Kubernetes SIG Network, 18 Apr 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Kubernetes SIG Network 2019-04-18

Description

Kubernetes SIG network meeting, April 4th 2018

A

All right we're recording I.

A

Want to kick us off with the sick, Network bug triage. Yes,.

B

A

B

C

Okay, you guys see my screen yep all right. All right number, one unified round-robin from users based on wind users, pains with those cue proxy. Oh.

C

The user space one it's sort of deprecated, it's.

D

C

A

This doesn't look like a bug. It's more of a code. Cleanup thing right, it's just great.

C

A

C

So anyone would pick this up.

E

I mean it is this basically an RF II, though somebody's saying that this would be great to do, but we don't have a PR for this right. Yep.

F

A

F

A

That, if the resolution is just please send PR.

G

C

Next one, so a merge should restore service port name originally and endpoints map. What is this referring to.

C

Talking about internal implementation, proxy yeah.

E

That's correct, it does merge and unmerge, but is this which proxy is this, for this is for the IP tables, IV, PVS, etc, or is it for I think both of them uses a yeah you're right.

G

H

Looking up so this guy follow that.

H

C

Right, let's see if the guy responded and then we'll come back next Q proxy does not exit after cleanup, so it's assigned to Valerie yeah.

D

I'm, a tiny bit suspicious, it could be related to our recent fixed I, want to take a look soon. I see.

C

Okay, I'll leave it to you all right. Next, one I think the freaking test. This resource is freaking.

C

I

Yeah you can, you can give it to me.

C

Okay, all right next one bill, porch, two endpoints mAb should use flat and value type. So again, it's like cleanup.

J

Well, or solicit yes, and attach.

B

Okay, all right next one, we've done support ipbs próximo, true.

F

D

It supportive yeah.

C

It should be just a flag right.

C

This is a support request, not I.

D

Imagine the person foot support because it is supportive and documented.

C

So it doesn't need triage.

D

Yeah, it looks like they just don't understand something: okay,.

C

So any IPS team- anyone from my previous team here that can quickly unblock this guy or.

K

Well, you can assign it to me and just like him all right. Thank you. Andrew.

C

Okay, next one slow connection, TCP transmits. We have no port okay, so which environment is.

J

Okay, this reminds me of another one that I started to look at. um Maybe I should try to take this one. Okay,.

B

Thank you, Mike.

C

All right so, please take us out and then we can revisit next time. Okay, next one I PDS UDP to garbage collection to garbage, collect real servers.

C

So I see it's sort of it's like a UDP black hole problem with the IP vs kill proxy.

B

Anyone from IPS.

C

C

Or we can assign someone from a bad team.

C

I think is m1 yeah m1. Okay, all right. Let's see you get a chance to take a look.

B

Hello services differ between user space and IP tables, proximal death.

B

At different behaviors, oh.

C

I see so it expect pain, so I, don't think, pin will work I.

A

Don't think they're actually using thing, oh they're, just using they're just using the word.

B

My group, ladies.

A

Is this difference in behavior just that one is working and one isn't so.

C

The IPPS, the iptables mode, doesn't work. Like all opinion, I mean works for the user. Proxy is not working, so I, think user, the user space proxy sort of like semi deprecated I.

J

Don't understand why our proxy is involved with a headless service.

A

hmm That's a good point.

J

So you should not work right, I'd be astonished if it, if anything happened with either implementation, doesn't make any sense.

G

A

Yeah, why don't you assign this one to me and I can try to monitor it for responses? Okay,.

G

E

You feel like neither the proxies should be doing anything with the service unless as a cluster IP or an external IP. So that's really curious. Okay,.

C

All right next one, the same name space, the pod cubic AutoCAD every cannot get.

C

A

No information here, yeah.

C

Nothing here just a title.

J

Am I missing something? What is fabric clothes.

L

Information: okay,.

E

Hey Casey on that last one link to the cube documentation on headless services, because there's a sentence that says cube proxy does not handle headless services and there is no load, balancing or proxying done by the platform for them. Well,.

A

They all sounds pretty clear.

A

C

Thanks one in order accordian.

