Description
Join Andrew Sullivan, Chris Short, and the occasional special guest for an hour designed specifically to help the OpenShift admins out there. Come with your questions, leave with solutions.
A
Good morning, good afternoon, good evening, and welcome to another episode of the OpenShift Administrator Office Hours. I am Chris Short, executive producer of this thing we call OpenShift TV, also a technical marketing manager like the one and only Andrew Sullivan here with me. Andrew, please introduce yourself to the audience. Let us know what we're talking about today.
B
Yes, sir. Well, hello, everyone. I am, as Chris mentioned, Andrew Sullivan, also a technical marketing manager with Cloud Platforms business unit, and this is the Administrator Office Hour. So the office hour is a weekly show. It happens Wednesdays at 11 a.m. Eastern time, where we open up and are available to you for any and all questions, right. This is very much meant to be an ask-me-anything style of session.
B
We do our best, right, we do our best. So we do, of course, as a result of that, depend heavily on you all, on our audience, on the people who are out there listening to us now.
B
Feel free, no matter what is coming out of our mouths or being shown on the screen, to ask your questions regarding kind of anything and everything, right. You don't have to be asking about what we're talking about at the moment, and nor do you need to wait. It's your turn, because.
B
Yeah, exactly. So, that being said, we do try to have a topic here that we can chat about between Chris and I in, in the absence of you all or while you're pondering your questions or typing them up, as the case may be. Yes, so today there's a couple of things, actually, I want to talk about.
B
I know, Chris, you and I, as we were preparing for the show, I mentioned the, the technical thing that I want to talk about today is, is networking, you know, I'm, I'm always, and by networking I mean there's a couple of different aspects. I've got a list of questions that I came up with off the top of my head that I see pretty commonly asked, but today is also mid-December, right. It's, it's the 16th. We are quickly approaching the holiday season. Yes.
B
You're, you're in Michigan. That's, that's expected. I know one of our, one of our teammates, Mark, he's, he's up there in the area that's expecting like 18 inches of snow with this, this current.
C
A
B
Luck with that. But where I was going with that is, so it's funny that, you know, I'm a vendor now, right, so I, I work on the vendor side, right. We, we work with our customers, right. We help them to understand things and work through things, but for a long time I was a customer, right. I was an administrator, an architect, and the holidays were not what they are now to me, right. Now it's, it's nice because, you know, I, I take a couple of weeks of PTO.
B
And for, I remember for four years running, that was when we had, like, every single day was a set of outages in order to do, you know, maintenance and life cycling and, and my, my favorite one was when I first became a storage administrator. We had a NetApp FAS 8030, I think it was. Nice. And when we had specced out the system, it was, it was four controllers, two HA pairs.
B
A
B
And when they had done this, basically they had matched that, maxed out each channel so that we couldn't just dynamically add it in. We had to take the whole thing down to be able to add in cards. So, you know, we're talking, you know, many terabytes of storage at the time. You know, this was, gosh, it was 2009, 2010. So.
B
B
B
Then, yeah, it turned into a 24-hour complete site outage where basically none of us got any sleep, none of us, yeah, it was, it was all so that we could go in and we had to pull, you know, each chassis, add in, I think, two cards, two fiber cards, you know, into the back of the chassis and run like half a dozen, you know, cables. On, on our part, right, our, the work that we needed to do, all of that triggered, this was like 15 minutes' worth of effort.
B
B
B
Changed, right, it was still new and all this other stuff, so we were at. You know, of course, one of the questions we asked him is, you know, what does DevOps mean? What does it look like? How does that translate into helping the operations team, the developer teams? And his, his answer was one that still sticks with me as a result of those holiday, you know, maintenance windows, which is: DevOps returns the humanity to IT, right. You stop getting called, well, hopefully you stop getting called in the middle of the night.
B
You stop having to work weekends to manage, you know, your maintenance windows and your outages, you stop having to work holidays and all that other stuff. It's, things have certainly come a long way, I think, we as an IT industry. You know, our applications have evolved and are helping to make that happen.
