From YouTube: Kubernetes SIG Network 20170406
Description
Kubernetes SIG Network Meeting April 6th, 2017

B: Yeah, though we did discuss it, but opted not to do it until we had a stronger use case: other namespace plus other pods. It seems like a reasonably obvious intention.

Yes, so I guess the question is: should we try to standardize on namespace selector + pod selector as the mechanism across our API? I mean, obviously I have a bias towards namespace selector, because I think it's a more natural way to express things.

C: Yeah, I mean, I think... I think it's the reason why I hadn't really given a lot of thought to the multi-tenancy issues, and it sounded like people could have some concerns in that thread. But, right, I think it's a reasonable way to standardize on. Okay.

E: I was just wondering if there's actually any definition anywhere of what external and internal... I know that node external IP... I couldn't really find any of it in the API doc, and I did look into what GCE, AWS, OpenStack, etc. seemed to do, and vSphere seems to do something completely opposite. The reason for this was because some of it is trying to stand up OpenShift with vSphere, and it got all kinds of weird node addresses out of it.

E: First, what they do is they actually have an agent inside the guests that scrapes all addresses from all network interfaces inside the guest, things like docker0 and any other virtual interfaces that might be created, as well as the actual interface that gets outside of the guest, and that's problem number one.

E: If you understand what I mean, you know, so as far as I'm aware, internal IP and external IP both mean an address outside of the node itself that the node is addressable on, whereas an external IP is a publicly, an Internet-public address that you can use to get to the node. vSphere is treating internal IP as stuff inside the VM that may or may not actually be accessible from anywhere outside of the node, and then external IP is a selected network that may or may not be public. If I had done that.

E: There, I didn't look inside of, like, kubelet and everywhere else itself to figure out exactly what they were used for. I know what they're used for in OpenShift, and that's why I was getting screwed up, because we're expecting any kind of the addresses where you can actually talk to the node from outside the node. Obviously that was not the case in vSphere, so I mean, I guess what I was wondering about was, you know, is the GCE and AWS definition of these types?

B: But the choice of words here is probably not ideal, but I think that's a separate issue than the fact that vSphere is not doing the same as the other providers, right. I think that, you know, the right thing to do, I guess, would be to document what you described, what internal is and external is, and send either a PR or file an issue against the vSphere folks. Yeah, I did.

G: I'll be very brief, and I can just give a bit of background. That external/internal IP stuff, I assume, came from AWS, which I assume GCE ended up copying... I was the person responsible for those terms in the early days, and it was just because we didn't know what we were doing and each VM got one of each of them, and we went with those names, so there's nothing magical, special or correct about them. It's just the names.

H: Yeah, that was me, and the first item: I just wanted to describe a problem that I'm seeing and see if anybody has any clever ideas on how to solve it or fix it. But what I'm seeing is that there's a hairpin mode that's used when there's a bridge, a virtual bridge, that's used by the network interface, and kubelet is turning on hairpin mode, and this is disrupting IPv6.

H: The problem with IPv6 is that when hairpin mode is on, it reflects everything. It reflects every packet, including the packets used for IPv6 duplicate address detection, so there's neighbor solicitation messages that go out and get reflected back, like 100 microseconds later, and the pod declares those to be duplicate. You know, that fails three times and then you're dead.

E: I guess what I'm trying to get at is: yes, the IPAM for v6 is heavily managed by the orchestration infrastructure, by the network plugin, and you can guarantee that that network management, whatever it is, will not assign duplicates. You might be able to just turn off v6 duplicate address detection through sysctls and ignore the problem. But that said, that might run afoul of IPv6 standards, and it might not work for all cases, especially if you want to do something like the local...

B: We can probably do something like that at the bridge, and we already do some workarounds for this, as before with promiscuous mode; we could probably do something similar. But before we do that, I would really like to understand whether the kernel, all the people who own these drivers, feel like this is correct behavior. Like, it seems to me like it's probably exactly what whoever was just speaking before said: like, it's just never been running that combination of features, and if you presented it to the upstream kernel folks, would they say, "Oh, that's stupid"?

B: To address, I guess, the other half of this: most installations, we suggest, don't run in hairpin mode, because there's some other bugs in the kernel that cause rest helps to get lost with hairpin mode. We instead added this promiscuous bridge mode, which we use, and I think it's the default there, that doesn't have the same hairpin behavior. I wonder if it shows you the same problem you're having here. I did.

H: Yeah, this is just a... I don't want to spend too much time on this, but it was in a review comment whether the configuration for the host-local IPAM should have one IPAM section with both v4 and v6 combined, or a separate IPAM for v4 and an IPAM for v6. If anyone has opinions, they can look at that review.

