►
From YouTube: Antrea Community Meeting 09/26/2022
Description
Antrea Community Meeting, September 26th 2022
A
Good
morning,
good
afternoon
or
good
evening,
thanks
for
joining
this
anxia
community
meeting
today
is
Tuesday
September
the
27th
or
for
some
of
you
on
the
west
coast,
is
still
Monday
to
the
26th
of
September.
For
today
we
have
a
very
parked
agenda.
So
it's
going
to
be
a
very
interesting
meeting.
We
will
start
with
the
demo
of
the
stretch,
Network
policy
feature
for
multi-cluster,
which
will
be
presented
by
Young
and
Grayson.
This
is
expected
to
take
15
to
20
minutes.
A
According
to
the
number
of
questions
that
we
get
after
that,
Rahul
and
I
don't
know,
wealth
will
present
the
a
new
project
for
security
policies
on
public
clouds
with
Andrea
and
I
am
hope
that
I
get
the
pronunciation
correct.
It's
a
Nephi
and
I
mean
if
I
got
it
right,
then
Raul
will
correct
me.
So
I
believe
that
we
can
get
started
with
today's
meeting.
So
thanks
again
everyone
for
joining.
We
have
a
very
good
attendance
for
today
and
for
the
stretch,
natural
policy
D
model,
no
who's
going
to
go
ahead.
B
Yeah
I
think
so,
yes,
all
right.
So
thanks
guys
this
is
Young
and
Grayson
and
I
will
be
presenting.
You
know
the
latest
status
of
the
stretch
and
train
native
Odyssey.
B
So
this
is
the.
This
is
the
same,
slides
that
we've
presented.
You
know
a
couple
Community
meetings
ago,
but
since
we
have
some,
you
know
updates
I
just
wanted
to
quickly
go
through.
You
know
the
slides
again
to
show
you
guys
what
the
updates
are
to
the
internet
native
policy
and
then
Grayson
will
show
you
a
nice
demo
of
the
stretch,
Network
policy
in
action.
B
So
a
bit
of
a
background
on
what
we're
trying
to
do
here
is
that
currently
we
have
a
multi-cluster
feature
for
Atria,
where
we
sort
of
like
unite
a
couple
of
clusters
together
in
what's
called
a
cluster
set,
and
you
know,
regular
kubernetes
services
in
one
of
the
cluster
can
actually
be
exported
to
another
cluster,
so
that
in
in
that
other
cluster
pods
can
just
use
the
services
close
to
IP
for
accessing
the
service
ends
points
which
are
actually
on
another
cluster.
B
So,
right
now
before
stretch
Network
policy
with
the
entry
native
policy,
we
already
have
a
way
to
secure
the
egress
direction
of
the
flow
which
is
using
the
two
Services
feature
of
acnp.
Basically,
we
can
apply
a
policy
to
parts
and
select.
What
are
the
services
that
the
pods
are
able
to
talk
to?
These
Services
can
be
in
cluster
services,
but
it
they
can
also
be
exported
services
or
sorry
import
the
service
from
another
cluster.
B
The
limitation
to
that
is
that,
before
the
stress
level
policy,
we
don't
actually
have
a
way
to
enforce
Inc
Ingress
Direction
traffic
for
an
exported
service,
meaning
that
if
I
have
a
couple
pod
which
is
under
a
service,
that's
exported
to
another
cluster
I
can't
really
control
who,
in
my
cluster
or
the
other
clusters
in
the
cluster
set,
can
access.
You
know
the
service
that
I'm
exposing.
So
this
is
what
you
know
the
stretch
now
policy
brings
up
to
the
table.
How
we
realize
the
search.
B
Now
policy
is
through
a
thing:
that's
called
a
label
identity.
Basically,
you
know
for
all
the
parts
that
are
in
a
cluster
Set,
we
sort
of
like
we.
We
use
a
label
identity
to
categorize
them
if
a
couple
of
Parts
share
the
same
exact
same
labels,
which
basically
means
that
they
belong
to
a
deployment
or
whatnot
they
will,
they
will,
you
know,
have
the
same
label
identity,
which
is
categorized.
B
As
you
know,
a
unique
string
calculated
based
on
their
pod
and
namespace
labels,
and
what
we
do
in
the
multi-cluster
service
is
that
we
do
a
replication
for
this
label
identity
for
all
the
labor
agencies
that
exists
in
the
cluster.
