[14:46:44] <cdanis>	 hi all.  I heard there was some discussion (but not written down anywhere?) about https://phabricator.wikimedia.org/T344171 while I was out ?
[14:47:30] <akosiaris>	 cdanis: yes there was. In the SIG. Let me fetch you the meeting notes
[14:47:34] <cdanis>	 ahh!
[14:47:53] <akosiaris>	 https://www.mediawiki.org/wiki/Kubernetes_SIG/Meetings/2024-08-27
[14:47:56] <cdanis>	 yes thanks
[14:48:01] <cdanis>	 just got there myself :)
[14:48:44] <akosiaris>	 it also lacks an action point for me to look into the calico part for CoreDNS
[14:49:04] <akosiaris>	 neither the outside k8s, nor the NodePort approach is one that thrilled anyone in the group
[14:49:08] <cdanis>	 yeah
[14:49:13] <cdanis>	 is this essentially Calico doing a MetalLB imitation?
[14:49:40] <akosiaris>	 no, more like having a couple of pods that are always on the same IP
[14:49:46] <akosiaris>	 and can be addressed directly
[14:49:56] <akosiaris>	 instead of going through the rest of the kubernetes platform
[14:50:07] <akosiaris>	 and just delegate from gdnsd to those
[14:50:13] <cdanis>	 got it
[14:50:22] <akosiaris>	 whether it will work or not, we 'll see.
[14:51:42] <cdanis>	 so this is using calico as IPAM instead of using calico as BGP advertisements for a clusterIP or something
[14:53:00] <akosiaris>	 kinda. It's still IPAM and BGP advertisements in any case. 
[14:53:15] <akosiaris>	 but what it is is bypassing overall Kubernetes Service resources
[14:53:17] <cdanis>	 right
[14:53:24] <akosiaris>	 so no ClusterIP, no NodePort, no DNATs etc
[14:53:38] <cdanis>	 btw you can avoid that even when advertising ClusterIPs
[14:53:56] <cdanis>	 on both calico and metalLB there's a mode where only the pods that have the service in question will advertise the /32
[14:54:36] <akosiaris>	 ?
[14:55:03] <cdanis>	 externalTrafficPolicy: Local https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips#advertising-service-ips-quick-glance
[14:55:24] <cdanis>	 not avoid having a Service ofc, but avoid touching too may nodes inside the cluster
[14:55:30] <cdanis>	 or doing a lot of NAT
[14:57:26] <akosiaris>	 ah, that setting. That requires that we cut off somehow a section of the cluster (labels?) and delegate to those nodes specifically and make sure we always run 1 or more coredns pods on those nodes.
[14:57:40] <cdanis>	 yeah
[14:57:47] <akosiaris>	 we are using already the flip side of it (internalTrafficPolicy) for mcrouter
[14:57:52] <cdanis>	 got it
[14:58:03] <akosiaris>	 which immediately requires a daemonset
[14:58:12] <cdanis>	 I think there's a decent argument for a coredns daemonset on the apiservers anyway, but meh :)
[14:58:16] <akosiaris>	 but running 200 coredns pods... meh
[14:59:17] <akosiaris>	 that being said, delegation is almost certainly the best way to go
[14:59:26] <cdanis>	 yeah
[14:59:30] <akosiaris>	 we did discuss also messing with powerdns (the recursors)
[14:59:52] <akosiaris>	 but somehow making them aware of this part of the infrastructure, didn't sound very appealing at the end
[14:59:59] <cdanis>	 sure
[15:02:48] <cdanis>	 thanks for catching me upo
[15:16:03] <akosiaris>	 yw