Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / SIG Network / 10 Dec 2020
Kubernetes / SIG Network / 10 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kubernetes SIG Network Bi-Weekly meeting 20201210

Description

Kubernetes SIG Network Bi-Weekly meeting 20201210

A

Welcome everybody to the sig network meeting for thursday december 10th, 2020.

A

And first on the agenda is, as always triage does anybody have triage queued up woohoo all right go ahead, bridgette.

B

Yeah, so I thought this was really interesting actually because we are doing an amazing job lately of triaging. um I will share this if it lets me.

A

uh I did enable.

B

Sharing fantastic.

C

Tim mentioned that he had done pre-meeting triage. So that may be why it looks like we're doing amazing, because he already.

B

Did it.

C

All he.

B

Did it was amazing, um let's see if there's more than the 15 that were we were down to okay, we're down to these 15, so one second latency in host service ipod with ib tables, so this person has issues well documented issues suggested fix blah blah blah uses ip tables. I think somebody was already looking at this.

D

Various workarounds, I think dan.

E

Was the person who was looking at the vxlan offload stuff yeah.

A

I was looking into that a long time ago. Yes,.

B

So what do we want to do with this.

D

Is the question.

B

Like.

E

Yeah, can you look at this and see if you.

F

Can.

E

Answer the I mean the question is really like. Is there a better answer sure.

E

Okay, sorry, I assigned you unilaterally, I didn't that's.

A

Fine.

B

Okay, so we're just leaving this one the way it is.

A

Yep, okay,.

B

uh And then we're going already to 29 days ago, oh my gosh, all right! This is already assigned service. Topology doesn't reject traffic. When there's no matching end point and it looks like andrew, do you have any ideas or do you want this to sign someone else.

B

If andrew is on the call.

G

Yeah I'll follow up thanks.

B

Okay, moving right along network policies are blocking a loud traffic. Oh no, okay, this one again, it's been people have been troubleshooting it for a bit uh jay. You want to update us on this.

H

Oh, this is totally done yeah we can close it. We have an e2e test, that's pending a pr for this new policy test and then we've got. I think this guy solved his problem yeah. This is totally yeah.

B

Okay, so this is a nine six. Three four one you wanna go update that.

H

Yeah yeah yeah.

B

Awesome, okay, cool proxy dash cleanup: it's not cleaning our ipvs rules. Let's see antonio, do you do you have thoughts here or.

I

It looks like andrew.

B

Owns it antonio commented on it back in october,.

J

Okay,.

K

Go okay.

J

Now.

K

This.

J

This is coming from a discussion that tim and andrew had in in that in that issue, so I think that only both of you are able to to answer this.

E

uh I read a little bit on the history of this. It looks like we made at one point. We made cleanup, not cleanup ipvs rules and there was a separate command that would that was needed to re to turn on clean up ipvs rules, and then we deprecated the ips cleanup entirely right.

J

Yeah, something like that so.

E

I'm not sure what the user, I'm not sure what the user really wants here.

J

Okay, I can follow up and ask some questions. Maybe some person just want to comment.

E

Something maybe I mean, maybe the answer is like we're just not doing that anymore.

B

Okay, so I'm gonna sign antonio, so you can follow up sound good. Thank you. All right, uh nf tables do not scale for services. Let's see, and we have tim uh asking what's going on here. What do we think.

E

uh I I ping this today uh I'd like to know what the what we think the follow-up is um it to me. It didn't sound like this was expected, behavior uh and, and it doesn't align with what other people have reported. um So I guess I want to figure out what the next investigation is.

B

Okay, what do folks.

B

Think looks like, but we grabbed this one.

G

Oh, I grabbed it to keep track of it. I think mache needs to post some more info.

A

um The version he should try to put a newer version of vip tables than that particular one. I know there have been performance fixes since the one he's referencing there.

G

I'll send him a ping to follow up if he's going to.

