From YouTube: Kubernetes SIG Network Bi-Weekly Meeting for 20220901
B
You're on. Cool, this is a SIG Network meeting for September 1st, 2022. I guess we'll start it off with triage, as usual.
A
A
And as usual, I closed a few. There were, there were stale, but we've got five that are worth talking about today. Kube-proxy and non-privileged mode: so this person is trying to run kube-proxy without privileged; they're running into a sysctl issue.
A
There is an open PR to add a flag to disable the route_localnet sysctl. They reference the Slack discussion wherein Antonio was encouraging them. I'm not clear whether this will ever work. Like, I know we set a few different sysctls, and I don't know, I don't know how much time you want to spend on this. I didn't close it out of hand, but I don't know if we're going to spend a whole lot of energy on trying to make this work.
C
But let me, let me add some context here, because this is the second issue that people try to open things against the cluster add-ons, kube-proxy, and ensure that then you have more context there than anybody. So my understanding: this is an internal thing that was used in bci for run the dc jobs, right?
A
I mean, that is all that seems to be using it anymore. Originally it was a precursor to kubeadm, but I think it is obsolete, except for CI now.
C
Yeah, and that's the thing: people start sending patches there to modify this configuration. Actually, is this patch trying to do that? Oh, so this issue is about that. They want to change the kube-proxy addon in the classroom.
B
D
A
It would be cool, and I'm not, totally not disagreeing with it. I'm happy to leave this open and triage-accept it, but I feel like it's going to rot if nobody feels ownership over that as a goal.
A
D
A
I mean, we try to set the conntrack hash table size, at least, right? Like, maybe we're getting away with it because it's defaulting to the right size or something.
C
D
A
But that's, I mean, that's a pretty fraught path, to tell people: as long as your stuff is okay beforehand, you can run it non-privileged. I mean, I don't know. Maybe we just document it that way, or maybe the right answer is we add a flag that says don't mess with my conntrack.
A
C
A
I mean, it would be great. Oops, sorry, I signed myself. It'd be great if we could say yes, it works, and here's the restrictions. Be greater if we kept that as a test for the future. But that's a good question.
A
Cool, and if we can close it, then great. EndpointSlice mirroring controller issue.
A
Yeah, something about restart, maybe missing a case. It wasn't clear whether this is actually real. Antonio, as always, is there before I am.
C
I was checking this. This is this typical corner cases that we have, that somebody creates something, it delegates the owner, then it deletes. But I think that in this case, I mean, we are reusing some code from the important rice to the mirror in the slicer, right? I don't know, it should be, if it's easy to reproduce, but I think that it is, it should be easy to fix. But it's.
C
A
A
Okay, next. I saw a PR on this, but I don't know what the state of things is. So at some point in time we added support for search dot, which I didn't know was a thing, but apparently it is a thing that systemd has added for some cases. Now that we propagate it through, it breaks musl.
A
A
Okay, I will type up my question after we're done with triage and stick it on the end here. EndpointSlice objects fails to affect Service objects that previously had selectors. This again. So, oh sorry, Antonio, you duped it to an issue that is closed, so I don't know what you meant to do with that. I don't know.
A
It sounds again like some state transition is being missed somewhere in one of the controllers. We have an old, old issue that was like: if I have an Endpoints object and then I remove the selector, should I delete the Endpoints object?
A
C
A
And then the last one for today. Dan, I lost the thread on this last week. I had to go heads down on something. Can you tell us what's going on with this? Do you know?
D
Windshield, oh yeah, so we had talked about it, and then I realized that it was kind of messier than we thought, because we were thinking maybe we should just revert this, but if we do that we're going to break people on a, you know, 1.24.4 to 1.24.5 upgrade (uh-huh), because there are probably already people taking advantage of the new behavior (uh-huh).
D
A
B
Cool, thanks Tim. Antonio, you have all the rest of the agenda. Yeah.
C
Well, the first one is for the triage too. I don't know if you remember this fact that it seems to happen with gc prevention or knowledge that the node of the change. Thank you very kube-proxy is using an all CIDR. Then it excludes the port tools, because the current pod CIDR that assign it to the node is different, and well, fixing that is a lot of.
C
After factoring and language made a good point, because kube-proxy depends on some things on the node: on hostname, on, I don't know, the IP addresses. So what I wanted to ask is: what are the content that you proceed has with the node, and then we may simplify this problem to say: this is not my node, I proxy, I'm going to reboot myself, instead of just checking now check if this is outsider and I have local CIDR. I just want to simplify the logic.
C
A
I think there's two cases when pod CIDR can change, right? One is when it was empty and then it got a value, and the other one is if the node object itself was deleted and then recreated with the same name.
A
But we don't allow that field to change from value to value, right? So, and I think I know the case that you're talking about in GCE, and I'm not super happy that it exists, but yeah, and I think that's the case of the node being deleted and recreated with the same name. The idea of just aborting and coming back up clean sounds fine to me. I think, like, maybe we should just cache the UID of the node and that's, that's different.
C
A
A
D
A
A
I was going to say in addition to UID, but I guess I would, like Antonio, I don't know exactly what the contract is, so I don't know which, you know, five or six fields we look at. I know that, with the changes around readiness, we might look at more of them locally.
A
That's what I don't know, right? I would have to go look at that. So if it's possible that there's a mutable field that we don't handle properly, and that the only sane way to handle it would just be to explode and come back, then hashing UID plus these mutable fields. If it's only immutable, you said it in the chat, Bowie. If it's only immutable fields, then UID should be fine.
