►
From YouTube: Episode 14: Istio Debugging
Description
Join Yuval Kohavi in our next Hoot Live Episode! We will discuss how to go about debugging Istio, using tools and and techniques to quickly detect problems and find the source of issues.
About us https://www.solo.io
Questions? https://slack.solo.io
Code Samples: https://github.com/solo-io/hoot
Suggest a topic to cover here: https://github.com/solo-io/hoot/issues/new?title=episode+suggestion:
A
All
right
welcome
everybody
to
another
episode
of
hoot
today,
we'll
be
talking
about
debugging
ezio.
We
do.
These
hoots
shows
live
streams
every
year
around
every
two
weeks,
and
now
it's
some
conferences
a
little
bit
less
and
we
try
to
keep
this
interactive
I'll,
be
talking
and
feel
free,
I'll,
be
watching
the
chat
and
feel
free
to
talk
and
kind
of
ask
questions
throughout.
A
You
can
also
say
hi
introduce
yourself
and
we
try
to
keep
it
technical
so
doing
these
deep
dives
today,
we're
gonna
be
talking
about
debugging
izio
and
by
the
way,
if
everybody
can
hear
or
see
me.
Okay,
just
let
me
know
in
the
chat,
so
I
know
that
the
audio
is
coming
out.
Okay,.
A
And
let's
get
right
to
it,
so
I
prepared
some
slides
and,
as
always,
will
be
some
demos
and,
let's
start
with
the
site,
so
first
thing
in
order
to
debug
something
you
gotta
kind
of
understand
it
right
so
to
find
the
cause
of
a
problem
in
its
or
any
other
system.
For
that
matter,
we
need
to
kind
of
understand
the
system.
A
So
the
first
thing
we're
gonna
do
is
gonna
overview
kind
of
the
general
high
level
of
how
ezio
and
envoy
operate
in
this
context
and
then
we're
gonna
go
over
a
few
tips
and
tricks.
I
have
a
it's
your
setup
on
kind.
You
can
probably
hear
the
laptop
fan
roaring
from
all
the
containers
running
on
it
and
we're
gonna.
Do
some
live
demonstrations
of
how
this
all
works?
A
A
You
have
a
bunch
more
authorization
policies,
icod
formerly
known
as
pilot
watches,
all
the
crds
and
have
you
know
the
internal
state
of
the
crds
in
memory,
and
it
translate
that
to
an
xds
snapshot
that
anwa
understands
right
and
android
connects
to
pilot
using
xds
and
gets
these
configuration
updates
right.
So
you
got
to
remember
that
anvo
is
not
kubernetes
aware
and
it's
not
seo
aware.
A
So
the
main
job
of
vcod
is
take
this
user
level
configuration
watch.
It
make
sure
it's
always
in
sync:
translate
it
to
an
xds
configuration
that
I'm
going
to
understand
and
stream
it
to
envoy
using
the
xds
right
and
rem.
The
reason
I'm
saying
this,
because
once
you
understand
the
process,
you
understand
where
errors
can
happen.
So,
for
example,
in
the
translation,
it
could
be
that
you
have
a
problem
in
the
translation
right.
A
A
So
it's
important
to
understand
how
these
things
work
in
order
to
understand
where
the
problems
can
be
now.
The
other
path
of
the
of
the
data
flow
is
the
data
plane
right.
So
information
initio
is
we
all
probably
know
each
pod
has
a
sidecar
proxy.
It's
your
proxy.
You
can
see
it
in
izio
and
it's
a
android
inside
it.
A
So
again,
it
depends
on
what
problem
you
have
you
you'll
take
different
approaches,
but
it's
it's
good
to
keep
in
mind
those
points
where
the
service
mesh
interacts
with
the
user
and
interacts
with
data.
So
you
know
where,
where
problems
can
be
all
right
so
generally
stuff,
I've
seen
initial
that
I
need
to
debug
it's
some.
