►
From YouTube: TGI Kubernetes Episode 164: Deep Dive into L7 tech for Kubernetes: Contour, Nginx, HAProxy
Description
Join Ricardo Katz, Steve Sloka, and Jay Vyas as we dig into the internals of how Layer 7 is implemented in Kubernetes. Specifically, how Contour, Nginx, and HAProxy route external and internal HTTP/S/TCP/UDP traffic into pods. Also, we'll look at the emerging Gateway APIs.
0:00 - Introduction
3:00 - Week in Review
8:25 - SIG Docs is looking for help!
11:10 - The high level architecture of Ingress
15:40 - Getting Started with Contour
24:40 - Shoutout to Curiefense WAF
28:10 - Coming back to Contour and understanding its architecture
34:00 - Going deeper with complex Ingress Objects
38:30 - Watching what happens in Envoy
57:00 - Trying Gateway API
1:19:30 - About SCTP (going back to L4)
A
B
B
B
B
We
are
gonna,
make
some
deep
dive
into
ingress
layer,
seven
stuff,
and
I
think
this
is
going
to
be
fun
actually,
because
I
am
one
of
the
ingredients.
Maintainers
steve
is
one
of
the
contour
maintainers.
I
have
never
messed
up
with
with
contour,
so
it's
going
to
be
fun
because
I'm
gonna,
I
really
wanna
try
to
deploy
contour
before
trying
to
do
things
that
I
actually
know
right
and
hope
that
if
we
have
time
hey
jay
how.
D
B
I
don't
know
I
don't
know
from
germany,
yeah
cool,
that's
that's
late
in
germany!
So
so
thank
you
for
being
with
us
today
and
then
I
I
hope
that
we
we've
got
some
some
some
time
and
some
to
to
take
a
look
into
gateway
api
as
well,
and
another
layer,
7
stuff
right
so
before
starting.
Let
me
just
make
things
bigger
if
someone
thinks
that
we
need
some,
some
more,
some
more
phones,
some
increasing
the
size.
Just
just
let
me
know
being
ping
j
on
youtube
and
he
can
yell
at
me.
B
A
Yeah
we
were
we
getting
things
networking
fully
functional
in
our,
so
we
have
the
sig
windows
dev
tools
repository.
I
think
I've
announced
it
before
in
tgik
and
it
allows
you
to
spin
up
a
kubernetes
development
environment
from
source,
including
the
windows,
kubler
and
windows
coupe
proxy
and
we've
got
now.
A
We
had
andrea
support,
but
there
was
a
minor
bug
which
was
fixed
by
the
entry
of
folks
and
it's
going
to
be
in
an
upcoming
release
related
to
double
mix,
because
virtualbox
makes
multiple
knicks.
But
then
we
also
had
a
similar
issue
with
calico
and
my
good
friend
ameem
nabin,
just
fixed
that
up
and
actually
has
an
upstream
pr
into
calico
so
that
you
can
run
windows.
So
you
can
run
calico's
agent
on
an
arbitrary
nic
which
is
kind
of
cool
from
an
installation
perspective.
A
B
Jay,
hey
good
evening,
rykel,
the
next
one
I
can.
I
can
tell
a
little
bit
so
increasing
ginx
richie
has
reached
version,
one
zero,
zero,
ga
and
we
are
dropping
right
now.
The
ingress
api
version
with
better
ones.
So
we
are
gonna,
keep
support
for
the
next
six
months
of
the
the
legacy
ingress.
If
some
bug
or
something
like
that
happen,
but
then
we
are
planning
to
drop
support
for
legacy,
ingress
and
gen
x
and
just
keep
version
one
zero
zero.
B
That
now
has
dual
stack
implementation
for
iptables,
so
we've
made
we've
made
an
episode
on
best
about
kaping.
If
you
want
to
take
a
look,
I
guess
was
the
160
1
59,
I
guess,
but
capping
is
an
effort
that
sig
network,
which
we
are
part
actually
started
with
our
friend
mikhail
and
that's
an
effort
that
that
we
we
we
are
getting
to
to
improve
or
evolve
the
q
proxy
implementation.
B
In
kubernetes,
so
instead
of
relying
in
in
the
implementation
from
kubernetes
you
can,
you
can
rely
on
on
just
a
control
plane
and
develop
your
own
data.
Plane,
right
and
and
now
kaping
got
got
support
for
dual
stack
in
ip
tables
back
end.
So
do
you
wanna?
Do
you
wanna
talk
a
bit
about
that
as
well
jay
or
I
just.
B
A
No,
it's
it's
working!
It's
like
you
know.
You
know
you
you.
You
can
pick
from
multiple
different
cni
providers.
We
have
csi
support
through
csi
proxy.
It
supports
container
d.
Now
network
policies
work.
You
know
we,
I
layer,
seven
stuff.
You
know
you
know
I
have
never
tested
on
it,
but
I
I
know
other
people
have
have
used
various
layer,
seven
technology,
obviously
with
it.
So
like
you
know,
those
are
usually
the
things
that
you
would
you'd.
A
A
B
Cool:
hey
hello,
alex
from
from
smoking,
not
not
northern
california,
so
yeah
and
yeah.
So
next
one
is
a
pull
request
that
that
got
into
kubernetes
website
which
improved
the
the
kubernetes
dock
site
generation
generation
time
in
more
than
80
percent.
So
it's
a
cool
pr
for
folks
that
are
not
actually
related
to
goal
coding,
but
with
using
hugo
and
static
site
sites
generation,
and
it's
it's
actually
cool
to
to
try
to
understand
that
just
one
line
improves
so
so
much
the
the
the
website
generation.
