►
From YouTube: Kubernetes SIG-Network Meeting for 20230427
Description
Kubernetes SIG-Network Meeting for 20230427
A
This
meeting
is
being
recorded,
hello,
everyone
and
welcome
to
the
April
27th
edition
of
the
Sig
Network
meeting,
just
a
reminder
for
everyone
as
usual,
that
this
meeting
is
governed
by
the
kubernetes
code
of
conduct,
which
boils
down
to
please
be
nice
to
one
another.
So
please
do
be
nice
to
one
another.
A
B
B
A
A
A
B
B
B
C
B
C
B
B
B
B
B
B
E
B
C
D
B
B
C
B
E
B
Yeah
right,
okay,
so
I
think
that's
it
for
now,
I'll
run
through
the
other
ones
to
see,
if
there's
any
that,
have
making
any
progress
or
need
to
be
moved
out.
This
is
the
time
where
I
remind
people
that,
if
you
have
caps
that
aren't
in
this
dashboard
we're
not
paying
attention
to
them,
or
at
least
I'm.
A
F
And
it's
it's
really
the
main
kind
of
goal
there
is
to
improve
quality
of
service
applications
by
enabling
like
mechanisms
and
Technologies
the
primary
and
for
qers
that
have
traditionally
been
out
of
control
in
kubernetes.
So
like
two
primary
usages
for
this,
that
we
could
enable
immediately
with
this
Gap
is
cache
allocation
and
memory
bandwidth
control
in
Intel.
F
We
have
this
kind
of
Hardware
technology
called
resource
director
technology
for
rdt
and
they
are
similar
in
AMD
and
arm
as
well,
but
it's
kind
of
in
the
hardware
sort
of
class
class
based-
and
we
also
have
implemented
in
the
runtimes
class
based
management
and
configuration
of
the
block,
ioc
group
controller
for
for
managing
throttling
and
prioritization
of
local
disk
IO.
So
this
would
be
the
kind
of
immediate
first
kind
of
customers
for
the
for
the
new
QRS
mechanism.
F
F
It
was
all
has
been
on
the
table
quite
quite
Lonely
Long
in
signaled
already.
Originally
it
was
tagged
for
125
but
then
dropped
because
of
reviewer
bandwidth
limitations
and
same
happened
to
126,
and
we
missed
127
as
well,
and
I'm
really
trying
to
well
get
awareness
for
this
clip
and
people
to
kind
of
plus
one
and
preview
it
if
they're
interested
and
then
yeah
get.
F
We
call
it
well
resource
typing,
Cube,
kubernetes,
so
kind
of
fundamental
new
resource
type
like
Qs
resource,
where
you
will
not
allocate
any
any
numerical
amount
of
something
but
but
just
kind
of
assign
the
class
class
identifier
to
a
container
or
a
pod.
So
the
resource
could
be
yeah
in
this
case
Network,
and
then
you
could
just
assign
this
network
class,
let's
say
fast,
slow
or
something
else
to
containers
and
then
so
it's
not
exclusive
allocation
but
allocation
by
Design.
F
F
So
the
container
runtime
would
initialize
or
or
or
discover
the
qos
resources
and
classes
in
the
available
on
the
system
and
then
in
the
step
number
two.
It
will
or
would
kind
of
inform
you
bullet
about
the
available
us
resources
and
the
classes
and
then
in
step.
Three
cubelet
would
in
turn
update
the
node
status
in
the
API
server.
F
F
It
has
some
requests
in
this
case,
two
requests
for
two
different
qos
resources:
hey
for
a
we
would
request
class
gold
and
of
course
it
is
high
priority
Plus
and
then
scheduler
picks
that
up
and
put
up
and
and
just
does,
the
kind
of
normal
normal
load
filtering
and
to
see
which
which
node
is
able
to
satisfy
the
QRS
resource
requirements.
And
it
says
that
okay,
no
X
it
can
provide
this
Gold
Class
for
a
and
high
priority
class
for
C.
F
And
then
it
schedules
the
pod
to
node
X,
the
kubernet
picks
the
top,
it
picks
the
Pod
up
and
then
in
in
Step.
Seven
then
sends
the
information
to
the
content,
runtime,
that
okay
create
this
port
and
these
containers,
and
with
with
these
QRS
qos
resources
and
classes,
and
then
the
runtime
in
the
last
step,
number
eight
will
actually
enforce.
F
F
So
then,
about
the
network,
us
proof
of
concept,
just
one
slide,
so
we
thought
that,
okay,
how?
How
could
we
or
how
would
would
it
be
possible
to
leverage
this?
This
mechanical
Network
and
we
came
up-
came
up
with
with
a
one
one
solution
with
or
yeah
proof
of
concept
type
of
solution.