B
We
send
a
resource
export
first
to
export
it
into
the
leader
cluster,
and
then
the
leader
cluster
will
also
distribute
these
label
identities
to
all
the
member
clusters,
so
that
you
know
all
the
member
clusters
in
the
cluster
set
will
know
how
many
label
identities
exist
in
a
cluster
and
also
we
assign
a
ID
for
each
unique
label,
identity,
which
is
also
synced
across
all
the
Clusters
in
the
cluster
set.
So
by
the
end
of
the
day,
Kristen,
can
you
move
to
the
next
slide?
Thank
you.
B
So,
by
the
end
of
the
day,
what
will
happen
is
that
you
know
for
each
of
the
member
cluster
in
the
entire
multi-cluster
cluster
set.
We
will
have
a
label
identity,
we'll
have
a
list
of
label
identities
which
is
basically
a
normalized.
Is
the
label
and
the
ID
assigned
to
the
label,
so
every
cluster
will
have
the
same
information.
This
is
sort
of
like
the
basis
on
how
we
were
able
to
enforce
a
scratch,
Network
policy
and
moving
on
to
okay.
B
So
this
is
just
basically,
you
know
what
we
added
to
the
orig
already
existing
resource
export
struct,
so
we're
using
the
same
sort
of
like
resource,
Import
and
Export
pipeline.
B
B
So
this
is
sort
of
like
just
a
example
on
you
know
what
labor
identity
actually
looks
like,
so
that
sorry,
I
can't
go
back
yeah,
just
really
quick.
B
So
if
we
in
the
namespace
a
we
have
two
parts,
you
know,
one
part
has
label
app
equals
client
and
the
other
also
has
the
app
equals
client
in
the
namespace
a
then
you
know
those
two
parts
will
basically
shared
a
label
identity
and
because
they
are
in
the
same
namespace
and
they
belong
to
the
same
deployment,
and
so
they
have
is
essentially
the
exact
same
labels,
not
only
for
the
part
but
also
for
their
namespaces.
B
On
the
other
hand,
in
namespace
B
we
have
you
know
a
pod,
a
and
Part
B,
which
has
different
set
of
labels
for
those
two
parts.
We
will
have
two
different
label
identities,
because
part
B
has
an
extra
set
of
labels,
so
in
total,
in
such
a
cluster
we
will
have
you
know
three
label
identity
exported
and
every
you
know,
member
cluster
will
learn
this
normalized
label
to
ID
mapping.
B
Yeah
I'll
skip
this
because
it's
just
sort
of
like
Bookkeeping
on
how
it's
implemented
I-
just
pause,
really
quick
here
to
see
if
there
are
any
questions
so
far,.
B
Okay
sounds
good,
so
moving
on
to
the
data
path,
side
of
the
label,
identity
for
the
stretch,
Network
policy,
we
actually
will
use
on
the
via
Knight
bits
right
in
the
in
a
pod
classifier
flow
in
OBS
to
implement.
You
know
the
stretch,
Network
policy,
what
we
mean
by
that
is
that
for
any
traffic,
that's
sent
from
one
part,
possibly
in
one
of
the
Clusters
to
another
part,
that's
a
back
end
of
a
service
and
that
part
might
be
in
the
same
cluster.
It
might
be
on
the
different
cluster.
B
Depending
on
you
know.
If
the
service
is,
you
know,
exported
or
not,
so
how
we
realized.
You
know
a
stretch.
Now
policy
is
that
on
the
sending
part,
if
a
traffic
is
sent
from
a
part
to
another
product
on
the
sending
parts
node,
we
always
add
a
classification
flow
which
basically
loads
the
hard
descending
Parts
label
identity
into
the
V
and
I
bits.
B
You
know
in
the
OBS.
If
you
can
see
you
know
the
green
highlight
the
green
bits
it
says
set
set
to
low,
so
this
basically
sets
the
vni
ID
in
the
OBS.
For
this
specific
traffic
and
the
value
set
is
the
basically
the
label
identity,
ID
assigned
and
on
the
receiving
pause
node.
