Hosted Control Planes or Hypershift repo: docs: Tooling that exists to explore this stuff on a libvirt host https://github.com/karmab/kcli Basic Architecture:

Overview of DNS. Typically CoreDNS is installed in a cluster at initialization with a deployment. This deployment will use the underlying host dns resolvers by default. How does Kubernetes Assign DNS to pods? Kubelet clusterDNS When a pod is deployed using a cni the pod is by default configured with dnsPolicy: ClusterFirst. Pods with this configuration are given the dns entries provided by the kubelet. When Kubernetes is deployed with a service cidr the first ip address in the cidr is allocated to the kuberenetes.default service. The 10th is allocated to the kube-dns.kubernetes service. This is done by providing the kubelet with the "clusterDNS" parameter. You can optionally override this parameter and the values given to pods on that specific node.

DC Requirements Egress work The dc routed pods use case. pci use case. Pods need: The application in the pod needs to understand the ip address that is being routed to it via the allocated interface. a routable ip address allocated from a specific ip pool that is different from the rest of the cluster.

aks clusters with kubenet. aks clusters with azure cni legacy with calico. pdb protect set drain timeout. Tasks: Bring up new cluster deploy sample apps

Upgrade paths tested. OpenShift 4.10.20 -> 4.11.20 cilium 1.11.8 -> 1.11.9 openshift 4.10.20 -> 4.11.20 cilium 1.11.8 -> 1.12.3 openshift 4.11.2 cilium 1.12.3 -> 1.12.6

for the checking of things I think we should consider kubectl exec -ti -n kube-system ds/cilium -- cilium status tho this doesn't show tunnel mode maybe consider custom columns instead of jq. kubectl get nodes -o custom-columns=name:.metadata.name,node-ip:.status.addresses[].address,pod-cidr:.spec.podCIDRs[]

⬢ Cilium Routing Options There are a variety of routing options in Cilium: By default cilium will deploy in an overlay mode and encapsulate all traffic between nodes. We also support Direct Routing. Where we route all traffic between nodes directly using the underlying network In this lab, we will explore what happens to packets that are transmitted between pods when using the Direct Routing option. We don't know that the nodes are part of 10.0.0.0/8 in fact docker exec -ti clab-bgp-cplane-demo-control-plane ip addr shows that they are part of a /24

Link https://hackmd.io/@mauilion/cilium-ipv6 Youtube link https://www.youtube.com/watch?v=IgPqIi67hSA Summary: Setup an cluster and deploy cilium in routed mode. Show connectivity between pods and then use tcpdump to show identity labels encoded in the flow label header for ipv6 traffic. Setup. We will use a kind cluster for this learn more about kind here

Summary of changes. With this release we are deploying a new configmap into the cilium namespace. The name of this configmap is cilium-ee-olm-overrides. The purpose is two fold. the default configmap looks like this: apiVersion: v1 data: RELATED_IMAGE_CERTGEN: quay.io/cilium/certgen:v0.1.5@sha256:0c2b71bb3469990e7990e7e26243617aa344b5a69a4ce465740b8577f9d48ab9@sha256:0c2b71bb3469990e7990e7e26243617aa344b5a69a4ce465740b8577f9d48ab9