A
It's
I've
seen
in
in
this
category,
so
in
invalid
control,
plane
configuration
right,
you
create
configuration,
objects,
initial,
they
can
interact
with
each
other,
sometimes
explicitly
and
sometimes
implicitly,
and
you
can
actually
create
a
configuration
that
each
object
on
its
own
is
valid,
but
together
as
a
snapshot,
it's
not
valid.
So
that's
an
example.
A
You
can
have
invalid
configuration
on
the
data
plane,
so
that's
a
very
easy
to
achieve
with
an
envoy
filter
right.
You
create
an
analyte
filler
and
give
a
bad
filter
configuration,
and
we
will
reject
this
configuration
as
invalid
right
and
the
key
here
that
the
the
control
plane
has
no
way
of
knowing
ahead
of
time
that
this
configuration
is
invalid,
because
only
envoy
knows
that,
and
the
other
thing
I've
seen
is
that
you
have
unexpected
interactions
right.
So
a
lot
of
people
are
surprised
to
see
that
in
envoy
routes
are
not
automatically
sorted
right.
A
So
if
you
have
a
route,
they're
essentially
processed
linearly
one
by
one.
So
if
you
have
a
route
that
catches
a
perfect
slash
and
a
route
that
catches
perfect,
slash
foo,
then
that
second
round
will
never
hit
because-
and
we
will
always
go
to
the
first
round
right
if
you
have
a
more
generic
route
matcher
that
is
first
on
the
route
list,
it
will
always
catch
so
envoy
just
matches
the
routes
as
as
they
appear
on
the
list
right.
A
So
that's
kind
of
something
that
can
be
unexpected
to
people
that
they
don't
understand
the
behavior.
Therefore
they
apply
configuration
and
things
don't
work
the
way
they
think
all
right.
One
more
thing
I
want
to
say
when
we
debug
the
control
plane
logic
kind
of
like
that
first
slide,
I
showed
you
can
pay
attention
to
each
d
logs
android
can
send
knacks
on
bad
configuration.
They
also
appear
in
the
a2d
logs
and
we
have
a
stat
we'll
we'll
review
that
when
we
get
to
the
live
live
stuff.
A
Then
you
want
to
be
able
to
essentially
kind
of
see
the
configuration
as
it
is
in
the
proxy
right.
You
don't
want
to
see
a
configuration,
that's
kind
of
a.
Let
me
rephrase
this.
So
if
you
remember
the
first
diagram,
you
have
it's
your
aggregating
virtual
services
and
producing
android
configs
the
android
configure
gives
you
essentially
the
result
of
that.
A
A
A
A
A
A
And
you
can
see
that
I
have
all
the
booking
for
pods
and
you
can
see
that
this
two
out
of
two
is
important
because
usually
put
a
booking
for
has
one
container,
but
when
it's
injected
it
has
two
containers.
So
we
have
two
out
of
two
containers
ready,
which
is
great
now,
if
you
have
something
going
wrong
with
ezio
like
I
said,
the
first
thing
I
would
usually
do
is
you
can
use
the
ito
ctl
analyze
command.
So
it's
a
added
a
bunch
of
great
diagnostic
to
the
it's,
your
ctl
command.
A
So
when
you
do
it's
your
ctl
analyze,
you
can
see
that
I
have
here.
Bed
configuration
right.
I
am
referencing
a
subset,
a
subset
that
is
not
defined
in
the
destination
rule
right,
and
I
I
did
that
on
purpose.
Obviously,
so
you
can
see
that
if
I
get
a
virtual
service
you
and-
and
let
me
know,
if
you're
not
seeing
the
the
text
of
the
terminal
big
enough,
I
also
heard
that
sometimes
can
be
an
issue.
A
There's
no
destination
rule
that
contains
this
subset
right,
so
inizio
whenever
you
create
a
destination
whenever
your
destination
is
a
subset,
you
have
to
define
a
destination
rule
that
defines
what
is
that
subset
right
and
internally,
and
it's
you
this
translates
to
another,
a
cluster
configuration
so
basically
to
fix
this.
All
I
need
to
do
is
apply
the
destination
rules,
and
now
I
have
destination
rules.
Wonderful,
so
let's
just
take
a
quick
look
at
one
of
them
and
you
can
see
that
this
destination
rules
define
the
subsets
right.
