Kubernetes SIG Network, 4 Apr 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Kubernetes SIG Network 2019-04-04

Description

SIG Network meeting for April 4th, 2019

A

And we are recording this- is the kubernetes SiC Network meeting for April 4th 2019 I think we probably want to get started with another round of bug, triage.

B

Sharing my screen.

B

C

Yep looks good right: oh I have opened a bunch of tabs, so let's go okay. I'm not sounds good on here. Alright, so let's get started so the first one.

B

Cute Lisbon, with limiting not working, so it looks like a TC.

D

Problem yep I responded to that will in feel free to assign me okay.

E

And as a reminder for folks after you volunteer, if you figure out that something is a legitimate bug, then remove the triage unresolved label, otherwise we'll revisit next week. So there's a bunch of bugs in our queue today that are gonna, be revisits from last time. So, if you're assigned- and you think it's bogus close it or or ask someone to close it, if you don't have the access or remove the label or ask some label and if it's still in progress, it's okay to leave the label.

B

F

It's a pretty urgent n 1.10.

F

G

It that nine months.

B

Okay, all oh I see so this is the like the other aquarium coin controller, where we've got.

H

B

H

B

I'm not sure if it goes back to one top. Ten I see okay.

F

Can you assign that to me Oh elliegator, to be fixed.

F

I

F

Cite the beeps.

B

B

Service 10 points yeah looks serious. What's.

F

The Virgin 1.11 area broke.

E

Eks shouldn't matter in this case can I get a volunteer to see if we can repro or get more details.

E

Volunteers, volunteers,.

J

Ideally, someone who can uzk us even better mm-hmm.

E

The triage will continue until all of the bugs are closed. I can.

K

Take this one I already have any cast cluster for testing. Who is that it's Andrew, okay,.

B

E

B

E

Will also say thank you to all the people we were looking through bugs this morning. A bunch of them are in active triage and people are following up on them. So thank you so.

B

I can take this disabled dependent head, but I probably did not disable it in the older version.

G

All right so cute proxy and I've come true. If you refresh this, one I think I closed this one earlier. Okay, it's cool, okay, thanks, so cute proxy IP EBS mode.

G

This one had some responses right.

C

Anyone has excited Jean.

L

Jean Francois was asking about this or Dora. Sorry.

E

Lauren are you here.

E

Okay I, this looks like there's questions out on it. I say we leave this open for another two weeks session and if we don't get any traction, we close it.

B

Proxy servers: 11; okay, yes,.

F

Are we not related you all cute Rockets did OTS the.

I

F

We go down live in. This probe is.

B

It because the cube box is dead.

M

No, this is adding magnets probe all.

F

M

There's a peeler they're hitting in DNS error, because the cube proxy.

L

Died and the one-ders thought it. Oh good, then no see if it died shouldn't it restarted, no matter what I did it like deadlock.

L

E

We have our assignee.

I

E

If they're using the demon set I mean it might make sense to to specify the liveness irradiance probe for it anyway, okay.

E

B

Do you this resolution fail? Occasionally, you have to upgrade, looks.

F

Like it already has an assignee and.

B

This is Chris. Is there any traction? No 14 days ago, cuz.

E

User hasn't responded so same I think we leave it for one more cycle. If we don't get any responses, we close okay, all right. That seemed like a good heuristic to people yeah one month, no responses from end user, as we close yeah I.

N

Think so it's probably worth trying to bump the thread. If you can, those people will forget mm-hmm.

D

Fairpoint quick question: do we have metrics enough metrics in a PVS proxy to track this kind of thing, I mean in other metrics in the iptables proxy and I'm, assuming they're those in IP vs as well? I, don't know the answer to.

E

That somebody here know the answer that, if.

D

Not I can figure it out later. Okay,.

D

That's on you, then no I was just curious.

E

It's a great question: I.

D

Mean we do have some for sink proxy rules, but we don't have metrics around specific operations except the giant right everything yeah.

E

If you're gonna look at that, it might also make sense to talk with Wojtek and sig. Scalability they've got some goals around getting better SL ice. This one basically looks like the one that.

F

They're, adding I, don't know what they're gonna add a GPS, because it's like I changed that point and then.

O

D

Don't you add me on that? One I've been working a lot in this area in the past couple of weeks on VIP tables and user space proxies. So it's something similar that you're just on this one. Okay,.

