From YouTube: Kubernetes SIG Network meeting 20230216 (Part 1)
A
A
Two weeks from now, thank you, and we'll get started with triage. So Antonio, why don't we start with you? You brought up one that was closed that you wanted to talk about.
D
Yeah, I, I want it, because this is an example of the, how a small change can have a big impact and, and how long it takes to detect it, and this was detected by chance by Patrick. So the, the history is in the CI. We set up the kube-proxy habitable scene period to 10 seconds and.
E
D
Was developing a test and that can become racy in the same situation, so I, I was checking some graphs and doing some experiments and I say what, we can use one second, it should be good, and it seemed that it was good. But after four months, you do scroll down and go to the graphs. You can see that we reduce the latency.
D
D
The good thing is that, that there is one thing from then we see it as we use the latency. The higher, high percentages of 95 and 99 now are much better with his team, so this graph, the graph with the cycle. So you just see the latest one, the 95 and 99, that's the type, those improve and, and the other way, that's when I rejected my change.
D
Thanks to, to the Parker for reporting that. Well, that's the other thing, is for people that want to test things. We have this stuff running in Kubernetes, so I mean you go through SIG Scalability, understand, and, and they will be happy to, to show you how to run.
F
A
Alrighty, so next up, I was looking at issues and there's only one that was open recently that doesn't have an owner, and that is "kube-proxy does not validate healthz state when answering to HC for eTP local".
B
E
G
H
We'll get, I just assigned it. Thank you. I did want to talk about one other one for triage. Light week this week, which is kind of awesome. The other one that I thought was interesting, well, there's a CNI issue open, which.
H
Okay, so Mike, you got it. If you think it's a real bug, triage accept it. Then the, the new, there's a new bot, you may have noticed the new bot, goes through old issues and untriages them, forcing the SIGs to re-evaluate whether we really want to look at these old bugs or not.
H
But this one, network policy proposal, extend network policy layer seven, is a, is a 50k range issue from 2018 filed by none other than Thomas Graf, and I thought it was worth talking about a little bit here at the SIG. Is this something we want to consider, or should we close it out?
E
I
J
J
We just have so many other things we're trying to prioritize first. I.
H
J
E
Sorry, team, I, I, I, I think that I, I kind of got misunderstood on that. I'm not pointing that this should be Gateway API. What I was saying is that during our network policy meetings, we were kind of discussing having some new network policy, but not calling that V2, because we are not never gonna have a V2, right, getting compatibility with V1.
E
So what we've been thinking actually then, and, and, and Andrea was creating some similar thing that is like network policy V2, but with a different name, as Gateway API was like the Ingress V2, but never got, that was never the Ingress V2, right. So we don't have this kind of confusion, and probably we should move that to that effort. That's, that's my point on that.
G
We actually discussed it just two weeks ago when we looked at Dan Winship's doc, so how, if we should add in layer 7 as partners, moving forward.
I
H
H
Thing exactly, like, look at what, like, Istio does for layer 7 policy, right, like they do traffic sniffing on inbound packets to try to figure out if you're speaking MySQL. Like, are we gonna do that? I don't think so.
G
But we could offer the support to basically forward, if you have only four points like we have now, that you would send it on, basically service chain, to level seven, layer seven function that would do, handle that, to be able to evaluate the, the layer 7 policy.
H
But is that something that Kubernetes defines, or is that something that some other implementation defines? Like, Istio already kind of does this, right. Yeah, Bridget, you're exactly right, Istio kind of does this already transparently. Like, you as a user, you don't need to know that you're using a service mesh, and it can do packet sniffing, or it can be disabled, to figure out what L7 policies it wants to apply, and then there's a policy language that it uses to define what is a MySQL policy.
H
Look like, as different from an HTTP policy, right. I don't, I don't know, I'm very wary of Kubernetes opening that can of worms, because there's a lot of worms in there.
A
I'm particularly wary of it in lieu of anybody being really noisy on this issue. Like, doing it's one thing, but then doing it when nobody's, like, apparently beating down our door to do it, I think, is another. So I, I would lean towards we close the issue and then, if somebody really wants to start beating down our door, they can, and we can reopen it and talk about it more.