A

Be able to try that yep yeah I mean I'm happy to work and try to get him an rpm that would maybe work better.

B

Okay, all right um range, allocator dot, go crashes, the entire world, or at least the entire kcm. If the setters are incorrect, first single dude.

E

Jay you are looking at this. Are you confirming that it is in fact a bug.

H

I think I thought it was a bug, and then we talked to dan and antonio about it. We had kind of a three-way debate. I think we kind of agree. It's a bug. We just I don't remember who owned, making the next decision about what to do about it.

E

Well, if you're saying that you can in fact crash the controller manager through an api object, update even a bad object update, then it's that yeah that's a bug. At the very least, it should not crash right.

H

That's what I thought yeah cause: it's a spec update and it's for a single mode. So, okay, all right.

E

uh I'll, let's I'll switch the labels on this. Let's confirm this as a bug. um If somebody wants to work on it, I don't know how hard it's going to be or or what the impact of trying to fix it will be I'll update this one. Okay,.

H

Okay, I mean maybe I can propose a a stupid fix and then, if someone has a better one that might help move them issue forward, so I might be able to look at it. We'll see. Okay, all right.

B

I know we're running low on time, but we also got started a little late. So just tell me when we should stop, but uh we've got pod pod low bandwidth, um wow we're back into october already all right. What do we think, mr.

B

Williams.

B

Possible pad to pod bandwidth limit.

A

Yeah, I did not have time to look into that one. Yet, unfortunately,.

E

Okay, it's hard to it's hard to call this in a bug, because I would expect it would be much more widespread, but it would be good if somebody who has some context could at least confirm that there's not something obviously wrong. Finland is on our team. Andrew, do we know anything about this. One.

B

um You want to be added as an assignee to talk to this individual.

C

You could probably assign them directly on them.

B

Sorry I couldn't hear that of like who to assign yeah.

H

Why don't you just assign honlin and um and then I can ping him internally and ask him if he wants to follow up or andrew can yeah.

B

Like so yeah sure all right- okay- oh we have jay, you reported excitement. Adventure tim has questions about your firewall choices.

H

Oh yeah, I I think we all agreed. This was probably the client we need to spread these yeah. We know what to do here. We just, um I almost feel like this is a good, getting started issue or something, but we know what to do here nobody's doing it. It's not hard. We just need to move. We need to make this test so that it so that it spreads the spreads the client around in a logical way.

E

I'm not convinced that that's really the solution, maybe I'm misinterpreting the bug, but if you have firewalls up and you're trying to run the ede tests like do we really expect it to work.

J

It's just the opposite. The problem is that he has the firewall up and the test pass, so it should fail.

F

It's the lack of.

E

Consistency, but we know we know that fabric level firewalls are insufficient for constraining pod to pod traffic, so anybody who's. I would argue that it's actually correct it's showing him that his firewall is not effective.

C

Right that that the problem is that sometimes, even if you have a firewall up the test pass and that's a bug, we're saying the test should fail consistently, rather than failing inconsistently.

E

um Yeah, it's just a consistency, then you always want to run it on the same node. You always want to go worst case.

C

Right right, we always want the the client pod and the server node to be different, so the traffic is forced to go over the network and will fail if you have a bad firewall.

D

Yeah, so we need to change this test.

E

Need to figure out are we trying to?

E

Are we trying to prove that the firewall works or that the firewall doesn't work, because I'm arguing any such firewall doesn't work because you, it doesn't contain pod uh same node traffic? So I would say the test would want to run them on the same node so that the test would always pass because.

C

No but the the argument.

E

Is.

C

That that the the person upset about this is running their tests in an invalid configuration and needs to stop doing that, so we should make it fail every time they try, rather than making it look like their configuration is valid. Sometimes.

E

I see so we should be testing both.

G

Well, what I did yeah, I was going to say.

E

Why not.

H

Both.

G

Yeah both.