A
So
I
have
your
name
v1,
and
this
is
the
name
of
the
subset
that
I
just
referred
from
the
virtual
service.
But
because
I
didn't
have
the
destination
rule,
it
didn't
exist
and
it's
you
didn't
know
what
to
do
right
and
you
see
the
subset
is
defined
to
be
the
labels
of
version
one,
and
this
is
pretty
much
the
the
vanilla
co
example
destination
rules.
I
just
wanted
to
see
wanted
to
demonstrate
what
happens
when
you
apply
them
out
of
order.
A
So
now,
when
we
do
it
to
analyze,
everything
looks
good
all
right
and
again,
if
there's
any
question,
I'm
looking
at
the
chat
feel
free
to
monitor
them.
Another
thing
that
a
is
a
nice
with
a
recent
version
of
it,
so
they
added
a
kind
of
like
how
envoy
has
an
unread
page.
They
added
something
similar
to
pilot.
A
A
9876,
you
can
see
that
it's
your
control,
z
interface
and
you
can
change
log
levels.
You
can
look
at
various
metrics
if
you're
trying
to
understand
what's
going
on,
for
example,
with
resource
translation
that
might
be
a
good
place
to
start
by
incrementing,
the
the
it's
your
log
level
and
saying
why
my?
What
might
be
the
cause
all
right
and
let's
see,
if
there's
any
questions
so
far,
so
good,
all
right.
Let's
move
on
one
sec,
let's
kill
this
coop
city
and
we
don't
need
it
anymore.
A
And
let's
open
coop
cdl
to
the
android
admin
page,
so
every
eco
every
envoy
is
configured
to
have
the
envoy
admin
page
and
we
covered
it
in
in
past
episode.
I'll
do
a
short
recap
now:
andre
has
an
advantage
that
allows
you
to
gather
debug
information
on
envoy
itself
right,
so
it's
in
every
itzy
injected
pod,
it's
available
in
port
15000.
So
now
this
will
essentially
forward
traffic
to
port
15
000.
A
And
then,
if
we
go
there,
surprise
it's
not
in
my
history
from
all
the
times,
I'm
using
it,
you
will
get
to
the
anvoy
admin
page,
and
here
you
can
get
a
good
information,
that's
related
to
what's
going
on
with
envoy
right.
So
if
we
look
at
the
config
dump,
for
example-
and
this
is
the
raw
config
dump-
it
coco
is
also
a
utility
for
that
which
I'll
show
in
a
second.
A
A
A
A
A
So
it's
a
has
compacted
the
ico
there.
They
allow
you
to
get
a
kind
of
a
short
version
of
this
config
dump.
So
you
can
here
we
go.
You
can
do
a
few
things.
So,
for
example,
you
can
do
it
cctl
proxy
config
clusters
to
get
the
android
clusters
over
certain
deployment
or
pod
right
same
for
listeners
and
routes,
so
I'll
show
listeners
next
right.
It's
your
cdl
proxy
config
listeners
and
you
can
see
one
sec
here
we
go.
You
can
see
the
virtual
listener
in
port
15006
that
transparently
proxies
the
pod
right.
A
So
everything
kind
of
goes
through
here
before
it
makes
it
to
the
pod
and
that
listener
captures
the
raw
traffic
all
right
and,
of
course,
there's
also
a
proxy
config
route,
one
sec.
Here
we
go
and
it's
similar
idea
right
now.
It's
your
proxy
config
essentially
helps
you
parse
this
config
dump,
because
it's
pretty
huge.
So
if
you
have
hclctl
near
you,
you
can
use
proxyconfig
to
make
it
easier
to
understand,
and
if
not,
you
can
just
go
to
the
admin
page
and
see
the
config
damp.
I
figure.
A
Why
does
an
acl
person
can
figure
out
show
disappear
out
because
th?
This
is,
I'm
not
sure
what
you
mean
by
tcp
ra.
