Kubernetes SIG Network, 31 Mar 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Kubernetes SIG Network Bi-Weekly Meeting 20200331

Description

Kubernetes SIG Network Bi-Weekly Meeting 20200331

A

This is the kubernetes sig network meeting for march 31st 2022.. um I forgot to ask richard or tim: do you have any triage lined up? I have it up if we want to look at it.

A

That looks more like a cockpit also but you're facing the wrong way. Well,.

B

What can you do I mean I could turn around if you prefer it'd, probably be a nicer recording.

B

C

A window and the one is called delay, make sure I get the right one. Yes,.

B

Where you can see that, yes, all right, uh so we have a short list today, um went through them before thanks everyone who joins in that process.

B

uh It sounds like starting up cube proxy on windows is exceedingly slow, something something half a minute per service uh uh-huh I had dizzy dan's eyes rolling. I had the same reaction. uh I I have no context or expertise here is anybody who has the windows side of things uh on mind wants to sign this.

D

I know who we should assign it to so james stravant. It's a stu or st.

B

D

That guy yeah just a second and I'll, bring them okay,.

B

It would be nice to know like holy cow, that's wrong or yep. That's what we expect to happen. Sorry, the problem is I'm just like you. I don't.

D

Know right, yeah sure wait. Are you saying that microsofters don't all code windows? uh I missed. You know the the line to the install machine where they put a plug in your head and install windows. I missed that line, so I only do that.

E

We were sick that day.

B

uh This one cube proxy crash lube looks like it's a crash in ipvs mode, antonio, it wasn't clear. Are you saying that the getting rid of the port opener code fixes the bug or that it costs yeah.

F

That that's that's what happened. The the port opener was sending an event and- and it was near and crashing okay. So the pr is this. The pr then, is already in progress.

F

I I didn't follow up, but this is from the niche, so I think that they will follow up and emerge. I I I'm sure that maybe it's better to assign to you, because you, you have a problem.

B

I mean I I can approve it, I just don't. It wasn't clear to me that this uh is the fix to this problem yeah. It is.

F

Okay, all right, because there is no call that panic. When you I mean the call that panic was inside the port, open.

B

Okay, cool well, thankfully, that is gone uh all right, I'll I'll click through on that, um after um listening on, udp drops everything except the first packet uh antonio's already on it.

F

Yeah but I wanted to.

F

That download only sees one one way.

B

G

B

I don't know significantly what it means. I I think it has a different like there's, a bunch of parameters for timeout for udp and it's different, depending on which state it's in right.

F

Yeah now I'm I mean if they have some experience with with adding rules for this state that you only have you only have one direction so this this entity is never going to be established and it's because it's expected to to not be established.

F

F

And it's one way only so the entry is going to be always like this and reply right, and I I was wondering if, if somebody had this use case before so.

E

If it's true one way only, I mean I assume that that address of the pod is being used for the communication right. So so we don't have some flooding problems and stuff. Like that. I mean there must be some communication to to the ip from something in kubernetes, so we should allow it.

E

So if it's truly one way, then then there is no, I mean yeah and then the uh and the layer will have to flood the packet.

F

It's coming, it's not going out. It's coming.

F

I would rather need to eat and see what happens. I mean okay, this is something.

E

Antonio, wouldn't some of the test cases in the end to end freak out if just the first packet arrived at the view, the peace streams.

F

No, no, the thing is they: they, we always test with services that we that reply, so the contract.

E

I may test that's just one way: actually that's uh to to do the campaign, but uh I'll have to check how many packets I send. Maybe I send one.

F

E

F

Then I found the person. I knew that somebody here should be doing yeah.

B

Yeah so, but the other part of this was that it required the the policy to be drop, not allow right. Most of the time we do testing with allow.

E

I think I have a good excuse for not to get engaged. I think I'm having a hip replacement next friday, so I don't dare to say that I'm going to look at anything right now.

