From YouTube: Kubernetes SIG Network 20170126
Description
Kubernetes SIG Network Meeting from Jan 26, 2016
A
Ok, tom dooner carrier yeah, so I.
B
Think one of those concerns was you are saying that you, you see it as a problem that you you have to choose a plug-in to implement host port mappings. Basically.
C
D
Or returns exactly what you did like when you return your the address that you set up also return the ports that you map right like and then like as it as it currently is implemented as I understand it. But okay, the caveat that I didn't review it so like I may be wrong in detail. Kubernetes has no idea which CNI driver it's really using and has no idea which drivers support or don't support this. So the only thing you could do would be to try each driver in sequence, lift and without that grammar.
D
Now but other people deploy their own drivers right, I mean you, wrote your. You wrote your doctor, one which I right but the kubelet reads one, and it only tries one well, there's this other proposal for chaining them together being able to specify a network config that actually I need three different drivers to run these people.
E
D
It that's exactly what I was hoping for, so being able to return that life as a result, means n qubits should just pack the host ports information into every create call, and if nobody reported it, then kubelet could report an error or to do it itself or it could ignore it. It means no choice for the run time, but it doesn't mean that I.
B
D
B
Someone has to know details about that plug-in right is it. You know using a selective what plugin for using and maybe Kubernetes is choosing some default plugins that it wants to use that you know it's going to package up or something, but there is still someone has to know someone's making that decision.
B
D
E
D
E
E
E
G
D
B
C
B
C
H
C
That's it because that's what existed and then you ladies, should memorize it and the rest is like either come from user config right like what what plug-in you use and then what's the wow. The CNI path is slept like that and then the rest I feel like it's cleaner for a CNI plug-in to the checkpoint it and then just everything.
B
B
I
I
D
B
D
I
went to the question of whether plugins should checkpoint or not. We have already an alternate implementation where kubelet will do its own checkpointing, so we can live with the API as it is and we can let the discussion happen at whatever pace. I want that and then, if it's in the end, CNI does something to make you both life easier then great and if not.
J
F
Right so it sounds like they're, a couple couple of issues there and CNI repo that people can come in for that discussion. I'll stick links to those in the meeting minutes. Shall we move on to network policy or a couple Fred yeah they're.
D
D
We can take that as a separate discussion like we should go ahead and and move the API as it exists to be one I know: Dan Winship has a PR up for that, so you can go, give that you love now, and then we can consider whether we want to add a service name. In addition, in the same movement or whether we want to hold off on that until v1.7 internet ease.
D
We also have the open my proposal to add a CIDR as a source which we sort of postponed until we were all happy and stable with the API I think we can consider those two options as to whether or not we want to put them in 16. But I would not at this point, recommend changing network policy in the way that, like in the dramatic way of removing conflict, I think that that would have to delete arias and effect on all the implications.
J
D
D
E
All right, I wanted to add one thing: I'm afraid I haven't had a chance to catch up all the discussion yet, but one thing that's been kind of bugging me is I see kind of a drift towards quite sure how to put it without being too pejorative or don't hold that arrow. Well, what I'm trying to say some other things: I really liked about Kubernetes as I found it when I reexamined it.
E
If some early last year was this very open and composable, for example, I didn't have to use services right and calcite was the last KubeCon. All right and I have colleagues he'll have stuff that's using Netflix OSS they use Eureka. They don't need no stinkin, Kubernetes services, all right right, so I don't want to build in the idea that Kubernetes services are the only way to stall the relevant problems.
E
Okay, so I just wanted to speak for continuing to keep it open and composable pay attention, as we you know, is it gets difficult, there's a bit more functionality. You want to rely on other things, it's natural to get incestuous and start to get to there's only one way to do things, because we know how to build on that, but it does destroy the open and composable nature, which is ultimately very valuable.
D
E
So far, you've only described syntax about semantics and, as I noted last week we could actually get into some subtle semantic trouble. So I'm I haven't finished thinking through what I would actually recommend there. Okay.