B

D

C

D

I was looking at the IP vs honey.

J

No, no, no 73, 382, yeah yep.

D

Yeah that one this one right here.

B

Okay, let's close it up. Okay, next one services are not accessible to all masters using Newport.

B

True, because ask because the Masters is not running Q proxy wait.

F

How did they set this up.

E

What are they doing experimental so it's entirely possible that they're trying to run Q proxy online master. Lots of people are doing that masters. Okay, can we get our volunteer? Someone outside the normal group.

J

This one to me is that Casey yep thanks Katie cubes gray,.

B

All right next, one you'll be security who cannot be modified.

E

It's just is this simply because the Amazon controller doesn't propagate that into the security group to see that.

A

Actually I have fixed a you know. Pr, oh, is.

E

It attached to this.

K

It's not I have already fixed it. You know I PR, cool.

E

B

Bull fish, yeah, fish, okay, alright, let me assign it to you feel free to close it. If you in link or remove the trash link, all right cool next one, you need direction or UDP traffic to no poor service.

F

This is a contract thing, yep.

B

F

Another contract clean, but what's the cell phone OSE it won't keep the entry around because they didn't reply on it.

F

This is a rare uni-directional protocol.

D

Do you want to assign Jacob tenon bound to this one.

B

D

Yep keep going a B and then a T. That's not in your complete list! So oh shoot! He might not be an orc member just at him at the bottom. All.

B

Right G, could you.

D

Got over there, nice.

C

D

E

D

They're perfect yep.

E

Cool you see one of your folks. Yep cool, get him working membership yeah.

D

Yes, he's asked about that. We should make that happen. Awesome.

J

Anybody final smart here.

B

A

Could probably take this one too right: okay,.

E

Cool, please feel free to farm it out to people who have contacts.

F

Api server, oh there P or a toaster. This.

P

One's already assigned.

E

Yeah is this even C, Network I'm, not sure.

F

F

Takeoff network there, although it's a sign to the person who.

B

There's no poor not working.

D

Just a coincidence that there are a number of node port issues coming up here, I think.

E

It's a coincidence, because we're back into December 2018 now, okay, which is awesome, means we're chipping away at the backlog.

F

Okay, is there any others, though, right.

D

Is this IP vs or IP tables proxy.

B

E

All right volunteer someone just a probe follow-up, see what's going on uh sure, Thank You, Valerie, BLL.

G

B

E

Thank you for the bot Mellie.

O

Is this no I think this is a missionary.

F

J

Wait but they bucket it like that and then what it would help Jordan unassigned it for me, I'm hearing.

F

And then what happened.

F

F

O

Sig Network.

E

Okay, so can we get somebody to triage? This does not seem like a sig net work issue, but I would love for somebody just to poke at it for five minutes all right.

B

Okay, all right next, one.

E

Service, oh yes, this isn't! This is ongoing. This does not need triage. You can remove the triage there. Melissa say legitimate issue.

G

There's a discussion going on all right, cool.

B

Next one human set pods are being scheduled with duplicate IP.

F

One of the fixed issues.

J

E

We assign somebody to just see if there's follow-up, otherwise close.

M

K

The autofill doesn't work, so you just have to.

M

Not cached all right, you've.

E

Now added a node to the graph.

O

F

Okay, it's kind of a strange.

O

Refused and why.

J

Are they using.

E

A big tool and then you do test.

J

Some of the EPT tests used a I'm saying oh conformance test log is.

O

Minus two, because I'm.

G

B

Right cool next one cube proxy can I use, I mean yes mode. I think this is just.

B

Oh anyone confirm: is there a compatibility issue here.

G

When they will experience with IPS anyway,.

Q

For my DDS team here.

F

What is that linked issue? Anything else we need to know is that PR.

I

F

Santos doesn't go by the book. Can you assign to TJ okay.

G

Although he's been something with black holes for sure and I.

E

Can't say how much I appreciate you have names that I can pronounce.

B

F

I start keep a bi server daughter, it seems like you're giving in.

O

O

Unable to perform initial budget I love almost as Holly as he thinks it is yeah.

G

And it's trying to attach so what environment is yeah I think this is, are we should we should look at this? Not so.

O

Container, that's.