B
B
Yeah, the collaborative to the core, yep. You know, so it's funny in that, you know, I still have conversations with folks today of, you know, if you've interacted with Red Hat in the last five years, you have probably heard about containers, and if you didn't hear about containers, you're hearing about containers, and then, if you weren't hearing about containers from containers, you were hearing about Kubernetes and containers, right. We spent a lot of time talking about Kubernetes and containers and OpenShift and modern applications, cloud native and all that other stuff.
B
But reality is, you know, the vast majority of applications are still in VMs, right, they're still traditional monolithic, they're still, you know, the way that we've been doing things for 15-plus years, and it's not going, gonna change overnight. So I, I, I'm, all of this, you know, all of this wind-up, all of this.
B
For me to say I, I, I sympathize, I empathize, yeah, and while we all enjoy the holidays, you know, don't forget about your sysadmins, because there, there's a good chance that many of them are going to be working hard over the holidays. To.
A
Yeah, very, very hard. One of the coolest things that ever happened was, I was working one of those holidays and everybody decided, everybody that wasn't working decided to bring in like food or like drink or something, and it was just like, we literally had a table in our break room that was like 10 feet long or something, it was just full of food. It was like, wow, this is awesome.
B
Yeah, that reminds me, I was in the military and we were, we were working, it was either Thanksgiving or Christmas, doing a night shift, so 6 p.m. to 6 a.m. Yeah. I think there was 12 of us on watch and we ended up with four turkeys and two, all of the senior leadership basically was like, oh, you know, these guys are working hard on a holiday, we should, we should treat them, but none of them apparently talk to each other. So.
B
All right, so enough of me running my mouth and rambling about and reminiscing about the days of old. So networking was the subject that I wanted to talk about today, and this is something that, you know, if you look back at some of the, the admin hour, right, the OpenShift admin hour shows, if you look back at some of the ad hoc shows that I've done or Christian has done, or we've done together, or restraint. We've.
B
B
There's always different things that are, you know, how it's configured and what's available and how the services all interact with each other, and then there's, you know, add on the complexity of, you know, well, we, we want to deploy our OpenShift this way. We need this type of resilience or we need this or we need that, and it's complex and that's okay.
B
So we want to, and I tried to bring this up as a somewhat not frequent topic, but as a reoccurring topic, just to help answer some of those questions, right, and refresh folks' memory, because we also get quite a few new people, right, coming over to OpenShift and, and learning how all this stuff works.
B
B
Yeah, and I, I'll also add that networking is, you know, when I, when I was on the ops side, I did virtualization and I did storage, but I had to rely on somebody else for networking, right, and that seems very common. It seems like a lot of, you know, ops folks do, they don't do networking, or their networking is the only thing that they do and they do, don't do other things, right. So.
C
B
One, now I, I hope that, and I believe that many of our, many of us have a decent understanding of networks, but it's not quite the same as having that external dependency. So it's also one of the most common times, the other one being storage, of course, it's one of the most frequent times where we encounter, well, my, my admin, my organization, you know, whoever, they only do it this way, they'll only let me do it this way, right, type of thing, and, you know, oftentimes, and, and I'm, you know, I have those issues too.
B
B
Hey, hey, there's no wading in, it's right into the deep end here, yeah! So DHCP is, you know, it's something that basically everybody uses at their house.
B
A
B
B
Make sure that port security is, you know, allows the new MAC address, and then it just DHCPs and done. But in the data center, DHCP is still, I wouldn't say it's rare, but it is not common, right, and most often this is attributed to the security team.
B
Right, let's, you know, the security team, for whatever reason, has trepidations about things.
B
Can plug into the data center network, and it's, to some degree I get it. You know, especially.
B
C
B
Plug in, but it doesn't take a physical connection these days, right, I.
B
Up a virtual machine, and, you know, I can have that up and running, I can spin up a container for that matter and have things up and running, and it's a very different world. So I, I understand the trepidation. I don't always agree with it, and it's something that, you know, we, we can and should work to understand both sides of that coin, and if a compromise can't be reached, which is ideally something like a controlled DHCP rollout, maybe that's static DHCP.
B
B
What, exactly. And that brings me to the, the second question, which is, or question 1, 1.5, which is: can I convert my DHCP nodes to static IPs? And the answer there is technically yes, right, you could go in and use something like a machine config or the NMState operator, right, there's a couple of different ways that you could go in and do that. One.
