From YouTube: SIG Network Weekly Meeting 20201015
A
And we are now recording. This is Kubernetes network meeting from October 15th 2020. Lackey's volunteered to lead us off with some issue triage.
B
A
Question: why don't we try the, the new label and see what it gives us.
C
C
D
D
C
C
B
B
C
Okay, next: reserve range within server side of wherein automatically assigned IPs will not be chosen. Would be nice just to be able to specify a range within the server side of where the clock, this cluster will not automatically allocate service cluster IPs, but will still allow services to be created within the cluster IP manually specified.
H
B
A
B
B
C
Pods cannot reach endpoints within the same node for UDP services if they are using host network. This is you, Antonio.
D
Yeah, this is, so we, we had an issue with the, when the points are using host network. Well, there are some cases that is a, you know, a weird scenario and, and we added some tests and we're, when adding this test.
D
B
Is this you asking for help or is this filing a bug, because you know it's a real bug?
D
H
B
You'll be surprised. I'll take, I'll take a look at it, but, like, I've never heard this before. So I wonder if there's environmental context. I'll, I'll open it and take a look.
D
B
C
K
B
L
It's, it's, it's because he's using the Azure scenario, which uses IP from the VNet. Can you add me there as well, Lucky, so.
J
B
C
D
The, this is because language ship added the dual stack to the kubenet. I tried to do the same for kube-proxy and I realized that the bind address flag is, is really a mess. You know, it's used for different things in different components, and I, I mean, I, I want you, all of you, to revisit it and, and decide the best solution for it.
H
G
D
D
The problem is with dual stack. We are not, we are passing the all seeders address, so right now is, is doesn't happen in logic, so we need, we need to normalize it, but we need to do in a way that we don't break anything, and I mean, these things has a lot of historical context. That's why I wanted to do and then.
A
I was gonna say we, we're at the 15 minute mark now. So that's probably the last one. Thanks, Locky. Thank you. See if I can find this suggested topic by Manu. Manu, are you.
A
A
Sorry guys, getting a lot of sirens today, so trying not to subject you to them. Looks like my name is not here, so Gobind, I think you're next.
M
Hey everyone. Can you guys hear me, see me? Yes, okay, cool, so thanks for the time. This is my first time. You know, I'm lost in her first time, talker. I guess caller, I should say. So just wanted to introduce myself first. My name is Kobind. I'm a product manager on GKE and at this networking Google, and I wanted to, you know, talk about network policy. I look at some of the network security things and within GKE and Kubernetes.
M
You know, since I've been hearing a bunch of, like, FQDN re-enhancements, and there's also a project that's going on right now to improve our policy in open source, thanks to Jay and other folks on the line, I figured it was a good time to sort of address this, this need as well and highlight it to the group and get your feedback. Just sort of a, you know, a disclaimer of that: you know, this is just a sort of a proposal in the sense that I wanted to get a conversation started.
M
M
So I think this is more sort of an attempt to gather some of these requirements and really understand what it is that an FQDN network policy might look like, if that's the right thing for us to build. So that prelude, I guess I'll, I'll stick a link here in the, in the chat, which has a short one, one and a half pager that talks about what the, what the need is.
M
The customer need is, and I just wanted to sort of open up the discussion around, like, you know, whether this is a good idea, what sorts of things that we should think about, you know, and really start gathering requirements, core requirements, on how this should be done.
A
Thanks, Kevin. I, I'll say I did stop that the other day and took a quick look and then queued it up one as well and circulated to a couple of my colleagues, so like.
A
M
Yeah, for sure, I would love to share our thoughts on this, Casey, and of course, you know, we've been talking, sort of having this discussion about how does Calico and, and Cilium and other providers fit into all this, and you know, we, we've been sort of trying to figure out, like, you know, what's the right way to implement this in, you know, open source, and I think there's many questions to be answered here, but at the very least I do want to first start thinking about what the right proposal should be like.
M
What are the requirements that we want to, you know, capture here to that. You know, it's tricky from what I've understood. I mean, I'm, I haven't really, like, you know, opened the DNS book in a long time, so I apologize if I don't fully know the, the entirety of the knowledge there, but, but I think the, the important thing here is that this is a customer need, and I, I wanted to know, first of all, if anybody disagrees that this is something that we, we should address.
G
M
G
M
Yeah, it's definitely a to-do for, on, on my plate to work with, you know, everyone who's interested, and by the way, the number of comments has been, like, amazing. So it made me sort of think about many things that I was, you know, probably just getting to on my own pace, but yeah, it sort of accelerated that journey, but yeah.
M
I think it's definitely on my to-do list to go through and, like, really address some of these, the, the sim, the how, how it'll work kind of thing, but there were some more fundamental questions around what are the requirements, in the sense that how free should it be updated?