E

You can assigned to me that's fine. I'll, follow.

B

Okay, all right keep proxy IDs proxy mode.

O

Six no points.

F

But can you support dual stack yeah, no.

E

If I understand what they're saying do.

J

They expect to.

N

Be able to use.

E

The v6 port- and it's probably sitting on the v6 port, even though they don't want it to, but uh you can send this one to me, I think I.

G

Send to jr. three or four months ago, okay, send to me basically.

E

Is this the thing that just sits on the board yeah.

L

Yeah I mean I, that's.

E

What I was thinking but I'm also reviewing the dual stack kept so I'll, just ready to work on the dual stack or Microsoft guys I, don't.

O

E

Any of them are here, but there's a very nice cap in my EQ, then I need to think hard about.

G

Didn't I just triggers a memory of some.

B

E

We get a volunteer to triage and see if this is still an issue. My guess is: let's see what I was updated, we're seeing this and OpenShift origin the only s multi-tenant again, anybody from over chips well,.

D

Yes, there's a couple of us on Dan can be assigned to you to farm out sure.

E

If it turns out it's not at all openshift ish, then.

B

Yeah, okay, so can we close it yeah intended.

B

Cute proxy conflicts, no names and host names.

B

E

Lots of pieces of our system, conflate node names and house names- you can I.

J

Did the job of figuring out where it is if somebody from windows around.

E

Who can take a deeper look I.

D

I

D

Restricted Windows, probably not it isn't or it shouldn't be, like you said, Tim, there's a lot of stuff that does this the wrong way: yeah inflates the too, and usually you just override it.

N

D

Know like the hostname, override or whatever right.

E

Can you send some to me I'd like to take a look at it? I touched something here recently and hit the same problem in a different component. So, okay.

B

It's not working Tim.

D

Check by the way we got about three minutes left.

F

You signed it to the metrics but excited to me. Okay,.

B

Cue proxy, you failed to execute I think it was restore.

E

Assign this to me, I've actually got a I was just touching code in there today.

E

D

Feel like they could do a better job of logging errors list you. What is the actual error here out.

E

Of curiosity, I have I've seen occasionally Oh. What is the actual error message? Yeah.

D

I mean iptables restore line, 16 failed is at the end of it.

E

I think that's it like. We don't actually dump the error. We don't dump the iptables the state that we were trying to write when we have error and I ran into this just this morning and so I added that but I haven't sent anything.

D

So is this like: we think that it's writing the wrong iptables restore lines and there's some formatting error in there restore that could.

E

Be I feel like I've, also seen a couple of cases where I pee tables would spurious ly say that and then later accept it got. It I think the first thing I'm just like: let's get some logging and yep, we do one more one. More two more one.

B

D

Not ready go down to the bottom, I might have come into the sorority. Maybe I didn't.

I

G

Is now five months old, but there are updates in February.

B

I

A

Sorry, okay, see what, though, all right I can take this one.

B

Okay, one more last.

G

One who wish to be headers hosts in the lost after the drug I remember this I think I commented on it too scroll down. Oh.

B

So gol dang bug.

I

I'm saying somebody.

E

Why don't you sign it to me? I'll follow.

E

Okay, all right awesome we're at time we made it through. What do we open up? They'd open, like 5600 you're like you, enter like 48, bugs cool nice work, people I know sorry, just in terms of stats we pulled up this morning we had a net decrease from last week of 10, I, think and just as a starting point and that included seven or eight six or seven some somewhere in that range new, ountry oz bugs since two weeks ago.

E

So we actually, you know, put a small dent in it.

E

Thank you everybody. Next week everybody bring their volunteering shoes.

A

All right so I think next on the list was from Christopher. If he's on the call that.

P

Just a reminder to take a look at that I think it's mostly concerning some of the leads, but it has to do with the SKU tests and kind of where to move forward with them. I found it while triaging and that I don't really know what to do with it.

E

We started which thing is this I'm trying to the agenda? It's.

D

A human ace: this is lifesavers.

Q

N

D

Two three two, two.

F

Someone have the agenda yep.

D

Shared the screen will do.

D

Can you see yes.

F

Well, we're looking at github I, don't know if you wanted to share that browser. Yeah yeah.

D

Yeah, this is the one clarify key box. Excuse important upgrade process. Did you want to see the agenda doc instead.