root@sk730conoc4nb06:/home/cilium# cilium policy trace --src-k8s-pod 0020707-integration-business:centos2-deployment-548b74766c-74qpf -d k8s:io.kubernetes.pod.namespace=openshift-dns --dport 53 ---------------------------------------------------------------- Tracing From: [k8s:app=centos2, k8s:io.cilium.k8s.namespace.labels.cvApplicationName=IP_Forward_Services_-_Workflow, k8s:io.cilium.k8s.namespace.labels.cvCamrKey=0020707, k8s:io.cilium.k8s.namespace.labels.cvTpgKey=IP, k8s:io.cilium.k8s.namespace.labels.faas-name=0020707-integration-business, k8s:io.cilium.k8s.namespace.labels.faas.visa.com/enforcement=STRICT, k8s:io.cilium.k8s.namespace.labels.infraIdentifier=K8OS73BNPGNN03, k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=0020707-integration-business, k8s:io.cilium.k8s.namespace.labels.router=business, k8s:io.cilium.k8s.namespace.labels.vks.visa.com/app-name=IP_Forward_Services_-_Workflow, k8s:io.cilium.k8s.namespace.labels.vks.visa.com/app-number=0020707, k8s:io.cilium.k8s.namespace.labels.vks.visa.com/infra-identifier=K8OS73BNPGNN03, k8s:io.cilium.k8s.namespace.labels.vks.visa.com/tpg-key=IP, k8s:io.cilium.k8s.policy.cluster=default, k8s:io.cilium.k8s.policy.serviceaccount=default, k8s:io.kubernetes.pod.namespace=0020707-integration-business] => To: [k8s:io.kubernetes.pod.namespace=openshift-dns] Ports: [53/ANY] Resolving egress policy for [k8s:app=centos2 k8s:io.cilium.k8s.namespace.labels.cvApplicationName=IP_Forward_Services_-_Workflow k8s:io.cilium.k8s.namespace.labels.cvCamrKey=0020707 k8s:io.cilium.k8s.namespace.labels.cvTpgKey=IP k8s:io.cilium.k8s.namespace.labels.faas-name=0020707-integration-business k8s:io.cilium.k8s.namespace.labels.faas.visa.com/enforcement=STRICT k8s:io.cilium.k8s.namespace.labels.infraIdentifier=K8OS73BNPGNN03 k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=0020707-integration-business k8s:io.cilium.k8s.namespace.labels.router=business k8s:io.cilium.k8s.namespace.labels.vks.visa.com/app-name=IP_Forward_Services_-_Workflow k8s:io.cilium.k8s.namespace.labels.vks.visa.com/app-number=0020707 k8s:io.cilium.k8s.namespace.labels.vks.visa.com/infra-identifier=K8OS73BNPGNN03 k8s:io.cilium.k8s.namespace.labels.vks.visa.com/tpg-key=IP k8s:io.cilium.k8s.policy.cluster=default k8s:io.cilium.k8s.policy.serviceaccount=default k8s:io.kubernetes.pod.namespace=0020707-integration-business] * Rule {"matchLabels":{"k8s:io.kubernetes.pod.namespace":"0020707-integration-business"}}: selected * Rule {"matchLabels":{"k8s:io.kubernetes.pod.namespace":"0020707-integration-business"},"matchExpressions":[{"key":"k8s:faas-quarantined","operator":"NotIn","values":["true"]}]}: selected Allows to labels {"matchLabels":{"k8s:io.cilium.k8s.namespace.labels.faas-name":"istio-system"}} No label match for [k8s:io.kubernetes.pod.namespace=openshift-dns] Allows to labels {"matchLabels":{"k8s:io.cilium.k8s.namespace.labels.faas-name":"kube-system","k8s:k8s-app":"kubernetes"}}

Are you going to Valencia? Virtually or IRL? cnebpf eu Multus CNI source Migration Case Where can I use Multus? OpenShift

Headshot: whoami Duffie Cooley Field CTO Isovalent twitter: twitter.com/mauilion linkedin: linkedin.com/in/mauilion web: https://isovalent.com github: github.com/mauilion

GH link tests func TestStripRoot(t *testing.T) { for _, test := range []struct { root, path, out string }{ // Works with multiple components. {"/a/b", "/a/b/c", "/c"},

Follow me on twitter @mauilion important links cloudnative.tv eCHO certs magic with Saiyam debuting on cloudnative.tv today! klustered kind.sigs.k8s.io find this stuff here hackmd.io/@mauilion/cka-lab

Topic for discuss.k8s.io Title: Call for Questions! sig-HONK AMA KubeCon NA keynote panel Description: Hello World! We are giving an Ask Me Anything keynote at KubeCon NA 2020, and we are calling for questions to be answered during our panel, SIG-Honk AMA Panel: Hacking and Hardening in the Cloud Native Garden. What would you like to ask us? We would like to answer! Who we are sig-HONK is @coldwater, @bradgeesaman, @raesene, @mauilion

--- title: Talk slides template tags: Templates, Talk description: View the slide with "Slide Mode". --- # A kind workflow for contributing to Kubernetes <!-- Put the link to this slide here so people can follow --> slide: https://hackmd.io/p/template-Talk-slide --- We have a collaborative session please prepare laptop or smartphone to join! --- ## Who am I? - Front-end developer - VSCode :heart: - I use tabs. :cat: --- ### 70% of our users are developers. Developers :heart: GitHub.