B

G

That seems more super thing is not really call dns, but the way to set up.

M

G

G

B

So take it off the list.

G

All right next.

J

G

J

Question here, what is triage guys support me? I.

C

Thought it would mean support request. Yes,.

D

The kind we used indicate the song is a support request, so.

J

Yeah, what is it so.

A

I thought we were closing support, requests.

D

Ideally, sometimes I think we try to be polite. Well,.

A

We close it and say I'm happy to continue discussing with you, but only on this closed issue instead of an open one. How.

J

Exactly do we define support requests, I asked because another one I've got might be that so I want to know exactly whatever it is or not. If.

D

It's something where it seems to be they've done something wrong and not a bug enough or having a little behavior than it's probably support. Well,.

J

Usually at least one swear I've seen us close it, it looks like it makes. Actually I can't tell I mean I mean there's the one I've got I can't tell yet there's not enough information. So you.

L

Can't tell them you probably ain't even open because come on yeah.

D

We should err on the side of finding out more information. First.

J

Lanisha yeah, okay, thank you. Okay,.

C

Let's continue parse ciders and initialization of proxies.

C

So it looks like the internal cleanup again, okay, so there's.

M

C

So it's already there, okay, so it doesn't need triage. Okay, all right all, right, UDP, packets from same source port do not round robin and a kubernetes service so which próximo did this.

B

It doesn't say so.

C

I think this is a problem in general if we use IP tables and contract to do netting for UDP, because if the socket get reduced, then it's gonna, basically yeah the connection. The contract entry will never get expired so that you will never get round robin to a different destination.

C

J

We're the first off IP tables doesn't even try to round robin yeah.

C

You yeah it's probably mr. Pro yeah, it's random and then once it establishes pink. Yeah then pick one mate so because the source matches the contra entry, then you should so like it's.

J

All what flow right! It's not supposed to get split up.

L

C

I'll sign to myself I'll.

L

C

L

C

So pod doesn't have I need six on interface, I. Think I. Think we owe this is a new one.

M

C

Working as intended.

C

Anyone from the IPV 16.

C

It looks like it's working as intended. He's.

H

Used to work before upgrading encounter.

H

D

A couple known issues, I think with the recent my tables versions and networking I.

E

Don't think that would play in here, though, there's also issues with docker for a while, depending on your docker version, it did not enable ipv6 inside containers. You had to do something special for that. This.

J

Is a pretty recent talker? Okay.

E

J

E

J

Anymore, but still I mean great I, don't know how recent is recent you're thinking you dam.

E

Also, what networking are they using? That would be something good to ask.

G

A

Sounds like we can't close it so, and somebody want to follow up on this.

D

Put me down I guess alright,.

G

C

All right, thank you. Alright, next, one that transparent, called bridge proxy support.

A

Definitely sounds like a feature rather than a bug.

B

Sounds like a feature request.

M

Sounds like something a security team or hey.

J

This sounds like things: mixing levels looks like it's mixing level, 7 and layer 7 in later for yep.

L

Yeah you say he wants to go to the proxy automatically look like the kubernetes cluster is using the proxy ability.

L

D

Just politely suggest that they file a cap and it probably won't happen.

C

All right next, one companies like this cannot visit service by DNS.

B

C

Thing I think this is working as intended because yeah, because it's on its the cube, llege executing the liveness probe when Cuba doesn't have keep DNS right. It's using the.

J

Hole but the points like this probe is on a pod not on a service right buzz.

C

But in yes, yes, you're right, yes, the live news is on the pod. It's almost not on service and then it's executed on the cubelet, so cube really will not have your DNS DNS, yeah I. Think.

J

It doesn't make sense to have a life, that's probe go to a service and the point of life is Provost to probe a pod. It doesn't I think that they're.

C

B

One has two loopback host port failed on non 96.

C

M

C

Want to take a look, it looks like a valid valid problem.

C

Anyone want to take up type II, v6 stuff.

C

L

One, oh hey that reminds me we talked about so so.