F

Okay, don't worry, this is.

E

F

This is not going to be.

H

Yeah when I set the filter forwarding policy to drop no communication at all works, not tcp, not udp, not not anything.

H

D

H

If something wrong with with my system or if, okay, how can it work? Because um I have traffic entering on one node, and that is fine. I can set whatever I want, but the port is on another node and if I set drops from that node it will not be forwarded to the pod. Not even the sin for tcp.

F

Yeah we have a uh in the the in the forward. We have rules that match on the contract state and we have one accept for new. So all these in packets should be affected.

H

Yeah, I saw your comment also and it you directed to the cube services chain, but in my system the cube services chain is empty. At least I.

F

I understand well, but I mean that's something that the people that configure that to take into account if they want to forward things that are not kubernetes, they need to have the rules for those things that are not kubernetes.

F

I mean you are doing that on purpose. No, I.

B

Drop yeah. I think I think that the point is what I was making before right. If, if we want to let cube proxy work with policy drop, we have to add an allow rule for every cube service for every service, ip port.

B

Why we? We might, we might turn on the state we match on new when we send it to cube services. But if there's no, no sorry, that's external services right here right, but there's nothing in cube services that says allow, and, at the end of the day, the forward policy is dropped, so it falls out the bottom and gets dropped.

B

F

What I would expect.

B

F

No right, okay, the thing is you you go. You enter in the north, you go to forward. You do that in that, because you match a service and then you are established and when you come back.

B

F

You know the dna.

B

Doesn't just the you enter the nat table, you you get you get assigned to dnat, but then you go into the filter table and you enter the forward chain. No, no! No! No! No! No.

F

You don't need you don't go twice through the.

B

Forward, no there's no forward chain in nat there's only forward in the filter, so.

G

Nat you go through.

B

You with your nat pre-routing right and then you go through filter forward right, which has a policy of drops, so you'll never make it to nat post.

F

But you have a policy of you, go to the cube services, but there's nothing in cube services. There's nothing! There.

B

That says, allow.

F

Yeah but that's the thing is: if you don't have q services, it's not a kubernetes problem. It's a system problem.

I

You have cube services, you just there's no rule in cube services that says dash j accept on a right thing. So if your default policy is drop, then every service will be recognized but still dropped because we never emit those rules.

F

So what I want to say is: if you have services, this is going to work. If you don't have services and you set policy drop, is you are decision.

I

Why do you say it works if you have services, given that nothing ever calls dash j except.

F

Because then the service is going to create a connection and it's going to be established and I know it'll.

B

Drop so let's be clear: there's two server cube services chains, there's one in the nat table and there's one in the filter table right. So we go through nat pre-routing, which will jump to cube services which will match.

G

On destination ip.

B

G

And it'll apply the dnat.

B

And then it'll go to filter forward, which will jump to cube services and find nothing and then it will get dropped.

F

Oh now I understand okay, I I was mixing the tables. Okay, yeah.

G

You're talking about.

F

The firewall okay, I will then I will test it this, because this is interesting.

B

And you know we could make this work by emitting j, allow rules for every service in every port, but that would be a lot of well, not a lot, but significant number of new rules.

F

We have plenty of rules, we have.

B

No shortage, we have no shortage of them.

F

Sorry, I I didn't get it.

H

Could I could I add something the discussion.

G

H

D-Net is where the packets enter, but I have problems where the packets end up in the node that doesn't do the dna. It just receives something because it's the same thing but more clear, because you have no traversing in dna tables at all. You just get the packet that should be routed to a to a pod, but you.

J

H

Drop and it just drops.

I

But but I think the answer here is kubernetes does not support setting the default policy on any of your chains to draw.

I

Well, maybe input but.

F

But now, just by curiosity, I'm going to test it and I'm going to document it, because this is just super confusing.