J

Okay, sorry, antonio, go ahead. Yeah, that's the thing we should test, but if you use node port, you are expecting to use it from to receive traffic from outside. So the minimum has to be to validate that people can reach out the node port from outside. No.

J

If I deploy my cluster, I expect that people can reach the node ports on the node ips, not my pods. In the same.

G

That's right.

J

Many more, I think that we should the minimum should be from outside to the to the north part, and of course we should do what.

H

Yeah, I guess bridget, could you just say either test both or just do from you know outside to node port, because either one of those, I guess, is probably going to be help us move forward, and then we can just someone can do a pr it's not like. Maybe I can do it at some point.

E

Antonio, I forget now: do we have a mechanism within the ede framework for testing from outside the cluster.

J

Yeah well, yes, we have. um We have a a way to schedule the parts in different nodes. This is what we are using in several e3.

E

Well, but we don't have a, we don't have a machine, that's not part of the cluster that we can launch testing.

J

No, no, no, the trick is always to to use different nodes in the crust.

C

Wait is that true, I I thought ede.test itself runs on a host which it might be part of the same like gcp, vpc or whatever, but it's it's not part of the cluster.

J

No, but so I think maybe, but the the e2e is not guaranteed to reach the cluster.

H

And you're not.

E

Guaranteed that I can probably eat in a pod right right, I can run the ede on my desktop.

C

Right, I'm pretty sure that there are tests that will fail if ede.test cannot reach load, balancers and external ips yeah, but.

J

The thing okay, balancing external ap- is a different beast, because this crowd provided specific.

H

For this one, it's so easy, though literally we just pick the first note. If we just pick a different note, it would be like solve most of this issue.

J

I'm I'm going on. I can I want to to do something with a3. We need to do something for the dual stack and I will take on these two and and we'll try to to.

B

Are we saying this.

J

Yeah.

B

All right.

B

um Let me know when we should stop and go to the agenda because there are agenda items, so I'm just looking at the time.

B

Today,.

E

And the I think ping this person today and they said uh they will try to get it they'll try to take a look at it. Oh.

B

Okay well we'll see, then.

A

Yeah, we should probably stop triage. Do the rest.

B

Of the agenda.

A

And then come back if we.

B

Have time.

A

Left at the end.

B

Perfect. Thank you.

A

All right uh thanks, bridget and thanks everybody else too. um Next up danman chip, endpoint slice and proxy modes.

C

Yeah so um it I was just doing some planning stuff and it occurred to me that probably at some point we will want to not have duplicated code in cube proxy once everybody is supposed to be moved to endpoint slice, um and I wasn't sure if anybody had thought about that already.

L

Yeah, that's thank you for bringing this up. That's a good point uh and I think the questions you added here are are great and relevant. I don't know of any plans right now to add support to user space proxy for endpoint slices and I don't know of anyone using the user space proxy either, but I other than openshift uh like you mentioned there, um but but with that said, uh I'm I'm open to it. I'm sure anyone else is too, um but I I don't personally have plans.

C

Right I I guess I should have clarified that for anyone who doesn't have the agenda up so the the questions was, you know one. Is anybody planning to port the user space proxy to uh endpoint slice and two? Does anybody know of anyone? Even using the user space proxy.

H

I use the linux windows 1, but I don't know how long I'm going to be using it, but I use it right now. We use it. Android uses the windows, users.

L

That that has the same issue where endpoint slices have not been ported to windows user space- uh some some folks on the azure team, ported it to win windows kernel, uh but it has not made its way to windows user space.

L

So yeah there's a lot to be done.

H

There I have a cleanup pr for the windows user space, one by the way, also kind of in flight. I was, I remember andrew mentioned this as well uh a related one, there's a lot of stuff to do on those user space.

C

um So yeah, so the other thing- and I see andrew just responded in chat, is, is wondering I mean: do people think that we should get rid of the duplicated code in cube proxy, because if people are happy keeping both sets of code, then none of this matters anyway,.