The
problem
with
tcp
is
that
there's
no
request
concept
right,
so
there's
no
really
routes
to
talk
about
in
anway
rds
only
applies
in
the
context
of
http,
because
you
know
when
here,
for
example,
you
match
the
requests
that
start
with
slash,
there's
no
matching
of
a
request
in
tcp
right,
there's,
no
request,
it's
just
streams
of
bytes.
A
For
yeah
for
routes
to
happen,
you
need
a
notion
of
a
protocol,
an
application
level
protocol
with
requests
and
responses,
and
tcp
is
just
a
stream
of
bytes
now.
Another
thing
that
you
might
want
to
understand
envoy
has
something
called
bootstrap
configuration
that
defines
the
initial.
A
You
know
how
to
connect
to
the
control
plane
and
all
that
stuff
and
some
metadata
the
arm
will
sends
to
the
control
plane.
If
you
want
to
look
at
that,
it's
your
ctl
can
also
help
you
this
proxy
config,
a
bootstrap.
A
It
will
spew
out
the
bootstrap
config
and,
in
addition,
if
you
want
to
do
that
and
I'll
show
the
alternative
without
it's
just
like
into
the
itzyoproxypod
and
cat,
the
bootstrap
config,
that's
essentially
in
this
location
right.
So
this
will
return
the
same
thing
all
right
so
far,
so
good
any
questions.
A
All
right
another
important
thing
to
keep
in
mind
with
envoy
and
hco.
You
want
to
make
sure
that
if
you
remember
the
first
slide,
you
have
a
a
translation
loop
that
tastes
crds,
convert
them
to
an
xds
snapshot
and
envoy
watches
that
snapshot
and
syncs
on
it
right.
So
you
want
to
make
sure
that
envoy
is
in
sync
with
what
pylo
gives
it
right.
You
want
to
make
sure
that
nothing
interferes
with
that,
and
now
that
can
happen
for
few
reasons
could
be
loss
of
connectivity.
A
A
One
thing
you
get
an
error
and
it's
trying
to
test
the
ls
ingress
key
with
self
send
certificates
and
requirement
for
that
envoy
is
not
doesn't
really
care
that
much
about
certificates.
It
really
depends
how
ezio
configures
it.
If
you
define
envoy
with
a
verification
context,
it
will
try
to
verify
the
cert
now
certificates.
A
Basically,
there
can
be
a
few
places
where
this
can
go
wrong
right.
If
we're
talking
about
certificates,
when
a
request
comes
into
an
ingress,
you
got
to
make
sure
that
the
verification,
if
the
verification
context
is
set,
you
need
to
make
sure
that
everything
is
signed
properly.
If
you're,
I
assume
you
mean
that
you're
doing
empty
less
and
the
other
thing
is
some
some
certificates
that
kind
of
touch
you
with
the
fields
that
are
in
them.
A
You
got
to
make
sure
that
the
key
usage
is
set
correctly.
You
can
do
key
in
cipherman
that
the
I
think
he,
the
certif,
if
it's
a
certificate
authority,
has
to
have
a
ca
flag
in
it.
So
it
could
be
that
the
certificate
itself
has
an
issue.
So
in
order
to
debug
something
like
that,
I
would
take
your
certificate
and
I
would
take
just
simple,
vanilla
and
voice
static,
android
configuration
and
first
make
sure
that
envo
is
okay
with
that
certificate
on
its
own
without
unrelated
to
its
seo.
A
A
Let's
see
how
we
can
see
that
envoy
is
in
sync
with
the
listeners
right.
So
listeners
is
what
envoy
how
andre
listens
through
traffic
and
clutch
is
how
anway
sends
it
upstream
endpoints.
This
is
essentially
the
endpoints
in
a
cluster
and
routes.
These
are
routes
in
the
http
connection
manager
right.
So
as
long
as
all
these
four
are
synced
you're
good.
A
So
what
if,
for
example,
is
one
of
them
is
not
synced?
It
kind
of
gives
you
a
hint
of
where
the
problem
is
so,
for
example,
if
lds
is
not
synced,
it
might
be
there's
a
knack
because
of
filter
configurations,
because
filters
are
on
the
listener
right,
so
you
can
now
look.