B: And I saw one other comment from Clayton on one of the first PRs about the bitmasks that we use for allocation for services, a concern when we get to the place where we're doing v6 for services. When we allocate the service IP, we literally keep an uncompressed bitmap in etcd, which is fine, because most service ranges are like a /16 or smaller, and it will probably not be so fine with v6.

H: Right, yeah, so we had some discussions here about whether we should limit the range of the service and node IPs in general. You know, do we limit the subnet that's assigned to a node to a /64 and so on, because it does blow up objects in memory if your ranges are big, as they can be with v6. Yeah.

F: I don't know what kind of planning we're going to do, if the planning doc is being constructed right now, but it would be good to basically, if you have third-party plugins, not one, an owner, or basically just a list that the release manager can essentially ping, or you know, keep in the loop when the release is going. And then, as part of the release for 1.7, we should figure out, you know, what kind of management, test management, we're going to deal with flakes. Oh, I don't know! Oh, you guys.

F: You guys want to move this forward? Like, I, we could volunteer or just start up a document for 1.7, because I think we need to start planning that anyway, right? Okay, well, I think probably move the discussion towards the 1.7 release doc, and so who's going to pick up creating that thing initially? All yours.

E: Well, I was gonna say, we do sort of have it for kubenet, but we don't have any plugins, essentially, that aren't connected straight up to CNI. Probably the next step is to figure out, you know, what kind of plugin, whether it's an existing third-party one or whether it's a dummy plugin, would be used for, essentially, the CNI driver.

A: There was a second issue, I think, where pods were getting started before any CNI config was installed, which came prior to the third-party plugins, and that would have caught that issue. Yeah.

F: It's like there needs to be, introduced into the release process, some, I don't know how you'd call it, like a drop to the third party that kind of then signals that, hey, this release is coming, you guys probably need to figure out what to do to consume it. I don't know. There is no formalized process right now. Someone correct me, there's no... Okay.

B: Also, I, we should pick for all these so that they either run both kubenet and CNI bridge, or that they only run CNI bridge. We need to figure this out. I mean, we all want to get rid of kubenet in the medium term anyway, right? The first of all guesses: who's going to drive that? And it's unlikely we double our test load, I mean, we have one extra test suite. What was the actual... I feel...

E: Like, it probably would want to do both kubenet and CNI bridge, in terms of everything that rich test can be targeted, so...

M: And I'm going to go, yeah, why don't we run another suite within the node e2e, like, because it doesn't require a whole cluster, and then, you know, we already run like eight versions, okay, yeah, and then one version can be with the standard CNI plugin with bridge, and then all the single mode. That's not a terrible idea. Yeah.

M: I added this item, so it's mainly for getting feedback regarding the next steps for kube-proxy. So the near term is to, like, improve and address performance-related problems with the iptables kube-proxy and then get it to, okay, a stable state, and then long term, is that...? Because we get a lot of, like, other alternatives like IPVS and VPS and other implementations of kube-proxy?

E: One thing I noticed the other day was the various interplay between kubelet and kube-proxy in terms of iptables rules. So it might be good to try to separate some of that if you do end up moving host ports into CNI and out of kubelet itself, and we might run into some issues with rule compatibility between the iptables proxy and then...

B: What interplay are you seeing between kube-proxy and kubelet? I believe they...

B: Intentionally, the KUBE-MARK-MASQ and the KUBE-MARK-DROP, Minhan added those because we wanted to use them in both places. We just said, like, let's just make them a utility that kubelet offers: these rules exist, anybody can jump to them, they're part of kubelet, they don't do anything on their own and they're not called on their own, but they're available.

B: Now, if we move host ports to CNI, or when we move host ports to CNI, obviously that's not going to fly because they can't make that same assumption. Right, right on, yeah. I think that's what you are getting at? Okay, okay, I buy that. I was curious: did you find any other places? There shouldn't be any other cross-dependency. I don't...

B: So on the iptables kube-proxy, rather, I've spent some time the last week. I had a couple of patches that were sort of pending that I polished off to get in, to make the rate-limited iptables-restore run, so I've got one PR that's merged today, one PR that's open still that needs to be rebased, and then I will have one more on top of that that will add the rate-limited iptables on.

B: The one with area cape crafting, probably didn't? Okay, I'll go find it, yeah, thanks. And so, Natalie, I think that will remediate one of the big iptables performance issues. I know that Quinton's here and I know that he has a thread going about his IPVS-based implementation. I haven't actually looked at it in great detail yet, but it sounded promising.

B: So I have a question now for the folks who are actively maintaining kube-proxy, which is not me. Do we want to keep extending kube-proxy with new proxy modes, or do we think at some point we want to say, like, you know what, just make a different program that does the IPVS, like just pick on the IPVS one, right? Maybe it should just be a different service configurator. I mean, the name kube-proxy is a misnomer anyway.

