From YouTube: Istio Networking WG meeting - 2018-08-30
Description
- Discuss Envoy startup/readiness/health checking
- Discuss Secure Egress Traffic Control in Istio
- Discuss self-service ingress to multiple k8s clusters
Your network controller that was discussed, I think, about two meetings ago. We will also talk about Envoy startup, readiness and health checking, and there are two more proposals and discussions: secure egress traffic control in Istio, as well as self-service ingress to multiple Kubernetes clusters. So I think we'll do it in this order, and it would be great if we allocate about 10 to 15 minutes for each topic, but no more; we'll try to stay within those limits. So, [name unclear], are you online?
I can summarize that issue, if that is the double-checked thing that he was asked. Oh yeah, so I think this was an old issue, I mean a PR and an old issue that we had, which was that by default, when we start, the issue is that before what we call Pilot could actually send Envoy all the configuration,
the health checks continue to fail, because there is nothing in Envoy that actually allows traffic to enter the pod or leave the pod. One option that I actually had earlier was that when the system starts, a default configuration that we can have for every Envoy is to allow all inbound traffic into the pod, so that all the, you know, health checks and other stuff continue to pass and we don't have to [unclear] anything, you know.
First, if we don't find anything else, I mean, one proposal, I mentioned it in the past: we have the init container, and the init container, as far as I know, is doing almost nothing; it's just setting up iptables, and it's running before the application. We could have the init container do a bit more: make a small request to Pilot and download some initial configuration, and then when the application starts we will have a configuration, maybe [unclear].
The file system, we're not [unclear] but we'll use occasionally. The other benefit for this release: another P0 that we have for 1.1, which Louie feels very strongly about, is dynamic setup of iptables. Right now, remember we had that workaround for the security problem where iptables is based on the container ports, and people have complained that they need to declare container ports and so forth, instead of us just magically setting up the ports based on the service.
With this approach, with the init container making a call to Pilot, it can download the list of inbound ports and the initial configuration at the same time. So two birds, one stone. [unclear] It's not very hard to do; I mean, it's just basically a pilot-agent running in each container, making a call to Pilot, getting the config. We have the secret. It may even wait for the secrets to be there, so it's not... we don't have any startup problem because of no secrets.
But then you would need your app to change, or at least your specification for the app to change, to include a check on Envoy, right? So you would say your app is not ready until Envoy is ready. So then you need to add something to the app, and we want to preserve the application binary and also the YAML file unchanged, because that's one of the premises of Istio.
But what I expect, as I mentioned, is that the problem is the application: when it starts, it may try to connect to a service. I mean, the first thing you do when you start is connect to the database and pre-[unclear] one or two, whatever, and the connection to the database fails because we don't have the outbound clusters. So your application will crash; it exits or panics: I cannot connect to the database. Because the application, when it starts, expects to have networking, and until Envoy starts you don't have network.
So I would like to present the requirements that we collected from several customers, the current solution and the current challenge that we have. The setting is: we have microservices that have to access external services, for example some legacy databases or external web services, and we want to control this access, to control and monitor it. So the requirements that we collected, I think they are pretty simple, general, straightforward, nothing fancy here. The requirements are: the protocol to control is TLS with SNI; I guess this is the most popular protocol.
All the traffic is encrypted to the remote services. The second requirement is that it has to be transparent to the application, so the applications continue sending requests to the external services without special configuration, and I think this is a killer feature of Istio that you can do it: you can provide this transparent monitoring and control by injecting sidecar proxies. Sorry, the third requirement is to define policies and to enforce the policies. So there are two kinds of policies.
The first one is for the whole mesh, so any microservice may access *.foo.com, a wildcard domain, or a policy can be for a specific hostname, for example, may be to [unclear].bar.com. The additional kind of policies is policies by source. So, for example, the user can specify microservice A may access *.foo.com and microservice B may access some specific host.
These are two examples of policies. An additional requirement is to provide the monitoring and logging of all the access to external services, and the last requirement is to prevent tampering with the policies. Okay. So the assumption is that some of the application pods can be compromised and, despite that, the policy enforcement still has to function correctly. So even if we have some compromised pods, we have to prevent the attackers from escaping monitoring and breaking the requirements.
So, first of all, I guess we all agree with the assumption that sidecar proxies cannot be trusted. So there are multiple ways for an application to bypass the sidecar proxy: one of them is to get root access in the container, not in the node, in the container only, and then run as the user with the UID of Envoy, and then the traffic [unclear].
We have to deploy Istio components and the gateways to dedicated nodes, not where the normal applications, the application containers, run, and to dedicated namespaces that the applications have no access to, and to apply some strict security measures for these components. So this is the assumption: you can take over application pods, you cannot take over the Istio components. It has to be provided by cloud providers outside of Istio.