Maybe
an
android
filter
go
wrong.
Something
like
that
right
same.
If
cds
is
not
think
it's
not
sync,
there
might
be
a
cluster
that
anvoyer
rejects
for
some
reason
right
so,
depending
on
which
one
of
these
are
not
sync,
you
can.
A
A
In
our
case,
it
says
that
everything
matches
and
if
it
didn't
match
the
nice
thing
with
its
uc
dl,
it
will
actually
show
you
a
diff
between
the
configuration
provided
by
pilot
by
hcod
and
the
configuration
currently
in
envoy.
So
it's
a
really
powerful
tool,
and
it
can
it
can
help
you
pinpoint
on
what
object
is
triggering
the
problem.
A
We
have
another
question
from
the
chat.
How
does
ezio
use
a
kubernetes
service
to
create
an
n-way
cluster?
Yes,
that's
a
great
question.
So,
in
fact
let
me
instead
of
talking,
let
me
show
you
kgs,
so
these
are
all
the
the
services
that
are
in
kubernetes
right
now
now
the
main
difference
between
a
kubernetes
service.
A
Well,
I
wouldn't
say
the
main
difference,
but
one
of
the
more
important
differences
between
a
kubernetes
service
and
an
android
cluster.
The
kubernetes
service
can
have
more
than
one
port,
but
in
android
cluster
it's
a
single.
You
know
destination.
You
tell
android
route
to
this
cluster.
You
don't
tell
it
route
to
this
cluster
in
this
port
right
so
and
you'll
see
that.
A
Why
is
this
imported
in
a
second
and
how
this
translate
right
so
and
kubernetes
cluster
is
pretty
straightforward
now,
in
addition
to
the
service-
and
let
me
just
focus
on
one
of
this
service,
so
it's
easier
to
demo,
there's
the
endpoints
right,
so
you
can
see
the
cluster
ip
here
for
the
service,
but
if,
instead
of
kjs's
kubernetes
get
services,
if
instead
I
do
kubernetes
get
endpoints,
you
can
see
the
endpoints
object
of
the
service
right
and
one
sec.
I
want
to
make
sure
everything's
good
here.
Yes,
perfect.
A
A
A
So
the
way
this
works
is
that
the
basis
is
that
services
are
translated
to
clusters
and
endpoints
are
translated
to
eds
endpoints
right.
It's
called
the
cluster
load
assignment
in
the
android
language,
and
we
can
see
this
right
here.
So,
for
example,
if
we
go
to
clusters.
A
Here
we
go
so
we
have
here
a
cluster
and
you
can
see
how
it's
your
converted,
the
product
page
service,
into
an
envoy
cluster
right.
So
because
there's
multiple
ports,
the
port,
is
added
to
the
cluster
name
right.
So
we
have
here
the
kubernete.
So
this
is
the
cluster
name.
Right
and
android
doesn't
really
care
what
it
is.
As
long
as
it's
unique
you
have
here
the
cluster,
the
original
kubernetes
service
name.
Since
we
have
destination
rules,
you
have
here
the
subset
name
from
the
destination
rule
right.
A
So
if
you
have
a
destination
rule,
it
can
actually
create
each
subset
in
a
destination.
Rule
is
represented
as
a
different
envoy
cluster
right
and
you
have
here
the
port
and
you
have
your
outbound
to
differentiate
from
inbound
involved
is
going
to
be
the
current
out.
App
and
outbound
will
be
pretty
much
everything
else
right.
So
this
means
that
this
is
going
outside
the
pod
to
a
different
pod
right.
A
So
if
you
define
more
subsets
in
the
destination
rule
for
each
subject,
you're
going
to
have
a
cluster
representing
the
subset
and
if
you
define,
for
example,
outlier
detection
in
a
destination
rule,
they
also
will
will
end
up
in
the
cluster
right.
So
an
android
cluster
is
kind
of
a
combination
of
a
kubernetes
service
and
a
destination
rule
right,
and
there
are
more
ways
to
create
android
clusters
from
ico,
for
example,
with
a
service
entry.
