From YouTube: Kubernetes SIG network meeting 2020-01-23
Description
Kubernetes SIG network meeting from Jan 23, 2020
Can you could.
Just a proof of concept, because the problem is that we have limits on the allocator, in the IP allocator and subnet allocator for IPv6. I went through all the issues and somebody, I think the worst kratom, suggested implementing growing big bands, and I put up a pull request. I did this pull request to test it, but I found different issues. I will write a type am put the resort so darkest. So should we just ignore this?
This one, they were just wondering what the threat was, I guess, whether it warranted looking at some of the attached issues. It was like people were having some problems with this. I think it seems correct if there's bugs in the current release or if it's within the supported release. Okay.
Okay, great. Hi, I'm Martin, so this is a cross, let's say cross-SIG KEP, and in the basics. So today, when the pods in the cluster want to talk to the API server, they do that, in most cases, by automatic discovery via the environment variable, which is the kubernetes service hostname, I totally forgot the name, but this environment variable today is an IP address, and the Kubernetes API server, when it starts, has a reconciler inside of it which reconciles this advertised IP address.
The two problems are: the first is that kubelet does not support the environment, the host, the master service to be of type ExternalName, or to be a hostname, not an IP address, and the second problem is that the API server, the reconciler, today only expects an IP address, not a fully qualified domain name. So I'm looking for review, some heads up. There were some concerns in API machinery that this could lead to some unspecified behavior or something wrong and, optionally, some breakage, and yeah.
Yes, exactly. I mean it only targets this explicit service, so it's not targeting any other services of type ExternalName, and we've actually run this thing, half our clusters exposed, yeah, with a fully qualified domain name, for quite some time, and we want to make things smoother just to get rid of this extra IP address and have the same way also for the in-cluster communication. So far we haven't had any problems with all the clients.
Basically, lots of advantages. I'd like to highlight a couple of really big advantages compared to iptables, and the first one is the API. So basically, instead of wrapping the iptables executable, you can directly talk to netfilter using netlink messages, which significantly expedites the process of programming. So, instead of going through the reconciliation cycle as it's currently done in kube-proxy, which is very huge and extremely inefficient, you can basically react on the service or port creation or deletion immediately, in real time.
Basically, it's just a key-value set, as we have as well in Go, where it's called a map, but in the terminology of nftables it's a set, and a map is as well a set, but with an action at the end. So if there is a match, then there's a verb: goto, jump, drop, accept. So basically what it allows you to have is a single
rule can address the set with a very large number of entries, so instead of having a rule per entry, now we have a single rule referring to the list, and the lookup is extremely fast. So basically, this allows having, sorry, having tables, nftables, of constant size regardless of the number of endpoints or number of services in the cluster. I've done some preliminary tests and the results were so surprising and positive that, basically, that's what triggered
instead of accumulating those changes. So right now, I implemented the basic functionality of whatever I could find in kube-proxy. I mean, I'm positive that there are some corner cases which I'm missing, but things like ClusterIP, external IP, load balancer, NodePort are supported, and I mean it's working well. I was hoping in the future to look into, there are more corner cases, but I mean by the time. One of the biggest problems I have is the requirement for the platform, so basically to be able to run an nftables proxy.
You need a VM or host where nftables is enabled, the kernel module is enabled, and so far, I mean, I couldn't find a single CI which would support it. Basically, all the CI happens on my local machine, on a local cluster. So that's kind of a problem. So, if I could share, I mean I could briefly show you how it looks.
I don't get to make all the decisions on my own, so I guess it's open for opinions from other folks. My inclination still stands that kube-proxy itself is overly complicated by all the different proxy modes right now. It might be better, sort of all told, to make a different binary that is the nftables proxy. That's
to Antonio and Dan, who've been involved in this issue, and Jordan as well. So as part of turning on and testing dual-stack, we hit a couple of issues that helped clarify some of the vagueness that we realized we had never really dealt with. One of them is that the dual-stack behavior around cluster IP allocation on services is actually kind of a novel case.
It's one of the few places in Kubernetes where the behavior of the API actually depends on configuration, and that kind of helped surface a couple of issues as we were digging through some bugs. Why, when we turn dual-stack on, are older clients failing? We kept pulling the thread; there's kind of three or four points. I would say anyone who's interested in dual-stack, I don't know that you should be looking at this bug. Antonio and Dan have been really going to know.