C

But tim, you think it's a good yeah, I'm almost done muting but then not saying anything.

E

I'm always happy to see duplicated code get removed, I'm not familiar with how reusable the code there is.

L

So, for a little bit more context right now, there's a kind of coup proxy local data structure uh that both endpoints and endpoint slice map into, and then each proxy here uses that data structure. Well, each of the non-user space proxyers use that data structure.

L

There is more duplicated code for the user space proxiers, but it's it's not a huge cost but like like has already been alluded to. If we imagine there's a time in the not too distant future, where people just won't be using endpoints in kuproxi, uh then it may not be worth the value of keeping it around forever.

C

Okay, that that so I added to the end of the thing it sounds like nobody is really cares that much about getting rid of the old code for now, at least so that that resolves. That.

L

Yeah, I think, that's reasonable. I think the so the feature gate, that's guarding endpoint slice. Implementation in coupe proxy is probably one to two releases away from being ga, and if it's anything like the controller functionality, we've said we wouldn't deprecate anything related to endpoints. Until after uh the endpoint slice, functionality went ga and that's a long path.

C

Right I mean yeah, I was uh I had it meant. This was all post. Ga stuff, like you know, once the feature gate is locked on, there would be no way to turn off endpoint slices in cube proxy.

J

Yeah yeah and what happened with the node name, topology thing, because this this was a last minute thing: bro yeah.

L

That's.

J

Okay,.

J

Okay,.

L

Yeah, it's a good question.

L

uh This is something like I had been trying to graduate the endpoint slice api to ga and the 120 cycle, and I had a pr that that did that and uh got some questions and some hesitancy around the topology field, because it was no longer being used essentially by by any of the active proposals, and we were wondering well, hey: can we can we get rid of this and obviously you can't get rid of a field at the same time or you shouldn't at the same time as going to ga, uh and so we decided to uh well that there's there's some discussions on github on the on the pr around this.

L

um But but the general idea. As as I remember it was let's try and pull topology out and instead just use node name to mirror what endpoints already has uh and and use slice level labels for topology keys, like zone and region and and subsetting based on that, is that what you're asking about.

J

Yeah, so that means that we need more release cycles to to have parity within points, because the local traffic and distance are using the endpoint node name or- or this thing no.

J

I think the cube proxy uses the the host name in or the node naming and points to to regulate local traffic or something like that.

L

Oh, I see what you mean: yeah yeah, there's. uh There is a way that it can be converted uh in a backwards compatible way. I I forget the specifics of it, but but there should be a way to to make that work as part of an upgrade.

J

Okay,.

E

Are we I didn't think the plan was to upgrade it was to automatically transmute that, though I thought we were adding node name and saying this: is the ga form topology with alpha and it's going away.

L

Right but we talked about that.

L

Yes, I I yeah I'll need to go back to my notes on this one. As far as somehow, I thought that a field that, like the topology, no name equivalent field, could be true, no yeah you're right that that got too messy um yeah I'll. Look back at my notes on that. One.

L

I'll make a pr to update the cap. I know there's already been some updates, but uh I'll go through and make sure it's a little bit clearer, what's happening cool thank.

L

You.

E

Everyone.

A

Yeah, it looks like we're up to tim for a couple of cves external ips cve first and revisit localnet cve was the next topic after that. So go ahead. Tim great. So thank.

E

You um so I'm sure most of you saw the external ips cbe drop this week. It's not new. Actually clayton filed a bug against it in like 2016., um so it's it's known. The problem is that it's just an overly powerful feature that, uh because of our compatibility guarantees, we can't just unilaterally break so I'm I wrote a small cap this week to propose that we add a new built-in admission controller to disable the use of external ips and people cluster admins can opt in to disabling it.