A
But
let's
ignore
that
for
now
now,
as
far
as
endpoints,
you
can
see
them
in
the
cluster's
endpoint
here.
So
if
you
are
seeing,
for
example,
that
you're
routing
to
a
specific
subset,
but
it's
not
going
where
you
think
it's
going,
you
can
see
here
what
endpoints
make
this
subset
all
right.
So
I
hope
that
answers
this
question
er
all
right.
So,
let's
see,
let's
see
where
were
we
moving
on?
We
were
talking
about
thinking.
A
We
were
talking
about
ezio
ctl,
and
we
were
talking
about
how
you
can
see
the
status
of
a
pod
of
a
specific
pod
in
relation
to
what
the
control
plane
gives
it
and
now
the
one
more
thing
I
want
to
say
here
is
that
if
you
look
at
the
android
stats,
you
can
see-
and
I
really
recommend
you
monitor
this-
with
your
monitoring
prometheus
stackdriver,
where
whatever
it
may
be,.
A
Here
we
go,
you
can
see
this
stat.
This
set
is
very
important.
The
update
rejected
stats,
so
you
can
see
there's
one
for
cds
and
one
for
lds,
and
this
means
what
updates
andre
received
from
the
control
plane
that
it
actively
rejected
that
he
had
an
issue
with
on
the
configuration
level
and
rejected
them
right.
So
if
you
see
this
gets
incremented
too
much,
you
know
that
you
have
something
wrong
and
you
know
I
highly
recommend
you
know
setting
an
alert
on
that
stat
to
make
sure
everything's
in
order
all
right.
A
So
this
is
about
how
to
make
sure
that
you
know
envoy
syncs
correctly
to
the
control
plane
any
more
questions.
In
that
regard,
I
think
I'm
about
to
wrap
up.
Oh
one,
more
thing
I
wanted
to
show
is
debug
logs,
but
before
I
go
there,
let
me
know
if
there's
any
question
was
the
explanation
on
how
the
ico
and
kubernetes
services
translate
to
android
clusters.
Was
that
clear
or
any
clarification
needed?
A
Please,
let
me
know,
and
if
you
like,
it
obviously
hit
like
all
right
and
chat.
So
far
looks
quite
that's
so
that's
good!
I
I
guess
it
means
I
did
a
good
job
here.
So,
let's
move
on
one
more
thing
I
want
to
show
is
access,
looks
so
when
I
install
the
ico,
I
actually
let
me
show
you
how
I
installed
it
and
oops.
What
is
this.
A
I
install
it
with
mesh
config
access,
log
file
equals
std
out,
and
that
means
that
envoy
access
logs
goes
into
stdl
now.
Why
is
that
important?
When
I
apply
the
virtual
service
I
added
to
the
details.
I
I
added
a
name
to
the
route.
Now,
if
you
remember,
I
told
you,
routes
are
processed
in
order
and
if
you're
not
sure,
if
your
route
is
hitting
or
not,
this
is
a
technique
to
find
out.
So
you
give
a
name
to
the
route
you
set
up
the
axis
logs
and
then
you
will
generate
some
traffic.
A
So
let's
look
at
the
logs
of
a
pod
that
accesses
the
details,
and
this
is
the
a
product
page
part
right.
So
if
we
look
at
the
itzyoproxy
container
inside
a
product
page,
what
we
will
see-
and
let
me
just
do
a
quick
search
here-
we
go,
you
can
see
a
log
line
for
details
and
the
last
element
of
the
line
is
the
route
name,
and
you
can
see
that
my
details
default
route
and
did
hit
right.
So
this
name
exactly
the
right
name.
A
I
gave
it
in
the
virtual
service,
so
that's
kind
of
a
way
to
know
and
debug.
If,
if
and
when
your
routes
are
hitting-
and
oh
let's
see,
we
have
a
question
that
says
so:
cool
parks
is
not
used.
That's
correct,
not
only
that's
correct.
That's
a
common
problem
right
so
andrew
writes
directly
to
the
pods
no
coup
proxy,
and
that
is
important
to
understand,
because
that
means
that
kubernetes
readiness
probes
are
not
in
effect
right,
so
you
kind
of
have
to
use
android
mechanisms
for
that.