E

No I, don't think I even saw this issue.

E

Can you whoever's got that screen up? Can you can you assign this to me? I do.

D

Not appear to have assign privileges in combining it slash website.

G

D

Interesting: okay,.

E

D

I just tag you with it: no I've got it here, I.

E

E

Alright, thank you. I'll talk to Jordan about what he wants. There.

A

All right, let's see next, we've got Cody Baker.

R

So the issue we have here is that coop rocks he has an optimization which rewrites traffic that's headed towards the load balancer from within the cluster who the backing service, but per the recommendation. We implement proxy protocol on that load, balancer and if the traffic's redirected, without ever, hitting the load balancers, the proxy protocol is not added.

R

It was a similar. The request was originally created by some and Alibaba iCloud user and they have key LS determination if there were balancer and we do as well as an option- a proxy protocol. Is there not their concern there and yeah. So we're trying to figure out what we'd like to propose a PR and address this, but I want to kind of find the right solution and turn away too so.

E

Just to clarify this is the service load balance or not ingress, right, yes, okay and which rule is so there's a rule. That's sending it to the backend for the load, balancer IP right.

R

Yeah, if the wool balancer status object, has a IP address, specified IP, vs and IP tables handlers in coup proxy will intercept and rewrite that destination to the services cost or IP.

E

Ice I have a very clear memory of fighting with this to make it do the opposite of that I thought good I swear I, remember beating on IP tables until it would not do that so that it would force load balancer traffic to go out from the machine to force it for exactly this sort of issue. It's.

R

It's also worth mentioning: AWS has support for both proxy protocol and TLS termination right I'll be, but they don't hit it because they specify a hostname as the return value in load balancer status, whereas we're looking at specifying an IP address.

F

But isn't this a layering violation because you're kind of mutating.

R

It's a consideration, but the I mean the recommendation on the kubernetes web page right now is that for source IP identification that we use proxy protocol.

E

You don't really have any other choice right because it's right mind. It is a proxy right, I'm, happy to look at PRS here or to look at further Diagnostics. I swear I fought with this issue before.

E

If you want to dig in a little bit and then reach out to me or file a bug, and we can talk about it and I gave me a chance to look at my history too and see if I can remember what happened with this. Okay.

R

And I guess I should say also there's kind of two idea: two different directions. We were considering taking this one, just adding a flag to crude proxy, which would disable that optimization entirely. You know obviously default to the current just behavior and then the second one being changing that load, balancer status, object or the service itself to have a internal traffic policy option that would default to the current behavior, but have a different behavior that allowed that hairpin. That's all a balancer mmhmm.

E

Yeah I, don't know, which is the writer answer.

E

Less flags is more better in general yeah, let's do a little bit of the homework or, if you've done the homework open up, go ahead and open a bug and tag me or assign, assign me don't tag me and we'll go from there. Okay, there's.

R

A bug there we'll open PRS on that cell, oh sure.

E

If you get PR is even better I'll have you know we can do that alright, so.

B

Last time I think we saw this was coming from the on-prem user and then I think the hack was to inject iptables rules to basically force the destination to be like, for instance, if the destination fall into the low bouncer IPS, then dunno track. So you just go right out. I think that was the hack I. Remember.

E

Fighting with us on GCE, because GCE assigns the load balance or IP as a local and I wanted it to go out to the load balancer. But you know it's possible that I never made it work or that we wanted to undo it for some reason. So, let's, let's look at what you've got and go from there.

R

Sounds good thank.

E

R

A

Goody next is anyone actively working on ipv6, dual-stack I think we said earlier that.

E

A

E

I've got a I've got an updated cap from lucky and Cal at Microsoft. Do.

D

You want to paste that link into the agenda Tim. If you have it handy, I, don't have it handy, but I can get it okay. Well, you keep talking I'll go find it. Let's.

G

E

So yes, I think the answer is, is yes they the caps back on me, it's a lengthy kept. So anybody who wants to help by reviewing it is totally welcome to.

A

Cool next is next steps for cube proxy cleanup fix a ballerina and Rio.

O

E

Literally the cleanup code- oh.