B

I think that is the real answer is like turning it onto setting it to drop means. You have to add rules for every pod in the allow chain right see what docker did in that like it's, it's a problem, okay anyway, this is on antonio. This is this issue. Let me know if you want uh cover on it uh next, so we've got two uh issues that are opened that are discussing this destination versus source model and how we route um stuff.

B

So in the last days of code freeze between uh dan and andrew, and I we basically rewrote that entire section of logic uh in cube proxy, I think at least in the in the ip tables mode I haven't confirmed in ipvs mode. I think we've now implemented the destination model. Is that right? Dan?

B

I

And it will work with the special case. I think we can close my pr, but I'm not sure about this one, because this was more about sctp and yes,.

B

This one was this is about sctp, so we need to figure out whether we should be flushing that, um but I think we can also close this one.

I

Yes, I think so.

B

All right I'll look at it afterwards. We're.

A

I

B

Not a bug uh right well, actually, it'll work now, because it'll jump to the external chain. No, because he's talking about ascending to a node port on another node, oh okay, I missed that part all right, so I'll revisit this one and see if we can close it um and there was another one.

F

Before crossing, we need, I need to eat, because otherwise we are going to regress for sure.

I

No, no, I mean it. We already have testing of that. It's just that ah then, okay, he was suggesting the existing behavior was wrong and we were deciding no. It is not.

B

Right um and sorry there's this one also which isn't for triage, but um can we close this now.

I

Or, should we write a doc on this scroll down to the bottom there? Oh actually, I do still have to update the docs. I started updating the uh the api docs and was so I'll submit a pr.

B

Okay, so this is the follow-up. Here is docs awesome um cool. uh That's all the issues that we had for triage.

B

If it's cool, let me stop share and if it's okay, I would like to run through the kepboard and see what we can move between columns, uh because that's kind of a celebration.

B

Let's pick another window.

F

Remember that the hosted piece was robert.

C

C

One second.

F

And one day you can explain in detail in 30 minutes on something how what what is the logic there, because I didn't understand the polar piece and I didn't understand the problem. Yet.

B

What is the logic for why we copy them to each other or no well? Why why it fails? I mean where is the program I the problem? The problem is deep down in cubelet, which reads from the api server an object that has host ips set and then it rebuilds status and doesn't set host ips, and so it starts throwing errors that the object in the cache doesn't match the object that it's trying to write and and.

F

So the cube right: this is the object with horse a piece and then it gra. He writes again without her sleeping and keeps on that's right, so we should not be setting.

B

This is this a debug yeah. uh This is why the the host ips uh downward api bug um that one got or that pr got reverted, um because it was a huge blow up.

F

I want to show you the the performance input. Let me try to find the link because it was impressive. What this thing could do for us.

B

Which said it was an easy one, it only took them a half hour to find.

F

Yeah- and there is a lot of people checking the ci in the mornings, so it's impressive.

F

A group of people ci signal something that is monitoring the jobs and they got it. Quick.

B

So I'm guessing that that one's just missed the boat entirely and we'll have to push it to 25..

F

I don't think that you get an exception with that history.

B

uh Okay, well, let's let's look at this, then, um let's start from the current, so did anything graduate and get the gate removed. I don't think so right, nothing 24. great things that move from beta to ga anything service, type, load, balancer class andrew did that move is andrew here.

F

Robert scott did, I think he.

B

F

Yeah something- or there was something that was supposed to graduate before and he graduated.

K

That was topology, it did graduate to beta in last cycle, but it wasn't default on until this cycle.

B

But the load balancer class did that yeah.

I

I'm not sure listed as as ga and 124 in cubefeatures.gov.

B

I was just going to look at that. Thank you, hooray, everybody, clap something graduated um all right. Nothing else moved from beta to ga right all right. What moved from alpha to beta.

B

uh Oh, I already moved this one I started doing this this morning and then I thought, oh, I should do it on the call. um Antonio's pr to reserve static ranges for or reserve ips for static allocations went alpha. Yay uh network policy status also got merged right ricardo.