B
So
if
you
are
interested
in
documentation,
if
you
are
interested
in
tech
writing,
if
you
are
interested
in
in
in
helping
users
and
and
thinking
actually
that
documentation
is
only
the
one
thing
that
is
allowed
to
to
be
used
in
kubernetes
certification,
please
jump
in
sick
dogs
and
kubernetes
slack
because
they
are
looking
for
for
some
help.
All
right,
hey,
hello,
hello,
rajas
is
here
jay
all
right.
B
So
then
the
last
one
for
the
weekend
review
is
a
medium
that
I've
put
here.
If
someone
want
to
take
a
look,
so,
let's
flashy
from
from
microsoft,
he
wrote
a
bit
about
the
new
gatekeeper
for
those
that
don't
know
what
what
gate
gatekeeper
is.
So
gatekeeper
is
a
a
validation
web
hook
that
you
can
write
rules
in
open
policy
agent
for
for
your
kubernetes
cluster
and
the
gatekeeper
now
supports
mutating
as
well.
So
this
is.
B
This
is
a
a
pretty
common
scenario
when
you
have,
for
example,
an
image
and
you
wanna
you
wanna
change
that
image
for
is,
instead
of
always
using
latest
using
latest
blah
right
or
you
wanna,
take
any
any
of
the
you
wanna
take
any
an
image
which
have
like
run
as
user
root
and
instead
of
just
block
you
wanna
mutate
to
run
as
you
run
as
user
a
thousand
and
one.
So
this
is
what
mutation
web
hooks.
B
They
do
and
that's
a
a
really
interesting
article
about
how
how
to
use
gatekeeper
and
to
do
that
and
a
a
curious
thing
about
that
is
that
gatekeeper
actually
choose
not
to
use
open
policy
agent
for
the
mutations.
So
the
gatekeeper
started
just
to
be
like
an
easier
and
to
make
it
easier
to
to
use
open
policy
agent
in
kubernetes,
but
they
are
not
using
open
policy
agent
for
the
mutation
part.
B
A
Could
we
started
this
because
ricardo
doesn't
have
an
ipad,
so
all
right,
we
started
doing
a
sort
of
like
a
little
high
level
thingy.
So
all
right,
where
does
in
here,
I'm
a
user
and
I'm
accessing
a
pod
and
my
pods
downstream
of
here
over
here?
So
what's
the?
What
happens?
How
do
I
get
through
contour
to
here
like
normally
right?
A
C
B
C
If
you
had,
you
know,
100
applications
you're
going
to
put
100
different
load,
balancers
100
different
node
ports.
You
know
a
lot
of
holes
in
your
cluster,
so
an
ingress
controller
lets
you-
and
this
is
generic.
This
isn't
contour
specific,
but
it
runs
at
the
layer,
seven
of
the
stack
right.
So
you
can
route
application
traffic
right.
So
now
you
can
inspect
the
the
host
name
and
the
path
and
then
take
action
on
that.
C
A
B
C
Yeah
a
couple
of
things
yeah
when
you
want
to
get
traffic
to
you
know
to
your
your
proxy.
In
our
case
it's
envoy
for
contour,
but
there's
you
know,
there's
ways
you
can
route
traffic
to
that
local
instance,
and
that's
that
external
traffic
policy
and
there's
ways
you
can
use
the
the
the
cluster
to
route
across
horizontally
across
different
nodes
and
again
depends
on
where
you
have
your
your
proxies
running
and
how
often
you
have
this
those
configured.
That's
why
we
call
them
examples
in
contour,
because
there's
so
many
ways
you
could.
C
A
A
And
this
is
a
damon
set
right.
Okay,
so
for
those
that
don't
know,
that's
how
you
normally
do.
This
you've
got
a
daemon
set
and
it's
running
on
all
your
nodes,
all
right,
so
all
right
cool.
Can
I
just
so
real
quick.
So
it's
it's
sitting
there.
So
now
what
I'm
an
end
user
over
here
and
what
do
I
do
do
I
do
I
do
I
make
an
external
load
balancer
and
have
that
load
balance
everything
to
contour
or
does
some
do?
I
do
something
else.
C
So
so
contour,
specifically
we
use
envoy
as
our
data
path
component.
So
all
traffic
is
going
to
route
through
envoy,
so
contour
itself
is
essentially
just
a
configuration
server
and
its
job
is
to
send
configuration
to
envoy
so
you're
gonna
run.
All
traffic
through
envoy
on
contour
itself
does
not
route
any
traffic
or
do
any
kind
of
data.
A
B
B
Should
try?
Okay,
cool
okay,
so
just
to
be
clear,
I
I
I
I
never
use
it
on
volume
contour
as
well,
so
I
will
probably
make
something
wrong
but
yeah.
So
I
am
here
on
the
side
and
I
want
to
go
to
the
get
started
so
why
contour
quick
start
yeah?
So
quick
start,
I
like
quick
start
so,
but
I
I
I
don't
have
kind
installed.
I
have
this.
Where
is
my
cluster
here?
I
can
use
it
here.
Let
me
increase
my
screen.
A
C
Yeah,
that's
a
good
starting
place.
So
so
we
give
you
a
couple
ways:
you
can
spin
up
your
cluster
if
you
need
to
they're,
not
by
many,
you
know
by
any
means,
you're
not
required
to
do
it.
Those
way,
they're,
just
you,
know
easy
ways
to
get
started.
If
you
don't
have
anything
but
ricardo,
you
already
have
what
you
said.
Yours
is
a
cube
admin
cluster.
