would be needed. I think for the standard examples we can clean it. Yeah, for the others it should be done, though, right? I think it should be NONE, like, NONE should be the default. You shouldn't switch to DNS; if there is a compelling reason, you need it, right?
D: So for HTTP services, how it will behave: you have the hostname, and the destination rule matches on, or service entry matches on, hostname, and they need to apply resolution and use the original IP to forward to whatever the client resolved. But it'll still use the hostname as young-ji. Okay, Janey's fine does.
B: Okay, so the last point here, this is maybe more of a minor optimisation now that we're going from five seconds to five minutes, but due to the way that DNS resolution search works in Kubernetes, if you do a request for, say, google.com, it's actually going to make six DNS requests, because first it looks in google.com.namespace, cluster, all these things, before it actually goes out. And so one way to avoid this would be to do a request for google.com. (with a dot), and so the dot at the end is...
B: Yeah, all this will definitely... one or two, not one, not one. Also, using the unambiguous domain name, I think, would also resolve an issue where I think you can kind of do some hijacking: if you create a service, say a service called google in the namespace com, then the DNS request for google.com would resolve to that instead of the real one, but that's probably a minor security...
L: So in the meanwhile I've got a simple test on kubeadm-dind. So that's the Docker-in-Docker variant that runs with IPv6 on CircleCI, and that's in the CNI repo right now. So I want to get that... figure out what the long-term strategy for the installer testing is, so I can get that integrated there. So that's basically the update I can give.
D: Even if kind has support for IPv6, I think it's very valuable to have at least one test for each environment, so I want to keep the minikube test running as long as minikube exists, because some people may choose, for whatever reason, to use minikube. Some people may choose... I don't like to be kind of a monoculture and have just kind.
L: Okay, yeah, so just to make sure it's clear: also, the CNI PR to istio-installer actually doesn't have any dependency... IPv6 doesn't have any dependency on that, so the stuff I would be proposing would be a separate PR, and it would be, like, totally just the test, not new installer functionality, because the Istio installer doesn't have to do anything for IPv6. It's just going to be on an IPv6 infra, and it would just be: how do we trigger the KDC?
D: Prepared... and if you can do it soon, I'm hoping to get, after the 1.1.6, 1.1.5, whatever it is... I want to ask the release manager to start cutting the candidate for 1.2, so I can get more experience; I mean, you can start early testing on the new installer. So probably we can wait, I mean, a few more days to get 1.1.5 out. Oh, you want to have those at the same time, but the idea is to have the CNI parts integrated.
D: Let me know if I can help, I'll be happy. And one thing I want to mention on this subject: I do not know if people noticed, in the environments working group we have a new process to install the demo, and to install demo profiles, or kind of specific configurations of Istio, with kustomize, with a single line, kubectl apply -k github installer, and it would be great to have one such profile that is defaulting with CNI, okay, so people can have kind of a prepackaged, pre-tested... I mean, whatever we test.
D: The documentation will get some decorators, and people who know about docs will need to translate the READMEs with the proposal and the wiki page to get people started. But once it is tested, and if the community accepts it, there's always, to be documented, master to release: they have one month to write the docs. So it's not... but testing comes first. So.
A: All right, okay, great, thanks, I mean, very much, team. I have also a couple more announcements to make. So I'm not sure if everybody has seen the communication from Francois related to release dates for 1.2, which is June 19th. That's the current plan, and there is, by consequence, a release-1.2 branch that will be cut on May 21st.
A: What does this mean? That means that every feature or bug fix after May 21st that will need to be released into 1.2 will need a special approval from the release managers. So, ideally, if you have PRs, you should try to get them merged in before that date, because if not, there will be, like, more work to do. Also, let me actually share the list of the current GitHub epics.
A: So it's linked from the meeting notes document, and these are the epics that I currently tagged for milestone 1.2, and you see there are, like, UX improvements, refinements to namespace isolation (this is basically refinements to the Sidecar API), there are a bunch of issues related to security of Istio, you know, there's a big one for, you know, geo multi-cluster, which has way too many issues attached to it.
A: I'll show in a minute, and obviously I also added the IPv6 support epic, mainly because it's almost ready, right, so I think we can safely target them for 1.2. Let me just go inside the IPv6 support and show everybody how this looks. So this is a big epic grouping all IPv6 features, and look how many issues were fixed in that area. All right, so all these are closed or fixed. Are they closed or fixed? I think they are closed by being fixed, or is that correct, what it shows here?
K: Can I add a small comment to what was just said about my communication, because I'm not sure it's very clear. If you have been working on an issue that was tagged as 1.2, verify... if you really wanted to land it in 1.2, verify it's currently still marked with this milestone, because most of the 1.2 milestones I have moved to 1.3. So that's part of the communication and I think it's very important to... yeah.
A: Yeah, so for some of these I actually moved them myself just today. For instance, let's take this one. This one was originally, like, it had no milestone. Oh, it still doesn't have a milestone. So let's say we go here and we target milestone 1.2, and if you are working on an issue and it shows marked on 1.3 but you actually want it in 1.2, please go ahead and change that.
A: Go here and... my filter, to filter by epic and area networking. If I change it to be environments as well, it will pick up, you know... Okay, now I changed them all. What happened? Oh, you guys have no issues in... I know why, because all your environment epics are probably in a different milestone or something, yeah.
A: So in here, for instance, let's say multi-cluster is being, you know, has work done in both groups. We tagged them as both, and some issues will be networking specific, some issues would be environment specific and, of course, there'll be security issues as well. Right, sure, this is more like, you don't want to filter it. It raises visibility on, you know, how we're progressing towards the milestone.
A: I want to also show, like, the UX improvements, for instance, because that sounds very, you know, generic, but it has some of the things we've been wanting for a long time, like the elimination of the dependency on port name for protocol identification. That is the part where you need to name your port with http-something or tcp-something to be able to infer the protocol. Or this one, which is the requirement to declare the container port in all YAML files. But most people don't have that, because it's an optional field in Kubernetes, but Istio requires it.
A: So all these are tagged for 1.2. However, I'm a bit concerned, and some of them might not make it, just because I'm looking at the issue and this is not assigned to anybody, so I'm going to follow up on this to see exactly who the owners are. Or, if you, for instance, you know, you're working on a specific area or item or issue and your name is not there, please put your name there, because that will probably raise the level of confidence this gets done in 1.2. Also I...
K: Yes, like, on the date the branch will be cut, most of the bugs will be accepted during the first time before the release, yeah. If it's really, really a bug, there will be a discussion. Obviously it's not like, if there is, like, yeah, a great feature that can land, and you are, like, at least on this, we will discuss, but mostly that's exactly what was described: after that, other fixes could be accepted, which really means that...
D: We should ask ourselves if we have the necessary... after other testing, once we discuss if we should make CNI the default, or recommended, or something similar. Since this... again, it's not the user, which profiles they just reinstall, but we should discuss recommendations for this. So.
J: So, Andra, just to clarify, so the big things for CNI is the install, but that's being tracked under the install epic; the IPv6, which is being tracked under the IPv6 epic you're looking at now; and then there was a separate effort, which won't make 1.2, to possibly have Envoy be out, you know, in its own container, all right, so pod, but that's not going to make 1.2. So, in summary, I don't think we need a separate CNI epic; I think any of it is covered under the others, yeah.
C: And then I think Oz and some other people are working on tooling to actually associate the test plan with specific test cases and whether they pass or fail. So Louis made a first stab, actually, at a networking test plan, but, you know, I think he, like, kept putting in, like, half an hour at a time. So it's far from concrete. This was something else.
C: I was going to bring up at the TOC tomorrow to basically say, look, we need to start having something like a weekly meeting with working group leads to really get movement on things like the test plan. Some areas have filled it up, others haven't. So I'll link in the tab to this document right now. Okay, if...
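The search-list expansion and trailing-dot point that B raises in the DNS segment of this meeting, worked through as a small added illustration (it is not Istio or Envoy code, and nothing in it comes from the meeting's own repositories). It assumes a resolv.conf of the shape kubelet writes for a pod in the `default` namespace (three cluster search domains, `ndots:5`) and a constructed zone table standing in for cluster DNS plus its upstream; every address in it is made up.

```python
"""Search-list expansion and the trailing dot, as discussed in this meeting.

Added illustration, not Istio/Envoy code. Assumes the resolv.conf kubelet
writes for a pod in the "default" namespace (three cluster search domains,
ndots:5) and a constructed zone table standing in for cluster DNS plus the
upstream resolver; all addresses are made up.
"""

# Search list and ndots as kubelet configures them for a pod in namespace "default".
SEARCH = ["default.svc.cluster.local", "svc.cluster.local", "cluster.local"]
NDOTS = 5

# Constructed zone data: what cluster DNS (and its upstream) would answer.
ZONE = {
    "google.com.": "142.250.72.14",                        # upstream answer (constructed)
    "kubernetes.default.svc.cluster.local.": "10.96.0.1",  # a normal cluster Service
}


def candidates(name, search=SEARCH, ndots=NDOTS):
    """Absolute names a glibc-style stub resolver tries, in order.

    A trailing dot marks the name as absolute and suppresses search-list
    expansion. Otherwise, a name with fewer than `ndots` dots is tried under
    every search domain before it is tried as-is.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def resolve(name, zone=ZONE, search=SEARCH, ndots=NDOTS):
    """Walk the candidate list against `zone`.

    Returns (answer, lookups, fqdn_that_answered). `lookups` counts candidate
    names tried; a real resolver sends an A and an AAAA query per candidate,
    so the on-the-wire count is roughly double.
    """
    lookups = 0
    for fqdn in candidates(name, search, ndots):
        lookups += 1
        if fqdn in zone:
            return zone[fqdn], lookups, fqdn
    return None, lookups, None


def with_hijacking_service(zone=ZONE, cluster_ip="10.96.5.7"):
    """Zone copy in which someone created Service "google" in namespace "com".

    Cluster DNS publishes that Service as google.com.svc.cluster.local, which is
    exactly the second search-list candidate for the relative name "google.com".
    """
    hijacked = dict(zone)
    hijacked["google.com.svc.cluster.local."] = cluster_ip  # constructed ClusterIP
    return hijacked


if __name__ == "__main__":
    for zone_name, zone in (("clean", ZONE), ("hijacked", with_hijacking_service())):
        for query in ("google.com", "google.com."):
            answer, lookups, fqdn = resolve(query, zone)
            print(f"{zone_name:8} {query:12} -> {answer} after {lookups} lookups ({fqdn})")
```

Running it shows the relative name `google.com` walking the whole search list before it reaches the upstream answer, while `google.com.` is answered in one lookup; with the `google`/`com` Service present, the relative form lands on the in-cluster address and the absolute form still does not. This models only the stub resolver in the application container; Envoy's own STRICT_DNS refresh, the other half of the duplication B describes, is a separate query stream that a trailing dot on the client side does nothing about.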