B
You would want to make sure that the IPs don't change, right, so there you're just taking the DHCP-assigned IP and assigning it as static. But two, you probably don't want to do this, and the reason for that is because it's more complex and more time-consuming and more brittle to do that, right. Boot the node, give it a DHCP address. Now I gotta go in, now I got to create a machine config for that node. Now I got to assign it to that node.
B
Now I got to do all these other things, right, and then what happens if I need to scale the cluster? What happens if that node goes down, right? If I, if I have to destroy it and recreate it, right, there's all of these other things that, if you need static IPs, just start with static IPs. And, you know, especially with the modern deployments, so things like vSphere UPI, you know, I can assign those IPs through, or, or provide the configuration for those IPs without ever having to go to the console, right.
B
And now, that being said, if you, if you want to use static IPs with IPI, you, you can't, you can't have a subset of nodes that are statically configured, right. Basically, all machine config pools, all machine sets need to be DHCP. Yeah, so DHCP can optionally be used with UPI.
B
You know, it kind of behaves exactly as you'd expect. Note that you can use machine sets with UPI. So I, I know vSphere supports this. I'm pretty sure RHV supports it. I'm almost positive that OpenStack supports it. Bare metal or physical does not. There is no physical UPI right now, but essentially what that means is I deploy a UPI cluster, user-provisioned infrastructure, administrator-provisioned infrastructure, cluster.
B
So why would I do this? Why is this important? So one, with IPI and on-prem IPI, we use an internal, right, load balancer and some other services that may or may not meet the requirements of your organization, in particular things like router sharding, right. All of the ingress traffic goes into one router instance. So if you ever need to exceed the capability of that, it would be a bad fit.
B
B
You know, and then I want to have worker nodes also spread across cluster one, cluster two and cluster three. With IPI, they're all in the same cluster. You don't have a choice. So you can deploy UPI cluster and then, after the fact, you can add in machine sets where you can do that node auto scaling, you can do the, the, you know, dynamic configuration, or excuse me, creation and destruction of those nodes.
B
Unless you're doing machine sets to do dynamic node management, in which case you need DHCP. And then what we, the docs, call bare metal, but not bare metal IPI, which I, I try to refer to as the non-integrated installation methods, right, is really much like UPI: your choice, right, you can do DHCP or static IP assignment.
A
B
So, most of the time it comes down to, like, with DH, using DHCP, you're not using DHCP, not using DHCP, so a lot of times it's just the, I want to automate, you know, the deployment of my cluster. I want to automate, you know, all of these things as much as I possibly can. You know, why is there not an API, or why is there not a way for me to feed that information into my, my nodes, right? Which, with some installation methods, vSphere being one of them, you basically can, right.
B
If I have automation that is deploying the OVA, I attach that VM property, and that has the ip=, you know, line in it, right, and it's up and running. If you're doing physical servers, though, right, there is no way for us to pass that information into them. So usually the stumbling block is that automation piece. You know, I want to be able to automate the deployment, the creation, the management of the clusters, and with static IPs.
B
Yeah, so I, I will extend the DHCP and say that you should also have DHCP doing dynamic DNS updates, right, so effectively, because the nodes will send their host name with the DHCP request, right. So when the DHCP server, it will respond back with its IP address, then the host responds back with its ack, and then the DHCP server will update DNS with that host name and IP, right, forward and reverse lookup.
B
I, I have heard, but have not personally validated, that with IPI, the on-prem IPI solutions, you don't need to have the dynamic DNS updates, but I've also heard of some folks having issues with that.
B
So the background there is, with on-prem IPI we deploy a load balancer service which is keepalived and HAProxy based, and then we also deploy a multicast DNS service, right. All of the nodes, that's what they use to do their node-to-node hostname lookups.
B
So, theoretically, it's not necessary. In practice, I have heard mixed results at best, so having, having a, having DHCP do the dynamic DNS updates is the best solution. Christian, I can technically add a static host to an IPI install. Yes, as far as I know.
B
C
B
B
There, so, let's see, blah blah blah, so let's talk a little bit about, so while we're on the subject of DNS, and I'm pretty sure, Christian, this is why Christian started chiming in, he.
B
So, while we're on the topic of DNS, so what DNS entries are required? So let me do something here: let's share our screen.
