Kubernetes SIG Network, 25 Jul 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Kubernetes SIG network 2019-07-25

Description

Kubernetes SIG network meeting from Thursday July 25th, 2019.

A

And we're recording so this is the community Sigma Network meeting for July, 25th, 2019 and I. Think first on our list, we've got Valerie for issue triage.

B

B

All right, it's that shirt. Okay,.

C

Looks good okay.

B

So, external traffic policy look what type load balancer AWS lb health checks. Failing so is this other? Is this something we should punch to take AWS.

C

Does it mention if it's using IP, yes,.

B

See no because.

C

I know there's another issue around IP V s, note ports, help for 4lb health checks, not working because of the way the IP vs frost year, we'll add the LD IP and so like on the route back to the lb it it kind of black holes it because it's because it's a local route but yeah I, think probably pointing this to AWS or the AWS. Sub-Project is probably better.

B

Interesting, how do I assign it to the sub-project.

C

You could do that for now and I can follow up in okay, yeah.

B

I know the NLB ingress is not super stable in general, okay, failing unit test Oh.

D

B

B

Yeah, this looks like it might be signed specific. The same I want to have one volunteer to follow up or should I I'm guessing. This is not something that anyone else is reproducing at the moment.

E

Shouldn't work on Mac anyway,.

B

Yeah, it's a good point. Okay,.

B

Next to proxy a PBS and clogs fault on master cube, mark drop, missing.

F

Is cube, Allah started or.

G

What version of iptables do they have by the way? Does it say.

G

There'll be something good to ask him. Yeah.

H

G

It yeah or yeah is Qibla running.

B

Anyone want to volunteer to follow up more with us.

B

Okay, whose sign you.

H

Can assign that one domain Casey.

B

Alright, next, let the bouncer bind on schedule. Node.

F

It looks like the of the annotation, not there's a no annotation that thing we we talked about.

D

C

Actually kept open that proposes some changes to do this.

F

Yeah I have seen something related to this, so, like probably worth a discussion in the sake, is that is it reasonable to add, like a low balance or specific, no taint, so that, let's say all the no bouncers will react to that particular taint effect, because the current no taint has basically two or three types. One is no schedule, basically marker known as non scheduled and then no execute basically effectively just kick out all the parts on the node and then like right now.

F

There seems to be a lot of ask to flexibility to include a certain or exclude certain now from low bouncers. So does it mean we should have a more generic feature like some kind of a specific, no taint or something I want.

E

To second that so virtual cubelet is one of those scenarios where dress code and and the cloud provider that says all we have a we haven't even that. Basically a couple of others says: oh it's not that several complete note, then don't include it. Also.

E

There is the situation where the cluster spans, multiple resource groups or multiple deployment you and it's specifically, agile or others where most of the clouds will will try to bind the node in a specific network or a specific resource group and users may want to have other other with other nodes in other research group for security for and other stuff. So the we have also used the same label so we've been facing. This requirement have been dealing with it, giving custom labels. So what I'm trying to say is I. Second, that request so.

A

I think I think this is a known feature request, so we can probably mark it as resolved and maybe even close it as a duplicate, so I also kind of recall there being another if you're tracking this.

B

Kept handy or should I just say that we're working on it.

C

You can assign it to me. I can like the kid kept there afterwards, Andrew.

I

Yep, thank you.

B

B

And you to use Signet work services should be able to create a functioning node port service.

B

Men hundred.

B

John, yes,.

F

B

You're coming through a bit st. they're.

B

All right after you leaving the service cube proxy cannot delete the corresponding IP tables rules, sounds nasty.

J

So you can assign this to me dan Winship, ok,.

B

Is this anything you have like existing knowledge or suspicions honor not.

J

In particular, but I've been poking around the IP tables, proxy err in life anyway,.

A

Looks like I might even be related to that other. If you're saying a chain can exist.

B

Right next, one delete a service correspond to IP, yes, record, not removed when queue proxies in IP, vs mode.

B

Suns, it's kind of more I.

C

Can take this one and your second okay.

E

And through your putting us all in cement, your.

C

Ip vs person no well I've, been taking some of the issues. That's why.