C
A
A
C
C
C
A
B
C
B
C
Yeah,
so
what
you
got
with
that
quick
start
was
envoy
runs
as
a
daemon
set,
so
every
node
in
your
cluster
is
going
to
run
envoy
envoy
scales,
typically
very
well
with
cpu
threads.
So
if
you
ran
like
100
envoys
in
one
node
you're
not
going
to
get
much
better
performance
versus
running
just
one,
so
that's
why
you
get
one
per
node
and
then,
if
you're
running,
host
ports
like
we
are
in
the
example,
this
ensures
that
only
one
pod
is
going
to
have.
You
know
those
ports.
A
C
C
C
A
A
Poor
steve
this
is
like
okay.
Here
we
go
coupe
ctl.
Let
me
see
see,
look
at
this.
I've
never
seen
this
error
before
I've.
Never
seen
this.
It's
like
cube
api
access.
It's
like
a
something
is
happening
when
it's
coming
up
and
it's
trying
to
the
kubelet.
Oh
wait.
No,
this
might
be
a
windows
specific
thing.
C
Contour
cert
yeah,
so
we
so
the
other
thing
is
we.
We
auto-generate
self-signed
certs,
because
contour
and
envoy
don't
run
in
the
same
pod.
They
run
separate
so
to
secure
that
traffic
between
them.
We
create
our
own
self-signed
certs
folks
can
override
those
if
they
want,
but
it
looks
like
that
error
is
that
contours.
Third
error
is
what
you're
getting.
C
A
Hope
it's
not
when
it
could
be
windows
related,
but
it
shouldn't
be
secret.
Oh
I
see
so
so
the
way
so
that
the
problem
is
that
the
cert
isn't
coming.
So
my
problem
was
windows
specific
because
so
because
my
contour
search
gen
tried
to
come
up
on
a
windows,
node
right
and
so
coupe
ctl
delete,
because
I
don't
have
my
windows
nodes
painted.
So
I'm
going
to
delete
my
contour.
C
The
other
thing
that
might
be
it
might
be.
We
recently
just
did
a
patch
to
fix
some
security
things
in
envoy,
and
I
wonder
if
that
might
cause
an
issue
as
well.
So
we
run,
we
run
the
the
envoy
admin
page
as
a
unix
domain
socket
because
there
is
an
exploit
with
external
name
services,
so
folks
use
external
name
services
and
an
ingress
controller.
It
allows
you
to
you,
know
reference
any
dns,
name
and
contour
supported
that,
and
someone
actually
found
an
issue
where,
if
you
made
your
external
name
localhost,
you
could.
C
You
could
do
nasty
things
so
envoy.
Has
this
admin
webpage
built
into
it,
which
lets
you
like
see
its
configuration
like
clusters
and
things
it
also
lets
you
like
you,
know,
quit
envoy
and
shut
it
down
through
that
web
page,
so
it
could
be
so
we
just
we
just
actually
re-engineered
that
so
that
you
can't
get
to
those
now.
So
you
can't
talk
over
the
socket
now
so.
B
We've
got:
we've
got
a
vulnerability
on
on
ingress
in
china
in
best
where
we
we,
we
program,
the
lua
back
ends
with
with
a
socket
as
well
right,
so
we
have
to
to
to
not
rely
on
on
dynamic
reloads
in
genex
saying
actually
the
go
program
sends
sends
the
end
point
to
a
lua,
socket
saying
hey.
When
someone
tries
to
reach
you
it's
to
be
here
and
some
folks,
they
they,
they
could
use
external
external
names
from
services
to
reach
there
right.
B
So
if
we
we've
got
to
disable
that
but
yeah
cool
that
there
is
a
cool
hold
on
jay,
why?
Why
do
you
do
that?
That
there
is
a
cool
discussion
being
happening
in
in
in
the
chat
about
web
application
firewall
and
that
I
I
won't?
I
won't
go
into
the
discussion
of
why
or
like
how
it
it
helps
with
pci
or
something
like
that,
because
I
don't
know-
I
even
don't
know
about
that.
But
there
is
a
cool
project
of
web
application
file,
a
new
one
which
is
called
curia
fence.
B
The
link
to
it
it's
it's
incubating
in
cmcf.
Let
me
let
me
open
here
and
I'm
gonna
put
in
in
in
this
in
the
notes
as
well.
So
this
is.
This
is
a
a
a
a
sandbox
project
which
is
actually
based
in
in
envoy
as
well,
but
that's
that's
our
application
firewall.
So,
oh,
that's!
Sorry!
That's
j!
I'm
gonna
remove
j
screen.
You.
A
B
B
So
so
so
so
we
we
we
get.
We
we
have
this
offense,
which
is
a
cncf
sandbox
project
for
web
application
file
for
distributed
web
application
file,
and
it's
based
on
on
on
envoy
right.
So
that's
a
bunch
of
lua
scripts.
As
far
as
I
remember
that's
based
on
on
invoice.
So
if
you
want
to
take
a
look
folks,
we
we've
been
discussing
about
using
this
in
ingress
and
jynx.
B
I
know
that
it
already
supports
aj
proxy
and
we
can
actually
take
a
look
into
contour
as
well.
If
this
is
something
that
someone
wanna
wanna
take
a
look
right
but
yeah.
This
is
mostly
what
I
I
have
to
to
tell
you
about
about
this.
This
web
application
fire
in
the
discussion,
and
also
I
I
I
I
I
might
be
old
school,
but
I
I
really
like
still
like
mod
security,
how
it,
how
it,
how
it
works.
