Dan Winship

So belatedly, it occurs to me that neither the iptables kube-proxy nor the ipvs kube-proxy ever refers to the `filter` table `KUBE-FIREWALL` chain... so the fact that it would not...

Can anyone confirm that - kube 1.25 - ipvs proxy - iptables 1.8.7 in nft mode works correctly?

> I guess that's not what you want since the problem seems to be host-container version mismatch I'm not at all convinced that that's what the problem is. My worry...

That's the `mode: iptables` proxy source, and you're using `mode: ipvs`. The ipvs proxier doesn't ever call `iptables-save` in 1.25. But ignoring that, even in the iptables proxier, no rules...

OK, I commented more on the kube-router bug (https://github.com/cloudnativelabs/kube-router/issues/1370) suggesting how to fix the problem. I don't think there's anything more we need to be tracking here... FWIW, as a...

Having written the KEP both ways now, it feels more topology-like than traffic-policy-like to me. Especially, you can't use the feature properly _just_ by enabling it on the `v1.Service`; you...

OK, trying to summarize the discussion: - We're still not totally in agreement about what the difference between "traffic policy" and "topology" is, and whether this would be better as...

So for the node-level case it's easy to ensure that your endpoints are distributed correctly because you just use a DaemonSet. Maybe we need some way to easily configure other...

So I feel like we don't have enough consensus here to move forward in 1.26? (We don't even have consensus on if it should be topology or traffic policy...)

Not sure prototyping would really help? We only have one use case, and for that use case, both approaches would yield identical results... > Atleast for iTP, it should be...