►
From YouTube: Kubernetes SIG Network bi-weekly meeting for 20210415
Description
Kubernetes SIG Network bi-weekly meeting for 20210415
A
A
B
We
did
all
right
all
right,
so
in
reverse
chronological
order,
I
did
filter
out
a
few
before
so.
If
anybody
looked
more
than
an
hour
ago,
you
probably
will
miss
some
here's,
a
user
who's
reporting
a
problem
with
graceful
termination,
but
it
wasn't
exactly
clear
what
the
issue
was.
So
I
I
followed
up
asking
for
a
bit
more
explanation,
but
I
could
use
a
volunteer
to
follow
up
when
this
person
responds
to
figure
out.
If
this
is
actually
a
bug
or
just
a
misunderstanding,
what
happens.
A
B
All
right,
http
lifecycle,
hook
tests
flake
on
multi-node
clusters.
The
interesting
part
here
is
this
one
sig
windows,
so
it
sounds
like
there's
some
assumption.
There's
some
comments
on
here
from
antonio
and
discussion
about
the
networking
model,
which
does
not
require
that
a
host
network
be
able
to
reach
other
pods
unless
the
platform
supports
host
networking
mode
which
windows
does
not
so
there's
already
a
response.
So
what
is
the
right
answer
here?
B
D
F
F
B
B
F
G
G
B
B
J
H
K
L
I
see
so
this
is
a
coop
proxy
bug
somewhere,
where
for
some
reason
it
doesn't
actually
create
those
endpoints
on
a
certain
version
of
windows.
I
suspect
it's
probably
related
to
like
a
windows,
patch
version
or
something
I'm
not
sure,
but
I
think
it's
assigned
to
me
and
it
is
james
yeah
awesome.
Thank
you.
B
B
K
B
K
B
K
B
K
B
Yeah,
it
might
be,
I
don't
know
what
else
there
are
other
other
ip
tables
rules
being
written
in
there.
So
if
it's,
if
it's
easy,
then
yes,
it's
worth
it.
If
it's
really
really
hard,
then
no,
it's
not,
and
the
truth
is
it's
probably
somewhere
in
between
yeah
flaky
test
services
for
should
function
for
service
endpoints
using
host
network.
L
J
B
G
B
Kubernetes
bypasses
external
firewall
ports.
This
was
a
really
fun
one
to
read,
apparently
we're
magical
and
we
can
bypass
firewalls
there's
information
missing,
so
I've
already
asked
for
more
help.
There
jay
also
commented
a
little
bit
so
I'll.
Unless
somebody
really
wants
this
one
I'll
just
assign
myself,
I
mean,
I
think,
that
one's
probably
just
going
to
wind
up
getting
closed
right,
because
I
it
can't
possibly
be
another
one
right.
I
my
suspicion
is,
you
know
the
firewall
rule
is
insufficiently
precise
or
something.
B
Okay
last
one
then
doctor
shim
defecation.
I
think
this
is
mostly
about
documentation.
Every
time
we
get
to
the
end.
Yes,
we
need
to
write
up
somewhere,
how
an
end
user,
who
was
using
docker,
shim
or
using
cubenet
before,
can
recreate
that
behavior
with
bog
standard
cni.
Does
anybody
know?
Does
such
a
dock
exist.
J
G
A
A
N
A
question
about
this:
I
see
that
we're
concerned
possibly
about
not
having
done
a
community-wide
update,
and
I
didn't
dig
in
far
enough
to
find
out
what
that
actually
is.
But
is
it
just
like
some
members
of
this
group
report
somewhere
else
in
some
form?
Yes,
if
that,
if
that's
the
case,
could
we
get
around
that
by
saying?
Well,
we
haven't
done
one
in
a
while,
but
we've
scheduled
it
and
I
volunteer
to
help
with
making
it
scheduled
and
happen.
A
N
B
A
B
A
B
B
A
L
L
L
B
F
L
L
B
B
L
Oh
yeah,
okay,
all
right!
Okay.
What
yeah
can
we
oh
yeah,
the
flag,
deprecation
thing,
so
we
were
talking
about
this
friday?
Is
it
okay
for
us
to
finally
start
deprecating
those
flags?