E

I believe that you know anecdotally, like 99 of clusters, can probably opt into this and will never use it and everybody else who really does need. It can not opt in and they can either leave it the way it is or they can apply policy through opa or whatever other policy mechanism they're currently using, which is strictly simpler than what the open shift. um Openshift has a controller. That's similar to this, I guess, um but it actually allows some cider checks and things like that.

E

I'm saying you must not even bother, but I wanted to throw it out here and see if anybody like fundamentally objected to that plan.

E

I'll take silence as no um the cap is out there I'll link the cap in the chat. Let me find it um it's a small one, and I think I just need to convince the api machinery, folks that this is worth having another built in for.

E

So then, the second one there's the cap, I just linked it. um The second one is this older uh tim.

G

I had a question: uh yeah go ahead, do we think do we think we should think about deprecating that feature or we just kind of leave it and that's it.

E

We, I don't know, um usually when we say deprecation, I want to say you know, here's the thing you should use. Instead, we don't have a thing to use instead, so for now I'm not I'm not recommending that we deprecate, I'm just saying we should just block it for most clusters and then we can figure out from there whether we want to really deprecate it or not. Disagree.

G

Yeah, I wonder if we should, I guess that, will push people wean people off of it.

E

uh I hope I hope so. I think there are still some people who are legitimately using it and I'd like to hear from those people, so we can think about better solutions and then we could possibly deprecate it.

C

So in openshift we had been using it as kind of like you know, a cheap way of getting load balancers on bare metal clusters. But at this point it's basically a legacy feature and we're moving towards using metal lb or something- and I think that's probably the right answer for a lot of people.

E

Yeah, I agree and between that and like multi-cluster services, with the other use case, that I'd heard of people who are migrating between clusters.

E

It seems like most of the use cases that I know of are going away.

K

Yeah we've been using this with the with calico, so I think it it. It would be good to ask also for casey, because in our case we are using this as external ip and announcing as an anycast load balancer for ingresses, but that that's just the case.

E

Yeah and truthfully, if, if enough, people are using it and they're going to complain about it, I don't mind bringing back a different feature that does the same thing, but in a more controlled way, right or or honestly, we can just leave it and tell people. This is a really powerful feature. You probably shouldn't use it, but if you do like meet my friend oppa.

E

Great okay, um so the second cva that I threw on the agenda to revisit was this old localnet cve um and just to refresh people's memory. Cube proxy and iptables mode enables a syscuddle in linux that allows the 127 network to be treated like a routable network which is in violation of the rfc and uh it what it allows is node ports on localhost now ipvs doesn't allow node ports on localhost at all and ipv6 doesn't allow node ports on localhost at all.

E

So what we've got in now is iptables, which does allow it and everybody else who doesn't. Actually, I think user space does too, and I can't actually speak to the windows kernel mode.

E

Most there's not a lot of use cases for supporting it at all. uh I do know that there were some people who were using it for things like insecure doctor registries on local host colon 5000, and they were using it as their.

E

How cubelet would pull images that feels like a gross hack, but I don't want to break people so uh we've been discussing in one of the issues and I'll have to find that one also. um How do we actually want to tackle this.

E

And I was hoping to maybe get more brains on this. I just posted the link to the discussion there.

E

I just wanted to bring it back to people's uh front of their brain as we wrap up the year. It would be nice to uh not let these linger too far into the new year.

J

There was a bearing cubelet to block all the martians with local horse.

J

Is not this, that's not valid, we need more.

E

Why is it not valid not.

J

Asking so why.

C

So.

J

So the.

C

Issue is: is that the the cbe fix blocked some people's use cases.

J

uh Okay, so I was.

C

All.

E

Right yeah, so I I wanted to just throw this in front of people again um to see. If there are, you know more creative answers for how to do this, or if it's really just something that we should start weaning people off of, which is mostly what the thing I just linked to says for the life of me. I can't find a way in ip tables to do what is currently being done with the route localnet without route localnet.