D
D
E
D
K
D
Okay, well other than that, there's no! Yes, no API changes and that one's been cooking for a long time. So we'll just hash it out and get this PR in and then see. If we have any time for any additional changes there I expect they move to GA the burden of the work to be mostly in the docs and in the make sure that the tests are we're happy with the most opening.
F
E
We suggest this in siga thoroughly ER in the week. The problem was that people looking at this PR realized it's really just a baby step towards something bigger and they wanted really a consensus on where we're going to go before we start with a baby steps to make sure I think it's a baby step in the right direction on.
E
So this gets back to the multi-tenancy discussion you know and and take off I emphasize, because I think I ventured here before, though I'm hearing from colleagues who are developers in organizations that are in the SaaS business, so they really have a two dimensional notion of tenancy, so you can't just tell them. There are namespaces and then groups of namespaces of isolation between groups and namespaces that doesn't solve the problem. They want controlled access between the rows and columns of their matrix like against a well one dimension. Is they have different growth rings notice?
E
They have different customers, so that makes the matrix when you put them together and they want controlled access. So that is, you can put a namespace that each cell in the matrix, if you want to have control over the access between particular cells, they want to have control over who can control the access. So this really goes together with both. There is kind of an RBAC discussion to be had as well as an API in network policy and DNS discussion. We had.
D
E
So I was I submitted. You know I encourage my colleagues to submit this baby step thinking that it was a step in the right direction, but apparently haven't convinced very many people. So in fact, I come to realize percolating the discussion that they go off. You know we'd really have some collisions here. So, for example, the way things are expressed in terms of API access is in some sense, egress. It's who can for a given thing. Let me be system, it's actually only thinking about this. No, it's really for a given user.
E
E
So we have to figure out whether there really is a duality we can exploit here or not, and you know is played out in the SIG Auth discussion that there really is a big alignment between the need to look up stuff in DNS. Emma need to look up, I mean if you'd be able to open network connections right because it was. It was no because o it has an OpenShift. Augusta plantation and it's inherently in line their control on the network.
E
D
E
But anything things I think that was really emphasized in the SIG Auth discussion is there's I think again the unity between DNS and network and and really it seems to me there ought to be a unity between all three and right. Now we have this opposite ways of going about it. So I am really not sure what you recommend right now.
D
D
D
We went through I would do all of our example. Docs and I found a bunch of network related documentation and I asked him. You know, rather than divvying up the existing docs and making them better. You know what should we do and his general answer was: don't make the docs better in place? We should use the new templates, so I just got his notice that he couldn't come five minutes before we started, so he sent me a list of example docs.
D
That are the tasks which is you know how you do some specific thing: tutorials, which is slightly I think it's slightly larger in scope and concepts. I will take his email with his examples, and I will share it back to the SIG this afternoon with a cross reference to all of our docs, and then we need to go through our docs and try to break them up into tasks and tutorials and concepts. I feel like this is a pretty heavy meeting to do that.
D
Does it make sense to pull a couple of volunteers to meet on a smaller scale and try to give you up the docs into a new structure and then solicit help in filling in the content I'm happy to do it here, I just feel like there's 30 people on the call and doesn't really make sense to end time. Talking about docs in detail, yeah can I ask one question.
D
D
So I with I wish people were here, there's some theory that users don't actually need to find those things that either operators do or engineers do who work on the project, but not necessarily end users that the indictment that we've gotten on a lot of our docs is there's a ton of material in there that almost nobody ever ever needs to read, especially NDG and I can't disagree with that, because we write engineering docs, but I. Don't have a real answer to your to your real question. Mike.
E
Yeah I real question is you know it's one thing to think about people kicking the tires and yeah. They don't need to know all the details because they're not going to explore every corner, but as soon as you get to serious users and they're writing higher level stuff for which this is just the platform right. There clothing, the next higher level. They need to know all the details for real.
D
F
D
D
H
That's me: can you guys hear me I'm on my phone yeah.