B
If
there
are
any
stretch
now
policy
applied
to
this
part,
then
we
will
have
you
know
a
bunch
of
rules,
basically
matching
the
The
Source
by
the
internal
ID.
So
if
we
have
a
rule
saying
that
you
know,
I
wanted
to
allow
a
drop
from
a
specific
set
of
Labor,
IDs
and
we'll
just
put
these,
you
know
we'll
just
put
a
matching
condition
for
these
tunnel
IDs
and
then
enforce
the
policy
that
way.
D
Yep,
where,
where
will
I
the
Pod
identity
be
computed
and
and
the
vni
set?
Will
it
be
at
the
Gateway
node.
B
Not
not
really
so
so,
if
you
racing,
can
you
go
next
slide
to
the
sorry
can?
Can
we
go
back
to
the
go
back
to
the
export
and
imports
right?
The
diagram
one.
B
Yes,
so
so,
essentially
so
in
each
member
cluster,
we
will
create
a
resource
export
for
a
every
new
label,
every
unique
label
that
the
cluster
has
now
in
the
leader
cluster.
You
know,
since
every
member
cluster
is
exporting
these,
the
leader
cluster,
will
do
a
deduplication
and
also
do
the
ID
assignments
for
each
unique
label,
and
this
information
will
be
will
get
back
to
the
member
through
a
resource
import.
So.
D
Yeah
I
was
asking
where's
the
the
value
gets
injected
into
the
packet.
B
So
so
that's
on
each
node
of
the
pack
of
the
part,
because
on
each
on
each
node
there
is
an
entry
controller
running
who
already
knows
the
label
identity
mapping.
So
as
soon
as
you
know,
the
controller
gets
this.
This
sort
of
mapping
the
controller
will
basically
inject
a
that
ID
for
each
pod
in
the
classifier
flow.
If
that
makes
sense,.
C
Do
you
mean
the
this
classifier
flow
is
on
either
regular,
node
or
Gateway
node
or
who
is
an
attended,
slow.
D
D
To
me
I
because
in
my
mind,
if
I
thought
at
some
point
in
the
future,
it
would
be
possible
to
use
multi-cluster
with
each
cluster
with
specific
clusters
running
in
no
end
cap
mode,
but
I
think
that's,
never
gonna
be
an
option
that
you
can
only
use
multi-cluster
if
each
cluster
is
using
end
cap
mode,
I
guess,
ultimately,
that's
that's.
What
I
was
asking
and
if,
if
like
the
the
node
on
which
is
a
standing
part
is
running,
is
the
one
that
needs
to
inject
the
Pod
identity.
D
As
as
the
VNA
field
in
the
packet,
then
I
guess
it's
kind
of
like
a
requirement
to
to
have
each
member
cluster
run
in
end
cap
mode,
because
otherwise
there
is
no
vni
field.
B
This
is
this
is
sort
of
like
a
inclusive
requirement
that
we
have
right
now,
because
you
know
for
knowing
cap.
We
haven't
really
stopped
the
wrong
how
a
stretch
Network
policy
can
actually
be
enforce
here.
C
Dick
Young
and
Tony,
actually
I
I
think
we.
C
D
I
I
agree,
that's
kind
of
what
I
was
asking,
but
if,
if
the
first
packet
has
to
go
from
the
sender
node
to
the
Gateway
node,
which
is
going
to
do
the
the
encapsulation
right
and
at
that
point
you
will
link
up
the
packet
and
you
will
be
able
to
set
the
vni.
But
that
means
that
the
VNA
is
set
at
the
Gateway
node
and
not
at
the
sending
and
no
I
even
understanding
of
the
Gateway.
We.
C
Otherwise,
you
don't
have
a
way
to
for
the
driving
line,
yeah
I,
believe
so
otherwise,
how
how
we
send
the
traveling
to
the
8
minute.
C
Yeah,
on
the
Gateway
note,
do
we
need
another
flow
to
load
the
tunnel
from
the
receiving
port
to
to
the.
A
C
Port,
where
this
tunnel
be
Reach
Out,
when
Gateway
note
for
what's
it
I
think
I
can't
answer
this
question.
We
don't
have
to
change
any
flow
in
the
Gateway
node.
This
this
is,
will
go
with
this
packet
until
it's
reach
the
very
end.
Okay,
thanks
yeah.