B

Okay, community service sockets get disconnected if there's no traffic for a period of time.

J

Little TV I see a priority awaiting more evidence label, maybe stick to the end and see if we're waiting to hear back.

B

Yeah looks like we're still waiting and.

K

The short answer is yes, it does because most of it's done through contract and contract does have a timeout, but I think the time I was like five days.

B

Okay, does someone want to follow up with that? I can assign.

E

E

Get an idea that the first day I should.

B

Remember that every based off your branch is enough.

B

Okay, coup proxy failed to refresh IP tables IPS rules when the balance of services used ipv6, address.

E

What the hell I sent it to you as well: I love good. Looking we've been looking at ipv6 stuff.

B

All right all services losing endpoints after a couple of hours, long windows, node,.

H

Sync windows not.

E

Significant windows here you can do better, clang and I. Don't tell me, sits beside me just I.

H

Can Patrick Lane yeah.

B

Alright cool it start to fail for streaming server. It stopped unexpectedly.

B

Alright they're not about what can run. Where might be user misunderstanding you.

I

Can stick this one on me.

B

That rooms really testing my ability to remember whizzes.

B

It takes more than 50 seconds in average to add or move node by service controller. Oh.

D

It's already assigned Oh.

D

B

That's what I had the reminders for I.

B

Probably should have filtered on unassigned as well. Alright, core DNS, not working when replicated.

B

Sorry assign it to those.

B

All right, no sin eye gets installed, even though it was explicitly done. This might not be.

A

L

B

Dennis test suite for conformance and and.

B

Shawnigan yeah.

K

We do we consider DNS a target for conformance yeah. It's already in there.

M

B

Pretty necessary.

K

Speaking DNS is optional and you can run a cluster without it yeah, so is it really conformance or is it like DNS components.

M

Really like something that would be yes, yes,.

M

Okay yeah: this is just to test their ivory in. So this is like to test calls back. Okay, but eventually.

B

Okay, are we good on that one.

K

N

B

You all right, oopsie, teal, port forward, drops the connection after ten minutes.

K

That's either a cloud.

E

Provider was in line, it depends on the.

H

E

B

B

Previous proxy, a wrongly and binds address when multiple services have the same external IP,.

H

Why would multiple services haven't seen you lately.

B

Maybe different aliases the same back end.

M

With an external IP.

B

K

Why don't you assign to me and I'll, get to the bottom of the external IP thing? Okay, thank you all.

B

Right another failing the NS tests, it should provide easy hosts entries for the cluster.

D

B

I pay for pod. This.

O

Is stuff future requests yeah.

B

Sounds like they want stable set. Can just you.

K

Assigned to me I love, closed news.

B

All right service, yeah, no enhancement for s, IP service. Something tells me this is a similar deal. I.

H

Don't own table sh t I'll, set fire service for servers.

K

You can assign to me, we don't need to read it here unless we feel like.

I

B

A bike shed call ideally.

B

All right add limit of used stones and IPS for service cloud load, balancer.

H

That's yes, this.

B

Is the same person.

E

So actually he's linking it. Yes, he's the same person: okay,.

E

By the way, multiple people actually reference, the same discussion like I, wanted to my IP to be in a zone. I don't want it to be like multi zone, then stuff like that.

B

You know bickerson are more what people are doing with that exactly.

K

Answers always.

E

Busy there's we been busy.

B

K

This one I think, though it can be siga, WS, st.

I

B

We want to just remove Network time, yeah.

B

Sometimes culet airs when sable ipv6.

B

Definitely get more information on this.

J

This is talking about disabling ipv6 in the kernel and I think we don't really support that. So.

B

Even if it's running ipv4, it still needs kernel support for that.

G

You have to go out of your way to not use ipv6 in code when it is disabled in the kernel, gotcha.

J

Yeah, like you know, points to.

E

Both IPs, don't we have less than address I'm the flagged, so they can force to listen on diem for like zero, zero, zero, zero, two zero, two zero, two zero kind of story. Theoretically, the.

B

Impression I'm getting is that, like it's a little bit weak, you I mean.

J

The the warning there was from docker, so it doesn't, you know maybe something dr. Natale is doing. Okay, sorry, it's.