B
Folks,
yeah,
okay,
so
if,
if
you
want
to
take
a
look
into
the
the
web,
application
file
thing
just
take
a
look
into
into
a
curia
fence.
Okay-
and
I'm
gonna-
put
the
link
for
this
one
on
the
meeting
notes
as
well.
So
folks
we
have
some
some
folks
actually
asking
us
to
go
back
to
the
angry
to
the
ingress
thing.
B
So
let
me
add
this
right
here,
so
I
won't
forget
about
kyrie
offense
and
let's
go
back
to
to
the
contour
stuff.
So
I
I
have
deployed
my.
I
have
the
applied
contour
here
right,
so
I
I
now
I
have
a
kind
cluster.
I
I
have
just
dropped
it
off
my
qbdm
cluster,
because
I
I
have
broken
it
and
I
have
contour
here.
So
what
should
I
do?
Next,
maybe
create
an
ingress
object
and
see
what
happens
inside
it.
C
B
C
Yeah,
you
only
have
one
node,
so
you
only
get
one
envoy,
so
the
name
set
only
runs
once
again.
By
default.
We
run
two
contours.
Each
instance
of
contour
can
serve
traffic
to
any
any
envoy,
but
they'll
do
leader
elections
so
that
only
one
contour
will
actually
write
status
back
to
the
api
server.
So,
in
an
event
that.
B
C
C
That
yeah
so
ingress
class
for
folks,
it's
a
way
to
have
multiple
controllers
run
on
a
cluster,
so
you
can
have
you
know
nginx
and
hd
proxy
and
contour
all
run
on
the
same
cluster
at
the
same
time,
but
separate
them
out
with
this
class,
and
it
just
gives
it
an
id
that
you
can
run
against
ingress.
V1
now
has
that
baked
into
the
into
the
spec
which,
before
we
had
to
use
annotations
cool
some.
C
B
B
C
C
A
C
B
B
C
C
C
B
B
Yeah
yeah,
okay,
cool,
we'll
get
it
so
I
wanna
I
wanna,
I
wanna,
I
wanna
improve
this
ingress
object
and
maybe
add
some
some
more.
Some
more
things
like
this
server
may
expose
be
careful.
Oh
I'm
sharing
my
screen
with
you
with
something
that
that
exposes
sensitive
information.
Thank
you,
folks,
yeah!
So
so
I,
when
I
wanna,
I
wanna,
maybe
add
a
virtual
host
or
something
like
that
and
and
then
start
looking
into
the
envoy
configuration.
B
A
B
B
B
A
A
A
A
A
C
A
B
C
B
C
C
C
Oh
yeah,
so
so
the
example
that
ricardo
applied
that
yaml
file
deployed
these
things.
So
right
so
you
had
an
envoy
daemon
set
and
you
have
contour
running
as
a
deployment
contour.
What
it
does
is
it's
watching
for
things
in
the
cluster
things
like
secrets,
ingress
objects,
services,
endpoints,
all
that
kind
of
stuff,
that's
interesting,
and
then
what
it
does
is.
It
builds
a
configuration
for
envoy
and
then
it
passes
that
configuration
down
the
envoy
now
envoy.
We
could
dig
into
it
too.
C
C
So
contour
is
the
xds
or
like
control
plane
for
it
for
envoy.
So
when
onboard
spins
up
it
says,
hey,
go,
find
contour
and
then
contour's
job
is
to
send
down.
You
know
updates
for
envoy
configuration,
so
what
happened
was
is
when,
when
ricardo
created,
that
ingress
object
and
he
created
that
the
the
qwerty
service,
all
of
those
things
fired,
events
to
contour
contours
saw
those
happen,
and
then
it
it
generated
config
and
pass
that
down
to
envoy
and
that's
how
it
got
routing.
C
A
C
A
C
B
Yeah,
so
I
ip
tables
iptables
deals
with
the
layer
layer
for
rj,
so
you
have
a
a
source
and
a
destination
on
a
search
part
and
a
destination
part.
So
iptables
does
does
the
routing,
but
it
doesn't
know
what
what
you
have
inside
the
packet
so
envoy
in
china,
xha
proxy.
They
actually
when
when
we
did
that
to
when
when
when
we
did,
that
call
to
ricardo.com
iptables
would
wouldn't
be
aware
of
that,
because
you
could
be
pointing
to
the
same
machine
to
the
same
to
the
same
ip.
B
But
you
want
to
route
to
different
places,
for
example
right
and
so
in
envoy
that
packet
it
it
gets
open
and
you
you
know,
for
example,
for
which
part
to
send
so
what
what
was
the
header
which
photo
to
send?
Or
maybe
if
there
was
some
cookie
saying
that
you
should
you
should
direct
to
server
a
or
to
server
b
or
to
end
point
a
or
to
end
point
b.
B
B
A
I
always
felt
the
reason
I
asked
is,
I
always
feel
like
engine
x
feels
like
layer
seven,
but
I
feel
like
envoy
is
like
lower
level
than
that.
It's
just
that's
just
some
fiction
that
I
made
up
in
my
head,
like
envoy,
is
not
capable
of
doing
lower
level
load
balancing
I
I
thought
it
was,
but
I
could
be
wrong.
C
C
Essentially,
what
we're
gonna
do
here
is
just
need
to
port
forward
to
envoy
on
9001,
and
then
I
have
the
list
of
endpoints
that
we
expose
so
before.
I
mention
that,
like
cv
that
came
out,
the
actual
envoy
web
page
has
a
lot
more
than
just
these,
but
these
are
the
read-only
ones,
so
they
send.