K

N

Sure so we've had the series of issues that came from how inherently bug and error-prone the cleanup process is because each mode has some intersections of how the rules work. We decided kind of at the last meeting and what it kept in to just remove the cross mode, auto cleanup. So now, if you want to switch coup proxy between different modes, you have to explicitly run like the cleanup single run or restart your node.

N

So we have a PR up. That is having some not very obvious test failures, but other than that, we're very close to having that done.

K

Yeah, so cherry-pick deadlines for one 14.1 is tomorrow, so if we want to get Patrick, listen, we gotta merge. If, ideally, today,.

E

Tim, do you still want to go with that route, or do you want if we can.

K

E

I mean I looked at the code and it was shockingly straightforward.

E

The only comment I had was something about an error message: string on one of the flags right, yeah.

N

I made sure that the IPPS clamp is properly deprecated. Now that it doesn't do anything okay, then I will go and approve it, there's just a matter of making sure the test passed though, but it's like a crash during cleanup, which seems many unrelated.

E

Yeah, there's nothing like your problem.

K

Do we also want to backport this to 1:13 112-111.

E

Seems plausible yeah I, don't see why not it's a legitimate bug.

N

Maybe backported, but not super super quickly, I'm just a little bit worried that, because this is a big change. If someone has a very bizarre setup that was relying on this, it would cause issues so kind of give it time to bake in a 14 patch and then push it back sure.

E

I'm skeptical that that's actually the case, but this seems like such a corner case in each functionality that I think you'll be fine, but you're right, strange things happen: I've approved.

A

Yes, next, we've got service garbage collection with finalized errs.

F

Yeah, so this is just Andrew and I were discussing this. Basically, we should be putting finalized errs on our service objects, to get the cloud providers to clean stuff up and we're gonna. Take this up in 115.

F

A

All right is there any call to action on that one.

F

If you, this is important to you, then look for it. Okay, it will affect all the cloud providers. So that's one thing: yeah.

K

I guess one thing worth mentioning for this is that in one release, we're not actually supporting finalizes, we're just gonna, add the code to handle finalizer so that, if a user's rollback, they don't have services stuck with finalized errs, but not the controller's handling it. So it's probably going to be a multi release. Feature that we're going to add incrementally.

A

And finally, we have the status of bandwidth, limiting.

D

Yeah I responded to that issue. As far as I know, it should still work I. Think it's just more of a do everything at this point. Unless anybody else knows exactly what's going on, there I tried all.

C

H

So the Covenanter cannot pass in the return videos from TC, so I don't know my door is do to our work.

H

So I just want to check what's the status of it, so I thought I know it. It's got implement the inclu night and unwise plugins. So we want to know the future plan and also it's done it's the pod animation. So if we updated our annotation, it's not Scott. He popped by the plug-in. So we want to know I mean.

Q

If you it doesn't, it doesn't belong in sanitation. We don't have a general.

E

Way of making plugins to this right now is: we have a use case. That's driving this. This is one of those features that was added really early without use cases.

I

Do on this animation is forecast is frankly it's not supported. Based on both can either run the bases, use, Ubuntu, and then you have them, and ultimately, okay.

H

E

I guess I would say: that's a bug like if it's, if TC versions changed and we need to change the parsing of that. Then we should just fix that. Whether we want to keep this feature or this annotation sort of for the future.

I

E

If we want to support it, we should figure out how to make it properly part of the API, and that means what it means for all: downstream plug-in employers.

F

Place when we park these API bugs, basically because this is just it's like an annotation. But what.

E

F

You mean it's like it should. Ideally, if it's a real feature, it should move towards yeah non. Yes,.

E

F

E

As the seg need to decide, if we think that it's a real feature that we can really support and to do that, I think we need to do a little bit of thinking about how would look as a real feature and what does it mean for non you Metin on container II or non namespace e based environments? What does it mean for other plugin implementers, those robots, I guess.

F

I had a better question: where do we park stuff like that issues issues, but they get closed in one so freeze it?

F

Okay, maybe it's worth buying it.

E

Yeah I mean people, don't use lifecycle frozen enough like for filing a bug that is really a bug and needs to be addressed, set it frozen. Alright.

A

Alright, that was the last item on the agenda: I, throw.

E

Out one one more quick topic: of course, there's we actually had a meeting last week to talk about our Signet work, maintainer track session. It's an 80 minute session in Barcelona split in two halves. One is the introductory session and the other is the deep dive session. We started an outline of this and we will hopefully refine the outline and start turning it into slides in the next couple of weeks.