E

Maybe somebody knows it better than me or or can figure out some other way of expressing it anyway. So I just wanted to pop it back to the top of everybody's.

E

Deck.

E

Did I have one more on the agenda? I forget.

A

Yep service rest overhaul help needed.

E

Oh yes, uh so uh I took a a couple of weeks uh sort of off of my uh normal day-to-day responsibilities at work, and I focused just on getting some upstream issues pinned down specifically the cal, and I spent a lot of time together, finishing off the dual stack stuff in late october, early november.

E

It went in in looking at that. I realized just how awful the rest code around service is.

E

It's some of the oldest rest code in the system, and it does things that no other resource does and uh it's written it like. It just hasn't, been updated as the best practices have evolved, um and so it's just it was just horrible. It's got this two-layer cal says he's being nice, it's worse.

E

It's got this two-layered rest thing that ends up calling validation and strategy stuff twice, so there's actually some validation code that allows things that shouldn't be allowed because it gets run once before, validation, once after or once before, allocation and once after allocation, um it's a it's, a it's a real mess and so cal and I brainstormed on how we could do better and how we could actually bring it into a single layer and make it look more like the rest of all the other resources.

E

So to that end, um I started on a pr and um I've proven and and that we can't actually move it down into one layer, um but the pr is getting unwieldy and um I'm here to say, if anybody has some free cycles and they'd like to learn a new area of the code that they haven't played with before and help write some tests and port some test cases and clean up some stuff.

E

I could sure use help on it and I'll link here, the pr that I have in progress and uh anybody who opens that will realize that it's a there's, a lot of work to be done still.

E

So uh anybody who wants to pitch in and help out on that a lot of what I need to do is just making sure that the test cases are really sufficient like in in. I did the create path, and I found some test cases that weren't covered before and in fact I found bugs um so. The update path needs help on test coverage and then there's just a lot of cleanup and stuff to do in there.

E

So anybody who wants to help drop me a note and I'm happy to discuss what what and how we can collaborate.

E

And that's all I yield my time.

J

Do you have another vr related to this or is not great.

E

I I had a couple that were like attempts at at solving it in different ways. This is the the one that I think we should actually do, um and it builds on a different pr that is also not merged yet against the api machinery. So that's all included in there and I'm discussing getting that api machinery patch merged separately from this.

J

Okay, so.

E

There's a change we need to do in the api machinery that the api machinery folks basically agree to, but it's not merged yet, um and then this builds on top of that.

J

Okay, the the decorator and all the okay, the one that david eats and and, ladies.

J

Is before this.

F

Yes,.

J

Okay, okay, I got enough okay.

J

Right what about the discussion that we had the last cycle with uh daniel daniel smith and then winship with the service submit daniel proposed to to move the allocation to uh a mission controller, or something like that kind of be the balloon volume provisioning? And these things I was working with that idea, and I think that we can do it in with an emission controller too, and remove the.

G

Allocators.

J

Of the ap of the apa server.

E

um We could accept the admission controllers are not called if an operation is rejected. So if you, the user, sends us in something that will be, that will fail validation and then we go ahead and we allocate ips and whatever for it. And then it fails validation. We don't get a callback to say, oh by the way it failed validation undo whatever you just.

I

Did.

J

Thank you just take me one or two days so.

E

This is a it's a mess like honestly. The fact that we did all these allocations um synchronously makes it all that much harder. But at this point we can't change that, so we just have to try to make it as as like well protected as possible.

E

And it's made more, it's made worse by the fact that the the amount of permutations of all the different fields around type and cluster ips and cluster ip family- and uh I I p family policy um and ports and all those like all the different ways. Those things can can permute against each other, makes a very large uh test. Matrix um and update. Is that squared so.

E

Put another way I wrote a program to generate the test cases for the test to test the code.

J

This is going to be funny like this, with the stack, so car is on board with this. No sorry, this is going to be funny like with the dual stack so.