Essentially,
if
you
now
deploy
contour
and
envoy
in
your
cluster,
we'll
still
have
these
exposed
over
localhost,
and
if
someone
would
exploit
it
with
external
names,
then
they
still
couldn't
do
anything
malicious
short
of
seeing
stuff.
A
A
B
Because
we
I'm
kidding
but
but
hey
alex,
we
we
were
discussing
about
that
earlier
today,
and
this
is
why
I
made
the
joke
to
jay.
But
I
actually
I
don't
know
I.
I
am
not
sure,
because
one
thing
that
we've
been
discussing
is
that
we,
we
are
not
sure
about
the
sctp
use
case
right
so
feel
free
to
join
us,
also
in
copying
and
seek
network,
and
maybe.
A
You
should
have
come
to
kaping
today
and
you
should
have
heard
rant
about
sctp
and
how
horrible
of
an
idea
it
is
to
do
on
kubernetes.
I
didn't
fully
understand
it,
but
pair
can
talk
to
you
about
this,
and
so
can
so
can
lars
and
sign
network
on
slack
evidently
sctp
makes
basically
no
sense
on
kubernetes.
It
seems
to
be
what
everybody's
saying,
and
I
guess
nobody
even
knows
why
it's
ga,
because
nobody
uses
it,
and
I
I
don't
fully
understand
why.
D
A
B
C
C
So
essentially
you
could
deploy
the
same
app
a
bunch
of
times,
so
the
hash
makes
them
unique
within
our
configuration
because
there's
different
things
we
could
apply
in
terms
of
like
health
checks
and
waiting
and
that
sort
of
stuff
and
across
different
ingress
objects.
So
what
you'll
end
up
having
here
is
every
service.
That's
referenced
from
an
ingress
object
is
going
to
end
up
in
this
configuration.
C
So
this
is
what
contour
stream
down
to
envoy
through
that
xds
connection
and
you'll
see
things
about
this,
like
the
active
connections
and
total
connections
and
failures
and
that
sort
of
stuff.
These
are
just
clusters.
If
you
go
to
like
listeners,
you'll
see
the
listeners
that
we
opened
up
in
envoy
yeah.
So
there's
the
there's.
The
three
listeners
so
by
default
you've
got
your
8080,
which
is
your
insecure
one.
There's
a
stats
one
and
then
you
can
see
the
envoy
one
we're
listening
to
now
on
9001..
C
B
C
B
C
Them
yeah,
I
do
that
one
okay,
so
this
one
will
show
you
like
all
the
actual
routes
and
bits
that
that
we
programmed
to
envoy
with
so,
if
you're,
if
you're
having
trouble
or
we're
having
trouble,
you
know
adding
a
feature
to
contour
or
something.
This
is
what
we'll
dig
into.
So,
if
you
scroll
past
a
lot
of
this
stuff,
you'll
see
all
the
it
shows
you
metadata
about
what
what
version
you're
running
of
envoy
and
what
filters
and
stuff
are
installed.
C
C
We
essentially
created
a
cluster
in
envoy,
which
said:
hey,
go,
find
contour
at
this
address
called
contour,
which
is
the
dns
entry
for
the
service
and
that's
how
envoy
goes
and
finds
contour
for
its
configuration
and
then
below
that
you'll
see
dynamic
resources,
so
you'll
see
lds
and
cds,
so
there's
listeners
and
clusters
and
then
from
there
everything
else
gets
streamed
down
dynamically.
So
there
should
be
a
route
for
your.
Your
ricardo.foo.com.
B
C
That's
the
name
of
the
cluster
in
envoy
that
contour
program
to
envoy
with
so
basically
envoy's,
looking
at
or
contour,
looks
at
all
the
services
in
your
cluster
right
and
then
it
goes
and
finds
all
of
the
endpoints.
And
then
it
adds
all
the
endpoints
to
a
thing
called
eds,
which
is
like
the
endpoint
discovery
service,
the
eds,
and
then
we
feed
those
into
envoy,
and
then
we
say
hey
route
to
this
cluster.
So
essentially,
then
we
tell
envoy
here's
a
set
of
endpoints.
C
You
can
use
the
route
to
which
are
sitting
behind
that
default,
slash,
quality,
slash
and
that's
how
we
get
traffic
to
to
endpoints.
So
english
controllers
simply
don't
route
to
services
they
route
to
endpoints
directly
and
that's
how
we
can
do
different
kinds
of
load,
balancing
strategies
to
get
traffic
to
these
different
endpoints.
C
A
C
C
A
A
My
head,
I
mean,
there's
always
some
weird
rule
that
gets
broken
right,
like
even
in
kubernetes.
There's
that
rule
that
nothing
talks
to
anything
except
sometimes
the
api
server
talks
to
the
kubelet
when
it
needs
to
get
logs,
otherwise,
never
right
so,
but
in
general,
that's
probably
what
it
is:
okay,
yeah.
C
A
C
C
About
about
about
doing
filters,
that's
it!
No!
We
don't
do
it,
we
just
we
don't
right
now,
yeah,
but
open
an
issue,
we'll
chat
about
it.
I
know
some
folks
who
compile
envoy
to
remove
filters
because,
like
if
you
there's
a
bunch
of
filters
that
are
installed
that
could
you
know
create
a
security
risk
for
you
in
a
different
kind
of
environment,
so
you
can
actually
compile
envoy
and
disable
a
bunch
of
things.
So
at
the
top
of
that
screen
recorder,
there
was
a
whole
list
of
filters.
B
C
C
A
B
B
C
Yeah
yeah,
so
some
of
these
will
give
you,
like
the
connection
manager.