A few other folks have been interested, but it's basically around the behavior of a complex API object like Service when the configuration of how that behaves actually comes from the configuration of the process that's running it. So whether the feature gate is on is the obvious one, but the more nuanced one is what the service CIDR for the cluster is.
If it's IPv4, the API behaves one way; if it's IPv6, the API behaves a different way; if it's IPv4 and IPv6, the API behaves a third way; and if it's IPv6 and then IPv4, it behaves a fourth way. So the long and the short of it is we've uncovered a very interesting scenario here, which is, because services can change type and we've added a new field, the interpretation of that field needs to be clarified a little bit.
But if the cluster were to change that configuration under the covers, clients wouldn't actually know which way to behave. So the long and short of it is, anytime that we add a new field in the future that could change based on config, we'll probably have a new set of API review guidelines that will kind of help clarify this, but we'll probably get to the point where we find a default behavior when we introduce the field, and that default behavior shouldn't depend on config.
So, like, the argument here probably is that IP family should have always defaulted to IPv4; like, if we could go back in time and undo this, we probably could have said IP family is always IPv4 except in these cases, and clients that don't see IP family can just assume it's IPv4. Today, because of the way that the config could change it, we can't actually go back and undo time and do that, because it could mean IPv4.
It could be that it's v6. So the problem with that claim is that there's clusters that only have v6 and clusters that only had v4, so anymore. Before we supported v6, we should have defined IP family. So the problem was not that we support IPv6; it's that we added a field that depends on config, when we could have added a field that, like, when you went to an IPv6 cluster, it would have just returned IP family for you automatically.
So the IP family was still defaulted to the cluster's config, detected, right, but the field would have existed, and so there would be no excuse for an old client, like an old v4 one. We could have changed the config and implicitly done it. We would have to go through a release, so we've said old clients that don't see IP family can't do anything. Arguably adding the new field is complex. This is actually kind of an easy one, because if you're a component that's working with a Kubernetes cluster, you had to go
do work to support IPv6 anyway, and so this would be like any other ecosystem component, which is, an ecosystem component can choose not to upgrade API versions, but then people can also choose not to use that ecosystem component. So I think networking gets away with this a little bit for free, because most times networking is relatively closely coupled, and obviously, if you have a component that integrates with services and you don't support IPv6, you're not gonna work anyway. So just, the long and the short of it is we'll have some new rules.
We're gonna be updating the IPv6 docs and KEP with some of the fallout from this. But if anyone is interested, please, please get involved now, because we probably, one of the issues with this PR and what we found was that we can't turn on the gate to enable dual-stack until the release after we get these rules clarified. Otherwise, someone upgrading from a single-stack to a dual-stack cluster would see different behavior, so we're just trying to get eyes on this as soon as possible so that it doesn't hold dual-stack unnecessarily.
So one interesting isn't: a forties at winning starts to generate is in Tokyo Drift and you ever ng. While you have even count what is rising over time, but it doesn't actually change our calendar, so it seems that it could lead to twenty I economy in time for all the readings, they have much, much less events to respond to, and the radiators.
First one is about Ingress GA. We're still hoping for Ingress v1 in 1.18, and on the last call, which was a week ago now, there was some pushback around the concept of IngressClass, and IngressClass is a resource that would allow additional configuration for a given ingress class that can be associated with any number of Ingresses. So it's keeping the same ingress class concept, but adding an additional resource.
So there was some question of how tied you were to this in Ingress v1, so I know a lot of people have lots of feelings on this. I just kind of wanted to get some feedback in front of a larger audience as to how people feel about the idea of an IngressClass resource as part of Ingress v1.
Next is also mine, and that's related to a KEP I have proposed that suggested adding an app protocol on ports for services and endpoints, and this is something that came out of several long-standing issues. The discussion in that PR came to my suggestion of, there are lots of use cases where multiple app protocols are relevant for the same port.
Is there a reason we would want to limit this to specifying a single application protocol, as opposed to multiple app protocols, or at least allowing multiple app protocols? That's essentially the KEP right now, and since the enhancement freeze is five days away, I just wanted to get general feedback on the idea of, instead of a single protocol, multiple protocols per port, optionally.