Does
anybody
we'll
do
all
the
details
of
it,
but
is
it
in
general?
Are
people
okay
with
that?
Even
if
so
can
we
take
some?
Is
there
anything?
Can
we
just
do
it,
sorry,
which
flags?
I
don't
know
the
agenda?
L
B
L
L
Okay,
yeah,
so,
okay,
so
we'll
just
move
forward
with
that
on
this
cap
and
the
other
part
of
the
cap
is
making
sort
of
some
strict
like
failure
scenarios.
I
guess
where
you
know
somebody
puts
the
flag
in
the
flag,
doesn't
do
anything.
It's
gonna
break
right
right.
So
as
long
as
people
are
just
aware
of
that,
so
it
might
break
people
with
ansible
scripts
that
have
you
know
what
I
mean.
B
P
O
I'm
gonna
be
really
fast.
First
of
all,
sorry
about
leaving
my
mic
open.
I
click
on
mute,
but
it
keeps
on
building
sorry,
then
so
it's
I
have
started
some
some
effort
about
moving
q
proxy
outside
repo.
I
was
chatting
a
little
bit
with
antonio
and
also
with
our
group
in
in
into
proxy,
and
I
have
opened
so
far.
Four
pr's
me
and
casey.
O
So
I've
opened
four
pr's,
I'm
mostly
doing
some
small
small
movements
here,
but
and
but
one
that
that's
pretty
big,
and
I
would
like
to
ask
you
folks
to
take
a
look
into
that
review.
The
big
one.
It's
probably
just
you
can
approve
team,
because
it's
it
messes
with
api
and
other
things,
mostly
moving
constants
outside
the
api
machinery
theme,
but
yeah.
I
guess
it
is
I've,
seen
also
an
email.
O
I'm
gonna
probably
keep
updating
you
about
that,
and
the
last
thing
is:
if
you
people
think
that
we
should
open
a
cab
for
the
last
part
which
is
moving
package
slash
proxy
to
outside
of
the
repo
or
not.
I
have
an
opinion
that
probably
we
shouldn't,
because
I
always
listen
that
if
you
are
rendering
kubernetes
kubernetes,
you
are
going
to
suffer
and
have
some
pain
and
we
are
not
responsible
for
that.
B
And
capture
how
we
communicate
even
within
the
broader
kubernetes
world
right,
there
are
other
folks
who
might
have
feelings
about
this.
Who
aren't
here?
Who
don't
come
to
our
regular
meetings
but
would
see
a
cap.
So
I
would
say
yes
and
specifically
to
discuss
the
point
about
whether
it
should
go
live
under
staging
or
whether
it
should
actually
really
move
out.
O
L
That's
it
so
are
folks,
okay
with
this
here
and
it's
just
a
matter
of
doing
the
cap
or
is
there
anyone
who's
like?
Oh,
this
is
a
bad
idea
because
we're
like
could
do
it.
You
know
what
I
mean
it,
but
it's
not
really
much
point
doing
it.
If
there's
gonna
be,
if
people
don't
want
us
to
do
it,
but
is
everybody
else?
Okay
with
it?
B
B
O
B
I
remember
reading
a
pull
request,
for
I
don't
think
it
was
async,
but
it
was
something
similar
to
that
in
in
scope,
and
we
found
some
issues
that
were
like
actual
real
bugs
with
making
it
a
like
a
standalone
api
and
it
turned
out.
It
was
just
the
person
who
was
proposing
it
didn't
have
that
much
energy
and
had
walked
away
from
it
and
I
they're
still
bugs
those
bugs
still
exist,
but
they're
since
they're
entirely
internal
they're,
less
of
a
huge
deal.
O
Yeah,
the
async
one
cannot
be
moved
to
to
youtube
because
it
renders
another
kubernetes
repo.
Okay,
that's
client
go,
but
I
am
moving
one.
That's
called
slice
and
I
am
like
fighting
with
the
old
history
because
it's
a
pre-client
because
pre
license
agreement
and
pre
pre
merge
message.
So
when
I've
moved
with
all
of
the
history,
I've
got
like
a
lot
of
punches
from
pro
like
you
cannot
commit.
You
cannot
do
that.