B
Them and beginning, yeah. I was reminded of a funny story the other day of a guy who, I think was a Home Depot, they called the bomb squad because some guy walked into the bathroom and was like, I'm going to blow this place up, and he was talking about using the bathroom, and the other patrons misinterpreted that.
B
A
B
B
So let's, let's pick on vSphere here. So DNS entries that are required, so this is going to be different based off if you're doing IPI or UPI, and effectively the bare metal or non-integrated is going to be the same, but we can visit that as well. So let's look at installing a cluster on vSphere.
B
This is just the generic, right, the, the very basic, I'm going to accept all the defaults of installing IPI to VMware, and if we scroll down through here, one thing to note while I'm on the page here, this is confusingly worded: you don't, we don't require NSX-T here, it's just, if you're using NSX-T, make sure it's one of these versions, right, or later. Excuse me. All right. So let's scroll down here to our networking requirements, so you can see we have.
B
So that's all that we need to do, or all that we need to manually create in the external DNS system, right. The nodes don't necessarily need to have external lookups. As Frank pointed out, right, it's, it should work, but again, your, your mileage may vary. So I don't want to promise that it will work. Where those are helpful are if you are trying to connect into the nodes.
B
So, for example, if you want to connect to, right, you expose a node port or something for your application or, bad practice, right, SSH into the node, and you want to use the node name for that, you would want it available in external DNS. So, and yes, I kind of mumbled there, bad practice to SSH.
A
No, debug is awesome, and JP Dade is just kidding about his question, so, but the question was, for folks that missed it: how about nested networking, NSX-T with OpenShift SDN on top of it?
B
That's, that's actually a good question. That is not one that we haven't heard a number of times. So there's two ways to look at it. So one is, you're more than likely going to be fine if you, you know, layer the SDNs, so if I'm using NSX-T for VM-to-VM communication and then OpenShift SDN or OVN-Kubernetes on top of that. So where it potentially becomes an issue is at the edge cases around things like latency and throughput, especially throughput, right, so the higher I'm driving my throughput.
B
You know, if I'm approaching multi-gigabit type of throughputs to my, or between nodes, right, crossing the double SDN, that's where it can start to encounter issues. So the other aspect is: if you do have issues, your network guys will hate you, and I say that because it's double encapsulation, so you.
B
Two sets of packets, if not three sets of packets, because there's still a physical layer underneath, right, in order to try and figure out what's going on, so it can make troubleshooting dramatically more nightmare.
B
So yes, so VMware NSX is fully supported as an SDN, right. You can drop in and fully replace the OpenShift SDN with NSX-T in that, in that respect, so, and I think just be conscious of the compatibility versions, right, so NCP version 3.0.2 works with OpenShift 4.5, and NCP 3.1 works with 4.5 and 4.6, I believe. Nice. So, DNS records for IPI.
B
B
B
Yeah, I, I, I started to suggest a reorganization of the docs and it quickly got out of hand, to make them a little easier to read. Yeah, oh boy. So I finally got down here, table six, required DNS records. You'll notice that this is a much longer table, right. We, we have our api and we have our *.apps, but you'll notice that there's a couple of other records. So this api-int is also inside of there, but note that that only needs to be accessible, right.
B
It says over here it only needs to be accessible from the other Kubernetes nodes. It should not be publicly accessible, right, there's a very good reason for that. So anybody unauthenticated can hit that api-int machine config port and pull down what is effectively the Ignition config for your machine config pools. So you do want to protect that API endpoint and limit access to that to only the appropriate nodes. So down here, we also have our, right.
B
A
So yeah, Ronoslav asked: is it possible to do UPI with self-hosted load balancing for API, keepalived, like IPI has? And Christian's comment is, not possible now, but it's something we're looking into, kind of thing.
B
Yeah, thank you, Christian. Yes, so it is not possible nor supported today to do that, although it is something that they are looking at. Inversely, they are also looking at making the IPI load balancing stuff more flexible as well, so where we first expect to see that surfaced up is going to be with the assisted installer.