A
For
example,
you
want
to
probably
define
health
checks
and
outlier
detection,
or
I
think
I
think,
if
you
run
it
in
endpoint
size
mode.
This
also
might
help,
but
no
no
guarantees
there.
I
might
not
know
what
I'm
talking
about
here,
but
yes,
yes,
that's,
that's
true!
We're
not
going
through
coup
proxy.
A
The
reason
we're
not
going
through
cool
proxy
is
that
who
proxy
is
a
tcp
level,
a
proxy
right,
and
if
you
want
all
those
http
level,
retries
features
metrics
excess
log.
You
can't
use
cool
proxy
right.
You
have
to
understand
stuff
on
the
http
level
right,
so
if
you
want
to
do
load
balancing
on
a
pair
request
basis,
that's
not
something
that
coolproxy
lets!
You
do
right
when
you
connect
to
cool
proxy,
you
connect
through
a
virtual
ip
of
the
service,
and
it
connects
you
to
a
single
code
throughout
the
connection's
lifetime.
A
So
if
an
endpoint
does
not
pass
health
check
would
be
shouldn't
remove
yes,
yes,
it
should.
It
really
depends
how
the
control
plane
helps
handles
it
right,
because
if
an
endpoint
is
instantly
removed,
it
might
have
consequences
on
basically,
because
everything
is
eventually
consistent.
You
can't
guarantee
that
if
an
endpoint
is
removed
from
the
control
plane
that
the
data
plane
will
observe
it
immediately.
A
I
hope
that
answers
the
question.
Yes,
the
the
answer
is
yes
envoy
will
detect
it
through
the
control
plane
that
an
endpoint
was
removed,
but
it's
not
through
cool
proxy.
So
if
you're
relying
on
cool
proxy
functionality,
you
know
I
mean,
if
you
have
a
readiness
probe
that
or
that
temporarily
makes
it
not
alive
in
coup
proxy.
You
have
to
make
sure
that
this
information
propagates
to
android.
A
If
you
implement
your
own
control
pane,
it's
also
a
problem
you
need
to
solve,
but
yeah
no,
a
coupe
proxy
is
not
not
involved
in
here
all
right
and
one
more
thing
I
wanted
to
do
before
we
wrap-
and
I
hope
that
answer
your
question.
I
know
it's
a
bit
all
over
the
place
here.
So
let
me
know
if
that's
a
good
answer,
if
you
have
a
follow-up,
while
I
prep
the
last
demo
for
the
day
is
showing
some
android
debug
logs.
A
I
guess
the
conclusions
of
this:
is
you
gotta
test
everything
yeah
all
right?
So
first
thing
we
do.
Is
we
turn
on
debug
those,
but
using
the
envoy
admin
page
right?
We
go
to
logging
and
do
level
debug
and
of
course,
I
forgot
x
post
here
we
go.
You
got
to
make
a
post
request
to
mutating
requests
on
the
admin
on
the
android
admin
page.
A
A
A
A
A
All
right
here
we
go
now.
If
I
refresh
get
product
page
making
a
request,
you
can
see
the
requests
flowing
through
android,
so
you
can
see
that
a
product
page
made
a
request
to
reviews.
You
can
see
the
method,
andre
prints
out
the
whole
request,
and
you
can
see
that
it
came
from
product
page
right.
So
if
you
have
a
really
low
level
issue
to
debug,
you
know
you
don't
understand.
Why
is
the
request
misbehaving?
A
A
A
Hey
I
see
for
it's
here,
we
don't
need
the
other
answers.
Beside
of
a
red,
instant,
eleven,
you
gotta
unrelated
to
everything
we
just
said
you
gotta,
be
careful
with
the
liveness
probe,
because
when
a
live,
verse
probes
fails,
I
believe
the
pod
gets
terminated
as
far
as
health
checks.
In
theory.
Yes,
in
practice
there
is
this
eventual
consistency
right,
even
if
you
have
readiness
probes.