Sorry, so do you mean this assumption cannot be provided by cloud providers? You know, it's not necessary; I mean, I don't think it's necessary to have [unclear]. Okay, okay, an additional assumption is that once compromised, the attacker can avoid the sidecar proxy, as I've said, avoid the sidecar proxy interception, and then the attacker can, you know, learn Istio, can read the code, and it can run its own proxy.
It can get the certificates of the pod, and it can start sending fake Mixer reports, and the attacker will try to break our policies. Our goal is to still provide secure egress control under the assumption that some of the application pods are compromised. So let me describe how we can do it, in my opinion. Okay, so the first idea is to enforce control and provide monitoring in some trusted component, in this case in the egress gateway. So we direct all the egress traffic through this gateway.
Okay, so this is achieved by Pilot and by configuring the Envoys. So we have the sidecar Envoy and we have the Envoy at the egress gateway, and again, as I said, we have hardened security on the egress gateway. This is step one. Step two: this egress gateway component that we trust will send reports, okay, we trust they will not be fake; it will send reports to telemetry, it will send check messages to policy, okay, Mixer, and their monitoring will be performed and policies will be enforced in the egress gateway.
So this is step 3, okay: we have to prevent bypassing the gateway, for example by defining network policies such that the only egress traffic that is allowed is the traffic that originates at the egress gateway. So no other traffic will be allowed. We can use network policies for that, we can use a firewall, we can, for example, tailor the allocation of public IPs to the internal nodes, and we can configure network address translation devices, okay, not to perform NAT.
Also, I mean, yeah, everything you see now, you know, [unclear]. You have a route, I mean, if you want to prevent outbound traffic, you could put a firewall rule; it's a solved problem. You can say that nothing from inside the mesh is allowed to route outside, by a simple firewall rule in the networking, and then.
An additional use case is that the attacker would try to just access, you know, to steal data from the external services. Maybe the attacker will try to steal data from inside the mesh and pass the data to malicious sites, okay, to their sites, let's say the stolen data. The malware of the attackers may try to download updates for itself. So there are multiple, I guess, use cases, okay, where you want to prevent uncontrolled, unmonitored access from your cluster to the outside world. And the additional use case, what additional good use case?
So, good question. So now I will present two challenges, okay, one is solved and one we have to solve. Okay, so this is the whole picture: we prevent, you know, we are blocking any access that is not through the egress gateway. Okay, the first challenge is to handle wildcard domains. So suppose we have a policy that allows access to *.foo.com and a request is sent to mongodb1.foo.com. So how can the gateway forward it?
Here is how we propose to solve it: to deploy an additional SNI proxy on localhost, in the pod of the gateway. So this is not a proposal for the standard Istio deployment or Helm chart; any Istio provider can deploy their own egress gateway, and in this case the provider can deploy this SNI proxy, you know, any SNI proxy. We tried Nginx and it works okay. It passes the same SNI all the way through; there's no mutating of it.
[unclear]. So this is the transparency requirement, okay. So now this is the challenge. The first challenge is wildcard domains; here it is solved by the additional proxy. Now we have a different challenge: we want to enable policies by source, okay, so for that we have to use Istio mutual TLS, okay, to get the source principal. So now we have this mTLS tunnel: we have the original TLS with the original SNI, the inner SNI, and we have this outer SNI, okay, of the mTLS tunnel.
Now the problem that we have is that the Envoy of the gateway sees the outer SNI of the tunnel; it doesn't see the inner SNI. So what happens is this Envoy reports to Mixer the outer SNI, but the routing is performed by the inner SNI, so we have a security hole here. Okay, so Mixer receives the outer SNI while the traffic is sent according to the inner SNI, and we want to report to Mixer the actual hostname the traffic will be sent to.
You are saying that you are going to do one mTLS [unclear], so let me rephrase: can this be implemented in a way that doesn't add a lot of... in a plug-in or some way that doesn't create a lot of complexity in Istio? Because, understand, this is a wonderful use case, but we have latency problems, we already have scalability problems, we have a lot of other issues that we need to resolve before we can take this kind of... It sounds very complicated to me. I don't know, yeah.
What exactly do you gain by this? So, let's say if there is no sidecar Envoy for the application, the application could, you know, be aware that there is an egress gateway, mm-hmm, SOCKS for example, or whatever we are doing today, and just make the direct connection with an outer SNI. I mean, you could do it, for example, just implement the SOCKS protocol, which has authentication, or some of the other, you know, it could be CONNECT, for example, HTTP CONNECT.
This is what we're trying to do anyway for tunneling: we'll be using the HTTP/2 CONNECT, extended CONNECT, in order to tunnel arbitrary traffic through Envoy, like, you know, WebSocket and so on, across Envoys, and that's part of the proposal there.
And we're already well on the way to doing that. Actually, Alyssa from [unclear], she's already started doing that work, and we do have a rough way of doing that for WebSockets over h2, but there's still some more work that's required in nghttp2, after which we should be able to tunnel arbitrary stuff over h2, yeah.