We've
had
some
private
discussions
with
some
people
and
they've
been
kind
of
encouraging
that
okay
looks
kind
of
that
it
could
work
out.
F
So
please
present
it
to
seek
Network,
and
that's
that's
what
I'm
now
doing
so
in
this
proof
of
concept,
the
kind
of
extend
the
CNR
config
in
a
sense
to
have
one
con,
one,
one
top
level
of
top
level
field,
so
utilize
and
the
capabilities
mechanism
to
express
qos
resources
or
other
classes
and
and
the
runtime.
Let's
get
gets
the
QRS
available
classes
from
the
CNR
config,
and
it
has
this
in
this
proof
of
concept.
This
qos
field
on
the
on
the
top
level
and
it
can
have
arbitrary
number
of
classes.
F
In
this
example
on
the
right,
we
have
fast
and
slow
and
then
something
else
and
basically
you
can
Define
or
specify
any
arbitrary
or
could
specify
capabilities
there
and
then
the
runtime
in
our
proof
of
concept
we
have
containerd
now
enabled
so
it
it
gets.
The
Network
us
class
that
is
requested.
It
gets
it
from
the
Hublot
at
the
sandbox
creation
time
and
then
just
sees
what
what
capabilities
are
are
set
for
the
class
and
then
passes
those
those
capabilities
to
the
CNR
plugins.
That
kind
of
are.
F
F
F
F
So
that's
how
the
node
looks
like
so
then.
First
simple,
simple:
example
of
a
pod
requesting
some
computers
curious
resources.
So
here
we
have
a
simple,
simple
pod:
doing
really
nothing
but
requesting
like
past
Network
and
then,
which
is
one
container,
that
request
this
cache
Dash
memory,
bandwidth,
plus
gold
and
block
bio
plus
match
priority
and.
F
F
F
F
E
F
F
F
F
E
G
F
A
F
A
Just
wanted
to
kind
of
point
out
the
time,
but
I
have
a
couple
of
questions
so
I'm
personally.
This
is
interesting.
I'm
personally
coming
in
this
late
I'm
like
this,
wasn't
really
on
my
radar
before
so
I,
just
cc'd
myself
on
the
pr-
and
this
is
probably
an
obnoxious
question-
but
I
just
didn't
catch
this
while
looking
anything
over
is
it
do
you
have
other
orgs
that
are
kind
of
interested
in
this
working
with
you
on
it?
Or
was
it
mostly
just
Intel?
So
far,
just
a
question
just
curious,
because
I
didn't
see.
F
F
Give
you
at
the
moment
that,
okay,
that
we
in
the
land-
let's
say
some
other
other
big
player,
are,
are
kind
of
driving
for
this.
But
this
kind
of
for
us
to
be
a
generic
mechanism
and
to
enable
enable
a
lot
of
use
cases
and
they're
yeah
in
the
cafe
released
someone
and
some
more
exotic
possible
future
Endeavor
as
well.
A
F
And
yeah,
and
one
one
yeah
of
course
comment.
So
they
of
course,
can
needn't
be
kind
of
any
like
fast
normal
slow
type
of
it
could
be
like
red
blue
type
of.
If
you
have
different
kind
of
well
you're,
not
a
network
better
than
being
me,
but
but
kind
of
have
have
a
fast,
fast
backbone,
Network
for
storage
and
then
like
not
that
fast
for
for
services,
and
then
you
could
kind
of
like
select.
Okay,
now
I
want
red
red
type
of
network
and
then
trying
to
schedule.
F
B
F
B
This
is
the
the
biggest
the
biggest
problem.
I
have
and
Marcus
I'm,
not
ignoring
you
on
slacker
I'm,
just
super
busy
I'm,
ignoring
everybody,
the
I'm
not
ignoring
you
in
particular,
but
the
problem
that
I
see
here
is
we
have
three
now
caps
in
Flight
that
are
all
roughly
describing
overlapping
areas
right.
This
is
a
explicitly
qualitative
API,
not
a
quantitative
API.
You
can't
request
one
gigabyte,
a
gigabit
of
network
traffic.
B
Gold
or
purple
or
triangle
right,
yeah
and
there's
the
multi-network
cap,
which
is
about
indicating
the
need
for
explicit
network
connections
right
I,
need
connectivity
to
this
exact
Network
and
there's
the
dynamic
resources
API,
which
is
about
connecting
to
specific
arbitrary
resources.
We
just
had
a
conversation
this
morning
about
trying
to
bring
those
ladder.
Two
in
line
I
had
not
been
thinking
about
this
one
as
part
of
the
multi-network
space,
but
now
that
you
bring
it
up,
I
can
see
the
potential
for
overlap,
and
so
we
need
to
figure
that
out.
B
My
biggest
fear
here.