B
So today, if you do the assisted installer with IPI, right, it's basically a standard IPI. What they expect to be able to do is configure, right, hey, I want IPI, but I want to use this external load balancer, right, don't deploy the internal one, or I want to use, right, these other services for those types of things. So yeah, unfortunately, there is no, no internal load balancer for UPI. That being said, I'll also take a moment to give Christian appropriate kudos for the helper nodes. So, yes, hang.
A
No, I don't have one of those yet. Notice I said yet, because I said to my wife earlier this, this month, one of these would be incredibly helpful.
B
B
A
What are those ones that the musicians use, the.
B
B
Hacking it to do that. Oh, that'd be interesting. Anyways, so yeah, so the helper node: if you don't have a load balancer, right, if you don't have a physical or virtual, you know, Citrix, F5, whatever you want to use, Christian created the helper node, which is a set of automation to deploy those services, including, you can granularly, like, hey, I've already got DNS and DHCP, just turn those off, you know, and then utilize the HAProxy config that's in there.
B
I use it in my lab. You know, I deploy I don't know how many clusters a week, a month inside of there, and the helper node is extremely helpful. And yeah, helper node v2 is in alpha, so everything is containerized on, I think, or RHEL. I don't know what it is now. I forget which one, yeah.
B
A
B
B
So the other thing, so, and the only reason why I keep up with this, or I'm aware of this, is because they asked me to review this, so inside of here they added, and I'm going to scroll up here to the TOC and see if there's a direct link.
B
B
So it's been a few weeks now, or a couple of shows, I showed doing this here on the admin hour. We can see if we can dig up the link to that at some point, but yeah. So I showed how to do this before, it was only loosely documented in the release notes. So we've got not that fixed now, and you can see that. Awesome. Note that you don't need to use govc or govc.
B
C
B
Show it, but you can go directly into the VM, you know, through the vCenter GUI and set the correct VM property inside of there. You don't need to do through govc or through PowerShell or PowerCLI or anything like.
C
B
So the other thing, it's, I don't know that it is completely supported yet, but you can attach the, the bootstrap Ignition config file in the same way, as a virtual machine property instead of as a vApp property, right. So vApp properties are limited in size.
B
The virtual machine properties are, they are, but they aren't. Basically, VMware says that they are, but they, we don't know how big they can actually be. Just be aware that.
A
B
B
Are looking at how to, you know, they're, they're adding the testing and the validation to be able to fully support doing that without the vApp property. I think, no promises, because, you know, road map, and I'm, I'm also not, you think so, yeah. That, that will actually make it easier to, to do some automation, right, because I can now add that directly to the VM as opposed to having to go through that vApp property nonsense. So I think that's a net good thing.
B
So if you have any concerns about somebody accessing your data store and being able to access those VMX files, if you're concerned about sensitive data being in, you know, that's, that Ignition file, even, you know, yes, it's base64 encoded, whatever that means from a security perspective, but it would be accessible in that manner, right. All right, so DNS, pretty straightforward, you know, for IPI you only need the two DNS entries for ingress and for apps, or excuse me, ingress and apps are the same, ingress and API. API, yeah. For UPI.
B
You need a bunch more. So, in addition to those two, you need the api-int internal, as well as entries for each one of the nodes in your cluster. Note that, as of OpenShift 4.4, you no longer need the pointer records and the SRV records for etcd.
B
Thank you. So yeah, that came when we moved to using the etcd cluster operator to instantiate the cluster, and we can talk more about that some other time.
B
B
A
B
Yeah, it's, SRV records, despite being, I mean, they're not uncommon, they're used fairly frequently, it seems like most people aren't familiar with creating them and stuff like that. They're often created automatically.
B
B
So the two reasons, or the two main reasons that I'm aware of, are: one, a very Red Hat reason, which is community. OpenShift SDN is only used by OpenShift, and the community around it is therefore only OpenShift. So SD, excuse me, OVN-Kubernetes, on the other hand, is used by a much, much larger community, both in and out of Red Hat, right. So, for example, OVN is used by OpenStack. It is used by Red Hat Virtualization, right, is used by many other projects out in the community as well.
B
A
B
Christian's our, he, he's our execution team, we'll put it that way, right.
B
Yes, Windows containers, Christian, and I know that he probably is already, I don't, I see at least one mention of Windows containers in there. Yeah, so those are the two SDNs from Red Hat. However, they're not the only SDNs available.