So
my
question
about
that.
E
A
bunch
of
you
know
not
so
useful.
The
bots
won't
let
the
pr
merge,
because
the
old
commits
are
are
not
up
to
snuff
we.
So
we
I
had
done
a
a
a
pr
to
move
bounded
frequency
runner,
which
is
probably
one
of
the
things
that
that
you
were
looking
at
in
async
ricardo
to
to
utils,
and
you
had
approved
it,
but
it
couldn't
merge.
And
then
we
were
like
oh
we'll
deal
with
this
after
freeze
and
then
I
keep
forgetting
and
vegetable
actually
just
closed
it.
This
morning,.
B
G
G
I,
the
problem
with
util
is
you're
telling
people
you
can
vendor
that
which
means
you're,
creating
a
contract
around
that
api
and
I'm
not
talking
about
api
rest
api,
I'm
talking
about
golang,
api,
yep
and,
let's
just
say
the
ground
at
least
the
apis
I've
looked
at,
is
not
exactly
the
cleanest
right
and
it
has
things
like
so
with
this.
These
are
things
we
can
always
observe
and
the
way
we
use
them.
B
So
the
the
line
I
mean,
unfortunately,
the
way
the
go
ecosystem
works
is,
if
you
can
see
it
and
it's
not
in
an
internal
directory.
It's
fair
game
which
we've
at
least
written
in
in
various
places
like
don't
vendor
kubernetes
kubernetes,
because
we
won't
support
you
right.
All
of
the
other
repos,
though,
are
less
well
defined.
Less
bright,
liney
util
was
explicitly
done
so
that
people
could
take
useful
stuff
out
of
the
kubernetes
ecosystem
and
use
it
and
like
part
of
the
the
meaning
there
was.
B
We
will
support
this
whenever
we
bring
something
into
utils,
we
hold
it
to
a
generally
higher
bar.
None
of
it
is
perfect.
There's
some
things
in
there
that
I
look
at
too
and
I
go.
I
wish
we
hadn't
done
that,
but
we
do
hold
it
to
a
higher
bar
for
testing
and
for
documentation
and
for
api
cleanliness
than
we
do
for
internal
stuff.
You
know
something
like
async
is
big
enough,
that
it
might
just
warrant
its
own
repo.
G
My
problem,
my
problem
with
offering
these
things
for
people
is,
you
have
no
control
on
what
these
things
can
vendor
in
so
let's
say
we
are
in
a
situation.
We
can
use
these
things
in
cooper
nets
kubernetes,
but
they
vendor
some
weird
thing
and
we're
okay
with
that,
and
we
understand
it
now.
If
we
offer
it
to
external
people,
then
it
becomes
a
shared
like
even
the
vent,
like
even
the
stuff
that
you
vendor
into
you.
The
stuff
that
you
build
into
your
tools
becomes
something
we
need
to
worry
about.
I'm
just
yeah,
not.
B
Utils
is
supposed
to
be
like
almost
import
free,
there's
supposed
to
be
very
few
imports
there
and
so
and
there's
a
rule
that
it
can't
import
other
kubernetes
repos
so
like.
If
we're
really
vendoring
client
go
which
boggles
my
mind,
I'd
have
to
go
figure
out
what
the
heck
we're
doing.
There
then
yeah.
That
is
not
a
candidate
right.
B
So
I
agree
with
you.
I'm
agreeing
something
like
async
is
big
enough
and
subtle
enough
that
we
don't
want
to
copy
it
internally.
We
want
to
find
a
place
where
we
can
share
it
amongst
each
other
and
vendoring.
Kubernetes
is
not
a
starter,
so
we
have
to
find
a
place
for
it.
Even
if
we
put
a
big
thing
in
the
readme
that
says
this
is
really
project
internal,
please
don't
mess
with
it.
B
B
A
E
Out
but
it
could
you
know
people
can
start
commenting.
I
realized
that,
since
it's
going
to
be
behind
a
feature
gate
that
means
that
it
talks
about
some
pain
and
flapping
connector
or
services
and
stuff
like
that,
but
that's
mostly
for
the
early
adopters
once
the
feature
goes
ga
it
should
all
work
pretty
smoothly.