L

Can anybody who's willing to take an issue regardless of a specific issue but who's willing to take the issue, put your name in the zoom chat and then we'll just sign up new people. If there's nobody volunteers, you just yeah that way. We don't end up with this. Nobody.

C

All right cool, thank you all right, I'm gonna be go all right. Thank you all right! Next one kill proxy, hands-on API server errors, I.

K

Left a few comments on that and looks like iptables restore, was airing out. I know Tim Hockey mad at a PR to add to logging so recommended that they try with that patch. Okay,.

B

All right, let's come back next time, Cupid.

C

Been with the meeting not working so oh yeah, so it's not like working as intended, because there's no I think.

A

We triage this one too and last time, yeah.

E

We did last week, okay, I really talked about it last time. What was the end? Oh, never mind we're on a different one, already yeah, never.

A

Mind I, don't know that we got there and I think we just assigned it to you, got.

E

It yeah Exide coming to done anyway, so that's fine, so.

C

This one kill proxy running in IBBs mode costing celia mode I. Think we yeah I asked the question last time: okay, the guy still hasn't respond. Okay,.

G

C

One kill proxy ID vs mode with the external IP, resulting it is connected workers.

L

Anybody in IDs a PDF on a call.

B

Looks like still.

G

Somehow I found it.

B

Yeah, let's, let's just ping, it.

C

And see anyone from IPS can pick this up all right. Next, one DNS resolution fail occasionally I've got great natural coordinates. It's.

G

All already assigned to crease here on I think the video replay.

C

You know nobody replied.

A

So didn't we say we were gonna close these if nobody replied yeah this one's from early March. So maybe we just closed it.

B

C

Okay: two more to use code really container networking plugins repo for Windows clusters, I think.

A

We did this one last time, yep.

E

And we've also talked about this in the CNI maintainer x', and we're moving forward on this. So I think just leave this. What open for a little bit and it should be solved in the next couple of weeks. Okay, all.

C

Right doesn't need to triage. Okay cannot access service from within the pod after.

A

That last one be assigned to you. If it's being done on the sea and I said I.

E

Know you can leave it as David if it's assigned to him more Patrick, I, guess I, don't know either that are assigned David to it as well da shot da SCH. He might not be an organ umber, though shoot okay, yeah just to say me.

B

A

Want to make sure it's yep with somebody who's on it cannot access service from within the pod. This.

C

Looks familiar yeah she's still alive, okay, so reopen.

C

Okay, okay, last one keep rocks at you, yes, updates, are slow and seems to be affected by it. No I think last time we double-check. We check this.

C

Is there any fix or anyone anyone try anything new I.

D

Believe this is the issue where we took out some of the photo clean up from good proxy. So there is a fixer by means of getting rid of that. Behavior I see.

C

Okay, so it doesn't need triage okay, so we are on time. Alright, let's proceed to the next.

A

Yeah we have a few more things on the agenda, but I have a hunch. We might end up with a time at the end, for a little bit more triage.

A

So next is John to talk about external DNS. Oh.

L

Yeah I know you saw on the Signet work mailing list, the the external DNS team, which has been a cube. Incubated project needs to move out of Cuba generator, since that's not a thing anymore, and so they were asking if sig network would sponsor them. For that much my opinion seems very reasonable. We go under kubernetes, SIG's and just means they would become part of our our domain to attract that I. Don't want to get people's opinion.

L

Do you know what the project or should I explain it? It basically watches ingresses and I, think I think load balancers services and reconfigures an external DNS service.

L

There are some sort of concerns with it because I it talks to many different vendors, api's and the you know the community see I doesn't have access to all of those different vendors equipment running so there's a limited. Not all of those providers can be part of the CI and it also needs right now. The images are in the windows docker hub dr. registry, so they're looking for GTR Cades. If you know official place to live.

A

Yeah I mean at first glance it sounds like a reasonable thing to do without knowing much more about the project, like presumably there's a set of criteria, it needs to meet in order to graduate either set by us or by someone else.

L

Well, I, don't think it's graduating in any sense, incubation is going away, so it needs a place to live. So it's just kind of does it get to live under the kubernetes organization or keep things organized information and if it does- and we have to decide that we're okay with that, because I mean which means that if there are bugs with it, they're probably going to show up in our in our you know, buck sprouts and and that sort of thing Wow, and so it's adding load to this team. Do.