H
Yeah, hey this Chris Marino Thanks yeah I'm just a very quick update on this I am miss last meeting and I volunteered to just capture some ideas and thoughts for holiday on the priorities for IPv6 and so forth. A couple of folks volunteered and I've got a little email, alias that I've used a couple of times anyway.
H
The short update is I think I bit off more than I can chew, after simply lifting some very obvious and rudimentary use cases and listing the obvious areas of necessary enhancement and relevant RFCs I kind of realized that I didn't have enough detail to take this to the next level. So I sort of asked for some help among the group and Chris from segera generously a volunteer to help share this burden and we're probably going to tackle a little bit more of it in the next two weeks.
D
M
E
Admit that I care I started reading what I started reading and posted comments on one of the docs? It was one maybe one of the baseline docs that the ones you're looking at refer to, but I realized that there's been a whole lot written about this and I haven't had time to digest it all right.
O
Was trying to make that to that doc and there's a lot of console to go through I'm not sure that the you know there's a proposal for the HTTP proxy as a new object, and that's seem more in line with adding all the features that you that you would want for an ingress. What is the sort of take on the fact that the current ingress controllers don't do regex matching correctly.
M
So the only thing less conformers to do is convert regex into the subset, and the issue today is there's no synchronous, validation pipeline part of the API, so you have to go big in the artifact awkward. If I net will happen so I'm. Your comment is right on point: do we want the configuration between 10 chase and then how much flexibility to getting the intent and this the environment can eat the intent? What is the behaviour of the environments? Try harder or the be more ideal.
M
M
Most people came to be doing to work around these limitations. Is they layer, another soccer properties behind, but my blog, if they care about these features, I wrote something in one of the docs about trying to having a much more flexible and temporary solution where we say that two days to see the finding the intent and we make the controller, try and meet it and that meaning injecting a layer of proxies we wanted to, but that cause people nervousness yeah.
M
So how do we do yourselves out of this hole? The only other option was to say that L that configure implementation-specific was basically Alliance referring to and that you can / environment effectively say what the environment could say days and then, when you move between Anbar you'll pop the hug over and if we're.
D
Going to go that far, one of the things we talked about at the very beginning of ingress was. We would eventually come to this point when people would want customer / back and features so much that we will be forced to implement and we're either left with an API that is disjoint across all of the implications or we say, look we're just going to fragment the API and say: there's 28, guys, there's an egress and there is an NGINX ingress.
D
M
M
E
E
M
So what which of those two do people prefer, but the one? Obviously, if you're going to have implementation, so they can fig you'll, probably be forced down at past, where you want implementation, specific impacts, configuring, nothing because they generally tend to favor. So they have varying features and during ladies expecting an important to the haters or you can still find our more expressive to when any setbacks, but still declare that the features within that found our implementation-specific you're a little bit more prescriptive, but only slightly more. But.
D
You're also as transparent about when you're using non for the features right, if you say I'm, we can write. Yes, we fall into this trap today, right the path is or the path or something whether one of these is is a string and on Cloudland bouncer is a string, the only source, prefix and on everything else is the regex and people put regexes in and they're surprised when it doesn't work. I don't like surprises, they're never happy right.
E
E
D
D
Maybe I'm transparent but I lean towards the having a specific type being a more obvious, less surprising way of doing it. It is more cumbersome, I think, overall for the developers it went types but I think that it is the only way that you get to a place where users are not surprised when they spell out. You know, Google Cloud ingress and they put in a regex and we say we're sorry regex was more right or maybe that's a bad example.
E
E
M
Right and we found what exercise recently, as you know, to find a lot of property and they publish email in lightly for configuring, the property and it takes place. Details like what you want to do. I derange matching our source even more going to do this exactly matching on source and I would like we're formatting a string which one is that it tends to pile up pretty quickly.
