Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / SIG Windows / 8 Dec 2020
Kubernetes / SIG Windows / 8 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kubernetes SIG Windows 20201208

Description

Kubernetes SIG Windows 20201208

A

Hello, everybody and welcome to another sick windows. Meetup it's the 8th of december and as always, this is a recorded conversations pl. So please adhere to the cmc of code of conduct.

A

I am sorry I do not have a school overhead as jay. I actually I think I do have one around, but I need to wear it for when I used to travel up north in the us, uh but jay love the hat.

B

I don't know I it just felt good on my head. It.

A

It it does it just keeps you warm, I you know we have a couple of other folks from the valero team earlier they're like in the like, 10 20 degrees, uh temperature and their fingers are freezing. So, uh let's, uh let's go to our agenda folks. um One thing I want to kind of paul really quickly. um You know this year has been pretty tough for everybody. You know with covet virtual confidences everything that's going on with work and personal lives throughout the world.

A

You know social justice issues, I'm thinking that we probably likely can cancel the last two meetings of the year december. 22Nd and 29th. Is there anybody that has any significant objections to you than that.

A

All right, so we will execute on that. So no sequindos.

A

Meeting on december, there was a date I wrote here- sorry uh 27 29.

A

I will cancel the meetings if you're getting them from your calendar, all right mark new release out 20 h2. Why don't you take us on that?.

C

Yes, so um there's a new windows, server, sack or semi-annual channel release um that came out, I think, in november last month. um I wouldn't have normally raced that as a announcement here, but there is a little bit of confusion um that this has caused. Due to a naming update that I wanted to call out and um just mention to everybody.

C

So previously the sac releases were named like year year month month, so you'd have 1809 and 2004, and um we've decided to rename the sac updates to be um the uh the year year and then the half of the year that it got released in- and this is done largely to avoid some of the confusion around the fact that windows server 2019 is older than when the server 2004, despite the numbers, are newer.

C

um So there's a new naming scheme and that's what it is um and the confusion that this is raised is there have been some uh images for windows, containers that are published to the mcr and other places that are still using the 2009 kind of nomenclature, and I wanted to just uh let everyone aware that those two tags are interchangeable.

C

So if you see some container images that are published with the uh 2004 tag and some that are published with the 2009 tag, you can like chain those together in a build and run them on on the windows. Server, 2000, h2, host.

A

Thank you mark and very likely mark, uh probably the next. I don't know we didn't change uh 1.20, so we still support 2004 in 1.20 right. We didn't change the official docs yeah.

C

We'll um we'll update er, we have some changes in the works to start building, all of the container images that are used by kubernetes um and update those in the 121 vrs yeah, and also, I believe that they're I'm trying to find some public documentation I'll drop that announcement in the sig windows channel too, um when I find it so folks can see that there.

A

Yeah, if you search for 20 h2 there, there's like some of the documentation on microsoft, is basically saying that this is the the two sac releases for this year: 2004 and 20 h2. I like the 20 h2 better than 2004. I was like windows, server, coma version, 2004 yeah, all right. um Let's go to anything else on that mark.

C

uh Nope, if there's any questions, uh feel free to just ping, a segwindows channel, we'll try and get them answered.

A

Excellent uh amber you give us an update on uh privilege, containers.

D

um Yeah, so this is mostly to follow up. On the last time we brought up privileged containers uh to kind of give people an overview from the very beginning. You know we took a different kind of approach where we wanted to use job object, containers um and that allowed us to kind of get access to a lot of different host services or networking and and so on and so forth.

D

uh One of the kind of issues that was brought up later, as we were trying to approach 120, um was the question about different service mesh scenarios where uh originally our proposal was that we were going to go and require every like pods that contain privileged containers to be entirely privileged folks brought up different scenarios in which uh aligning a privileged container with the pod compartment and also then also enabling that privileged container in a pod networking compartment to have net admin access to be able to modify the host so within that same pod um is something that was essential for certain service mesh scenarios.

D

uh We did a different pursuit of investigating this specific um scenario right like aligning with the pod compartment and then, if it's possible for us to get that admin access and from that we delayed from 120 to 121.

D

After a lot of investigation internally, we've decided to scope that out of this initial kind of push that we're going to go through for privileged containers, uh we're not you know, there's some assessment going on. If this is something we could ever bring in being able to align with the pod compartment. But as it stands right now, it would kind of involve a lot more investigation and work on our side and is not kind of in scope for this current approach.

D

So moving forward with 121, we kind of scope down to the for alpha we're going to either um go out with runtime classes or have a kind of pod spec uh update, sort of included in alpha for 121.. um All of this work is kind of already included. It's prepared. We had this prepared for 120, but we did the assessment of this kind of pod compartment alignment at the time and then once we go into alpha in that stage, we are going to.