There
gives
you
l7
right,
the
http
connection
manager,
so
you
onboard's
going
to
receive
you
know
an
l3
l4
connection,
and
then
you
apply
this
filter
which
turns
that
into
an
l7
thing
and
then
filters
below
that
can
then
use
that,
as
as
an
l7
connection.
A
C
C
B
B
Okay,
I
I
wanna
I
wanna.
So
we've
got
this
working
and
I
I
could
see
that.
I
think
that
it
would
be
interesting
for
us
instead
of
jumping
into
ingress
in
gynex
or
hp
proxy.
I
can.
I
can
do
that
as
a
as
a
parallel,
but
I
wanna
really
take
a
look
into
maybe
gateway
api
working
because,
as
this
is
really
something
really
new
for
for
for
latest
layer,
seven
routine,
maybe
should
be
it's.
It's
gonna
be
interesting
for
me
as
well.
B
C
B
C
C
So
if
you,
if
you
go
to
this
to
the
the
sick
group
for
this
they'll,
have
a
better
explanation
of
some
of
what
this
stuff
is,
but
essentially
there's
this
idea
of
of
gateways
now
and
that's
why
it's
called
game
api
now,
and
so
this
is
sort
of
a
way
now
that
you
can
route
some
route
traffic
into
your
cluster
using
l4
and
l3
in
different
ways.
You
can
describe
right,
so
this
is
going
to
cover
all
of
it,
not
just
ingress.
C
There's
a
so
this:
this
is
the
v1
beta
1.
literally
last
night,
they
released
the
v1
alpha,
2,
which
you
can
see
a
little
warning
down
there,
which
is
a
breaking
change
for
folks.
So
right
now,
contour
supports
v1,
alpha
1..
Now
that
v1
alpha
2
is
in
a
release.
Candidate
we'll
go,
try
and
support
that,
but
in
terms
of
contour
and
how
this
works
is,
and
we
look
at
code,
but
contour
supports
ingress
and
it
supports
our
own
crd,
which
we
call
http
proxy
and
we
support
gateway
api
as
well.
C
So
what
happens
is
when
traffic
comes
in?
We
said:
contour
watches
the
cluster,
for
you
know,
services
and
endpoints
that
sort
of
stuff.
It
also
watches
for
these
gateway
objects.
If
they
exist
in
the
cluster
and
if
they're
there
it'll,
you
know,
build
ingress
information
off
of
that.
So
contour
builds.
This
thing
in
memory
called
a
direct,
a
dag
or
a
directed
acyclic
graph.
So
we
build
this
graph
in
memory
and
then
we
walk
that
graph
and
generate
envoy
config
out
of
it.
C
So
essentially,
any
ingress
configuration
item
whether
the
ingress
or
our
cd
or
or
gateway
api
gets
shoved
into
this
like
middle
layer.
And
then
we
walk
that
graph
to
then
output
on
voice
config
and
that's
how
we
can
support
all
these
different
types
without
having
to
rewrite
you
know
contour
over
and
over
and
over
and
over
cool.
So
we
just
add
a
new
processor
to
the
list
and
go
yeah.
C
C
C
So
essentially,
this
quick
start
is
going
to
give
you
what
you
have
running
now.
You
know
namespace
with
envoy
and
contour
and
stuff,
but
it's
also
going
to
deploy
those
gateway.
Api
crds,
as
you're
familiar
with
ingress
before
is
baked
into
the
api
server.
So
an
upgrade
to
a
new
kubernetes
version
would
upgrade
your
ingress
now
because
of
crds,
you
can
kind
of
make
those
more
independent,
which
is
nice
cool,.
C
C
C
But
right
now
today,
contours
focus
on
a
layer,
seven
type
proxy
getting
in
the
you
know,
tcp
and
udp
adds
some
things
that
you
need
more
around
the
project
and
right
now
we're
just
focused
on
layer
seven,
but
there
is
an
issue:
it's
not
a
no
what's
what's
what
is
it
no
is
forever,
but
right
now.
Yes,
it's
forever
and
knows
not
right
now,
how's
that
saying
I
forget,
yeah.
C
There
you
go
yeah,
so
yeah,
that's
kind
of
where
we
are
with
that.
So
go
ahead
and
run
that
again
yeah.
So
you
had
to
hit
the
thing
where
the
crd
wasn't
ready
in
the
api
server
yet
yeah.
So
what
you
have
now
is
you
have
contour's
still
there
you
have
now
you
have
the
gateway,
pi
crts
installed.
You
can
see
those
there
in
the
middle
and
then
you
also
got
a
gateway
class
and
a
gateway.
B
C
B
C
B
C
Okay,
so
there's
these
different,
these
different,
you
know
personas,
so
the
infrastructure
providers.
So
in
your
gateway
class,
you
could
say
hey.
This
is
a
you
know,
an
external
type
gateway
which
has
certain
specifics
about
you
know
aws
or
google
or
azure
or
whatever
you're
deploying
it
into,
and
then
the
gateway
actually
implements
that.
So
actually
it's
the
thing
that
routes
the
traffic
and
then
from
there.
You
actually
have
routes.
So
you
can
have
you
know
http
routes.
C
I
think
we
have
to
restart
contour
and
explain
why
but
yeah
so
so
gateway
api.
Now
has
these
statuses,
which
are
great
right
and
ingress
as
you
as
you
never
recorded
like,
like
you,
don't
have
any
status
feedback
to
users
so
if
something's
wrong,
you're,
typically
tailing
logs
of
your
controller,
now
there's
the
status
condition
which
lets
you
get
feedback
so
right
now.