E

I, don't know what time it's at, but if anybody's going to be in Barcelona and wants to come and dig deep, what we're proposing for the intro is an overview of some of the basic concept, services and DNS and endpoints and to proxy and ingress and how the pieces all fit together, but at a very high level and then for the deep dive.

E

We've proposed four topics: one ingress v1 and the path to GA to the DNS node cash, three service topology and for ipv6 and dual stack I'm, not sure we'll get to all four topics inside the 40 minute half, but we're gonna start writing up slides for that. So anybody who wants to help is welcome to help. Otherwise, we'll just chip away at it.

A

If somebody wants to help, should they just reach out to you? Yes,.

E

If somebody wants to help, they should reach out to me or Valerie, and we can get you access to the dock. The docks a little rough right now, so I won't open it up to the world yet, but can do that. Hopefully, before the next time we meet.

M

A

Anything else for the last 10 minutes work.

D

Triage works for me, mm-hmm, let's get him done, there were like six or eight tabs left in that window. Let's not come down.

B

Okay, the first one. Now what you said, TCP closed, wait! Timeout!

B

Let me do it's a test flick! Oh.

F

What a 2 I is valid, syntax.

G

Parsing folk boat.

F

Cool entry has disappeared.

F

I wrote this test signed a boy's.

B

Default Cisco in configurations.

D

This seems more like an RFP.

E

It's sort of halfway between your RFP and a proposal, yeah.

E

Okay, I mean the right, people are on it, it looks like it, maybe doesn't even need triage whoa. Can you can you freeze it life cycle frozen and remove triage.

F

Space looks like there's a new Cisco tool to improve upon termination merged what you see that come in there.

F

You proxy /I PBS Oh, No, okay. But that's not our repo.

R

Yeah, what does Q proxy slash? I forget work crumbs.

G

And slash time, yes, oh.

E

It is us okay, I, said something.

P

I, don't get a.

E

Word or something that was terrifying for just a.

B

Proxy clearly incompatible with.

D

Yeah, so this might be an interim version of iptables 1:8, and if this isn't fixed already in iptables itself, then it needs to be fixed there and not in queue proxy mm-hmm.

E

I think I remember this: can you see there.

D

Was a core OS go iptables issue a long time ago, like last fall, but that got fixed upstream in IP tables and then core OS I, don't know if they backed out that workaround or not. Okay,.

E

Can you assign this to me and I'll I'll follow and close since I least remember it yeah.

D

But and I mean at the end of the day, Tim just to let you know if there is anything needed from IP tables upstream, let me know: ok, we have people that will fix that, since we are mostly responsible for the IP tables, nf tables thing eh,.

I

D

B

This works about enable 90s mode or the King proxy by default. Oh okay, so this is a tracing.

B

R

Is the tracking ID.

B

G

That one any hit.

B

N

G

I close, this I mean obviously I didn't, but.

G

Yeah I think just close. This there's really no way that we can fix this and we don't really want to anyway.

I

B

In this switch, this.

D

Doesn't seem like a network thing, does it I mean its DNS related, but.

E

Yes, is it really our problem or should do I, don't.

N

Think it's our problem. Yeah.

E

I really don't think so, either no I actually I would just say, I think this is not a crannies problem. I think like if your image wants an S which you should provide in a switch yeah.

N

Build your image with its dependencies.

E

We should fix our images. Oh yeah I feel like this is an image problem.

B

E

Can always be reopened.

G

E

More two: more changing node its cider mask, sighs, yeah.

E

As intended, so this.

B

Should not change.

B

B

G

F

The range alligator doesn't work if you change it change that flag, I, don't think.

G

Don't close it just assign to me I'll respond we're good thanks.

M

B

Boom balance of target board, not four hundred demons at hoes board or not saying that's horse boy. What.

I

N

B

Yeah for sure it is like the hospital and she's for to contain target or not the.

I

G

E

Seen you follow.

D

Me that's right. Fifty more, we got three minutes. We.

E

Made it through fifty old bugs and six or seven new ones, that's the highlight of my week, y'all slowly but surely awesome. Thank you, everybody. Thank you see.

A

You next time, bye.

O

Alright, thanks.