A

We have do we have people who know the project well,.

L

I'm here on behalf of Rafael, because it's like I'm peein or something like he hasn't be able to be here but I, don't think they're, saying they're gonna pull out uninvolved, so they would still be involved. I guess maybe maybe what our our take home here should be. As we should decide. If there's criteria, they need to meet commitment, they need to make or something to make it make sense for us, but.

L

You know definitely some involvement by them around a bug fixes would be one key criteria. Carry on.

G

Any other comments do they need a kept where this ordinal is just uh that's another private science, it's not an existing project. So it's.

L

G

L

It's not changing the core cover Nadya see. No, basically, the things are pretty empowered. We can just decide and we get to decide on how we decide so I think you don't have a formal loading structure and usually Jim just so. Maybe we just you know, there's no objections.

L

A

I think that's probably right. It would be good to I had to fire any things that we think we should do once it happens like moving the docker registry and and whatever right.

L

Okay and I guess actually it would be how we could just note that there were no objections here and and.

L

I'll talk to Jim, where I put something on the mailing list and he's on vacation today and tomorrow and I'm going on vacation next week. So.

G

Thank you thank.

A

You we've got Cuba and EU sig presentations next, that you Valerie.

D

Yeah not a lot to say on the subject. We had a meeting the other week to kind of hash out some rough outlines of what we're gonna do. I have a very V one version of a inte representation up, basically going through, like the basic network stack and tracing like what the service components are and how to debug it. A bit I, don't know who's taking on the deep dive, stuff, Tim and Bowie. Both sounded like they might be doing something, but I, don't wanna, go and tell them well, they're absent.

G

G

D

Guess some I'll check in in a bit about that and definitely some eyes. The intro would be helpful.

C

Sure you--you'll is the.

C

G

C

We can, we can.

A

Cool thanks for putting them together, Valerie um yeah anybody's interested. Please go and do a do, a review of those slides and then last we've just got endpoint slice proposal. Yes,.

C

This is me again speaking again: you guys see my screen.

C

Yes, we can yes, so we have been cooking up this proposal for quite a while and then right now we wanted to share to a community and start getting feedback, so the main goal. So so there are multiple problems with the existing endpoints API, so it basically has asked element. Scalability limit bounded by the city.

C

Right SED by default can only store up to one megabyte for first single object, but then, if you have all the endpoints in one object and eventually we're going to run out of basically hit that boundary and then secondly, because we put all the endpoints in one object, it suffers from the n square problem where one endpoint change will result in distribution of all the endpoints to all the nodes.

C

So- and this is happening a scale when there's many nodes and there are many endpoints and then an old rolling update, happens and then aggregated by its transmitted through the network is quite high. So so we wanted to propose a new API can solve these kind of problems, that's kind of any problems in order to support like tens of thousands of endpoints on a cluster of thousands of nodes and leave some room for like foreseeable extensions. So that's the the main API part is.

C

The main idea is to shard the big endpoints object into multiple objects, so so each endpoint slice will contain, like part of the endpoint, like only portion of the endpoints up to a hundred. So so, if you have more than a hundred end points behind a service, it will get sharded among multiple endpoints lysed objects by whom, by the controller, so there will be a new controller, employ slice controller that basically implements this this api and translate the pod and then service label selectors and then into multiple endpoints. Lies objects.

J

So this is the controller produces endpoints analogous to the previous slices analogous to the controller produces endpoints. Today.

C

So so we in the intersection of this later section of the dock, we basically say the existing endpoint controller will keep running because there are always third party consumers. We don't know about watches the end coin, object right. Yes, so he will be kept running but like starting from beta. We will start throwing like error, warning events and then eventually, probably capping. The number of end points in one endpoint object to some some number, let's say 500 or even 100, and then, if you have more endpoints, then use the new API. Instead, today.

L

I think if you, if you get about that CD size, limit, break yeah.