I
love
this
idea
by
the
way
and
and
as
a
qualitative
metric
I've,
definitely
heard
customers
over
and
over
and
over
again
asking
for
Priority
Access
to
networking.
So
I
I,
like
the
the
idea,
I'm
just
super
concerned
that
we're
throwing
three
huge
things
at
the
scheduling
subsystem
all
at
the
same
time,.
H
Well,
Tim,
you
mentioned
what
it's
theoretical
possible
to
bring
cuadier
and
this
multi-network
cap
together
yeah.
So
hopefully
it
will
be
like
one
thing:
it
was
the
scheduler
and
it's
already
like
implemented
problem
for
this
one
like
according
to
what
Marcus
tried
it's
it's
not
that
big
impact
of
a
scheduler,
because
it's
like
we're
countable
resources
and
the
same
like
no
status
part
so
should
be
not
problematic.
B
H
Pos
for
like
for
this
kind
of
network
setup,
is
it's
more
for,
like
more
formal
parameter,
passing
to
to
exist
in
setup
or
existing
like
think
like
black
maltos,
it
might
be
more
helpful
rather
than
annotations
and
and
for
this
multi-network
interfaces
with
explicitly
a
requesting
the
interface
yeah.
We
had
also
in
our
plans
to
talk
with
Sig
Network
multi-network
folks.
Unfortunately,
we
missed
two
millions
yesterday
but
Antonio
who
directed
us
what
we
will
talk
to
him
anyway
and
foreign.
B
A
Yep
sounds
like
we're:
we
are
running
low
on
time.
It
sounds
like
the
next
follow-up
here
is
to
kind
of
connect
the
dots
between
these
three
kepts
Marcus.
Thank
you
for
bringing
this
up.
This
was
a
great
presentation.
I'm
also
I
also
think
it's
really
cool,
but
a
little
bit
more
of
coordination,
I
think
sounds
like
is
what
we
need
to
do
next,
to
keep
you
moving
forward
all
right,
so
that
is
pull
enhancements.
Number
3004
if
you're
interested,
that's
the
pr
please
join.
In
the
conversation
there.
G
G
It'll
be
good
to
know
like
hey.
This
isn't
a
valid
type
anymore.
Don't
include
that
in
the
Upstream
test
performance
test
and,
alternatively,
for
me
in
the
kinita
sense
like
how
do
I
as
a
person
writing
or
targeting
kubernetes,
as
like
the
platform
for
these
higher
level,
crds
that
we
have
how
do
I
program,
the
dnf
that
way
I
can
program
gateways
to
point
to
these
services
that
are
I
would
consider
manage
only
solely
by
key
native
and
not
end
users.
So
that's
sort
of
like
I
hope
to
summarize
the
discussion.
G
B
B
But
by
going
through
the
proxy
you've
now
enabled
access
to
something
that
you
shouldn't
have
enabled
access
to,
and
that
was
the
big
cve.
That's
why
we
shut
down
or
tried
to
shut
down
all
the
external
name,
support
like
people,
you
shouldn't
you
shouldn't
be
doing
that
external
name
is
just
a
way
to
get
around
that.
B
It's.
Why
Ingress
doesn't
have
a
namespace
field
on
the
service,
and
it's
why
reference
Grant
exists
in
the
Gateway
API
right?
So
the
the
question
then,
is
a:
is
this
a
legitimate?
Is
there
a
legitimate
use
case
for
wanting
a
to
be
able
to
export
an
endpoint
that
is
in
B
and
sounds
like
K
native
has
a
use
case
for
that,
and
then
what?
G
Yeah
and
I
can
highlight
key
native's
use
case
for
those
on
the
call
we
do
a
bunch
of
fancy
stuff,
like
L7
traffic
manipulation
like
splitting
and
rollouts,
and
things
like
that,
and
we
also
want
it
to
be
done
within
the
cluster
like
for
potentially
like
one
key
native
I'll,
just
call
it
application
in
namespace
a
wants
to
call
a
community
of
application
in
namespace
b,
but
they
there
might
be
traffic
splitting.
So
what
do
we
do
there?
G
B
I
G
I
I,
don't
care
if
this
takes
like
two
years
or
whatever,
because
I
know
in
the
meantime,
I
can
I
can
like
shim
in,
like
one
services
like
cluster
ID
into
the
other's
end.
Point
right,
like
that,
like
I,
have
a
workaround
which
isn't
ideal,
but
we
already
have
to
do
that
for
Contour
because
they
completely
turned
off
external
name
support
like
istio
chugging,
along
which
is
great,
so
I'd
rather
yeah
like
like
to
your
point.
G
B
And
I
think
the
problem
here
is
that
I
mean
I
I,
agree
with
Rob
that
that
seems
like
a
likely
outcome,
but
there's
a
chain
of
questions
that
we
need
to
answer
before
we
can
get
there
like
the
service.