G

The internal docker shim yeah.

B

Someone want to with that I.

E

G

Take care of it yeah we probably do not listen. Ip probably doesn't carry through to the internal docker shim. That.

B

B

Proxy, better metrics or failed actions, I.

A

Think this is one we raised as a result of.

G

Last meeting there is another issue: Tim you had opened an issue a while ago that was about somehow adding a returning, the last service state to the debug and- and we already have metrics now for the last time the proxies synced. So.

G

What what is this one doing that those two might not do.

K

That's a good question: I.

K

Don't I don't know the answer. I would have to go back and look at exactly what the metrics we have are reporting and figure out. If there's a gap.

B

Does anyone want to follow up with this yeah.

G

Just leave it with Casey and I guess, since he and Winship and I'll work and the same team will talk about it eventually.

J

Casey, meaning sqweep yeah.

D

B

All right last couple option to keep source IP address for traffic destined to cluster IP from outside the cluster.

B

So it looks like a real quest.

M

A

Can give this one the main.

B

Was that kisi yeah.

A

B

Other one, this time, yes.

K

You sorry, can you also assign me yeah, first overlapping, some of the multi cluster stuff, so I'd like to follow along I? Think.

E

That related to the same discussion, we had that I think to think meetings ago about control over society before they exist. It's the same discussions right, yeah.

K

This is for ingress not regress, though I think.

B

It's kind of a similar family of stuff, though I think.

K

It sounds like they want other dozen external policy, local foster.

M

K

G

How would that actually work, though I mean, if you're running cute proxy, for example, you'd.

K

Have to only advertise nodes that could that had backends for the service right. Okay, the same as we do for external traffic policy on cloud load, balancers, yeah,.

P

K

Have to advertise through GP or something I assume: that's why they reference the calculation that you.

A

Know that node X.

K

Can service cluster IP? Why? Because it has a back-end flag if that back-end moves and that bgp route would have to are done right.

P

You only wanted to advertise the ones that have.

K

Today, if you look at the IP tables rules, if you send traffic through a cloud load balancer to a node that doesn't have a back end and you have traffic policy level right.

K

X and y and z right I'm, just saying you could actually just advertise one strategy, you could in fact this.

M

Is that's what they're.

K

Saying yeah: yes, there are a bunch of things out there that advertise the cluster IP. But if you want to do going to retain source IP, you have to have the only local got.

A

It so we're about thirty minutes in the.

B

Actual agenda, we.

A

Have two other items on the agenda? I say: let's go to those and we will probably have time to come back and finish the rest of these off.

A

Thank you for that Valerie. Yes, thank you very much and then we'll Yogi's yeah.

G

I just wanted to bring up that kind of point from some of the ipv6 dual-stack stuff and I was kind of getting discussed on that PR.

G

Did you want to talk about that at all Cal.

E

Or do you want to like I? Can I can talk, so we can. We can drive the discussion from the use case or we can drive discussion from certain limitation ISO and select away Cooper lattices I like these two services, both will get get us to the. Why it's done like max of two. So I don't mind converting max of two into a max of two entries in a single like left, comma separated kind of story.

E

I just want to bring them with that people attention to the fact that services guy piece should always be to be more than that from a user can use case perspective is really it's a fictitious ip's right. It's all fact it doesn't have any existence whatsoever anywhere.

E

Even if you do stuff like what we just talked about BGP, it's always around an IP pointing to to APOD what users will worry about is really that the IP of the pot that the service is selecting right, whether the family or as we break out into multiple, like n number of papaya trees. I want to listen on the on the third or the IP labeled.

E

In a certain way, but it's nobody really bothered about hey I, have this set of my piece for function and other set of IPs for a different function, because it's just full service discovery, other thing and I detailed that in the comment I laid out and then just one Sandro, the other thing, I didn't say out loud on the comment, because I thought it would be a bit confusing the trays inside the master.

E

There is a thing: that's in the registry that assigns IP Zen snapshots, the entire set of IP used, and all of that, if we started using multiple sets, then this natural process is gonna, hang add a lot of latency to the way services, work and so on and I. Am it me a bit of time to change the code? Not because of anything is because of being afraid of adding latency? That's not needed right late doing.