H
H
S
S
S
B
S
One
example
that
comes
to
my
mind,
I
think
government
is
working
on
something
like
a
dns
policy
resource.
I
know
jay
ricardo.
We
are
all
talking
about
a
v2
for
network
policy,
which
may
be
a
different
resource
by
itself
kind
of
an
evolution
for
the
network
policy
v1.
Okay.
Now
they
are
all
not
necessarily
related
to
each
other.
Rather
I
mean
it's
not
something
that
will
you
know
graduate
together,
but
again
they
fall
under
the
umbrella
of
network
policy.
S
H
B
So
I
think,
there's
two
issues
one:
should
we
try
to
coordinate
one
group
across
multiple
efforts
and
repos
and
two
should
it
still
be
using
x
case,
like
I,
I
believe
at
some
point
in
gateway.
We
said
we
we
need
to
decide
at
some
point
in
the
future,
whether
it's
going
to
stay
as
xkates
or
kate's
right
yeah.
B
So
you
know
the
the
distinction
between
x,
kate's
and
kate's.
Being
things
under
x.
Kate's
are
not
subject
to
the
kubernetes
api
review
process
and
things
under
case
I
o
are
my
feeling
would
be
that
we
should
probably
move
it
under
kate's
that
I
owe
for
a
gateway.
I
don't
know
how
coordinating
across
different
repos
would
work.
We
need
to
have
some
coordination
scheme,
but
it
could
work.
B
B
So
then
the
question
is:
could
we
coordinate
one
namespace
like
that
across
multiple
projects
we
would
need.
We
need
something
somewhere
to
say
you
know,
hey,
I'm
using
the
fubar
name.
Nobody
else
can
use
it
right.
Some
some,
I
don't
say
a
spreadsheet,
but
like
a
git
repo
somewhere
that
lays
claim
to
names
within
that
namespace.
F
B
B
Yes,
I
mean:
that's,
that's
one
way
to
do
it
right,
it
could
be,
it
could
be
gateway.networking.case.io
and
policy.networking.com
yeah,
but
within
within
policy
there
would
be
three
separate
projects
creating
different
crds
yeah.
Now,
there's
a
new
issue
that
just
popped
into
my
head.
There,
like,
I
know,
you're,
not
allowed
to
share
an
api
group
between
crds
and
built-ins,
but
I
don't
know
if
that
applies
to
suffix
sharing,
I'm
presuming
it
doesn't,
but
I've
never
tried.
B
S
B
C
B
C
E
M
Yes,
I'm
here
a
quick
note
about
the
cap
for
all
board
services
support.
This
is
a
work
in
progress.
I've
dropped
a
link
in
the
agenda,
but
thanks
to
everyone
that
already
reviewed
it
and
and
offered
alternative
approaches
as
well
it'll
be
great
to
get
some
more
comments
on
it,
mostly
about
the
use
cases
for
all
port
services
around.
M
F
L
Like
does
anybody
know
who
would
work
on
that
or
if
people
care
about
doing
that,
it
would
allow
you
know
coupe
proxy
and
everything
else
to
not
have
to
go
through
load
balancers
and
it's
an
issue
that
we
were
triaging
in
the
net
paul
sub
project
or
in
the
coop
proxy
sub
project,
and
I
was
like
I
asked
if
we
could
close
it
and
then
somebody
yelled
at
me.
So
I
figure.
L
B
If
we
changed
the
format
of
it,
we
didn't
define
it
as
an
array,
so
we'd
have
to
like
there's
multiple
levels
of
discovery
that
happened
there
for
the
the
the
the
endpoint
ips
right
like
if
we're
talking
about
the
ips
that
come
out
of
a
cube,
config
versus
the
ips
that
you
find
in
the
what's,
it
called
anywhere
environment,
yeah,
any
yes
in
the
environment.
Thank.
G
F
Yeah
they
want
this
because
they
want
the
the
use
cases
I
want
to
to
use
this
with
for
two
process
example,
because
you
cannot
have
a
service
until
you
have
to
process
it.
Oh
and
I
don't
want
to
put
a
lot
of
water
in
the
control
plane.