D

uh You know continue to do investigation on pod compartments, but at least at output. It's going to be scoped here and, and the kind of goal is to make sure that we get at least the basic functionality for privileged containers out in the open for people to be able to use and start being able to to work with.

A

Very cool uh safe to assume that you're on track for review uh and alpha in version 1.21 doing all the things you just mentioned.

D

uh Currently, there's nothing that would block that now, um but you know there's still some, like you know, logistical stuff that we'd have to get so we're completely prepared, but uh we're getting to that stage and going through that process. Now. Luckily, we did a lot of this work or some of the work already in 120 and there's some updates and refinement that we'd have to do to the cap and so on and so forth. um But otherwise I think you know we're we're pretty much on track for that.

A

You'll probably push the cap for review as soon as possible. Yeah like go like I mean. I know the cab review deadline will be sometime in january. I don't know if they've published them, yet they haven't seen an email yet, but once they publish them will probably be sometime in january. We should try to see if we can have the cab ready to roll. Even now in december,.

D

Yeah yeah and that that's kind of our goal right now, so we kind of went to the process of coming to this decision. uh All the work that we're kind of doing for the remainder of anytime, actually be people being available in december, is going to be spent on on getting us prepared for that um and we'll roll into january, uh with, hopefully, every all the ducks in the row. So.

E

Perfect, thank you appreciate it and we would need. uh I think, windows help in once. We have the alpha out. uh We probably want to test the scenarios that we think works and we have validated or like we are propos putting in the proposal, but we want to make sure, because privilege container has a lot of dependency.

E

um I know deep you're thinking about csi proxy there's a lot of other stuff coming, so you want to make sure like what works in alpha, because now we're moving quicker and faster. Like ahead, um we, you know we we can get the feedback earlier as well yeah. So I.

D

Mean I could be waiting to try it out. Definitely yeah.

A

I mean I consider, like you know with every feature. Sometimes you have to think about the killer. App right. uh You know for windows, the killer, arable's office. uh You know that's how windows and office kind of banded, together and kind of dominated a big part of the industry for this scenario, the killer for this uh previous containers, your killer app, is csi proxy. To begin with, I don't know if there's anything around the world of cni. That would be necessary here.

A

That's that's worth exploring, um but you know we need to find a killer, app and kind of push for it and csi proxy seems to be that. So you know we need to band together. For that absolutely.

B

I have a quick question uh amber the so I'm just trying to make sure that we relay what we need to do with sig network. So are you all? Did you all decide that, like we're not gonna block on any api changes.

D

I mean so almost the changes for this particular implementation with the runtime class would only kind of be contained in like our hcs shim layer. Basically um so it doesn't, it doesn't touch too many things in like we can't get it out in a form which, wouldn't I think we wouldn't wouldn't necessarily require too much uh assessment from like thing, networking or so forth, so we're trying to go out with like the lowest friction form in alpha.

D

um I think what we've found, at least in a lot of discussions, is that, like there's a lot of information that you know, people bring up scenarios. People like provide different inputs, um but we're kind of all spinning our wheels trying to like think about how this thing would work uh in reality. I think it'll be a lot easier once we get it out and alpha for people to kind of approach this with something in hand. So um that is the that's the goal right, we're not trying to put too many.

D

We will see if we have a good guess of what api changes or um pod spec changes. We have in mind that we can propose for alpha if people have a huge allergic reaction to whatever we propose. We do have the alternative of runtime classes. Of course, like our team is still looking at, where the best place within the prospect to have it in for alpha is, uh but we do have a couple of options here, and it's mostly like we want to get like our goal is to get this out.

D

uh However, that kind of occurs, if we have more friction or less friction is, is something that we're going to have to look at.

B

Okay, so it sounds like to me: there's a black box solution that for for you all is maybe it's not the best case scenario, but it guarantees a guarantees getting something out there and you're not locked at all on sig network stuff, which is great news right and then.

D

Yeah, well, we can. We can be unblocked, at least for alpha. I think once we consider the graduation from alpha to beta. That's when we're going to have a better like a better understanding of what we want where.

C

Do we want this to.

D

Exist in the pods back right and that's when things you know get real. I guess, um and in that case, like we're kind of you know we're trying to unblock ourselves or you know not stop spinning our wheels and just trying to get to alpha. uh We understand that there is something to assess between alpha and beta and like we're developing a checklist for this. We have like our in-between checklist, at least in our own minds, and some of that includes. Like okay.

D

You know: we've made a decision on certain networking scenarios, um such as the one regarding the service mesh scenarios or aligning to a pod compartment. We've decided to rule this out, which is the way that I think networking was leaning towards anyway, at least at this time, but just making sure we kind of have alignment there just to do the meeting. Cadences and like you know, we're we're now in the holiday season trying to get to january to get us rolling into 121.