If you ask me, no, I think it's a super important requirement, and we should prioritize getting that part, the on-demand clusters. It's the first part, and I think that we have no other choice but to implement this kind of on-demand clusters. The second part, we may need to discuss a bit more.
Not doing SNI, what the application is starting, that TCP, I mean, just like we have this problem already of not getting visibility into the application if the application is already starting a TLS connection. Assuming we solve that problem by direct integration or some other mechanism, if the sidecar would get clear text, would it avoid the double encryption?
Great, so I'll just start with a brief overview of the use case we're looking at and sort of why we're presenting it in this meeting. So basically, we have a proposal for self-service TCP ingress to multiple Kubernetes clusters. We're particularly interested in the use case of external TCP connections trying to reach an application on a Kubernetes cluster: when an application developer creates their deployed application, they want it to be externally routable. We are also considering the use case of multiple clusters that are coming up.
So while there is a way that, on a per-cluster basis, you can configure a load balancer and have your services externally routable, when you deploy many services on many different clusters it becomes painful to manage external routability. So we're looking to solve self-service ingress routing for multiple Kubernetes clusters using Istio.
Building on top of Istio. So basically, we don't believe that this requires any changes to Istio as it exists today, but we wanted to see if this use case resonated with anybody, if they've seen anything similar, and if they had any general suggestions. So, as you can see, no core changes, so we'll go down basically to the data plane design. So the idea is, in order to have external routability,
we wanted to deploy an additional routing cluster, as we call it, and you would, as an operator, only have to configure a load balancer to forward to your routing cluster, and then, of course, you would expose a NodePort to forward to the Istio proxy. This Istio proxy would know where exactly the service is living and would be able to forward correctly to the NodePort that's associated with that service in Kubernetes.
So we believe that we can also support the load balancer case. I think for just an initial POC we're looking at requiring a user to create a NodePort service, but we believe it could be extended to also be dynamically configured for services of type LoadBalancer as well. Yeah.
They're looking for feedback in terms of [unclear], right, and this is, I mean, a better way to visualize it. The context is, if you imagine Cloud Foundry and Kubernetes, this is one example where a typical example is people in Cloud Foundry: they would like to allocate a Kubernetes cluster just to run stateful services, like MySQL or some of these [unclear] these days.
It doesn't give you access to the clusters, I mean with the cluster registry. I don't know if you saw the designs that we have today and the implementation for multicluster in Istio today; the problem with the cluster registry is that it gives you a list of registries and IP addresses, but you don't have any credentials to connect to the API servers and watch them.
There are two different things here. What Pilot is doing today is watching for some secrets, and whenever the secrets are created, the secrets contain a kubeconfig, and it takes those kubeconfigs, creates a connection to the remote API server, and then is watching the remote API server for services, endpoints and all other stuff.
There would be another box here, right, because the kube API, like the Kubernetes API, is to register with the cluster registry. We're envisioning the cluster registry would run on the same cluster as the route manager. So, in addition, when it adds itself onto the cluster registry, it could...
[unclear] if we use the same, if we don't reinvent the wheels that we already invented. So besides that, I mean, the second part, the part that I think is the core of this proposal, is to have this creation of Istio configs and external ports. That's already something we are trying to do for the [unclear] and for the split ideas that we discussed last time.
This will be something that needs to be an external piece itself; it is not something that is implemented by Istio. Something that, you know, yeah, the cloud's Kubernetes provider, I mean GKE and so forth. We need to plan. Why not modify the existing service? Because Istio is creating the service for the gateway with a list of ports that are forwarded, you know, the Istio ingress service, which is type LoadBalancer and internally has a list of 40, 80, 443 and a bunch of other ports.
Maybe I was confusing. So right now Istio creates a single IP address, so we can allocate the single IP address at a single load balancer, but the load balancer has a list of ports. What we are discussing here is adding ports to the load balancer. So you have a service of type LoadBalancer and inside you have a list of ports, and that works with most Kubernetes implementations that we know.
[unclear] what you can do one by one, so you can programmatically add ports; I know there is an issue to [unclear], and I think it's been open for two or three years. You cannot do it for some clouds. If a particular cloud provider has this facility [unclear] this resource, fine, but we need a solution that also works on, you know, GKE, Bluemix and other providers that don't have this external port facility.
So I think you're misunderstanding something: the route manager is the one that is creating and responding to these CRDs, right. This is simply a datastore mechanism for the route manager to keep track of which external ports have already been allocated and which ones are still available to be allocated. We're not expecting the cloud provider to do anything with this external port.
I don't want to be hung up on NodePort versus LoadBalancer. I think that, well, maybe we are just ending up there, but I believe the main thing is that the Istio ingress gateway, the proxy in the routing cluster, is able to somehow communicate with the worker that the service is running on, right. So, yes.
Comment: today, if you create a Gateway resource with a particular port, the gateway proxy will automatically open the port. So we probably don't need the second resource because it's already implemented. So at the moment, if you use LoadBalancer type or NodePort, the moment you create the Gateway, the proxy will listen on that port.