You
know
that's
the
use
case,
so
I
I
just
take
the
cry
and
go
into
proxy
to
to
go
to
these
three
api
sets.
L
B
B
F
L
What
should
we
do
as
we're
going
through
issues
like
with
stuff
like
this?
That's
just
not
going
to
be
solved,
but
it's
not
an
invalid
request.
Like
is
there
a
label
for,
like
you
know
like
a
bike,
shed
label
or
something
like
where
you
could
say
like
okay?
Well,
we
can,
let's
just
keep
talking
about
this
forever.
B
Well,
no,
because
we
don't
I
mean,
there's,
I
think,
there's
two
categories
there
there's
the
ones
that
we
don't
know
quite
what
to
do
yet.
We
think
they're
valid.
Let's
leave
them
open
and
see
if
we
can
discuss
them
later
and
there's
the
ones
where
we
agree
are
valid,
but
we're
never
going
to
do
it.
So,
let's
just
close
it,
because
why
have
6000
open
bugs.
L
How
do
we
prove
to
someone
that
we're
never
gonna?
Do
it
like?
What
do
we
what's
the
bar
there
like?
Do
we
just
do
I
just
I'm
happy
to
just
bring
him
up
like
every
like
here,
every
once
in
a
while
and
just
be
like
so
for
this
one
specifically,
should
I
just
say
that,
because
I
feel
the
same
way
like
antonio
mentioned,
like
I
don't
feel
like
it's
ever
going
to
happen,
but.
E
B
S
N
S
G
It's
not
even
a
fix,
it's
a
feature
request
right.
Another
thing
I
need
you
to
like:
I
need
us
grounded
a
bit.
We
have
the
luxury
of
clouds,
so
low
balancers.
Are
there
yeah
bare
metal,
it's
harder
and
I'm
guessing
whoever
pushing
for
this?
It's
a
very
metal
deployment
because
that's
where
you
suffer
the
most.
G
I'm
not
saying
we
shouldn't,
we
should
say
we're,
not
gonna
fix,
I'm
just
saying:
let's
keep
it,
let's
think
about
it
all
right.
If
it's
one
of
those
things
that
will
require
a
large
service
area,
then
we
need.
We
need
to
schedule
it
in
a
way
and
people
understand
that
yeah
it's
a
corner
case
and
we
would
like
to
add
it,
but
it
will
take
time.
B
How
long
yeah,
unfortunately,
these
are
the
sorts
of
issues
where
we
ask
people
to
file
a
cap,
and
then
we
spend
three
months
pounding
on
the
cap
and
then
they
get
frustrated
and
walk
away
from
very
often,
and
it's
not
that
we
should
change
the
process.
It's
just
you
know.
This
is
what
happens
sometimes.
G
L
L
O
Yeah
I
I
was
going
to
say
that
probably
this
could
be
something
as
like.
I
am
an
on-premises,
very
metal
user,
and
this
could
probably
be
like
best
practices
for
on
premises
like
you
can
run
an
aj
proxy
and
keep
alive,
and
this
is
the
way
that
we
suggest
you
doing
this.
It's
not
like
the
end
of
the
world.
I
know
that
that
there
is
a
case
of
of
the
edge
computing
thing,
but
for
mostly
the
bare
metal
one,
probably
we
should
say
hey
we
can.
O
B
B
Fix
his
or
maybe
we
need
a
different
way
of
denoting
like
ideas
that
we
would
love
to
do,
but
we
used
to
have
a
we
used
to
have
a
version,
two
accumulator
bug
where
every
time
somebody
came
up
with
one
of
these
like
this
would
be
awesome,
but
it's
so
challenging.
It
requires
a
v2
and
just
go.
Add
your
ideas
to
that,
and
then
it
just
became
like
a
it's
like
screaming
into
the
wind.
It's
like
a
venting
place.
B
Where
did
that
go?
It's
gone.
I
think
the
issue
itself
might
still
be
around,
but
like
nobody
takes
it
seriously,
it's
not
it
like.
There
isn't,
there's
no
plans
to
make
a
v2
that
breaks
things
in
any
fundamental
way.
So
a
lot
of
those
ideas
are
just
non-starter
ideas,
they're
just
too
big
to
be
worthwhile.