K

Two transactions, instead of one it.

E

Does it's it so the way it works? Is it snapshotting every every every so often all right and it's not the way my snapshots so far is there is a registry there is a sub-sub key or subtree inside they to be full service IDs, and now there is two of them. If we make it end, then we're basically looking at serious effort and snapshotting and maintaining these sets, but that's not shot per IP, IP side or side by side. I can point you to the code. If you want no.

K

I I'm familiar with that code, but I don't never need.

O

More than two right I, don't think that's what what do you mean more than two I mean.

K

We're saying it's one per family and I mean realistically there could be another IP family, but probably not during our careers. That's.

E

Not it cider is website that not per family. So if I have two sixes, then I will have two sided to to to snap shutters. If I have five fours and two sixes and I'll have seven snapshot.

P

E

P

K

G

I was gonna, say just to be clear that I was thinking more along the lines of just the command-line argument types so.

D

That's fine I can I can do that too.

G

As a max I just wanted to I, guess, I'd personally prefer seeing it in the same argument and just making that argument into a comma separated list as opposed to adding a another argument and variables everywhere. All.

O

Right, that's fine by that's! That's not agreement there. Okay.

J

O

Of the reasons.

J

That Dan and I were talking about the stay, which, I think is why it ended up in agenda. Is there is a use case for having multiple sliders of the same type, which is that we keep having users who say: oh I, realize that I need to make my service site or bigger. How can I do that because I started with like just a slash, eight or something, so how can I do that without taking my cluster down and right now? The answer is: there's absolutely no way to do that.

J

You have to take your cluster down and rebuild it from scratch and and one idea that we had had was, if you could have to service signers, then you could add one move all of your services over and then delete the old.

E

I'm quite sure you can change the sort of a site or the start, API server and you're fine. As.

K

Long as you grow the cider like, if you end right, you double down or double it, but.

J

Some people are like nope I need to move it from 170 to that seventeen to attend, on whatever end like like we're on.

A

J

Of this problem- and there are always users who screw up and need to be saved later- that's.

E

It's a kind of worms because the same will apply for polite bees right yeah. Yes,.

G

E

Invest our in multiple parties.

G

Lester ciders already, yes,.

K

So we have customers who have these same problems, although less on the cluster side, the service side, our side and much more on the cluster cider side, we have started to investigate what would it take to allow multiple disjoint ciders at the cluster level and at the node level we haven't really thought about it. At the service cider.

E

So the disjoint.

A

E

For polite people, when you're losing the EPC or the beam, let's talk about eyepiece is another problem that everybody yeah I.

K

Would think you say for now we're not tackling that at the same time, not in the same breath anyway. Right now, the limit is one cider per family, and if we want to consider multiple ciders of the same family, we will have to retool the way the snapshot is done either to carry multiple dips or some other data structure. That is more amenable to that and that's a totally different camp I.

E

So a lot of the discussion, the action items is changing. The this Eli secondary yada yada into the primary becomes a comma separated once across baby I server and the controller match. That's yes, I could, over time.

J

Yeah, we remember really thinking that the multiple service ciders thing could be solved now, but just that the decisions we make now might make it easier or harder later and and and so it's possible. We should avoid the decisions that will make it harder to do later. All.

E

Right think that makes.

L

E

Point: ok, because you're making sense right, I was just worried about the snapshotting piece that Eli yeah I can do that yep to change the stop shopping. I would.

G

Snapshotting, we'll do that later. All.

E

Right we're gonna yell at me because of the field names please at least give me the field names. What like agreement on field, name, field, names and values for the service type spec, like IP family, feel alright and right now it's not the best and I would like to because this will require like a refactoring, the changing the field name, but it's a compiler something I can catch all the compiler I'm not worried about it, but I just wanted like an agreement on the field. Name and field values is.

G

This the comment where there was some redundancy in the name is that what you're talkin so.

E

That the field right now is service, IP, family and it carries ipv4 or ipv6 VP for service ipv6 service or cluster default right. All right, that's like I have a feeling that mr. term would look at this and it's not yelling it so I just want to get through the yelling port. So I can do this.