C

It just breaks it wouldn't even persist into a city and then no Q proxy will get updated ever for that service. So eventually that will get stale and then functionality will just break.

C

So we went through multiple iterations of the proposal and then this is what we end up with and then the estimation is sort of. So the question becomes how how large should each shard like how many endpoints should each jar has right each slice? What's the optimized number.

A

C

A

Determined that.

C

Like okay, so there are estimations for why we think having 100m points per slice is a good enough design to like me now go so so. Here's a estimation between the current endpoints object and the endpoints lies with 100 endpoints and endpoint slice, with only one endpoint.

C

So the simple case is 20 20 thousand endpoints on the 5,000 node cluster right. So on creation, both the endpoint slides like the endpoint slides, the API, will have a write amplification because it has to write like 1200 endpoint slice object instead of 1 poins object, but the total amount of data you should be around roughly the same because they contain the same amount, end points in it, but when, after the service is created on any endpoint update, the data transmitted and the right QPS would be much better than the existing end points object.

C

So there are estimations of like, for instance, if we use the if we use the existing API and there's a single endpoint change and behind the service we will end up transmitting, like 10 gigabits, around 10 gigabits of data, think about gigabytes of data and then versus the new API is like 50 megabyte and then, if we consider rolling update, which means that every single endpoint gets updated and then recreated so that it's even more like it's more, it's gonna transmit more than 200 terabytes of data. If we keep using like today's API.

C

So so mostly the proposal is to address the scalability and performance issue coming from like come from original design of the API and- and there are some caveats which we wanted to. There are also some other problems we want to address with the new API. One is that the support is no longer like required field, because if we require the port for you what that means, we have to basically honor the port remapping for the service right. So what if one day we have service v2 that doesn't support like optionally support port remapping right.

C

So that's one minor change and the second change is that each instead of having two lists of endpoints, one like ready list of endpoint Indiana, is unready lists and point that basically translate to for each endpoint. It only has it can only have two states either ready or not ready, but but in reality you have the like the pod lifecycle.

C

There are more States than ready and not ready, like graceful termination and things like that, so it doesn't block and it basically blocks us from adding more states into the endpoint for into like basically each individual endpoint. So instead we added a list of endpoint conditions associated with each endpoint and initially we only have one condition type, which is ready. It can be either true or false, basically inherits the current behavior to describe for like whether the endpoint is ready or not ready.

C

So that's the main two changes, but the differences between the existing API and the new endpoint slice API.

C

C

We would like to switch the internal consumers, especially queue proxy, because it runs on every single node to consume. The endpoints lies our endpoint slice API instead of the endpoints API, and keep the endpoint control of the existing classic and point controller running to produce the endpoint object up to certain limit. So that's basically the proposal so I know it's only a short amount of time.

C

So please take a look at the proposal and get a feedbacks and we can discuss in the Signet were meeting and then and then I will convert it to a cap. Yep.

B

So any questions I.

K

Don't want to bite chat too much on naming, but have you considered like naming the API endpoint shard instead, because you've been using both term sliced and charred.

C

We we used to name it like m point subset, but then we don't want to physically conflate the sub setting and slicing, like basically sharding. So that's why we end up with employee slice but like I, don't have a strong opinion either I.

L

Like sure implies partition, yeah.

C

Oh yeah yeah, there's no overlap. That's true.

L

Usually, in this case I think there is, we talked about the idea.

C

Yes, and so I have also included another more advanced idea, basically a dynamic sub setting. So the idea is to like, instead of always sending all the endpoints to all the nodes only send a subset of the endpoint to a group of node so that this basically further reduces the overhead. But since our goal is only to implement like tens of thousands of endpoint like millions or tens of millions of endpoints, so we like, we basically determined that this is too complex and at this point our weights the gain.

C

So we did not pursue it, but the API self. The end point: slice API itself does not determine that. There's no overlapping endpoint like in a slice so potentially in the future. Let's say we get to that scale. We.

B

C

Basically, implement it without too much change thanks.

A

Cool is there a link to this in the meeting notes? Yes,.

C

I will also send and send out an email to the Sikh network so that everyone gets a perfect.