M
D
Yeah it's a great question. This is the same web question I'll share doc with you from the before ingress existed, and we wrestle with exactly the thinking at the time was we could give them a at least 44 ingress right edge of cluster. Now it may not be true for each other right as we cannot fit for the edge of puncture sorting dress. We could give people a sixty to seventy five percent useful solution that sixty to seventy five percent of users could be happy with the portable version.
D
M
Right so in the inner world of open source proxies they're, actually much more broad enough right, not the any part edits. So the other option is to say well, ingress is for the open source fact, as you want to find one of these cloud, lb xenium, actually implementation-specific, I'm alexi fewer lilies I'm. You know they're probably easier to manage both given the fact that people are already typically sitting in. On top of that. You liked our internal revving. It already won't be living right.
M
B
O
Okay and then I would be interested in seeing what that new resource would would would end up. Looking like we're sorry pulling along a lot of baggage, with the current ingress that it's hard to, you know see what that that mash, syntax and routing configuration would should be in that in that world. Yeah.
M
N
D
M
I guess we have a choice of either keeping this thing in rats and we have it be too long before things better. One by a controller in your environment, I had a new resource for the problems for the malaria, and if we make ingress just the stuff of the cloud I'll week, then we should dumb down the side bikes markets like or documented, but it's basically implementations too, so they have to have implementation weather for them. There is a pity not.
D
D
You know I don't work quick to cancer discussion. I I want to go talk to people who are you to me grip because I only know the Google side of things I've only barely scratched, but it's really useful, for maybe we can reach out beyond the network thing to mark the user group or or Slack or someplace. We don't really have any place where we can scream and everybody and just get some feedback on some targeted questions and survey. Design is officer a very tricky science, but you know.
D
Maybe if we write some well those questions we can get written back on which we think would be more impactful. Additionally, maybe we can go out. We have Google of pre-sales and dev rel and other people who we can talk to you or on the field talking to customers every day. I don't know if anybody else on this call has the ability to try to gather some of that ground truth information. You know Kelsey pops into my brain. He talks a lot of customers.
F
A
kickin grass go ahead. Do a time check so left left. We only have two more issues left on the agenda. I think they'll go pretty quick, but we can shake.
D
D
D
I don't think they are here the omitted. Do you want to talk about it? Heal me to talk about it. Real quick sheriff go ahead, so there were at least three different implementations of things that would take a community service or critique ingress and program. Some external DNS source. There was one that was built into the Amazon, a load balancer controller, which was program, Amazon, blood load, balancer DNS.
D
There was one that was built as part of chaos, and there was one that was built separately as a tool called Nate and as we were staring it, whether we should add this to the Google, unbalanced or controller, it seemed like those names along place for it. So we got everybody together and everybody sort of agreed that that will work on a incubator based DNS controllers, they'll define a set of standard annotations for a set of known resources, and those annotations will drive the controller to program external units.
D
So, for example, I can create a service that I can say this. External DNS name is foobar.com and it's going through controller x and controller x knows that it's configuring Route 53 DNS. So it then take that changes to that service and it will update Route 53 in an appropriate way to make sure that that hostname references that server.
D
It seems like a neat decoupling to me and it's cool with you. Two projects designed to work together so I'm not sure, there's a lot to say beyond that: they're still in the preincubated stage, but soon we'll create an incubator, repo for them and they'll start porting over code from the two projects. Hopefully maybe in 17. We can see this available as a an add-on that people can run and try it out, but I'm going to make successful ogre.
D
I think the incubation process requires a sponsoring, thinks I volunteered SIG networks into the cns, but I. Don't because anything to do here, short of watch and pay attention and be aware and like Mike said, if you have you know, potential interest in this may be in the form of you have a DNS provider that you'd like it to support, and now you know what exists.
Q
This I was doing this for the storage safe last week and we were looking for today. I think. The only thing that schedule for 16 is esic, PGA and so I think nice thing you need to get in there and with the future priests date with Tuesday's that I guess we could kind of stick it in there and we're going to be, as a team group going over it on Monday. Do.