This
is
saying:
hey
someone's
generated
this,
this
gateway,
but
no
one's
picked
it
up.
No
one
said:
hey,
I'm
going
to
own
this
and
and
manage
it.
C
C
It's
like
right
that
one
says:
come
up
so
there's
two
things
today
that
this
uses
there's
there's
a
config
in
our
file,
which
tells
us
hey
what
gateway
class
to
begin.
Is
this
contour
going
to
own,
so
it's
kind
of
like
using
an
ingress
class
and
then
the
second
thing
is:
is
contour's
not
going
to
enable
gateway
apis
unless
the
the
crds
exist
in
the
cluster?
So
when
it
started
originally,
those
crds
did
not
exist.
C
B
So,
let's
create
an
http
route,
so
the
the
specification
here-
okay,
that
so
that's
persona,
related
and
and
in
this
case,
when,
when
that
persona,
because
this
is
namespaced-
it
says
that
the
cluster
operator,
but
but
it
can
be,
for
example
like
the
namespace
owner,
which
is
not
like
the
application
developer.
For
example,
like.
C
Yeah,
I
think
everyone's
going
to
manage
this
differently.
We've
heard
from
different
folks
in
terms
of
you
know
the
different
ways
they
want
to
use
this,
but
yeah
and
the
v1
alpha
2.
Some
of
the
bindings
are
different
and
what
we
can
see
that
here
of
how
how
you
bind
routes
to
gateways
and
and
the
new
version
it
sort
of
flips
on
its
head
and
it's
it's
different
for
person,
different
reasons,
because
your
gateway
now
doesn't
have
to
live
in
the
same
name
space
as
your
ingress
objects.
C
B
C
B
B
C
C
This
is
the
binding.
This
is
saying:
hey.
This
gateway
is
only
going
to
bind
to
http
routes
in
that
group
from
the
same
name,
space
matching
those
selectors
but
yeah.
We
could
change
that.
We
could
make
it
all
name
spaces
or
now,
in
the
new
version.
There's
there's
a
two-way
binding
where
you've
got
it,
the
gateway,
I'm
sorry,
the
route
is
actually
going
to
say:
hey,
I
want
to
bind
to
a
specific
gateway.
B
C
B
A
A
C
B
C
B
B
C
C
B
C
C
C
C
C
B
C
B
C
C
So
we
haven't
implemented
that
yet,
but
that's
a
conflict
right,
so
that
was
the
classic
ingress
example
of
two
routes
with
the
same
host
the
same
path.
What
do
you
do?
The
canonical
way
to
solve
that
and
give
api
is
whoever
got
there.
First
wins,
so
the
oldest
created
version
would
always
win
hunter
hasn't
implemented
that
yet,
but
that's
how
you
solve
that
in
our
crd,
we
solve
it
a
different
way,
but
yeah.
B
C
B
C
C
C
B
A
I
it
looks
like
it,
I
I
think
it
it
never
got
it.
I
mean
it,
it
didn't
work
because
it
it
looks
like
it
was
trying
to
it,
couldn't
pull
images
and
then
I'm
not
sure
why
it
couldn't
pull
the
images,
but
I
think
it
was
trying
to
there's
definitely
a
windows,
specific
configuration
that
you
have
to
set
contour
up
with
that
I
didn't
do.
A
C
A
B
D
A
B
B
A
D
Intel
code
was,
or
there
is
something
called
signaling
protocol
7.
That's
how
all
pod
I
mean.
All
telephone
networks
were
built
using
ss7
and
they're
still
widely
used
and
it's
sort
of
packet
oriented,
but
with
the
with
the
resend,
you
can
say
so
3dpp,
which
is
the
standardization
organization
for
mobile
telephony,
so
3d,
4g,
5g
and
60,
and
so
on.
It's
being
worked
on
there.
They
wanted
to
have
a
protocol
that
had
sort
of
a
mix
of
what
they
had
in
ss7
and
udp,
because
tcp
is
a
stream
right.
D
D
So
that's
what
I
wanted
to
do
and
instead
of
doing
something
like
quick
sort
of
or
something
simple
udp
would
retransmit
they.
They
came
up
with
this
protocol.
That's
what
they're
trying
to
do
what
was
done
with
ss7,
and
that
is
by
having
dedicated
networks
and
dedicated
paths.
So
it
typically
gives
each
and
end
points
to
ip
addresses
on
two
different
interfaces,
and
then
it's
assumed
that
these
will
then
guarantee
delivery
over
different
infrastructure.
D
So
if
someone
picks
up
a
fiber,
you
will
still
have
a
dedicated
path,
which
would
ip
is
very
hard
to
guarantee,
because
at
some
point
these
things
will
go
to
the
same
routing,
same
routing,
stack
or
routing
context.
You
can
say,
and
the
packets
get
treated
the
same
way
and
then
you
have
at
application
levels
means
to
steer
sort
of
which,
which
path
things
should
should
take
on.
D
So
it's
a
very
specific
usage
normally
of
the
protocol
when
you
use
these
dual
end
points
and
there's
semantics
that
comes
with
it
and,
like
I
said
it
has
typically
been
used
with
the
fixed
ports
on
both
sides.
You
set
up
connection
between
two
nodes
and
then
you
do
can
always
call
it
application
specific
load,
balancing
when
low,
balancing
or
not
low,
passing
but
distribute
the
streams
inside
this
connection.
D
I
got
it
you
would,
you
would
tie
your
process
to
use
both
nicks
and
then
you
would
expect
them
so
from
for
that.