L

L

E

To get through it, honest just then, because I know it's not the best field, name right and I. Looked at the API spec look trying to get an inspiration, and that's it, but it's not there like. Should it be ipv4 service or ipv6 service and cluster default becomes cluster default service? What's the value is.

O

Good all right I will take close attention to that.

E

Right, that's really it and that's the last thing: I asking asking people to take a note office. I know it's peak summer time, but good freeze is August. 29Th.

E

So just keep that in mind.

C

A

So does that that's a good lead-in to the next item. I guess some timeline for reviews, I think.

G

That was the discussion. There is the.

E

Discussion I.

G

E

Buy only chance to ask people to commit to anything, not because of anything, although that it's summertime and people are off, and things are crazy right now. I just want to make sure that everybody understands. When is the good fries.

A

Okay, so we weren't actually agreeing on intermediate deadlines between now and code. Freeze, just just learning, folks at code phrases, August, 29th and.

K

Actually, I'll go one step less abstract, that's four weeks right, so anybody who wants to be part of these reviews or wants to get something through or weeks, that's too little more see, yep.

E

Yeah no questions.

B

A

So do we feel confident that the right people will have the reviews at the time to review the dual-stack stuff by then.

A

Thank everybody is everybody not on vacation for four weeks, sir.

B

I'm not on vacation, so I can definitely review the like main portion, however I'm starting to stress a bit about getting the proxy or stuff done, because that feels like it's at the very tail end. But we saw with phase one like there's a very huge, almost done stretch that happens and then review can take a long time.

E

Your effort in creating the PR, it's probably more valuable to the group, but it's your choice. Okay,.

B

I can focus on that one yeah.

E

I, don't want you to have iptables nightmares and their nightmares because of viewing my code, so one set of nightmares is I. Think it's good enough. It's up to you already I'll focus.

B

E

The rest of the team, however, doesn't have any types of iptables nightmares, so we should cuff up reviews.

A

Sorry can't say: I, don't have any type of videos like this.

E

So then, then, technically speaking, he gave a pseudo pseudo ng TM, aside from that's a lie, which is to me, is a good good indication that were actually in a better state then like after the first part of the phase, one was a bit harder than this one. The fact that we have like a pseudo led I'm early enough in the phase, means that at least the code review is gonna, be easier.

K

Of course, it will be there's no API changes now.

B

K

B

A pretty big part this one yeah.

G

Service, like any family I.

B

Mean I'm making a API changes at.

I

Admittedly, like the trivial, once it's still yeah.

K

I'm fairly, confident that we can still pull this one together.

A

Okay, all right, in that case we've got 18 minutes left.

G

Maybe if anybody else has anything to talk about, otherwise we could go back to triage I.

E

Want a heads up, I wanna, probably there in two weeks or so we go I'm just gonna, ask people to think about the English IP story and have some basic ideas on how we approached that lost. Last week this week, I had a meeting with some of the people who speak, whose customers as a daily job and the number one of the number one priority is. We need control over type is used by a by a pause as they come to our network.

E

Oh go to the outside, be they have partners like a customers have partners, they do IP like lasting and all of that, and even on them printing it to turn on off sort of IP Fargo firewall rules for those IDs. So it's becoming a blocker to some of the seriously enterprise-e.

N

Business kind of again control- that's already, there is not good enough, I mean precise or more what a narrower range of IPs. Yes,.

E

Do you want to know? Do you want to know? Do you want to know exactly? Do you want to have at the the Ignis IP be either static or predictive? All right, like I, want to actually static. I want to do spots.

E

I want those go spots, belong to, let's say a financial app doing the AP account payables and I want them to carry this IP and the same set also set that sorry, the same nodes may carry different pots so that work for a or account receivable and I want them to carry the FRA P. So.

G

In other words, instead of having the nodes IP for the egress traffic to have a egress IP per pod or potentially egress IP per service, probably the.

E

Way, I the way I that I talked about it. It's a selector sort of look at the ingress controller. I know it's notorious, but it's similar concept like egress with a selector sort of like I, have absolutely no ideas on how this will work yet, but think of a concept called the English controller, and then it has selected and then select bounce with certain labels. That way codes can belong to different services, different apps different deployments, and then they go out with the third.