M
How accurate does it need to be, in the sense that, you know, DNS is not globally, you know, consistent? I saw that in some comments. Also, there is a question around whether this should be part of network policy, or it should be a policy of its own, like a DNS policy, like a, so I, I think those are some of these open questions that I personally don't have enough historical context on Kubernetes to be able to answer.
M
So if, I think a good starting point here might be that if this is not the right sort of forum to have a deep dive on, like, a technical, you know, issue like this, maybe people who are interested in, in having a follow-up conversation can tag themselves on the doc, and then I can organize some time for all of us to, to sync up and really go through some of these details. Would that, would that seem reasonable?
H
M
I shared it with this alias with.
M
B
M
Right, yeah, so I thought this was the most, almost sort of appropriate, so yeah, so should I just do kubernetes dab at google groups.com?
G
B
Because we, we have been unable to convince our domain admins that share with the whole web is a reasonable thing for Google's internal domain.
G
B
M
Okay, the folks who didn't have access, if you wouldn't mind just trying again and verifying that this time it worked for you. Bridget, I think it was, maybe for you to try it out once, see if you have access.
M
M
But yes, okay, so I think a couple things that I just wanted to mention: like, it does seem like this is something of interest, given the amount of comments that I've seen on the doc and given that there are other, you know, solutions to this outside of Kubernetes OSS. So I do think this is a valid.
M
You know, and I don't hear any opposition to that, so I'll take that as a yes, and I think we should just make progress on figuring out where this belongs, so I'll continue to work with the network policy working group, so jj at all. I guess, you know, I'll continue to partner with them, and I believe Dan's also on it, so we'll just sort of continue to make progress on this and, and maybe come back to SIG Network with a more concrete proposal of how we should do this.
M
A
Yes, sounds reasonable to me. Okay, I, I'll make sure to do a review of that myself, and anybody else who is interested to encourage to take a look.
M
All right, awesome, thank you. Thanks for the time. I'll take this and we'll go work on the proposal with the interested folks, then.
A
I think we had h d harry, I believe. Yep, yeah. Yes.
F
Yes, so I wanted to talk about, I think we talked about this problem a couple of SIG meetings ago, where services, normal services, can they have cluster, can they have SRV records? So last time we checked in, Tim asked, like, okay, maybe do a write-up and send that to a mailing list. I just got to that yesterday, but this is the doc that I've shared on the mailing list and.
F
No SRV records for both normal and headless services. Headless services give you pod IPs in their SRV record; the normal services, they, they have sort of a CNAME and a port. So, so you, you have an SRV record for a normal service, but it points to, you know, my service dot my namespace dot service dot domain, and then you also get a port as an answer of the SRV record.
F
So here is the sort of the problem I have described, that, you know, there are cases where even a service of type ClusterIP requires, you know, they, they would like to bypass kube-proxy and directly send the traffic to, to the pod. So the doc, doc is here. You know, Antonia and Adel has commented on it. Please take a look. I'm looking for some guidance around, you know, how to move this forward as to, you know, is this something.
L
L
L
B
I just want to, there's, there's two parts of this. There's whether SRV records for VIPs makes sense, and my understanding, I'm admit, I'm not an SRV expert. My understanding is that SRV for VIPs do make sense because they allow you to do, like, protocol-based lookups, and so then the following question is: do we want, in general, DNS for endpoints unpacked from a service bit, right? And if we do, then does that SRV apply to that? So I think we should tackle those as two separate problems.
F
B
Yeah, I mean, that's, that's been done in the past, providing, like, a different, instead of svc.cluster.local, providing, like, ept.cluster.local. I think OpenShift pioneered that, and the interesting part there is, because we've got a bunch of different proposals in flight, like endpoint subsetting, we will need to figure out how that intersects with this idea.
B
F
Okay, I can take a look at that, and what would be the path forward to, to, you know, coming to an agreement, or, you know, approaching.
D
B
L
E
E
B
Exactly. Well, it, how does it play with endpoint slice, but also, if we were to do the subsetting approach with, for topology, right, where a node in zone A would get endpoints that were sort of ideal for zone A, does DNS follow that, or does DNS return you all of the endpoints, regardless of zone? And if it does follow that, like, how closely does it follow it? So I think it's an interesting intersection of features.
B
Did you, we talked about adding this as, to the KEP as a graduation criteria, right? Adding which part? Sorry, the DNS intersection with subsetting?
B
F
F
Okay, I guess so then I'll follow up with Robin Tim, like, later on as to how to solve the.
E
Yep, just wanted to do a quick check-in on dual stack status.
E
I listed off all the things from last time, and then, thanks everybody who was editing that as well, removed the things that are already done. Just wanted to bring up that these, as far as I'm aware, are the current work items, and it looks like most of them need some review.
E
B
Yes, so I took a look through the big PR last Friday when I had a big block time, and I'm happy to say that I successfully made it through all the API machinery stuff, and I thought it all looked pretty good. The rest of the PR is also very large, but it's a lot less contentious. I have most of tomorrow set aside to try to go through that again.
E
Thanks, Tim. Go ahead.