A
A
Will only have one account, the admin account. Okay, there you go, there's that. And then next question: I'm still running a 3.11 cluster with the subnet plug-in to provide project-based egress types. Is it possible with 4.5 or higher, or must I change the default SDN plugin again?
B
I don't know the answer to that off the top of my head, so egress IPs are possible. Whether or not there is a plug-in that can assign those dynamically, I don't know. Going back to our, let me, a moment ago. Christian actually is the one who has the most experience with the egress IPs on our side. So Christian, I hate to keep leaning on you when I, when I know that this.
B
Show, yeah. So, oh, while Chris is reaching out to Christian, I'll, I'll finish my thought around SDNs. So SDN as well as CSI plugins are not listed in our documentation. We rely on our partners. That being said, there's a couple of different places where you can find some additional information, so one of those is the marketplace.
B
So if I go to, simply, marketplace.redhat.com, and we make it larger, thank you. So if we look inside of here, there's a couple of different product categories in here, including networking and.
B
So this is one place where you can go, right, where you can get some additional information around available plugins, available capabilities from a network perspective. So, for example, here's traffic from a load balancer that you can deploy into the cluster. So none of these are SDNs, however, so I also believe we can go to catalog.redhat.com.
B
And we look at our certified software, and in particular we go to the certified operators page here, we will find kind of the list of all of the certified operators that are available from inside of OpenShift, and again we'll find a number of different things that are interesting here. So you see I've already got the networking tag checked on here, so F5, Citrix ADCs, right, NGINX.
B
B
C
B
Ultimately, you know, like, you haven't seen any mention of Calico, right, of Tigera, right. Right, but if I do a Calico open, OpenShift, right, if I just do a simple duck search of this, right, there's a number of things that come up, not the least of which is a blog post from earlier this year, right, or excuse me, a webinar from earlier this year, showing the integration between the two companies, right, and Calico, Tigera is, is a fully certified, fully supported plugin for OpenShift, right. Here's the link.
B
I was looking for, right, install an OpenShift cluster with Calico, there you go. So a lot of times it comes down to, you know, I, I want to use this SDN vendor, is that, is that supported by OpenShift? And our response is, well, please ask the SDN vendor, right. Just as many times, however, we get asked, what are my SDN options? And, you know, it's, we don't have a good list of that, so hopefully, and if.
B
So yeah, thank you, whoever posted that on YouTube.
A
B
Yeah, so it depends on the SDN, right, so for something like Calico that is using, you know, layer three, it is going to assign them. Let me rephrase that: most frequently it's going to be the CNI that is assigning them. You can connect a pod directly to an external network, right. It could get a DHCP.
B
Public DHCP server, but most often it is going to come from the CNI. So what does that actually mean? So with OpenShift SDN, which I will admit is the one that I am most familiar with, essentially it uses a subset of the IPs assigned to your network address. All right. So let's start at the beginning there.
B
So this install config, and let me make this just a one or two lines longer, so this install config here has, let me move it up as well, this networking section here. So this is providing information into the installer about what subnets, what networks I want you to use, and there's some important information here. So the first one is the machine network CIDR.
B
So this is the subnet that the nodes are expected to receive an IP address on. So if my node has one network adapter, right, it's expected to receive an IP address, either statically or dynamically, that is on this network. If it has two network adapters or three or five or 50 network adapters, there should be at least one that gets an IP address on this network.
B
Why is that important? It will choose which network interface to set up things like the SDN based off of that value. It is also really, really important, arguably the most important, if you're using a cluster-wide proxy. So the cluster-wide, if you're using a cluster-wide proxy, it will automatically set this network to be not proxied.
B
So we see a lot of issues with folks who are doing proxies and they don't configure this machine network CIDR and they end up, you know, the cluster's trying to proxy to get back to itself, which of course doesn't work. And note that if you're doing IPI, on-prem IPI, it doesn't ask you for this information.
B
It defaults to 10.0/16, and unless you go in and correct it, right, it won't use the correct one. The only time that you would notice that, because if it has a network adapter that isn't on this, right, basically no network adapter falls under this machine network CIDR, it basically chooses the first one, is if you're using a proxy. There's a couple of other features as well.