E

Yeah, the dual stack is part of what makes that's part of what makes the permutations worse is because we want to really test against every form of gate, enabled gate, disabled cluster configured as single stack, 4 single stack, 6, dual stack, 4 6 and dual stack, 6 4 multiplied by all the other permutations.

E

And, like I said I found I found bugs that way so, but also I timed out unit tests.

J

Do you have an area in mind that you want to cover? I want to to play with this, but.

E

uh The the tests around update are right now, I'm well. First of all, I could use anybody's eyeballs to look at the tests around create. I think I have a good representation of the various interesting cases through create.

E

I could use help generating the same list for update, there's already some tests that exist. It's a matter of like cleaning them up and making sure that they're that they cover enough that we're happy with them.

H

Okay, I will are, they are some of these like? Are these carved into issues, or is it like? You want someone to take the pr over or what like? What's the.

E

No, I've got this pr open and I'm saying like if somebody is interested in it, then let's talk about how we want to collaborate. I don't know we could open a bunch of issues. We could start a dev branch. We could just pr each other against our own private forks. Like I don't really care. We can figure that out. If nobody says they're interested, then I'll just keep plodding along at my own pace.

J

Yeah I'm interested this is going to be all.

E

Right we'll take a look, and then we can talk about how we want to move forward.

H

At some point, do all these test permutations need to move? I know antonio, you had mentioned, there's a service apis test throughout a tree and like is there some point like a new set of tests that need to be out of tree? I was wondering for for some of this stuff once the e2e tests get like for once, all these permutations start becoming important, or is it all going to go and treat the weight?

H

Well.

E

One of the things we need to figure out is sorry, antonio, go ahead.

J

No, I mean for this. The best thing is the integration framework. So you you can really test everything, because we are not doing any data playing testing here.

E

Right so I did. I wrote all these tests as unit tests, which really just call into the rest stack and then verify the results. So I thought unit tests would be the smallest scope and therefore probably best, but I'm open to arguments about why integration would be better or why testing at different levels gives us sufficient confidence in it.

J

We need the different levels because of what you ma maintained before we need to to make it fair in you know in one of these conversions or stages, so, for example, failing to go to it, see it cd, what happens, how it recovers.

E

Oh well that that's an entirely different case that I hadn't even really spent any time on I I was looking at be like what happens. If I say it's a v6 cluster and I ask for a v4 ip address. Does it correctly give me an error right.

J

Yeah, well, that's quite insane it's different layers, but you mentioned it before what happens.

G

If.

J

If you are, you know allocating a need facing in the transfer. I think that jordan commented inside of europe yeah, something like that.

A

Can can we move further discussion to pr or mailing list?

A

Please, okay, let's do that not to cut things off, but we have eight minutes left and one more agenda item so dan yeah I mean when beta when network policy still exists. Questions.

C

I was reviewing uh ricardo's uh end port pr and noticed that he was updating the api types and extensions and I was like: why does this still exist um and christopher luciano responded to some of my questions, but um did we drop the ball? Did we forget to delete stuff? We were supposed to have deleted or.

E

um Maybe.

C

Or, or is there some.

H

Good observation delete it or.

M

Yeah I put in there- I I don't know if you remember tim, but soon after we officially put in egress into v1 of network policy, there was an issue created or something about. What do we actually do as far as deleting old code, uh for instance like extensions or something like? Is there a point where we can actually delete it? Because we can do things as.

G

Mentioned.

M

In there, by not serving them and then even putting the option of you can't even re-enable serving them at all, but we still have to contribute to the code. Past tests and stuff.

E

uh I I think the standard answer is for a beta api. Is we announce the deprecation say we announce it in uh 21 and we keep it through 21 and 22, and then we can get rid of the beta api. We just didn't do that.

M

Like I get rid of, do we mean actually delete the code as well? Is that what you're asking.

A

So you said, tim announced.

G

Deprecation.