B
Yeah,
okay,
I'll
just
I
just
move
on
a
bit.
If
there's
a
no
other
questions.
B
Cool
so
yeah.
This
diagram
basically
captures
you
know
what's
essentially
going
on,
for
you
know,
loading
the
loading
the
ID
in
the
classifier
table
from
the
sending
node,
and
then
the
traffic
go
through
the
Gateway
node
to
another
cluster.
If
you
know
the
the
traffic
is
intended
for
service
backend
on
another
cluster,
then
on
the
receiving
end,
we
also
have
a
entry
ingressible
table
which
enforces
rules
based
on
label
identity
ID.
B
If
there
are
any
answer,
acmps
or
amps
applied
to
these
parts,
so
the
crd
type,
actually,
the
stress
entry,
Network
Odyssey-
is
still
the
acmp
or
amp
that
has
been
in
nature
like
in
Forever,
but
we
added
a
new
field
called
scope,
equals
cluster
set
as
a
special
flag
in
the
Ingress
rules
for
for
the
natural
native
policies.
B
So
when
people
when
the
crd
is
set
as
go
because
clusters
set,
it
means
that
you
know
for
on
the
positive
actors
or
namespace
vectors
or
a
combination
of
selectors
specified
below
it
will
be
applied
to
the
scope
of
the
entire
cluster
set
rather
than
the
cluster
itself.
B
So
it
will
basically
have
the
you
know
the
similar
workflow
as
the
alternative
policy
that
people
are
already
aware.
It's
just
that
we
we
can
use
this.
You
know
special
flag
to
to
select.
You
know
the
entire
from
the
entire
cluster
set.
B
B
Then,
when
we,
you
know,
convert
the
acmp
into
a
control
plan,
Network
policy
internally
after
you
know
the
entry
controller
process,
this
policy,
the
the
rule,
becomes
a
a
bunch
of
Labor
identities,
which
is
one
two
three
and
we
sort
of
like
distribute
this
rule
to
each
of
the
agent
that
you
know
this
policy
applied
to
and
on
the
data
path
side.
B
The
agent
will
program
these
labor
identity
IDs
into
the
data
pass,
so
that
you
know
any
incoming
traffic
that
matches
these
labor
identities
will
be
allowed
or
dropped,
or
you
know
are
rejected,
based
on
the
disposition
of
the
rule
itself.
B
Then
this
is
just
a
reference
on
what
the
flows
will
look
like
for
such
of
us.
What
what
the
rules
will
look
like
on
the
data
path
if
the
agent
received
a
control
plan
rule
looking
like
the
the
left,
I
won't
I
won't
go
into
detail
for
that,
because
we
are
already
a
little
bit
ahead
of
time.
So
I'll
guess
I'll
just
you
know,
jump
to
leave
the
floor
to
Grace
and
to
show
you
guys
a
really
quick
demo
on
you
know
the
stretch,
Network
policy
capabilities
right
now.
C
Okay,
thanks
Young,
so
I'm
gonna
show
you
guys
a
short
demo
video
to
give
you
a
a
rough
idea
about
how
stretching
that
policy
works.
As
you
can
see
on
my
screen,
there
are
two
terminals
the
upper
terminal
is
in
the
cluster,
where
I
run
the
client
pass.
As
you
can
see,
there
are
two
cardboard
client,
one
and
client
two.
They
have
the
same
labels,
which
is
Happy
equals
test
client
and
in
the
lower
terminal.
It's
in
a
cluster
where
I
run
the
server
pod
and
the
starter
service.
C
Also
the
on
This
Server
cluster.
It
already
exported
the
service
to
the
whole
cluster
set
so
on
the
upper
cluster
or
the
client
cluster.
We
already
can
see
the
atrial
MC
engine
service
imported
to
this
cluster,
so
both
the
client
pod
can
access
the
this
service.
Normally,
if
there's
no
Network
policy
applied
it
on
the
seller,
pod,
so
client
one
can
access
it
and
the
client
two
also
can
access
it
and
then,
in
the
server
cluster
we
we're
gonna
apply
a
across
the
network
policy.
C
Then
the
both
client
traffic
will
be
dropped
in
now.
