►
From YouTube: Kubernetes SIG Network Bi-Weekly Meeting for 20201029
Description
Kubernetes SIG Network Bi-Weekly Meeting for 20201029
A
B
B
A
B
A
D
E
A
Yeah,
what
I
would
say
is
that
you
need
at
least
iptables
1.8.4,
and
I
noticed
it
said
centos
81
up
above.
I
would
not
recommend
that
combination,
because
I
recommend
at
least
eight
two
boy,
or
even
better,
eight
three,
which
probably
is
not
out
yet
for
centos.
There
have
been
a
large
number
of
fixes
since
then.
H
A
A
A
B
B
A
B
B
L
L
N
N
L
H
A
N
How
would
the
problem
is
cordoning
the
node
and
then
uncontrolling
the
node?
You
are
messing
with
something:
that's
not
user
intended
right,
user
antenna
is
for
this
to
function.
Usually,
users
should
not
have
this
situation
unless
they
manually
modified
podsider
or
they
change
the
bot
sider
after
it
gets
chunked
and
assigned
to
nodes.
The
point
I'm
trying
to
make
here
is:
there
is
no
way
we
can
recover
from
this.
P
N
Am
I
I
am
not
I
I'm
not
saying
I
don't
have
a
strong
opinion
like
this
is
not
a
hell.
I
would
like
to
die
on,
but
the
point
I'm
trying
to
make
here
is:
if
you
let
this
work,
and
you
start
assigning
pods
to
this
node,
you
will
randomly
get
traffic
disruption
to
pods
and
services
right,
so
don't
assign.
L
A
L
A
L
F
F
L
B
B
A
L
A
A
K
A
Historically,
it's
been
inconsistently
implemented
between
cloud
providers,
especially
the
entry
ones,
I'm
not
sure
if
the
situation
is
better
now
that
some
of
the
cloud
providers
have
moved
out
of
tree,
but
partly
it's
because,
like
the
public
cloud
providers
had
a
more
defined
well
had
a
better
definition
of
what
these
things
were.
That
was
more
consistent
between
cloud
providers,
but
then,
when
we
started
adding
other
things
like
vsphere,
openstack
and
other
stuff
that
got
a
little
bit
muddied,
not
really
consistency.
A
What
I
mean
is
that
at
least
the
cloud
providers
had
some
notion
of
the
vm
has
like
an
internal
ip
address,
which
all
the
other
nodes
can
talk
to
it
on
directly
and
an
external
ip,
where
that
node
may
or
may
not
be
exposed
to
the
public
internet
or
somewhere
like
publicly
outside
the
cluster.
That
was
like
what
the,
as
far
as
I
understand,
the
traditional
meaning
of
those
two
things
was,
but
that
got
muddied
somewhat
when
more
cloud
providers
showed
up.
P
A
B
I
just
want
to
make
sure
we
all
take
a
moment,
because
we
had
so
many
of
these
meetings
where
we
talked
about
the
dual
stack.
Pr
of
you
know
amazing
ginormousness,
and
I
wanted
just
to
have
a
round
of
applause
for
cal
and
everyone
on
this
call
who
got
that
merged
and
it
was
enormous,
take
go
look
at
the
diff
on
there
and
then
just
think
about
reviewing
that
and
think
about
giving
yourselves
all
a
round
of
applause
for
all
the
reviewing
you
did
on
that,
because
that
was
huge,
yep
for
sure.
N
A
N
Yes,
so
feature-wise
feature-wise,
you
can
start.
We
can
start
moving
this
to
be
the
as
soon
as
possible,
because
nothing
is
stopping
us
from
actually
start
serving.
These
things
from
feature
completely
completeness
completeness
perspective.
We
need.
We
do
need
two
things:
the
node
ips,
because
the
node
ips
means
that
host
network
on
the
host
network
pods
will
get
dual
stack
correctly.
N
So
my
next
next
action
item
is
to.
I
think
there
is
enough
people
thinking
about
the
preference.
I
think
we
need
to
start
thinking
about
the
beta
aspects
of
this
as
soon
as
possible,
like
stabilizing
any
anything
that
needs
stabilization,
and
we
have
what's
very
comforting
to
me
is
we
have
plenty
of
tests
out
there
for
us
to
just
look
at
them
and
watch
them
being
green
or
red,
and
that
will
give
us
enough
confidence
in
what
we're
trying
to
do.
K
N
N
That
means
everything
the
one
one
part
that
we
really
need-
and
I
think
dan
is
working
on-
is
the
node
addresses
for
on-prem
those
techniques,
because
dual
stacking
is
on
cloud
is
covered
again,
it's
of
referencing
the
same
discussion.
We
just
had
the
cloud
providers
just
have
a
clearer
meaning
of
what
ibr,
what
not
ipr.
J
K
Yeah,
so
you
can,
you
can
continually
override
it.
It
won't
auto,
detect
it
and,
and
okay
still
the
problem
for
clouds
that
some
people
think
that
the
cloud
shouldn't
return.
Ipv6
ips
in
a
single
stack,
ipv4
cluster,
because
it
might
confuse
other
components
to
see
ipv6,
ips
and
node
addresses
so
there's
still
some
figuring
out
to
be
done.
K
A
N
N
A
N
Oh
yeah,
I'm
not
saying
that
you
don't
want
to
do
that.
I'm
just
saying.
Usually,
people
are
very
specific,
and
today
you
can
do
that
by
the
way
having
two
services
using
the
same
selector,
two
different
families.
You
get
the
same
results
right,
they're,
just
tying
them
to
a
single
resource,
because
clouds
deal
with
ip
as
ip.
They
don't
deal
with
ips
dual
stack
rp
like
you,
don't
go
to
azure,
for
example.