A

Sorry in 1.21 and then remove when.

E

We keep it through 21 and 22 and we get rid of it in 23 or if we're feeling generous 24. But given that this has been a long time.

E

I mean, ultimately, we want extensions to be deleted right.

A

Right: okay, I just wanted to capture that in the meeting.

C

Notes, okay and if it turns out that we did actually already announce like because there's a comment that implies that that we announced it was going to be removed as of 116.. If we find that we did announce that you can just safely delete the code, uh did we do that?

C

I don't know, but I'm saying if we, if we, you know the old announcement and, like you know the old release, notes or something.

E

I feel like we should give. If we did that, and then we forgot to repeat ourselves, we should probably repeat ourselves one more time so in the case that we found that we should say in the release notes for 21. That 21 will be the last version to support extensions, b1, beta1, okay and then we can get rid of it in.

E

22.

A

Do those notes look accurate dan.

A

I, what I put down was tim said announce deprecation, keep v1 beta1 through at least 1.22 kill in 23 or 24, or if we did actually announce removal, but we never did it. Then re-announce removal keep for 121 remove for.

A

1.22.

C

Sounds okay to me, okay andrew is asking on in the chat: don't beta apis get automatically disabled removed. Now it's not literally automatic um they're, they're supposed to be, and and people are supposed to go in and find and for some reason the cap that started that process did not look at extensions at all.

E

So, yes, I I know that jordan will dance a little jig when extensions gets deleted completely.

C

We're not the only ones still there, so we're we're, not the ones blocking it.

E

No, but we should get out of the way.

E

Okay, great.

G

Observation. Thank you.

A

All right, we have a few more minutes. Is there anything else to talk about today.

M

Just quickly I put in the chat, I found the announcement or not. I found me talking about announcing it in 2018. A few links to that also happened there. The issue that I was referring to in our meeting notes: it's under the storage upgrade mechanism issue.

E

But if we did, we put sorry did you say we put it in the release, notes.

M

um I'm trying to remember if I did or not mainly, I was wondering about the issue that I just linked in there. Five two one, eight five.

E

Everybody's linking each other can't click them fast.

C

Our much is no longer served. Oh look, I'm cc'd in that issue. I guess I should have known. I guess I should remember this from three and a half years ago.

M

Yeah I tried to I, for whatever reason I just remember: 2017 is when we added the egress stuff, so I thought it was around there, but I had no idea how to look for it.

E

um So, does that mean that you can't actually use the extensions v1 data api for network policy? If so, we should just remove it.

M

I think yeah uh that was the original thing that I posted in there. You can't, as of 118, even put a flag on to make changes to it.

C

Awesome well then, but in theory people might still have objects stored in that format.

M

uh Don't.

D

We.

M

Yes, oh but yeah, that's what that storage upgrade mechanism thing is it's it's saying? Okay, so how can you force all of them to upgrade, though, if it was created say way back when.

E

But that's a general problem anytime. You remove something right.

C

Yeah I mean that seems to be what is saying: it is not safe to remove api object versions, so we are installing a moratorium on api object version removal until this system is in place.

A

Was it ever put in place.

C

The issue is still open, so I'm assuming now.

A

All right uh well, it sounds like we have a couple more things to figure out here, so I assume dan and chris. Maybe you guys can take a look at what the current situation is yeah and then figure out how to proceed. Based on the advice tim has given so far,.

B

I dropped the relevant links from the zoom chat into the google doc.

A

All right thanks bridget and thanks dan and chris. um We are out of time.

A

So unless somebody has something very pressing, uh we should also say that the next meeting is canceled, because that is likely a holiday for a lot of people.

B

Yep, I already updated the doc. So if you scroll to the top you'll see we're cancelled.

A

On the 24th.

B

We meet on the 7th of january.

A

All right, so thanks again everybody and we will see you in january.

B

Happy happy merry merry. Thank you.

A

Thanks bye.