B

Yes, right all right, congratulations! Yeah thanks, that's fun and and uh proxy terminating endpoints. uh It was already alpha. We left it alpha right, andrew, but now it applies to both internal and external.

B

And uh didn't touch this mixed protocol.

L

I just looked at that one, that's on me. Apparently there was up here I needed to put in. I just have to go figure out what it is. I guess I was focused on docs and I wasn't focused on even though there's no code changes, I guess we have to go change it somewhere to say data instead of alpha, so they don't.

G

Know the milestone.

L

Because we, I didn't, do that and I need to figure out exactly what code change has to be made.

B

L

We just need to figure out what's wrong.

B

All right, I milestone it for 24 when, when you get that you can move it to the beta column or you can tell me and I'll do it yeah.

L

I didn't notice because github notifications.

B

It happens, um grpc did did that move forward is bowie.

F

I remember the this this guy from signal sergey. I think that he graduated did.

B

He dan, if you've, got cube, features open. Can you search for that one? What gate.

I

Grpc something something jrpc grpc container probe, yep yeah beta.

J

B

All right and things that moved into alpha this cycle uh admin network policy. Well that's out of tree, so that got postponed uh yeah. The.

G

Tag got dropped from that issue. I I commented on the issue um and they still dropped it, but I think that makes sense right. It's not.

B

In the release right so right, my attention will turn to that shortly. It's all good.

G

Dan has been helping and um casey gave a good review, so we got some reviews, we're eagerly awaiting your point of view.

B

Oh boy, um all right um what else uh node ipam to support multiple cluster sizers, so the api part of this went in, um but not the implementation, part of it and ordinarily. We wouldn't do that, but antonio suggested, and he was right. We can build the external implementation for this and uh prove that out with the api built in, so I'm going to move that into alpha, because it is congratulations to the folks who worked on that.

B

uh No all ports host ips got bounced and that's still up for discussion.

B

uh None of these made changes.

B

Okay, oh we got a.

C

Whole bunch of new ones.

B

We still okay, these aren't new. We just haven't fully evaluated them all right, uh that's it! I think, for all the ones that move did I miss any.

I

Can you move cleaning up iptables chain ownership into pre-alpha, because I think we we have actually started doing that now with the cube iptables hint all right.

B

Yes, good point.

F

Anything else and the dual stack api server done. That's for the next release.

I

F

I

I need to like tim, what are your thoughts on approving code in the api server, because the the api server team is kind of like not paying attention to my.

B

I'll I'll do it if I have to, but I can also uh shake the tree from the other side. I mean you, can you can you can shake um dave, edes right and I can just.

I

I tried, um I think everyone was busy so I'll.

B

I

Try to make more progress like once we're past this cycle, and everyone has more free time. Okay, let's.

B

Let's uh uh handshake pinky swear that uh this one goes in 25.

F

Yeah, it would be good because I people start to report things with the apa server not being able to listen on the list.

M

Yeah, uh I I have just added a comment that the metadata.name thing that we added for namespace selector. There is no featured date on that. So probably you can just move away.

M

Let me see at least I couldn't find the feature gate. I don't remember. We actually gated that theme.

C

Okay, moved. Thank you thanks. Thanks.

B

Cool, I will turn the floor back over to casey.

A

There's a there's, nothing else on the agenda unless bridget wanted to move her uh item back to this week,.

L

um I could I just I do have to leave in about 15 minutes and I wanted to make sure that there was enough time to do everything on the uh the board, but this one was just from last time.

L

um Basically, I want to make sure- and I know it's not getting obvious- it's not getting into this kubernetes release, but I want to make sure that everyone gets the chance to comment on this, just because this is one from um the cloud provider meeting that they were like signatures to weigh in on this yeah, and I'm not sure if everybody has gotten a chance to look at it yet so.

B

I haven't looked at it in depth myself. Other people have I'm happy to discuss.