You
that
you
had
inserted
specific
routes
into
your
application,
so
it
would
choose
the
right
path
based
on
which
address
you're
using
for
the
other
side,
so
it
doesn't
just
have
a
default
route
that
sends
it
down
that
very
specific
routing
or
connected
to
a
kernel
or.
A
A
When
I
have
a
tcp
connection,
I
usually
have
one
nick-
and
I
have
a
nick
over
here
and
this
neck
has
ip
1.2.3
and
four,
and
this
nick
has
1.2.3.5
and
I
go
here
and
I
have
a
dac
and
I
have
a
sin
and
I
have
an
ack
and
these
they
just
talk
to
each
other
and
they
just
talk
over
the
same
interface.
That's
what
I'm
used
to
at
least.
A
A
A
A
D
This
is,
you
can
do
similar
things
with
tcp
with
multi-path
tcp,
but
let's
leave
that
for
another
discussion.
So
so
now
you
have
two
sort
of
the
ideas,
then,
that
you
have
two
paths
that
these
two
endnotes
can
talk
to
each
other.
But
in
reality
you
have
a
packet
network
here
in
the
middle.
So
there's
nothing
that
guarantees
that
they're
going
to
separate
paths.
I
mean
separate
routers
and
separate
switches
and
so
on
at
some
point.
Typically,
it
goes
together.
D
A
A
D
They
tried
to
just
do
this
straight
pipe.
Actually,
so
they
do
this
to
have
redundance
to
have
redundancy
and
resiliency
sort
of
that.
You
you're
trying
to
assume
that
you
have
that
think
of
these
two
logical
wires
and
that's
how
ss7
works,
but
with
packet
networks,
it's
very
hard
to
guarantee
that
your
logical
wires
doesn't
pass
through
the.
D
The
sort
of
you
can
use
things
then
like
new
tools
like
srv6,
which
is
segment
routed
for
v6
to
rather
specify
in
the
packet
the
parts
this
has
to
go
through.
So
I
could
sort
of
take
a
packet
and
say
it
has
to
go
through
this
router,
this
router
and
this
router,
so
that
you
you
traffic,
engineer
the
past
is
going
to
take
through
the
network.
Then
you
can
actually
build
something
like
this,
but
the
problem
we
have
with
kubernetes
is
that
this
is
used
as
a
tunnel.
D
D
But
you
know
when
your
little
balance,
you
have
your
destination
address,
you
have
a
destination
port
or
you
can
say,
destination
address
and
source
address
yeah
and
you
have
a
protocol
and
then
you
have
destination
port
and
source
port.
Okay,
and
in
order
for
something
to
to
load
balance,
you
want
you
need
to
have
that
the
session
or
a
connection
is
unique.
So
this
five
tuple
needs
to
be
unique,
but
if
all
of
them
are
fixed,
you
can
only
have
one
so
so.
C
D
You
lock
down
all
these
variables,
then
you
can
only
have
one
connection
so
so
for
for
something
like
the
service
proxy
to
to
work.
You
only
lock
down
four
of
them.
The
source
destination,
address
protocol
destination
port
and
then
you
typically
have
a
fixed
source
address
from
the
node
you're
coming.
D
But
then
the
source
port
will
change
the
ip
stack
on
the
machine
where
you
set
down
up
the
connection
for
will
look
and
ensure
that
from
this
machine
this
is
unique
and
then
then,
on
the
other
side,
you
see
sort
of
you
check
again
in
the
stack.
Is
this
unique?
Yes,
it
is,
then
you
can
load
balance
that
you.
A
D
A
D
D
D
D
Should
there
be
or
should
it
not,
and
in
that
case
how
and
how
will
it
tie
up
to
the
things
you
can
do
in
envoy,
okay,
the
back
side
of
every
load,
balancer
sort
of
is
that
it
also
works
as
a
blocking
firewall
for
ports
that
are
not
defined.
So
should
there
be
a
a
path
between
things,
you
define
an
envoy
and
network
policies
and
vice
versa,.
D
B
A
A
You
should
definitely
come.
We
meet
every
friday
and
you
know
like
the
context
for
this
is
that
we're
kind
of
working
on
like
porting
some
code
from
the
original
coupe
proxy,
the
existing
one
into
kaping,
which
is
a
little
more
plugable
or
a
lot
more
plugable
and
so
pair
came
today,
and
he
was
talking
about
sctp
and
and
someone
else
who
was
working
on
sctp
and
a
lot
of
like
concern
and
questions
about
like
what's
the
actual
use
case
in
kubernetes
for
sctp.
A
D
Yes,
to
be
clear,
there's
no
one
that
says
that
as
a
tp
is
not
needed.
The
question
is:
how
is
it
best
supported
and
integrated
into
kubernetes
sort
of
based
solution?
It's
not
about
that.
I
mean
there's
there's
a
lot
of
applications
that
use
it
right,
but
I
just
don't
think
that
the
support
is
where
it
needs
to
be,
and
I
don't
think
sort
of
the
the
traditional
way
of
just
adding
in
another
protocol.
You
think
is
just
another.
B
A
A
A
Yeah,
where
did
we
go
here?
We
are
stream
yard
there.
It
is
okay,
cool,
I'm
putting
the
link
in
youtube
right
now
alex,
and
so
it's
called
the
coop
proxy
working
group.
So
you
can
go
to
kubernetes
network.
You
can
just
google
for
kubernetes
sig
network
on
github,
and
you
can
see
all
of
the
meetings
that
we
have,
and
one
of
them
is
specifically
this
this
group
and
we
we
meet
every
friday
morning
but
yeah
come
hang
out.