N
B
A
Yeah
brainstorming
there.
What
is
the
criteria
to
get
to
beta?
At
this
point?
I
know
in
the
past
a
couple
of
meetings.
We
had
talked
about
lack
of
confidence
in
the
api
because
nobody's
really
using
it
at
this
point,
and
obviously
I
don't
expect
anybody
to
have
used
it
in
the
last
like
couple
of
days
since
cal's
pr
merged,
but
you
know
where,
where
do
we
go?
B
K
A
A
A
A
A
B
N
I
am
more
of
if
you
have
something
that
has
to
be
there.
Let's
talk
about
it
now,
and
and
otherwise
somebody
go
and
come
with
the
list
and,
and
we
either
say
good
enough
or
no,
it's
not
good
enough
and
we
move
forward
and
by
the
way
as
we
move
forward.
If,
if
we
want
to
declare
this
beta
and
somebody
beat
with
it
out
with
a
good
reason,
absolutely
yes,
it
doesn't
matter
if
we
have
a
green
checklist
right,
so
the
right
to
v2
before
good
reason
is
always
there.
Q
Q
A
N
Just
a
comment,
antonio
found
out
a
way,
a
very
easy
way
to
exercise
and
test
the
api
machinery
stuff
as
part
of
the
testing.
Most
of
our
current
testing
today
is
an
e2e.
The
problem
with
italy
is
two
things.
You
cannot
run
them
locally
unless
you're
like
a
test
wiz
and
we
are
not
all
right.
There
are
ways
I
discovered
that
was
talking
and
going
while
talking
with
the
success
folks.
N
The
second
thing
is
when
you
submit
it,
takes
a
good
half
an
hour
in
order
to
get
results
to
the
thing
which
makes
them
very
unusual
to
an
inner
loop
like
test
and
then
come
back
with
results.
So
the
integration
test,
part
of
the
apr
there
is
a
huge
integration
test
battery.
He
created
it.
I
just
modified
it
a
bit
and
there
is
a
lot
of
wins
in
there.
You
can
run
them
locally,
they
are
easytron.
All
you
need
is
local
hcd
and
they
are
easy
to
run
and
they
gave
you
result
almost
instantaneous.
N
So
my
advice
to
you,
if
you
are
working
with
api
changes,
anything
that
has
to
do
with
validation.
Oh,
I
need
to
test
that
this
thing
is
created
and
updated
correctly
or
created
and
updated
treated
correctly
and
so
on.
Please
do
look
for
integration
all
right.
Please
do
look
for
integration,
it
will
save
your
life
and
it
will
save
our
life
as
as
we
quickly
test
these
things.
L
K
L
A
A
L
J
K
L
K
A
K
L
B
I
J
L
C
H
C
J
J
B
N
H
A
J
Okay,
yeah,
I
got
it
so
the
thing
is:
if
you
click
there
you
need
to
for
flakes,
we
need
to
have
a
stressful,
I
mean
if
it's
not
failing
two
or
three
times
in
a
week.
It
is
not
worth
the
effort,
you
know,
because
you
are
going
to
spend
hours
and
maybe
you
are
not
going
to
be
able
to
reproduce
and
maybe
is
the
ci.
J
J
L
L
L
B
I
A
B
L
Yeah,
so
this
is,
this
is
an
interesting
one.
We
have
this
issue
where,
when
we
probe
certain
things
from
the
e2e
client,
depending
on
how
your
firewalls
are
set
up,
you
can
have
totally
different
test
results
based
on
whether
or
not
you
can
like
access
a
node
port
through
a
local
host
port
versus,
because
we
we
set
up
a
probing,
client
and,
depending
on
the
location
of
the
probing
client,
you
get
different
test
results,
which
means,
for
example,
in
this,
you
should
update
node
port
udp
test.
L
You
know
you
might
run
it
five
times
and
three
times,
it'll
pass
and
two
times
it'll
fail,
because
the
client
will
come
up
if
you'll
pass,
for
example,
if
the
client
is
on
a
different
node
than
the
the
server
so
to
make
it
consistent.
One
thing
we
could
do
is
just
always
spin
the
client
up
on
the
first
node
in
the
cluster,
which
seems
to
be
a
pattern.
We
do
that
in
other
places,
where
we
fix
a
particular
node.
L
K
Here
is
that
we
have
to
make
a
requirement
of
the
test
cluster,
be
that
new
imports
work
and,
and
they
only
work
with
an
unlimited
range
of
ports
or
whatever.
But
like
I
mean,
because
you
know
we,
we
make
other
requirements
about
the
cluster
that
you're
running
the
tests
on
right,
and
I
think
this
just
has
to
be
one
of
those
requirements
that
you
don't
have
a
firewall
set
up.
That
blocks.
Node
ports.
J
L
Yeah,
okay,
just
if
anyone's
interested
the
the
reason
we
saw
this
is
actually
in
cluster
api.
You
know
like
for
for
aws
and
stuff,
we
have
udp
pretty
locked
down
in
certain
cases,
and
certain
customers
want
that.
So
that's
why
that's
an
important
test
for
us
and
having
consistent
results
in
it
would
be
useful
to
us.
N
J
J
B
R
B
H
H
H
J
So
the
the
the
guy
said
that
that
he's
running
a
asymmetric
routing
and
some
of
these
packets
are
declaring
invalid.
So
he
wants
to
move
the
the
current
ip
table
rules
and
what
I
asked
him
is
he
can
set
in
the
kernel,
tcp
liberal.
So
I
mean
I
don't
feel
that
we
should
move
all
the
ip
table
rules
just
because
one
scenario,
and
that
I
mean
I
don't
know
how
bad
it
is-
that
scenarios.