F

This is not the one that is cloud provider, I mean this is.

F

This is cloud provider, sorry.

L

um So this is the one that, um after we discussed it in cloud provider, then the question was like: oh should we be talking about this? You know like this. Is uh I think andrew psycham said. Maybe we should discuss this insig network if it touches any of the things that they're discussing and if we think it does not, then that's fine, but I wanted to make sure we had a chance to weigh in on it this route controller, updating routes with when the node ips change.

F

This is related to how they know that there is another thing.

B

Yeah, I know that he's changing it's such a mess.

F

Okay, I got, then I went from.

L

Yeah so andrew sidekim said you know, this is a touches that wider discussion we're having a sick network instead of it getting decided over here in cloud providers, should really bring it there.

B

He's probably right, I haven't read it.

B

We, we probably ought to just make a statement of we do support node, ips, changing and anything that looks at node. Ip should be updated.

B

And we've caught a bunch of them already, but I don't think we've made a concerted effort to find all those places.

A

Were there any other topics that people wanted to talk about.

B

I had one question I wanted to ask the group see if anybody knows the answer to, um because I raised this in one of the code reviews, but I could not, for the life of me find an answer on the internet.

B

Iptables has counters for every chain, but for non-built-in change for any user-defined chain. The counters are always zero. As far as I can tell I now it has counters per rule and counters per chain. The counters per rule are actually incremented the counter for the chain.

B

If you say iptable save well, it always shows zero zero and we have code, not a ton of code, but a little bit of code spattered throughout the code base that if we see that we have it that we're declaring a chain that already existed, we'll go read it from the old one, so we can preserve the counters, but they're always zero.

B

So the question I had is: am I just doing it wrong? Am I am I not looking in the right place or are they actually always zero? I can't find an answer anywhere.

I

It's possible that this is something that changed between iptables legacy and ip enables nft. So maybe it used to work and- and now it silently doesn't.

B

I don't know if it ever used to work, because I remember looking at it and filing an earmark in my brain of like I should go figure out how to make these counters work, and I spent time on it and looking at your code review and I I could not find an answer anywhere on the internet that showed me how to do it.

B

Or that told me whether it does or doesn't work.

B

I guess the short answer is, nobody here knows for sure. Maybe I'll have to go spill on through the kernel and figure out.

F

Or open the bag with the vaccine in that field in the net filter back here, and I make something one of the cameras.

B

Okay, I'll take a note and I'll do that, because if it's, if it's always zero and that's fine, then we can just delete. You know 20 lines of code throughout q proxy, not a ton, but I'm on a deleting kick right. Now.

B

Hey anybody who's ever looked at the ip tables cube proxy code in the past should go look at it again after dan got through like bringing out the real meat of it and and then we shaved off a bunch of crap and and like it reads much much better now, I think I'm actually very proud of the result of those pr's together, looks pretty darn good.

F

It's just that you spend like one week changing names to the rules, traffic policy.

B

F

Traffic traffic policy we fixed with this camera with.

B

You didn't have to do all those rebases I kept having to rebase that whole stack of commits.

B

Anyway, it got merged, so I'm happy um now dan. I guess we're going to follow up with your tests. Pr.

I

Yeah, I did everything except the writing functions to parse the the regular expressions thing, because, like each time, I thought about it. You know, if we're going to do this, like it's not at all specific to the unit test. We just want to have like a general like you know, we would want to be doing this everywhere. Right.

B

You're just going to bust out a a lex grammar for it and then we'll be all right.

I

B

C

I

Like make more changes there, but you know I I added variables to so that it's not you doing, you know just match cult or bracket one. You know stuff like that. So.

B

If you still don't like it.

I

I can I can change.

B

It more I've got it open here. um I've got a bunch of meetings today and tomorrow, but I'll get back to it next week.

B

Okay, I'm done. I have nothing else to add.

A

Well, in that case, I think we get a bunch of time back all right, see you all next time.

L