From YouTube: Kubernetes SIG Network Bi-Weekly Meeting for 20201029
A
Excuse me. Kubernetes SIG Network meeting for Thursday, October 28th, 2020. First up is issue triage. Thank you. Bridget.
B
B
A
B
A
D
So this is something that we, I recently ran into creating clusters on systems like CentOS 8 plus with nftables enabled and kube-proxy in place, and what we try is what I'm saying the repro steps: bigger cluster with plenty of replicas and a lot of services, and we are seeing that the nftables kind of choke.
D
E
A
Yeah, what I would say is that you need at least iptables 1.8.4, and I noticed it said CentOS 8.1 up above. I would not recommend that combination, because I recommend at least 8.2, boy, or even better, 8.3, which probably is not out yet for CentOS. There have been a large number of fixes since then.
G
But so is 20.10 has an nftables based, yes, yeah. It defaults to iptables-nft, all right.
H
A
It should be somewhat recent, but again you're going to want at least 1.8.4.
B
Does somebody want this assigned? Yeah.
A
A
A
B
B
A
B
B
L
Yeah, I don't know if this might not be a bug. It feels like a bug. I talked to Andrew about it. I don't know, it seems really weird. I don't.
L
N
N
L
N
Returns an error in the initialization and of the controller, of the IPAM controller, and that cascades all the way out to another, because this is the new controller code.
H
A
N
How would, the problem is cordoning the node and then uncordoning the node. You are messing with something that's not user intended, right? User intent is for this to function. Usually, users should not have this situation unless they manually modified pod CIDR or they change the pod CIDR after it gets chunked and assigned to nodes. The point I'm trying to make here is: there is no way we can recover from this.
P
N
Am I, I am not, I'm not saying, I don't have a strong opinion, like this is not a hill I would like to die on, but the point I'm trying to make here is: if you let this work, and you start assigning pods to this node, you will randomly get traffic disruption to pods and services, right? So don't assign.
L
B
Time Jay, would you like to follow up on this one?
A
Sure, and maybe we'll have time at the end, all right. Some questions: who is Jay? Is that you, Jay, or somebody else?
L
A
L
Oh yeah, that came up somewhere, someone was asking about it and then I just figured out add it to the agenda here. I don't know who here works on that, but I'm just kind of, I put somebody here.
F
This is Pavitra. I can look at it, but I don't know which KEP we're talking about. We have one with status implemented, and there's the beta one which says, which I have a PR for to change to implement it. But I don't know if there's a bigger change.
F
L
No, I don't remember, I don't remember who asked the different point, so I'm sure between, I can look at it again after the meeting or something. I'll pay you if I'm curious. Oh.
B
I actually don't know who added the important links thing, but that was not related to this one. That was a different bullet point. I didn't add it, but I was going to edit. So whoever it was, please say things about.
B
A
A
You, were there any other questions about the important links section or just feature spreadsheet?
A
All right, if not, back to Jay for kubelet net controller questions.
L
A
A
K
K
Well, there's a KEP about improving that situation, but I just filed a PR, which I'll paste in chat, about documenting what all this means.
A
Historically, it's been inconsistently implemented between cloud providers, especially the in-tree ones. I'm not sure if the situation is better now that some of the cloud providers have moved out of tree, but partly it's because, like, the public cloud providers had a more defined, well, had a better definition of what these things were. That was more consistent between cloud providers, but then, when we started adding other things like vSphere, OpenStack and other stuff, that got a little bit muddied, not really consistency.
A
What I mean is that at least the cloud providers had some notion of the VM has, like, an internal IP address, which all the other nodes can talk to it on directly, and an external IP, where that node may or may not be exposed to the public internet or somewhere, like, publicly outside the cluster. That was, like, what the, as far as I understand, the traditional meaning of those two things was, but that got muddied somewhat when more cloud providers showed up.
P
A
Okay, all right, and we answered your question about the invalid range pod CIDR. So next up, Bridget, you have some accolades to hand.
B
I just want to make sure we all take a moment, because we had so many of these meetings where we talked about the dual-stack PR of, you know, amazing ginormousness, and I wanted just to have a round of applause for Cal and everyone on this call who got that merged, and it was enormous. Take, go look at the diff on there and then just think about reviewing that and think about giving yourselves all a round of applause for all the reviewing you did on that, because that was huge. Yep, for sure.