D

uh we're just trying to kind of get into a state for alpha um that doesn't necessarily wouldn't like you know, raise too many hairs on people's like back of their necks, and this is.

B

Controlled by sig windows right all the apis, we're changing are owned by sig windows. At this point,.

D

We believe so yeah.

A

No, no, not the pod spec, but the rest of it. Yes,.

C

Well, I think, specifically, one what we're.

A

Kind of.

C

Entertaining and what we're kind of kind of circling around is having a privileged field on the windows security context and not um messing with any of the other pod security policies like postports host network and and that, at this point,.

B

Yeah, so it's totally self-contained, so nobody can stop. Nobody can stop us from doing this right. It's that's kind of what I'm getting at right is that this means there's nothing upstream blocking us, which is always the hardest part right. So that's great yeah.

C

I don't think there's gonna need to be any like, like discussions or contentious arguments about like if host. If the host network policies work the same on windows or not, there won't even be any arguments because it's a sig windows.

B

Controlled thing right period: nobody can okay, great cool, sorry for oversimplifying. I just wanted to make sure I understood it yeah. I think that makes sense.

A

All right, we have a packed agenda. um David dsr update. Please.

F

Yeah sure uh so must inform me that there's some confusions on the dsr load balancing mode. So I.

C

Wanted to give.

F

An.

C

Overview.

F

Again about the two different modes, so can I actually share my screen? That'd be okay.

A

I'm trying to make you a co-host hold on okay. Okay, if I could find you on the list, oh you're, by alias.

A

You're good to go.

F

Okay, great.

F

Can everyone see my screen.

F

Yeah, yes, okay, great uh yeah, so um I actually have a little graphic here so uh for windows and in coop proxy we have two different load balancing modes, one is called dsr and one is called non dsr or well. It really doesn't have a name because it's the default configuration and the original implementation so in uh to give an overview of what the traffic flows look like before we jumping into advantages and disadvantages and the non-dsr flow and the default flow that q proxy uses for service traffic.

F

Any service traffic goes through a host v-neck that was created previously during setup, which acts as a mux and contains all the load balancing rules at the host phoenix so that we select the right back end tip when trying to load balance, traffic for service across back-end pods and as a consequence of the default implementation.

F

This results in the kind of the source part ip being obscured to the ip set in the host phoenix.

F

um So, as you can imagine, is caused to some some surprise to users when they try to monitor packet flows, and then they see incoming traffic is coming in as the host phoenix as opposed to the actual originating pod ip in the dsr flow.

F

That is the new mode where the ip fix ups and all the load balancing rules occur at the pod or at the container v-switch port directly such that the service traffic arrives with the source ip set as the originating pod ip.

F

So users can enable the dsr mode by passing the following flags to coop proxy and there's a few advantages to enabling the dsr mode one is that there's a greatly reduced resource footprint and the consumption of ephemeral ports by by essentially kubernetes.

F

So if you have 100 plus services in your cluster, you should start thinking of transitioning to running to proxy and dsr mode, because in the default implementation you could run out of ephemeral ports on the hosts, which can cause various networking issues and network connectivity failures.

F

The other advantage is that there's a better data path, performance and you know, reduced network latency. Since you don't have to go for the intermediary hop basically here and do all these expensive operations, uh the other advantage is that there's improved transparency of the network traffic flows, so the traffic flow is just simpler. You can see on the right-hand side and it is also recommended for kubernetes network policies.

F

So if you're using you know calico or some solution like that, you should probably run coproxy in dsr mode. Otherwise, um you know the obscuration that happens here can can get uh cause issues when you're trying to apply network policies and you're trying to reach out through a kubernetes service and the ip gets obscured, and also the dsr mode is required for advanced network configurations such as client, ip preservation or destination ip preservation.

F

Now the drawbacks of the dsr is that first, and primarily it is not as well tested as the non-dsr flow that has been there from the get-go from the beginning. So there's actually one active regression here.

F

Basically, the regression is that if you have dsr load balancer policies and you try to delete all the network network resources, all the hms resources on a node, you need to make sure that you clean up the policies before you delete the network belonging, like that's associated with those policies.

F

Any questions on that point. Basically, you have to stop couproxy. Then you have to remove hns policies and then you can remove the network uh previously. Sometimes you know you could just delete the network and the non-dsr for non-dsr policies. That would be fine. It would clean up the policies itself. Everything would be gone, but in the dsr load, balancing policies you have to clean them up. First, before deleting the associated network.

F

Does that make sense.

E

Yeah this makes yeah. This is super helpful, we're talking in chat david. We should probably do a coupon presentation here, but I think there's a lot of confusion. Do you want to cover it on like what works in 2019 with the kubernetes 120? What does it work sure so yeah so.