The thing is, the consumer is kind of outside of anything that currently, there's nothing inside that kind of triggers on it, right. It's almost like a pure description. It is key research. Not almost, someone would have to find a compelling example, and we do know how to polarize these rights. That's what we see.
Alright, so there was a problem with iptables 1.8 and its two different modes, and containers like kube-proxy and network plugins having problems on recent Fedora and RHEL and Debian, where they're using a different mode than the container is expecting. We finally worked around it in kube 1.17 with wrapper scripts in the kube-proxy image, and now I've sort of abstracted that out and created a repo so that other people who need to use it, like network plugins that want to be able to support multiple distros,
could just grab that wrapper and get support, and I wanted to get this adopted as a SIG project so that we could have it moved into a kubernetes-sigs repo, and that requires, you know, official sponsorship and approval from the SIG, which actually has to be in written form somewhere. So I guess I probably have to send an email, and then, you know, the SIG leads can respond to the email and say yes, we approve of this.
Last one, and this is just on service topology and seeing if there's anything we want to get into the next release. I think right now there's not much. One of the things that seems obvious right now is, there's no... EndpointSlice is what service topology is based on in its current iteration, and EndpointSlice currently just hard-codes the node, zone and region topology keys. So the whole idea with service topology keys is that you could support arbitrary keys beyond that, and EndpointSlice does not.
So a question is, is it worthwhile to have the EndpointSlice controller set arbitrary, whatever topology keys match the service, and on that note, if that makes sense, should they only match whatever's set in the service and exclude anything that isn't, so, as an example, if topology keys are empty on the service, don't set anything inside the EndpointSlice topology? I know that Andrew had also mentioned something along these lines. So, if he's on the call, interested in feedback there as well.
Is there value in having a base set of topology keys, such as the ones that are already set, always being set regardless of what the service specifies, so for a given EndpointSlice, you know, an endpoint in an EndpointSlice, you know the node, zone and region, even if the service doesn't say upfront that it cares about that? Or is that too much of a stretch?
In a sense, it's actually decreasing the level of information, or downgrading the level of information available in an EndpointSlice, because it's going from always having node, zone and region to maybe having those if they happen to be specified on the service. Admittedly, nothing is being done with those keys right now.
One other topic that came up the last release was whether we need to create a special case for, or if we need to create an equivalent case in service topology for, externalTrafficPolicy: Local. Yeah, because, yeah, like it's gonna have a policy, it was like a special case you have, and if the user specifies only the kubernetes hostname as that topology key, then should it be treated as a special case, or is it just a generic case? Yeah, so I think we need to hash that out, yeah.
KubeCon: you know about our deep dive intro session. You know, unfortunately, they said we can only give you a 35 minute session. Yeah, one session. I emailed back asking; it probably won't fit. I will send out more information about it. If you're going to be there, then we can see who is interested in probably presenting. 35 minutes, you have to talk real fast. 35 minutes for what we used to do in
I think I've been reading all the threads with CNCF. It's very ambiguous, the wording around what's going on. I read it as all SIGs get one session, and cloud provider subprojects, as a special case, get a session independently, but no other subprojects. So the Cluster API people, I think, are frustrated because they wanted a subproject session. It's not SIG Cluster Lifecycle, it's just Cluster API, yeah, and they were told no, right. But I thought that every SIG was going to get a session: 35 minutes for a joint intro.
The last thing I read from CNCF staff is there's a shortage of rooms, number of SIGs and projects that want to talk, and I'm not inclined to fight real hard to get a longer session. I think we should take our 35 minutes, post-mortem on this and figure out, like, as a community, why is KubeCon too full for Kube projects to talk, and we can move forward? So 35 minutes is, I'm neutral, excited, yeah.
If you, sorry, for people who are up against the feature freeze, if you are waiting for me, this is Tim, if you're waiting for me to touch your KEP, feel free to ping me on Slack or otherwise, and I will do my damnedest to look at it. If the KEP is not assigned to me, I probably will not see it. So, if you want me to look at it, make sure it's assigned to me and then ping me, and don't be shy.