E
F
F
F
H
It, there's, there's an opportunity to say, within the Gateway framework, this is where you would attach policy resources, but policy resources aren't defined by the Gateway API, and standardization doesn't necessarily mean it has a k8s.io API. It could mean it has an istio.io API or it has a cilium.io API, because those are both CNCF projects too. Like, we don't need to own everything. In fact, that's poisonous, right. That's.
G
That's, I didn't say what it was, but I mean, before we get to the function that can do it, but we also, and there's nothing here, but at some point need to start looking at, should we try to do something around QUIC? I would say it's really, really hard to do. Multiple T subp, we'll have more and more encryption everywhere. So, so, how do we manage that from a, from a service perspective? Are we asked gonna do TCP and UDP and that's it, and so, where would, if anyone wants you to do QUIC?
H
For the sake of time, I think we're all violently agreeing. For the sake of time, I'll, I'll capture some of the notes of what we discussed and I will go ahead and close that issue and we'll take it off the triage board. Back to you.
A
Extension to triage, and I think we should probably time box it a little bit, for backlog grooming, finding old issues and bringing them up, that we started doing a couple weeks ago. Tim, I think I already have this one open.
A
So, "Support port ranges or whole IPs in services", from 2016. Yep.
H
We got as far as actually having a KEP, and then we didn't follow through with it, because it was hard and there wasn't a ton of obvious demand. I think everybody thinks, yeah, we probably need to do this, but unless somebody feels like, I need to do this, it's not getting done. And I will note that it is currently marked as lifecycle frozen, which I'm going to remove right now and force us to reevaluate this issue periodically.
H
C
I
H
I mean, what I recall was port ranges were simply not implementable in, like, ipvs. Like, there isn't an affordance in ipvs for doing a range. You can do a whole IP with a sort of weird, the persistent flag, and you could do a single port, but you couldn't do ranges, and in iptables you couldn't do remapping, which I think is okay. We could ignore that, we could waive that feature away with, in the face of ranges. But you're looking at nftables. What, what are the capabilities of nftables here?
I
G
Use it as a notation, right, that's a short form. Today, what you'll do if you want to automate this, probably that you, you have a function that runs over, you sort of, the definition with the port, with the range, and makes one, I mean, makes it the single entries. You could do the same thing in the back end, right. Yes, you cannot use the port range.
G
You will have to generate the rule for every port in the range, which, of course, can be very costly if the range is like 3000 ports, but anyone doing 3000 ports should be well the source problems, because if we added here, you also probably want to do something with the service audio map interest. You want to have a service over ranges, so.
H
G
Application that doesn't work for this. It's just a matter of easiness and perhaps, so, ease of, ease of reading, and so I think just leave it if.
G
H
H
Yeah, I, I don't think that's a practical answer. I, I think we could get away with saying, here's how you specify the whole IP will be forwarded with no remapping, but I don't think we can get away with saying, like, realistically, it's either list your, specifically list your ports, and they better be a relatively small number, or that's it.
H
G
H
G
Would you then say that, okay, you set the it, but if you want to do a service that we would be specific, port specific, course for the service, assume that default has implemented that, even though it's not possible then to map. Of course.
H
G
H
A
Yeah, it sounds, it seems like this falls into the fairly common category we have of things that are open but won't be moving, that we talked about last time and we need to come up with some kind of solutions for. But, like, removing lifecycle frozen for now may be good enough as an action, I think, and then we just need to keep following up on how we're going to better organize some of these issues that need champions, which I think this is basically the problem that we have here.
H
I'll, I'll capture some notes in this one too, just to indicate that we, a, we talked about it, so that the bot will be happy and not bring it back to us, and to suggest, if, if somebody wants to pursue this, we're not against it, we just know that it's some challenges. Is that fair?
H
G
A
Roger that. Is anybody opposed to jumping forward and saving some backlog grooming for next time, given the time that we're at? Go for it. Then I would like to open it up for Antonio.