A
So
the
problem
is
that,
even
if
you
have
readiness
probe
in
kubernetes,
you
don't
know
when
the
information
will
propagate
to
envoy
right
and
you
can
have
a
bunch
of
failure
scenarios.
Let's
say
it:
cod
crashes,
all
of
a
sudden
and
the
pod
starts
to
go
down.
Let's
say
you
have
a
readiness
port,
a
readiness,
a
probe
that
does
a
health
check
on
the
on
the
pods
health
check
right.
A
It
might
not
propagate
to
envoy
in
time
right
and
in
that
sense,
because
envoy
is
not
aware
of
the
kubernetes
readiness
probes,
you
might
want
to
add
a
second
layer
of
protection
by
enabling
something
like
outlier
detection.
I
hope
I
hope
that
makes
sense
you
basically
in
this
distributed
world.
You
have
this
eventual
consistency
that
there's
nothing
really
you
can
do
to
prevent
it
in
the
end
of
the
day
right
and
when
I
mean
to
say,
android
is
not
aware
of
the
kubernetes
readiness
probe,
usually
use
the
readiness
probe
to
check.
A
You
know
you
check
the
pod's
health.
You
see
that
it's
ready,
you're
ready
to
serve
traffic.
You
flip
the
switch
right
now,
all
good
and
well,
let's
say
the
pod
about
to
start
going
down.
The
readiness
probe
starts
to
fail.
There
is
no
guarantee
that
this
information
will
propagate
to
envoy
on
time
right.
A
A
Maybe
someone
messed
up
the
policy,
the
network
policy
and
there's
no
connection
right.
A
lot
of
things
can
go
wrong
and
that's
what
I
meant
when
I
say
you,
the
readiness
probe
anvi
is
not
aware
of
it
right.
So,
on
a
on
a
healthy
scenario,
it's
all
going
to
work.
Fine,
the
readiness
pro
will
take
the
end
point
from
the
endpoints
object
and
hcl
will
propagate
it
to
envoy,
but
there
could
be
failure
scenarios.
A
A
A
A
A
A
But
but
if
you're
not
talking
all
right,
that's
actually
a
good
point,
I'm
not
sure
if
you
can
configure
active
health
checks
in
ico,
there
is
a
way
to
tell
android
to
fail
health
check
immediately
right,
so
you
can
have
if
you're,
using
the
health
check
active
hashtags
in
android.
You
can
set
a
header
x.
So
I
feel
something
like
this.
Let's
see
if
I
can
find
it
real,
quick.
A
There
is
a
header
you
can
set
in
their
response
to
let
anway
know
to
fail
health
check
immediately
and
not
to
wait
for
the
health
check
to
fail.
You
know
gradually,
and
I
think
this
should
enable
the
header
blah
blah
blah
here
we
go
so
if
you're
you're,
if
you're
using
onway
health
check
and
envoy,
sees
this
header
and
there's
a
configuration
to
also
set
it
on
every
response,
not
just
on
a
health
checker
response,
but
normally,
if
this
is
return,
then
anway
immediately
fails
health
shake.
A
A
A
All
right,
unless
there's
any
more
questions,
I
think
we'll
wrap
up
for
the
day.
I
think
next,
who
scott
will
be
doing
you
can
sign
up,
obviously,
for
our
channel
for
updates
come
to
our
slack
and
talk
with
us.
We
try
to
engage
the
community.
A
If
there's
more
questions,
you
can
feel
free
to
leave
comments
on
the
video
I'll,
try
and
monitor
comments
in
the
last
few
days.
I
watch
them
and
answer
the
examples.
I'll
upload
to
the
github
hoot
go
to
the
github
solo,
ios
shoot.
You
can
find
a
show,
notes
and
code
examples
for
you
know
to
review
later.
A
Also
the
slides
will
be
there
so
feel
free
to
check
out
the
ripple
and
again,
you
know
show
us
you
like
what
we're
doing
hit
like
hit
subscribe,
start
the
repo,
and
we
will
see
you
in
a
couple
of
weeks,
goodbye
everybody.
Thank
you
all
for.