N
A
So on that line, what are the outstanding things now that that PR has merged? We still have, like, the node addresses thing cleanups. I think, Dan, that you had a referenced. Do we still have the load balancer?
A
Well, sorry, that's external IPs. We still have the health checking KEP stuff outstanding.
N
Yes, so feature-wise, feature-wise, you can start, we can start moving this to beta as soon as possible, because nothing is stopping us from actually start serving these things. From feature completely, completeness, completeness perspective, we need, we do need two things: the node IPs, because the node IPs means that host network, on the host network pods will get dual stack correctly.
N
So my next, next action item is to. I think there is enough people thinking about the preference. I think we need to start thinking about the beta aspects of this as soon as possible, like stabilizing anything that needs stabilization, and we have, what's very comforting to me is we have plenty of tests out there for us to just look at them and watch them being green or red, and that will give us enough confidence in what we're trying to do.
K
Going back to what Dan was saying about the health check thing, we agreed to do nothing, leaving open the possibility that we might revisit it later. The KEP was closed, or well, the KEP was merged, saying we still only health check the first IP.
N
N
That means everything, the one part that we really need, and I think Dan is working on, is the node addresses for on-prem, those techniques, because dual stacking is, on cloud, is covered. Again, it's referencing the same discussion we just had: the cloud providers just have a clearer meaning of what ibr, what not ipr.
J
K
Yeah, so you can, you can continually override it. It won't auto-detect it. And, okay, still the problem for clouds that some people think that the cloud shouldn't return IPv6 IPs in a single-stack IPv4 cluster, because it might confuse other components to see IPv6 IPs and node addresses, so there's still some figuring out to be done.
K
A
N
N
A
N
Oh yeah, I'm not saying that you don't want to do that. I'm just saying, usually people are very specific, and today you can do that, by the way, having two services using the same selector, two different families. You get the same results, right? They're just tying them to a single resource, because clouds deal with IP as IP. They don't deal with IPs dual stack rp, like you don't go to Azure, for example.
N
A
All right, who added the part about need to think about beta for 1.21 ASAP?
B
A
Yeah, brainstorming there. What is the criteria to get to beta at this point? I know in the past couple of meetings we had talked about lack of confidence in the API because nobody's really using it at this point, and obviously I don't expect anybody to have used it in the last, like, couple of days since Cal's PR merged, but, you know, where do we go?
A
Do we just need some more time from the fields and people to get comfortable with it and get the other PRs merged, or is there stuff above and beyond that?
B
K
A
A
A
A
A
K
I mean, or we could come up with a more concrete set of criteria, like Bridget was saying. Sure, this many network plugins, and this many cloud providers.
B
N
I am more of, if you have something that has to be there, let's talk about it now, and otherwise somebody go and come with the list, and we either say good enough or no, it's not good enough, and we move forward. And by the way, as we move forward, if we want to declare this beta and somebody beat with it out with a good reason, absolutely yes, it doesn't matter if we have a green checklist, right? So the right to v2 before good reason is always there.
Q
Q
A
It, all right, does, thanks. Does anybody have anything else that they would like to talk about for the agenda before we go back to.
N
Just a comment: Antonio found out a way, a very easy way, to exercise and test the API machinery stuff as part of the testing. Most of our current testing today is an e2e. The problem with e2e is two things. You cannot run them locally unless you're like a test wiz, and we are not, all right. There are ways I discovered that was talking and going while talking with the success folks.
N
The second thing is, when you submit, it takes a good half an hour in order to get results to the thing, which makes them very unusual to an inner loop, like test and then come back with results. So the integration test, part of the apr, there is a huge integration test battery. He created it. I just modified it a bit, and there is a lot of wins in there. You can run them locally, they are easy to run. All you need is local etcd, and they are easy to run and they gave you result almost instantaneous.
N
So my advice to you, if you are working with API changes, anything that has to do with validation, "Oh, I need to test that this thing is created and updated correctly," or created and updated, treated correctly and so on, please do look for integration, all right. Please do look for integration, it will save your life and it will save our life as we quickly test these things.
A
Comment, all right. Jay, you had another comment.
L
Yeah, was just talking to Andrew about this. I, is there, does anybody know if anyone is using either the Windows or the Linux userspace kube-proxy actively at all?