D
There was, yesterday or two days ago, Anes and Carl were debugging with, and I were debugging something and we realized that CoreDNS is only watching foreign points. We reach out for, to, to Chris Hover, I think that's the name, from CoreDNS, and he's going to try to implement this license in CoreDNS to have the wealth stack, so Rob Scott is, is that, do you mind if I pin you in a Slack, because he's asking for some questions regarding the slice.
A
B
A
Cool, well, that was the last item on the agenda. Was there anything else we wanted to talk about as a group?
I
I had that question I just put in Zoom in general. I, I ran into this the other day for a release that we're validating, and I keep kind of scratching my head over it, like, when we've got service proxy kind of intertwined in a bunch of tests, not explicitly, and I keep wanting to, like, do, like, an av thing, like, like, like, like, I feel like it would be nice if I could just filter all the Ginkgo tests by, by ones that use the service proxy and ones that don't.
I
But there's no way to do that, and I'm not sure what, like, whether we should have a way to do that. But it seems like a natural thing that we would want, because I always, there's all these new, you know, load balancer situations coming up, right? As we all know, some of us are CNI providers and we've got ideas around that, and sometimes you just want to know whether kube-proxy's broken, because that's happened to me before.
I
B
You're, like, you are not the only person, Jay. I said before that a medium-term goal that I would love to see us take would be to break kube-proxy, treat it more like a separate component. Like, I know right now we release it.
I
Yeah, that's exactly what I was hoping for, so yeah, to, to work around this I've curated the list of things that kube-proxy needs. I think I pasted them in a blog or something. I think it's about a third of the tests. It's either a third of the test or two thirds. I, I keep forgetting which one, but it's, since it's one of those, but I don't know, so I have, like, a shell. I don't know, okay, I, I just wanted to make sure someone else cared about doing that.
D
Yeah, but when you have the discussion, the thing that is not clear to me is services. For you, it's a kube-proxy theme or services is, you know, I mean, what do you mean, what's that? If, if my understanding in one of the conversations past week with you is that you and, and we're saying that services is, is something related to kube-proxy, not to Kubernetes.
D
I
I
L
Part, which is, that's the kube-proxy stuff, any traffic, the skill proxy, and then you have the control plane stuff, which around the endpoint selection, and I like the standard stuff in point and point slice, the correct IP family, like release and locate. Is it really, like, what happens if I try to get outside of the range, all of those stuff, happy stuff for the immutability and all that, that's the whole control plane, and then there's the extended service stuff, right, that, that goes into the topology.
L
D
B
B
What we also have, though, is a ton of tests that are part of the Kubernetes battery that are testing kube-proxy specific stuff, right? Like, there's one test that'll SSH in and wipe the iptables and expect that kube-proxy brings it back. Like, that doesn't really belong in a Kubernetes test, that belongs in an proxy tests.
I
I
D
That's, that's the, the thing that I kind of understand. The services tests are conformant, so you need to be able to create an old port and to pull the, the endpoint and, and reach the depos through the service. Node port, that's conformance, but yeah. But do you, do you, don't have to use this q process? You can't have your j proxy doing that.
D
B
Go ahead, I was just typing in the chat. Anything that's defined by the Kubernetes API should be covered by Kubernetes tests; whether that's conformance or not is a different discussion, right? So does the service work? Yes, that's a Kubernetes test. Does a node port work? Yeah, that's a Kubernetes test. Like I said, the examples of restarting kube-proxy and making sure that it worked, that the services still serve.
B
That's a kube-proxy test, right? And so I guess it would be great if we went through and just tagged those tests separately so that people could exclude them, and maybe, in the fullness of time, we could actually move them to a separate battery that, like, is only for running kube-proxy. You don't need a whole cluster to do that.
I
B
I'll say, I, I talked to you about that separately, but I'm making more time to unblock some of these big KEPs and PRs that have been in front of me and stalled in part on my ability to make time for them. So for the next couple of weeks, I've just cancelled almost all of my, like, regular meetings at work and I'm just focusing on getting these KEPs and PRs reviewed and merged. Great.
G
L
L
H
D
L
Yeah, the answer to this is two parts. The first part is we're worried, all right, and what worries me is we don't have a test today that you can churn and do exactly what you're trying to do, and as I asked, as you asked around, and you told me that this part of the test suite is broken for now, at least now. The second part of this answer is the following: we have had Lars killing this thing, but again, I cannot have Lars as an entry in the tester.
L
That's sweet, but we've been focused so much, like, this time we've learned the lesson about, like, oh, this is a new kube-proxy connected to an API server, although API server, or old controller manager, new API server, or a new API server, all the client, so there's plenty of code and tests made for that, and even some integration tests around what happened.
D
G
D
J
J
B
L
L
So this time, I think, we've, there are specific things out there. So I'll tell you what, let's work together on this, okay, everything if.
L
B
Thanks all. Take a look at the, the bugs. There's still plenty to.