B
B
It is going to assign a /23 out of this range to that host, and then that host will use that block, that /23, to assign IP addresses to each container as it comes up, right, and that is how the IP address gets assigned, or that is where it is assigned from. So remember, with OpenShift SDN we're effectively using iptables with masquerade, so we're doing that to access those pods on that cluster, and it's all handled inside of that node. Nice. So the last one that we have here is the service network.
B
So anytime you create a service inside of the cluster, it will get an IP address assigned from this particular range. So, generally speaking, you want to make sure that these are not externally addressable IP ranges, right. So if your, if your enterprise network is using 10.128/14 or some subnet thereof somewhere publicly, you would want to avoid that network. Yeah.
B
It will probably work. You might encounter some quirks depending on a couple of things, but you would definitely want to make sure that these two are not. I feel like the quirks.
B
B
So hopefully that helps to answer your question. Effectively, it is going to depend on the CNI. If we're talking OpenShift SDN, it is controlled by, it is controlled by OpenShift SDN itself, which uses iptables to do the assignment.
B
You can create custom CNIs, right, so you could use, like, the, so let's switch back over here, which one of these is my documentation? Here we go. So if we search for, and I'm trying to think of the term that I want.
B
I want to say that, in, you can essentially create additional CNIs, because, and with the other CNIs you can use policies for things like mac, what, I'm trying to think of the name of him. It's mac-something.
A
B
A
A
Yeah, I mean, it's the way forward, right, for a lot of people in the .NET world. Please consider moving that way very quickly, because I feel like Microsoft is going to push harder and harder as the years go on. .NET Core is also cross-platform, so, right, so you'll be kind of.
B
A
B
B
Very, very nice. Okay, so SDNs, kind of the core stuff. We're down to only just a couple of minutes left.
B
Yeah, so, so really the last thing that I want to touch on, and it's a pretty big topic that has a really terrible answer, and that is: how do I choose an SDN? And it really comes down to, well, what are your, what are your requirements? If you don't know, then basically go with the default, right? That's, that's what it comes down to, in my opinion. If you have specific things that you want to do, right, then take that feature list and compare it to what the vendors offer. So let's look at Calico.
B
So if we go to the Calico home page here, right, and we look at, you know, they have all of this, why use Calico, right? Well, they have all of these capabilities, all these features, right, so putting pods directly onto the, onto the external network. You know, everything is layer three based, there's no encapsulation, right, which helps reduce complexity.
B
You know, and I, Calico is the one I'm second most familiar with, which is why I can talk a little bit about them. You know, their security policies, right, all of these things. It's effectively, do I need these? If yes, then okay, you know, go from there.
B
If you don't know, if you don't need those things, then, much to JP Dade, who said, you know, use, apply the KISS principle, which is, you know, the, the simplest and the most robustly tested is often going to be the safest. And I say robustly tested because with OpenShift we test every single release thoroughly using both OpenShift SDN as well as SDN, or OVN-Kubernetes.
A
There's a question here: does memory management in .NET work well with containers, no issues like what the JVM had? I.
B
A
Answer to that one, let's assume there's not that bad of an issue.
B
Yeah, I'm not terribly familiar with that. That's a, that's a Langdon question from a developer perspective. I don't think so. I would, I, well, let me rephrase that: I would expect it to behave exactly the same. So if .NET is, you know, managing the heap, it is doing trash collection, et cetera, or garbage collection, et cetera. You can tell I'm not a developer.
B
I would expect it to behave the same across all of those platforms. However, that is a gigantic assumption based off of at best anecdotal experience, so I, I would definitely recommend, and, and if you would like to, please reach out to me via social media or email, so practicalAndrew on Twitter or andrew.sullivan@redhat.com.
B
If you'd like to reach out to me, we can connect over with Langdon and get that question answered, or you can watch the Level Up Hour. So the Level Up Hour happens Wednesdays.
A
A
B
Please do. Memory profile proliferated, that sounds terrifying from a security perspective.
A
Yeah, yeah, yeah, so yeah, let's, let's get some email going there, please, Tanoa, and we'll get your question and figure it out. All right, folks, coming up here in a few seconds, we've got the OpenShift Commons Briefing with ProphetStor, and we'll be switching over to that here in just a few seconds. So thank you all for watching and stay tuned for another stream.