Ip
stuff
is
still
sort
of
under
discussion
about
there's
a
I,
don't
know
who
we're
talking
about
today,
but
there's
a
big
open
issue
of
how
it
overlaps
with
the
pod
cider
allocations
and
literally
I
use.
B
The
word
overlap
on
purpose,
because
that's
sort
of
the
core
of
the
problem,
like
I,
don't
know
that
we
can
really
decide
on
what
we're
going
to
do
with
DNS
resource
until
we
have
a
clearer
picture
of
what
we're
doing
with
this
service.
Ip
allocation
and
I
desperately
want
service,
IP
gateways
right.
Rob
knows
this.
I
never
shut
up
about
it,
but
yeah
I
I,
like
in
the
in
the
thread
we
discussed,
maybe
there's
an
alias
kind
of
service
and
that's
a
way
to
use
reference.
B
Grant
I,
don't
really
know
how
that
would
work.
I
just
was
spitballing.
You
know
I'm
I'm.
What
I'd
like
is
to
encourage
is,
let's
think
about
some
creative
answers.
Instead
of
just
trying
to
shoehorn
in
the
things
that
we
know
don't
work
but
paint
off
the
corner
cases
right
if
we
can
find
a
different
way
of
representing
it,
if
we
can
get
to
the
core
problem
statement,
how
do
I
denote
that
something
is
safe
and
something
else
is
not.
A
G
G
If
this
label
exists
on
these
services
with
external
name,
then
we
know
we
can
trust
this
I
don't
know
if
and
then
I
could
be
like,
for
example,
a
an
operator.
You
can
create
a
web
hook
that
prevents
that
service
with
those
labels
and
generic
and
generic
name
spaces,
but
it
allows
it
in
some
places
or
I
assume.
Also
the
weapon
can
look
at
the
role
of
the
user,
potentially.
E
I
Remember,
who
else
mentioned
it,
but
you
know
reference
Grant,
as
it
gets
into
cigar,
and
moves
more
and
more
to
authorization
is
also
a
possible
solution
here.
But
I
I
don't
know
but
I
you
know
any
any
kind
of
label
or
something
that
it
feels
like
is
is
not.
It
is
really
just
kind
of
a
hack
or
a
workaround
yeah.
G
I
I
A
A
I
Yeah
I
mean
just
this.
This
is
a
huge
set
of
projects
here,
so
it
you
know
there
is
lots
of
opportunity
to
help
out.
If
this
is
something
you
want
to
see,
succeed,
we're
going
to
need
some
help,
so
there's
a
series
of
things
that
we
want
to
get
in
here,
including
a
custom
authorizer.
So
again,
just
this.
This
is
really
just.
This
will
happen
eventually,
but
it
would
happen
sooner
if
we
had
more
people
to
help
so
yeah.
B
Careful
what
you
ask
for
yeah
I
mean
I
I'm,
watching
it
trying
not
to
get
super
involved
because
I
don't
think
I
have
anything
unique
to
offer.
But
what
I'm?
Seeing
really
is
the
you
know
kubernetes
as
a
project
is
maturing
in
regards
to
permissions
and
security.
You
know
still
this
feels
like
a
you
opened
a
can
of
worms.
B
That
is
actually
much
a
lot
more
worms
in
there
than
you
thought
and
we
are
now
entering
a
space
where
yeah
we
really
do
need
this,
but
what
we
need
is
sort
of
an
order
of
magnitude
more
sophisticated
than
what
we
needed
for
Gateway,
which
is
great
it's.
You
know
unfortunate
that
it
will
slow
things
down,
but
I
think
it's
great,
that
the
the
larger
off
folks
are
now
looking
at
it.
Yeah.
A
Interesting
metaphor,
I
would
have
not
gone
for
can
of
worms.
I
would
have
been
like
box
full
of
cats,
but
you
had
no
idea
the
cats
were
in
there.
It's
like
this
is
going
to
get
very,
very
interesting
and
just
the
the
sheer
the
future
of
potentially
having
apis,
where
it's
like
I
do
this.
It
can
get
an
entity
and
like
provide
it
with.
Our
back
is
enormous,
so
yeah
definitely
jump
in
into
the
conversation.
A
I
Yeah
I
think
so
yeah.
You
know,
there's
gonna
be
a
lot
of
work
in
the
next.
You
know
we're
getting
into
the
next
cap
and
enhancement
cycle
and
that's
going
to
be
where
a
lot
of
this
discussion
has
to
happen.
I
think
we've
agreed
on
a
general
plan
and
so
I'm
hoping
we
can
get
the
cap
finalized
this
this
cycle,
but
there's
a
lot
of
work
that
kept
will
require
yeah.