F

Next, the next thing to consider is, if you're, using dsr mode, there's a special case where, if, if a pod tries to access a service and the service redirects back to the pod itself, you need to add a configuration to your cni. I actually have a link here. It's called loopback dsr and you have to basically set this config inside, like you have to set the setting or this field in your cni config. Otherwise, the traffic will get dropped for this special case.

F

uh So that's that's one thing that has caused some confusion as to why. Why is traffic being dropped? If it's being redirected back to itself, you know usually users try to like spin up one service and it's like redirecting back to itself and they try to demo it and say well. Pod access doesn't really work uh so yeah. This needs to be added um in the dslr.

C

Mode flag in the cube proxy, too correct.

F

This uh well, that's how you enable it originally so yeah you need to pass. This is how.

C

You enable.

F

Dsr mode, if you plan on using this flag, then also make sure you add this into your cni config and.

C

To make sure you're running with at least the windows server, 2019 november, security update or cumulative updates. Yes, yes,.

F

Yes, so yes I'll get to the os there's one.

C

More thing.

F

So these are, if you want to use the advanced features like client, ip preservation, you need to run ndsr mode if you enable client, ip preservation, routing mesh so note to note. Forwarding will also not work. That's the same behavior as on on linux, to my understanding.

F

So, basically what that means is, if you have, uh if, if you have like the the traffic, if the traffic hits a given node, you need to make sure that the pod is running locally on that node, since the traffic will not be forwarded across nodes because the client ip needs to be preserved.

F

So I don't know if we have enough time, I could show maybe a diagram of sorts.

F

I could open paint or something.

F

So if you have two nodes and you enable client ip preservation- and you have let's say you usually have a load- balancer, some external load balancer in the dsr flow- if traffic is coming in.

F

Basically, the note to note forwarding is disabled, so usually you might have you know some pods here and you might have you know no like the traffic could be directed to either node right and what I'm saying is: if traffic gets redirected here, it's not going to forward to this guy because the client ip needs to be preserved. If we did this, then the client ip would need to change.

F

So you need to make sure that you have like your pods running on the target node locally. It will only load balance to this to the into on a per node basis. Basically, it's the same on on linux as well. Does that make sense any questions.

A

Hey david, uh we're almost running out of time here as well, so so a couple of things came up david. uh You should submit a session for this on cubicon independently to talk about networking in windows and advances if, for some reason it doesn't get approved, then we'll probably dedicate either half or then tires in windows. Talk for the next cubicon for you to just do a networking deep dive. Like you know, level, 400, networking.

F

Okay, okay, yeah, okay, then the last thing just really quickly. You need uh kubernetes 1.20 for client, ip preservation, 1.19 just for dsr mode, and you need to make sure you're running windows, server, 2019 and you know, use at least the november patch tuesday update- and this is.

D

Mark.

F

Mark submitted a doc update to reflect that as well. Yeah.

E

So if somebody's running 120 with 2019 uh november patch or 2004, they should have the the client, ip preservation and dsr everything should work for them. If they are configuring, it right right.

F

David yeah, so the dsr mode will work for client ip preservation. There is a there's one thing that is missing there. If you're using external load balancers the health checks seem to not be implemented so.

A

Jeremy.

F

Has a pr up for that? Let me link that in the discussion and some of the tests are still failing there, so it's not been merged.

F

I think next time we meet, we should discuss what we can do to land land that either in a 120 miner release or in 1.21. We will help with that.

A

Thank you sounds good. Hey we'll skip the triage now.

C

If you don't mind, we don't have time for that. Yeah, yeah and.

A

uh Mark who can probably skip the docker stream uh depreciation and I mean, if you guys, don't mind, I.

C

Was going to just mention that there's going to be a discussion in meeting immediately following this meeting to discuss some of the doctorshim deprecation. So, if anybody's interested, uh please join the sig node meeting.

A

Okay, all right um so aravind. Do you mind if we push yours to next week or is this we can do it in one minute.

B

No, we can butcher the next week, no.

A

Don't.

B

Worry at all.

A

Okay- um and we can probably uh talk since the shortest kind of coin, but the shortest item is the no problem. Detector jeremy, give us a quick update.

G

uh Sure so, basically, uh I'm I'm starting to submit their first couple of pr's for it and then I'll be handing it off to um somebody. That'll actually be working on it for the portion of our time, but um just real quick. If anybody has any feedback or anything they want to add to it or if they want to contribute.

G

um You know, please do so. The links are there, so you can, you know, click on them and dig in, and you can also reach out to me, of course, on slack.

A

Sounds good! Thank you all right! Everybody we'll write about out of time next week. Arvin, apologies, you and maz and mark will get your updates here um and uh well. Thank you all and I'll see you all for the last meeting of the year uh next week appreciate it bye. Everybody thanks. Bye thanks.

D

Bye, bye.

C

Thanks.

B

Hi folks.