Let's
see
if
we
update
one
of
the
pause
label
to
test
app,
for
example,
and
we
apply
it,
then
the
client
one
should
connect
it
to
the
able
to
connect
to
the
service,
but
the
client
too.
The
traffic
still
be
dropping.
C
B
This
this
demo,
video,
is
basically
just
to
show
that
you
know
we
can
handle
pod
labor,
update
events,
and
we
can
also
correctly
handle
you
know
a
acmp
policy
update
for
you
know
different
labels,
and
even
though
you
know
this
is
looks
quite
simple,
a
lot
of
things
are
sort
of
like
happening
under
the
hood,
for
example,
if
a
cloud
path
changes
label.
B
So
you
know
this
will
go
through
the
data
cluster
and
the
member
cluster
and
then
finally,
the
main
cluster
will
sort
of
like
receive
these
events,
and
when
a
member
cluster
receives
these
events,
it
will
also,
you
know,
trigger
any
acmp
that
you
know
affects
this
label
and
the
acmp
will
sort
of
like
be
reprocessed
to
take
these
changes
into
account
and
the
data
pass
flows
will
then
be
Rewritten
to
capture
these
changes
and
that
that's
how
you
know
the
entire
stretch.
B
B
Yeah
thanks
Grayson
we're
we're
ready
for
any
other
questions
regarding
demo,
if
it.
A
Cool
that
was
a
a
dice
introduction.
A
nice
explanation
of
the
feature,
I
have
to
say
that
often
the
demos,
when
there
are
these
kind
of
features
that
are
really
hidden
in
the
let's
say
in
the
in
the
control
plane
data
plane,
the
it's
the
demo
seem
a
little
bit
disappointing
like
you
know,
you
do
a
lot
of
work
and
then
the
demo
is
like
30
seconds
yeah,
it's
done
but
anyway.
A
That
was
great
thanks
for
this
great
explanation
and
do
we
have
any
question
or
comment
for
young
and
Grayson
regarding
this
feature.
A
Cool,
so
the
PRS
for
this
feature
are
in
review,
and
this
is
something
that
we
most
likely
be
part
of
the
entria
1.9
release.
So
at
this
stage,
since
it
appears
that
there
are
no
more
questions,
I
would
like
to
thank
thank
a
lot
young
and
Grayson
for
this
presentation
and
we
can
move
to
the
next
topic.
So
yeah
I.
C
Have
you
ever
tested
how
long,
typically
it
will
take
for
this
stretch?
Narrow
policy
to
take
effect
is
about
a
few
seconds
or
less
than
one.
Second,.
B
Yeah,
that's
that's
a
really
great
question.
This
is
a
part.
You
know,
because
of
the
time
limitation
we
haven't
be
able
to
expand
on
I.
Don't
have
a
exact
answer
to
that,
but
I
think
Grayson
would
know.
But
the
thing
is
you
know
if
you
know
we
have
a
delay
in
sort
of
like
labor
identity,
ID
communication
from
the
leader
and
a
member
which
means
that
you
know
the
member
wasn't
able
to
sort
of
like
receive
an
ID
as
I'm
for
a
new
label
in
in
really
quickly.
B
We
also
do
something
called
a
security
flow,
which
is
also
you
know,
suggested
by
I.
Remember
it
could
be
suggested
by.
You
means
that
you
know
if
we
have
a
part
that
you
know
who's
made
by
identity.
We
don't
know
what
the
ID
is
we'll
first,
you
know
put
an
unknown
ID
for
that
and
and
essentially
for
any
policy
selecting
Parts,
which
is
a
backhand
of
a
multi-class
service
when
they
encounter
incoming
traffic
covering
an
unknown
ID
on
security
purposes.
We
just
defaulted
to
to
drop.
B
We
just
wait
until
you
know
the
the
ID
actually
comes,
then
we
update
the
flow
into
you
know
a
a
real
Network
policy
flow,
but
I
I,
don't
know
if
Grayson
knows
what
we
usually
observe
in
terms
of
the
time
Delta.
For
for
this
change
to
happen,
I
expect
it
to
be
to
be
really
really
slow,
really
really
small,
but
I
would
also
acknowledge
that
it
also
depends
on
a
lot
of
other
factors
such
as
you
know,
scale,
and
you
know
other
network
conditions
between
member
leader
yeah.