E

G

At that point, though, how do you restrict access to those egress IPS, because anybody can tag their pod with whatever they want? So it's like.

N

G

Security issues there with random users, hijacking an egress IP. It.

E

Becomes a story of our back and stuff like gatekeeper, okay, yeah.

G

I mean that's the standard answer to that question by.

K

G

K

Introducing the topic you have it advertently decided to have sation I think we should, if we're gonna start it somewhere, I'd like to start, if I could, with a background doc of what you think, the requirements that you're hearing are. Certainly there are many I in fact, didn't somebody just assign me a static, IP, odd one, so I think there's lots of issues here that we should accumulate.

K

There is a came.

P

A couple of weeks ago, I think with exactly this. Yes,.

P

It might be good to dig that up and.

P

E

The problem is even more complex on a cloud because on a cloud where you do not find public, IP store notes your egress to buy a load, balancer IP thought of so it's even more complex when you add provider than different load balancers on different platforms story. Yes, well,.

K

I agree: that's why I think it's important to get to what we think the requirements are before we start designing. Yes,.

E

So I'll take care of that, but in a couple of weeks all right- let's just Shepherd the the backstop and then then we we look at that. I I.

K

Would like to say not probably not the next meeting, but the one after maybe the last one on this cycle before code freeze or maybe the first one after code trees, but soon I'd like to do a review of all of the sort of keps that are in flight under our umbrella and other issues that are like significant and make sure that we all agree that we're still doing them and that they're appropriately making progress and prioritized etc.

K

Just because I think we've got a lot of balls in the air right now and I would like to just go over it. Once I.

G

Think that would be September 5th. That's the first one after code freeze, something.

K

Like that sounds great.

G

All right, edit notes the agenda for that meeting.

A

So it looks like the topic about an endpoint slice. Cap has snuck onto the agenda since.

F

Enhancement threes is coming up any more requirements. Ask that you guys wanted to tag on and then.

K

We should probably get the cap merged and we can iterate on it. We like.

M

K

I know the release folks keep yelling at me in particular about not polishing caps too much getting the merged and then building extended.

K

Well, that's fine, I think, like the enhancement, we can make reasonable changes to caps after the amount on a deadline. It's like lifting in and agree on. It I think maybe every on the violin, maybe I'm, bending the rules there. We shouldn't get clarity but okay, Manhattan floors, yours yeah.

F

So, like I think we have addressed most of the comments. Like all of the comments. I don't seem new asks, mostly I, think the confusion now is surrounding the support for topological services and then I think solution is good enough or because the topological service itself is not implemented.

F

So it's sort of hypothetical at this point, but I think the API can fully support it and if there's no more ask I think the Alpha API is good to go and then we can implement in and see how it comes and then actually test it out in scale test and try to get it in in 1.16 timeframe. So yeah. If there's no objections, we can get the kepp merged and then alpha implementation get it going. I'll.

K

Make another pass through it: ASAP, okay,.

F

All right that that's it.

A

Go thank you. Shall we try to knock off another few? If you triage sure, let me pull that back. I.

B

Might not have ten minutes more queued up.

A

Criminis I.

B

Have stuff to run into as soon.

I

As this is done, people file some.

K

B

All right so external traffic policy, local, has no effect on their quest made from the node local addresses.

B

Sorry did we come.

G

D

It's just gonna make that merriment external.

G

Traffic is not no local traffic sounds a feature request well.

K

I think what they're really asking for is apology services, yeah.

G

They want to go to the back end that is closest yeah.

K

You can assign to me and I'll link it back to the service de Paula G. Oh, it's already linked yeah.

G

And Reed already did that huh should.

I

We just close one.

B

And done next, cluster port name is used as an implicit, important selector.

D

Cluster source.

B

This seems odd.

K

Oh I think I understand it. If you have a named port in the service definition and you don't reflect the name in the endpoints definition and don't know how to map them together,.

D

K

Does that sound reasonable.

B

A

B

Reasonable design, what is or.

A

Is it saying that we do map them together now and we shouldn't.

B

Yeah, it's complaining that.

I

We map them like that. You can assign this one to me.

K

Feel free to weigh.

I

In feels like it might working as intended.