F: Yeah, I would like, not really a counterpoint, but it would be ideal, like, kube-proxy has two major pieces. There's one that kind of consumes the kube API and then sort of tells you what the services you want to set up are; then there's another one that uses the system primitives, such as iptables or IPVS, to instantiate those services. It would be good that the first piece is kind of common as much as possible, to avoid sort of, like, reinventing the wheel there, I mean.

B: Urgency-wise, it's not on fire, and adding, you know, if the IPVS one works and it fits as another proxy mode, I don't think that's particularly egregious. But eventually we'll have, like, a VPS implementation, and the DPS implementation is very different as I understand, and, you know, what happens when network vendors want to do entirely different implementations? Do we absorb them into us and put ourselves in between up...

B: ...belong to. So there's already some people who are doing their own thing, right, which is fine. I think in the limit, like, I think that's probably the right thing to do, is to have small, single-purpose configurators that use the particular configuration mode that they want to use. I'm not sure we're there yet, like, we don't really have a notion of a Kubernetes distribution, right? Like, a lot of people still depend on upstream and having everything is...

G: Monitoring, oh yeah, I was just wondering, and I haven't... I don't think I have a strong opinion either way at this point. I was just wondering, I mean, we have to ship the default, could be, whatever the default, you know, whatever we call this thing, which, you know, the de facto, I guess, is kube-proxy configured as using iptables at the moment, and maybe I'm speculating now, but maybe IPVS is, like, strictly better than that.

B: I don't know if there's a way to do whole-IP passthrough in IPVS. I think it wants to listen on a specific port and forward to that specific port, not receive that whole IP. I could be wrong on this because I mostly played with it in masquerade mode, not direct mode, but then beyond that, you could imagine that people only want to accept ports 1000 to 2000 and not pass through anything else. I'm...

B: And my understanding of IPVS is it's very old, established technology that would probably... would not be met well with requests for change. Like, I don't think we could twist the upstream kernel's arms to... all of those. So I mean, I guess we'll never know unless we try, but I hope... IPVS has been around for 15 years, right, so they're... just two years ago switched to... anyway, many possibly.

B: I mean, the truth of the matter is, the only reason I didn't use IPVS for the implementation initially was because I didn't really know it existed until I'd just about finished the iptables version, so I'm familiar. I think I've been on the record... several positions before. Okay, other topics? I have one, if there... if you run out there.

L: I have kept it because I couldn't find an alternative, for, you know, to signal the kube users that a particular network is accessible for me to do something like health checks, or, for that matter, any host bit that wants to talk to the pod needs to know which of the networks it can access. So, ideally, if the network plugin had a way to signal back to kubelet, it could have been ideal, so that they don't have to configure this in the network plugin.

L: But in the absence of that, I don't see any alternative.

L: I don't know that we can rely fully on CNI later, because third parties use another driver as well. So yes, so... but I mean, something again. You, okay... I had it within the logistics, so I did read the development guide, and that says that the API has to be pushed as a separate commit. So does it mean that I should generate two separate PRs, one for the safe alternative, particular...

B: There's a group working on an API process for Kubernetes; the PR for that is, I think, approved but maybe not merged yet. That would lay out, like, a template doc for you to fill in about: what is your API? What are the reasons for it? What are the criteria for moving between alpha and beta? Those sorts of things. I would love to make this be the first thing to consider it. Okay.

B: I explicitly went through all of the local interfaces and made a separate rule for each interface that was not a loopback and not a link-local, and that allows me to avoid overlapping with things like the load balancer IPs that are in use. I didn't have a better answer, and I still don't have a better answer, and I made this comment on the CNI PR for host ports also, but there hasn't really been any chatter on it.

B: It's open by me; you can look at my PRs, I don't have that many open. OK, and it's there. I'm not, like I said, I'm not real happy with it, but I don't have a better way to express it. I'm depressed, and maybe I'm trying to express it wrongly, like, maybe we actually need to think more about whether those semantics actually do overlap, that's the problem. Yeah.

P: As an alternative, I wanted to get some feedback in terms of, what if we do this outside of kubelet, in the form of a wrapper that basically supports multiple CNI plugins simultaneously? That's something that we did as a prototype and we are working on right now, and I wanted to get some time for the next meeting to share that with...

K: Yeah, we don't think we got into what Karen is trying to bring up. So maybe if you want a particular discussion on a particular idea, you might raise it as a separate... I'm still working on catching up. I mean, there's so much chatter that's been on this topic, I don't know! Maybe someone wants to try to write it consolidated, you know, taking everything into account: here's what we currently think. That might make a lot of...