C
So
I
think
the
bottlenecker,
for
this
is
just
the
the
exchange
between
member
cluster
and
the
leader
cluster.
The
label
identity
assigned
I
have
done
a
test
in
our
multi-cluster
test.
Bed
I
update
the
namespace,
which
has
100
parts
inside
it,
which
would
basically
trigger
100
label,
updates
label
identity,
update
I'd
like
to
say
it
takes
roughly
I,
didn't
count
on
the
clock,
probably
four
or
five
seconds.
C
Oh
four,
five
seconds
for
updating
random
Space
Case,
you
mean
yes,
which
has
the
eye
which
has
a
two.
Is
it's
200,
Parts,
yeah,
okay
for
all
of
them
to
take
effect?
Yes,
thank
you.
Maybe
we
could
also
test
when
we,
when
we,
when
we
create
a
new
port
or
updating
a
nano
policy,
selector
and
Port
selector
in
the
internet
policy,
how
long
it
could
take
typically
I
think
that's
a
more
common
scenario.
Updating
namespace
label
I
think
it's
not
a
very
frequent
operation
yeah.
C
C
If
we,
if
I,
know
this
labor
identity
in
my
cache,
if
I
know
it
I
will
just
say,
like
put
them
like
my
ID
in
the
cache
implemented
in
the
in
the
data
path
and
the
Pod
Creator
event,
I
use
the
namespace,
because
I
want
to
trigger
100
or
200
label
identity,
update
events
at
the
same
time,
so
I
think
part
probably
suggests
like
two
or
five
seconds
divided
two
hundreds.
B
Yeah
and
and
I
think
for
the
sake
of
time,
I
I
also
wanted
to
say
that
you
know
I
think
this
is
tested
before
before
we
change
the
labor
identity
controller
to
you
know,
sort
of
like
an
async
queue
processing,
as
you
suggest
suggested
not
not
long
ago.
So
with
that,
we
probably
will
get
some
performance
improvements,
because
we
can
sort
of
like
concurrently
process
more
without
you
know
complicated
locking
mechanisms.
So
we'll
probably
you
know
test
a
bit
more
and
you
know
get
back
to
you
with
the
latest
results.
C
Thank
you
yes.
Yes,
my
test
is
like
done
almost
like
three
weeks
ago
or
a
month
ago.
I
would
try
to
do
more
legit
performance
test
with
the
latest
changes
yeah.
A
And
as
we
said
in
the
interest
of
time
now,
we
have
to
switch
to
a
new
topic
because
we
need
to
Grant
enough
time
for
the
Raul
and
their
team
to
present
this
new
project.
I
we're
running
a
little
bit
late
on
schedule
so
likely
this
meeting
will
last
a
little
bit
more
than
the
scheduled
hour.
So
hopefully
that's
okay
for
you
and
I
will
stop
talking
in
the
interest
of
time
and
later,
I
will
do
this
presentation.
E
Hi
guys
thanks
everyone
for
joining
the
call
I,
you
guys
can
see
my
screen
right.
Yes,
okay,
perfect,
all
right!
Thanks
everyone
for
joining
the
call
today,
I'm
going
to
talk
about
project
Nephi
I'll
provide
a
brief
introduction
of
what
project
Navi
does
what
are
its
capabilities
and
follow
up
with
a
brief
demo
or
a
short
demo.
E
First
of
all,
where
did
this?
How
did
we
come
up
with
this
name,
so
we
were
looking
for
something
which
has
some
relevance
to
Cloud,
because
this
project
is
targeted
for
cloud
and
Cloud
resources.
So
we
we
used.
We
chose
this
name
and
it's.
This
name
is
actually
derived
from
nephele,
which
actually
means
goddess
of
cloud.
But
when
we
looked
at
this
name
nephili,
there
were
a
lot
of
open
source
project
with
this
name.
E
So
what
we
did
is
we
just
shortened
this
name
and
we
called
Nephi,
so
the
pronunciation
is
sniffy.
E
And
production,
so
what
is
this
so?
Nephe
is
targeted
for
public
Cloud
resources
and
essentially
what
we
do
here
is
we
take
entry
and
network
policy
and
we
translate
and
enforces
those
policies
on
public
Cloud
resources.
Now
what
I
mean
by
public
Cloud
resource
is
in
the
first
release.