K

B

It's working as intended. The question is just: is that a gun or not at least that's my cake.

K

N

Know I agree with what you said: I.

K

I'll look at it and figure out, if maybe there's an accommodation for special casing single okay.

B

Keep practicing his IP vs mode IP set error definitely need more information on this I think.

A

I'm done this one.

K

Didn't this one get fixed by the upper casing, the protocol name like wasn't that.

M

K

Right 32 signed Andrew, since he seems to do everywhere all the time.

I

Yeah I guess I. Think yes, is this problem now I.

K

Mean not exclusively, but thank you for stepping up. It's.

B

Seriously the main one who's taking them so another IP. Yes, the proxy command line, not in effect skim to this, but I didn't follow up properly. With that, this.

K

Is this is a case where, between the config file and the flags, they can click file wins? And if you scroll down I, think I asked myself and.

K

B

So config winning out makes a bit more sense the grand scheme of things but I guess it's a case of like what is the most formal user, behavior I'm.

K

A complaint of view I think the flags should win.

K

Yeah, that's what we decided on at least for cubelet.

K

The question is whether we think it's worth fixing at this point for cute proxy or just the real answer is in general. You shouldn't overlap them yeah.

K

Maybe we can provide a warning or something if you blow the lab.

B

That makes sense I.

K

Don't know how to do that, since the person was.

M

B

Might be very messy to do.

K

It's already assigned to you right: let's, let's let it cook for a little while might just move. So you know.

B

I'll look back at this again if I have time with dual stack, stuff right connections to service cost, ready, we'll know, endpoints are not rejected. I thought we solved this a while ago, Dan.

G

Already anyway, yeah.

J

We thought we fixed it closed it and it got reopened in, haven't, looked at it since then, I sold.

Q

It for the floating IP stuff for darts service return. That was it's it's possible that we didn't it's just usurer, but anyway, I will look at it. Ok,.

B

All right, disallowed, mutating finalizing service objects.

B

Anyone have more contacts on this yeah.

K

There was I forget what led up to me filing that bug, but I was surprised to find that an object that is in the finalizing stage, was still mutable, so I filed a bug and then I was disavowed of the notion that it that it should be immutable at least not globally and so I guess she hung file this got if we should the services immutable.

R

Once they are finalized, so the.

K

Contact is we added support.

R

For finalizar protection on so it's Billabong, sir yeah, but attaching the final object to the service object and they have been assured all the little dinosaur results are cleaned up before the object. Actually, then team, one of some problem that oh, we do delete the service and then you've edited to some other type or maybe change the port, and they may. You may have impact on how the results are cleaned up and it could be problematic so and that's what we have the usual I.

P

Mean y-you could potentially others you can solve otherwise, not be able to figure out what this we know, because they do three employment. My right definition.

K

So I think it would be a reasonable thing to do or is to try to say if the deletion timestamp is set, then disallow any mutation.

K

R

But but Brian put up the mother point dad because adding the service and then you immediately delete it, and that is similar to the situation similar to the situation here, because he went into the service controller as a division. Operation.

R

Yeah so yeah, so you many of you disallow you taking funnel I.

K

R

It's object, disengage.

P

Where it was trying to like you.

R

K

R

K

I think I think the root of the problem is that we don't do a great job, reconciling against cloud providers for load balancers, mostly because the naming and API rate limits made it so we should have. Maybe we can generalize this into the? How do we close the race around deletion of an service when it has announced resources.

E

I'm surprised that that we were the only people on this issue, like other objects and system, doesn't have the same problems. No.

B

They probably there's a master issue, I think yeah.

E

Let's go these I.

K

Mean it's a it's like it's a race that you have to lose and you have to have the controller restart during that window. Otherwise, like things will be okay, it's just there's a potential data loss. If you have all the right things which probably does happen, but nobody notices.

P

K

Right, it's not going to do anything really bad, except leak. A load balancer, which you won't notice.

B

Until you get your milk.

K

B

I'm just about to get kicked out here, sir.

K

It wasn't this.

I

K

Can you generalize this bug.

R

A

L

That wraps us up for today.

A

Thank you. Everybody I'm gonna, get in two weeks.