A

So we've got about 10 minutes left and were there any other topics we wanted to talk about that weren't on the list, or should we do a few more bug, triage 'iz.

A

Sounds like triage time all right.

C

All right, first one staple pod staple set pod can that service slow? Oh it's already assigned to my Express, sir yeah.

J

That's the one I was asking about earlier: I guess I'm asking for clarification here, I think.

C

Okay, well, we can wait for another round and then they still doesn't apply them. Look closer okay,.

B

C

Provision condition for b1 service, so I don't think this needs to be triage. This is a valid feature: request. Okay,.

B

So newly directional UDP traffic to a known for service is not handled properly. How is it not handled properly, I.

A

Do feel like he looked at this one too. What's the latest comment on it is.

E

That the one we tossed to Jacob yeah he's still looking into it. He hasn't had as much time as he's like, but leave it with him. Okay, all right.

C

This one, it looks like it's already.

C

It's a support request, but let's leave it there, so demon said pods are being scheduled when freakin either I think we also had this one.

C

All the time cannot reproduce the issue.

H

B

M

Let's understand /.

G

Okay: okay, all.

C

Right era, adding networks, yeah and remember this is also have you got time to look into it. I think it's a gorgeous.

L

C

Sounds like a support issue: okay, I'll live it to them. I will still here.

C

Okay, alright, are the mini, keep proxy conflict, no name and hostname. Oh I think yeah.

G

Okay, alright, this one I see once.

C

That are signed, okay,.

B

Ip BSD for Cisco knows and configurations.

G

It looks like our IP vs expert is still looking at it.

C

Alright, next one I want to use sirs and pod to connect external, my single, but not use.

A

I, don't know what that means. It.

D

Sounds like asking for a headless circus.

B

D

Am I mr. memory or is there no cluster IP with a headless service.

D

Sounds like expected, behavior.

H

So I think we're all right. There are some people, Arlene I. Can you gotta sign? Can you Fred I can follow up on this as to some people register Sandra.

F

B

C

Ip 10% tree for cube DNS service, don't match my piece.

H

This is a door.

G

Anyone familiar sounds like your practice: man changer, update.

A

Yeah, it doesn't sound as your specific, though.

H

A

On probably needs more investigation, I can.

H

Try to reproduce every single! It's not that specific to a woman's.

G

H

It looks like several people have the same problem: yeah.

F

H

I can take a break okay.

G

Alright, thank you. I.

K

Remember there was a another issue somewhere about Q proxy crashing or like hanging for like a few minutes before it crashed or something that could be related.

H

C

But if the endpoint did not change, then I.

M

K

I can find issue and then reference it back to that one. Okay,.

G

C

So unregistered net device- oh this one- is.

H

C

One is the Asian one.

F

C

Come back and I think.

H

C

So so some background, so we have seen this tons of time and every time is a different problem and then the kernel always throw out the same error message. It just means that error, the kernel lose reference to one of the like yes, and this can happen anywhere inside a kernel. So it's sort of a generic symptom for different causes, so sometimes upgrading that to a different Linux kernel would just solve the problem.

H

Mr. Jung can also comment in it. Yeah.

C

G

This one is already closed.

C

Yeah, let's ping and see if there's any updates, ok.

B

Two more I think it's X. Only cluster equi interesting issues.

C

It looks like folks are already on it.

D

Yeah I should probably remove the unresolved label.

C

D

He just went through and added it to everything at one point: I've set up automation to have bug people if there's a Sinese and the label sits on for too long people just forgot, mm-hmm.

C

Well, cause kernel, panic.

B

So, which kernel did yeah.

C

It should be a it should be a issue open against the kernel.

C

Okay, so we can come back next time if it's still there, we can close.

G

H

A

I'm this one to me, I, was looking at a similar one. It.

H

A

H

That, after they're done grading, they're fine yeah.

B

H

Offer me halves like.

C

All right last one contract entries for SCTP are not flushed committed service, important yeah. We.

B

C

And I think this is working as intended.

C

Okay, we're on three o'clock.

A

C

A

You everyone yeah, everyone, see you again in two weeks. Thank you.