A
A
No, the proxy posts an event, I think, to say I.
K
L
But it's not using systemd. Yep, it's the way to do it. Okay, cool! I was just curious. I may have some questions. I may ping you in Slack at some point, I'm just going through the code trying to figure out how it works. Yep.
A
I would say that the userspace proxy is not particularly well maintained. We do fix bugs when OpenShift finds issues with it, but most people don't really touch it and, as far as I know, it's not particularly well used outside of OpenShift.
A
I don't think so. We test it in OpenShift downstream CI, but also we kind of have a hybrid proxy mechanism where some things, services that can be idled, use the userspace proxy and those that aren't idled use the, or something like that. I forget the details. Okay, and you don't know.
L
J
K
L
K
R
No, who said.
A
Has been triaged. Well, if we think it is a relevant issue, then we will accept it by applying triage accepted. Do we think this is a relevant issue?
K
Not necessarily. Okay, maybe it does need to be assigned to someone, then. All right, I haven't taken any, you can assign it to me, Dan Winship.
L
L
Yes, I don't think he's here today, but I'll ask him to come to the next SIG Network.
B
I
A
J
L
Yeah, I think Chris put a PR in to improve some of those, and I don't know, we brought this up last time about how we at some point want to orthogonalize these tests. I guess this is more of a placeholder until we figure out how to do that.
C
C
At it now, I'll do triage accepted. You know, there was, okay.
H
C
J
J
B
N
No, no, it's about you. So we should, you know, we need to judge. The CNI folks are already tracking, I would say, they have a reference somewhere.
H
A
Yeah, there's a PR to fix it. I, it's probably good. I just wanted to make sure, so you can leave this one and.
L
If this isn't helpful, I don't know if it's useful or not, Antonio mentioned it might just.
J
Okay, yeah, I got it. So the thing is: if you click there, you need to, for flakes, we need to have a stressful, I mean, if it's not failing two or three times in a week, it is not worth the effort, you know, because you are going to spend hours and maybe you are not going to be able to reproduce, and maybe is the CI.
L
Yeah, yeah, yeah.
J
L
Okay, so when we see signet flakes that are related to SIG Network tests, we shouldn't file those as issues unless there's like a, unless they're.
J
L
L
Oh yeah, you can, yeah, maybe you could just say in there that it's, you know, whatever, "I don't have enough data to really say this is a real bug."
L
B
I
B
Still listed as is, is this basically, is this triage accepted?
A
B
L
Yeah, so this is an interesting one. We have this issue where, when we probe certain things from the e2e client, depending on how your firewalls are set up, you can have totally different test results based on whether or not you can, like, access a node port through a localhost port versus, because we set up a probing client and, depending on the location of the probing client, you get different test results, which means, for example, in this, you should update node port UDP test.
L
You know, you might run it five times, and three times it'll pass and two times it'll fail, because the client will come up, if you'll pass, for example, if the client is on a different node than the server. So to make it consistent, one thing we could do is just always spin the client up on the first node in the cluster, which seems to be a pattern. We do that in other places, where we fix a particular node.
L
That's one solution. The other solution is we could, you know, run the test. I don't know, there's other solutions. I don't know.
K
Here is that we have to make a requirement of the test cluster be that node ports work, and they only work with an unlimited range of ports or whatever. But like, I mean, because, you know, we make other requirements about the cluster that you're running the tests on, right, and I think this just has to be one of those requirements, that you don't have a firewall set up that blocks node ports.
J
L
Yeah, okay, just if anyone's interested, the reason we saw this is actually in Cluster API. You know, like for AWS and stuff, we have UDP pretty locked down in certain cases, and certain customers want that. So that's why that's an important test for us, and having consistent results in it would be useful to us.
A
So what version of kube were they using here again, 1.16? Did it say?
N
J
J
H
B
A
Don't think this problem is fixed in 1.20 before as well.
R
B
H
H
J
So the guy said that he's running an asymmetric routing and some of these packets are declaring invalid. So he wants to move the current iptables rules, and what I asked him is he can set in the kernel, TCP liberal. So I mean, I don't feel that we should move all the iptables rules just because one scenario, and that, I mean, I don't know how bad it is, that scenarios.
K
So yeah, the issue has sat around, but it's not because we're waiting on the reporter, really, it's because we're just not moving on it. So I would say: oh, although Tim added.