D
Yeah, I mean, I feel like for immutable fields, like, the code ought to just deal with it changing, but so, as it is, podCIDR is, I think, the only field that we actually look at in the node object, but kube-proxy is started up with some command line flags that may have been derived from the node object.
D
B
B
Oh, I see. Interesting, it's not just direct reading, it's actually the invocation itself.
A
C
E
We should consider just preemptively canceling those meetings, because I don't know about y'all, but I'm not gonna be working those days. So yeah, I mean, I'll be working at KubeCon, but you know what I mean, like, I'm not gonna be on this meeting those days, and possibly a lot of you are not going to be on this meeting those days.
A
Okay, so Antonio, who's going to do this work? Is it you, or do you have somebody that you want to stick with it? Somebody.
C
C
The next one is one that I found out yesterday when in this track, and it seems that they signal that the new field to the pod conditions, PodHasNetwork. I linked the KEP, and I was checking and reading the KEP, and this is going to have an impact because they are listening, people that is working for multiple interface, Multus and these kind of things, because PodHasNetwork, I mean, with multiple interface.
C
These things, when you create a body through starts, it creates several times and a good name is based. So this conditions changes too often, and there are CNI plugins that consumes the pod API too. So I'm worried if this kind of looped, so that's what I want to turn to the CNI implementation, Calico and all the people with your eyes, to check this field and provide feedback. Because before this go to beta, I mean, yeah, yeah, yeah.
A
E
I mean, at the basic level, it sounds interesting because it's effectively giving you better metrics and latency for pod setup, and I think it would be great to know how long does the sandbox take to set up. But one issue I found with it, reading through, was that they're calling it, like, PodHasNetwork, and the latency there would likely cover the entire sandbox setup, not just networking.
E
So that might be one interesting thing, because it does seem a little bit misnamed. But then the second thing is, it's not clear what else would consume this based on the KEP. And there is some indication that, like, custom pod controllers and operators can use this condition for better decisions around reconciling a failing pod, but I feel like maybe that should be fleshed out a little bit more because, sure, it's great to have the metrics.
E
B
A
C
No problem, and the last one item that I have is just, you know that we created this small change in the service IP allocator to not allocate the first IPs of the range by default and try to allocate the higher IPs first, and it's very small change. I don't know if we need to go through all these bureaucracy or we can just GA at the beginning of this cycle.
C
B
C
B
A
C
B
B
We've got nothing else on the agenda, so I think it's fair to open up to other topics.
F
B
C
A
Sounds like similar, but maybe worse, because the one I opened was specifically about node ports, which you could access one service's node port on a different service's load balancer.
F
F
A
So this adds weight to the idea that we should have some logic that runs through in the filter chain and drops everything that isn't expected.
F
F
To IPVS, okay, and it's not very large, because when I started, I was afraid that it would, like, be a huge undertaking, but it turns out that the same logic that sets and removes addresses on the IPVS interface can be used to add and remove from an ipset also at the same time. Basically, so it was quite easy to.
A
F
F
C
F
A
All right, I'll take a look and see if I can approve it.
A
I think the KubeCon one is fine, although maybe we leave the meeting up; if anybody's not at KubeCon, wants to get together and talk, they can. Likewise, I mean, I don't know, anybody object to canceling them? I don't want to be too U.S.-centric, but many of us are in the U.S. and won't be in either of the first two that took October and November 20-something.
D
B
A
Okay, all right, I'm fine canceling the first two. December 22, I'll probably still be working. I'm fine to cancel it if people want to scrap it; it just means that we're canceling three out of the next six meetings. We'll be down to once a month for the rest of the year.
B
B
A
To keep December 22. I feel like in the dev cycle, it'll probably be useful to touch base. If nobody shows up, then nobody shows up. That's fine too, but maybe cancel the first two then. Yes, all right, somebody just posted in chat. Do you want to talk, Andy? Yeah.
B
I just, I recently started using this internal traffic policy and I saw that it was a beta feature that's been in beta a little while. I just was kind of wondering if there was a GA expectation of what might be holding it up, but I'm happy to talk on Slack if that's, just figured I'd drive in here.
A
Yeah, thanks. No, this has been one that we really want to push forward. The main person who's been driving this KEP is Andrew, and he's been out on new baby leave for the last couple of months, and so we missed this release largely because of that. If you want to participate, you're more than welcome to. I would love to see this one complete.
B
A
Okay, sure. Yeah, I'll have to page in the state of it because it's been a while. The other person who has context on this is Rob and, like Bowie said earlier, Rob's on vacation this week.
B
C
Yeah, but there are things that are risky, so all the bootstrap logic is complex right now, it's a mess. This kind of, I think that solves some of the problems and I keep the bootstrap much cleaner, but you know, this is seven years old and I'm afraid of, I mean, we need to be sure not breaking anything, and then the reconciliation between service CIDRs, between what is the other IP addresses and services, is full of edge cases.
C
C
No, but I'm splitting it so I can have personal reviews. So, for example, the API right now is ready for review. The controls are not. The other thing that is important is the performance of the allocation is much worse, but I don't know what is the rate of service, I mean, in the first, in alpha, we can live with current implementation, but I did some benchmark and, you know, you create.
A
C
C
I have to clean a few things, but the API should be ready to review in next week, and that will, I mean, if I can have the API review without this at this time of the release, the rest of the things are mechanical. I mean our controllers, tests.