We
are
targeting
virtual
machine,
but
the
design
is
such
that
we
can
extend
the
support
for
other
public
Cloud
resources
like
native
Services,
load,
balancers
and
so
on
foreign.
E
How
do
we
do
the
policy
enforcement,
so
we
use
cloud
constructs,
which
is
what
we
call
network
security
group,
so
think
of
network
security
group
contains
all
the
rules.
It
contains
the
rules
and
then
you
apply
this
network
security
group
to
the
public
Cloud
resource,
like
virtual
machines,
typically
for
a
VM,
it's
applied
on
a
network
interface,
so
you
would
be
hearing
this
name:
network
security,
group
or
NSG,
frequently.
E
So
as
this
project
translates
entry
and
network
policy
right,
so
the
choice
of
network
policy
CLI
must
be
Andrea
and
I
I'm,
explicitly
calling
it
out
as
Network
policy
CLI,
because
if
you
take
some
managed
Cloud,
so
they
do
have
options
of
choosing
Network
plugins
separately
and
a
policy
plugin
separately.
So
for
Nephi
we
need
the
network
policy
to
be
entry.
E
For
Nephi,
we
only
support
whitelisted
policies.
What
I
mean
by
what
is
white
listed
is
for
an
ANP.
We
will
only
support.
Allow
action,
the
reason
being
like
one
of
the
cloud
AWS
doesn't
have
an
action
like
deny
or
drop,
or
something
like
that.
So
what
we
do
is
if
we
see
any
entry,
Network
policy
which
has
which
has
drop
action
or
deny
action,
we
throw
an
error
and
we
fail
the
realization
we
wanted
to
unify
as
many
Cloud
as
possible.
E
Yes,
Azure
do
support,
drop
and
deny
actually
basically
deny
action,
but
then
we
didn't
want
to
UNIF.
We
wanted
to
unify
all
the
clouds
and
I
think
for
I
have
to
check,
but
gcp
does
support
I
think
it
does.
Support,
deny
action
So
based
on
feedback.
We
will
figure
it
out
that
you
want.
We
want
a
specific
Cloud,
specific
handling
of
Entry
Network
policies
or
we
wanted
to
keep
it
generated
right
now.
We
kept
it
generic.
C
Okay,
I'm
just
thinking
along
here,
because
if
you
don't
have
Tina
azurus
I
think
sum
is
unchealed
features
are
useless,
like
policy
priority
or
zero
priority,
I'm,
not
sure
if
we
can
optimize
a
little
or
not.
But
maybe
you
want
one
sentencing.
E
Okay,
I'll
evaluate
gcp,
also
just
to
see
if
gcp
supports
it
but
and
I'll.
Also,
sync
up
with
you
Offline
that
if
those
features
which
you
just
brought
up,
we
just
mentioned
we
would
those
are
critical
or
not,
or
we
needed
in
in
our
next
release.
E
So,
okay,
right
now
we
support
both
AWS
and
Azure
cloud,
and
the
architecture
is
such
that
it's
a
plugable
model
wherein
other
public
clouds
can
be
easily
inserted
in
every
project.
E
As
part
of
this
new
project,
we
introduce
a
few
crds
for
crd.
Is
cloud
provider
account
crd,
so
using
this
crd
or
CR,
the
user
would
be
able
to
on
board
a
cloud
account
in
Nephi,
so
this
will
essentially
carry
credentials
like
AWS
credentials
or
Azure
credentials.
What
region
you
want
the?
What
region?
E
You
want
your
resources
to
be
onboarded
in
in
the
in
kubernetes,
for
example,
let's
say
some:
some
user
may
not
want
resources
from
a
region
X
or
region
y
right
so
or
may
they
want
some
resources
of
reason,
X
to
be
onboarded,
but
not
from
region
wide.
So
they
will
use
this
CR
to
create
a
resource
and
then
specify
which
region
it
wants.
The
resources
to
be
imported
in
and
I'll
cover
this
further
in
the
next
slide,
then,
once
an
account
is
added
right.
E
So
in
a
single
in
a
single
account,
you
would
have
a
lot
of
resources
like
virtual
machines,
vpcs
and
so
on,
like
there
are
many
resources.
So
what
resources
you
want
to
onboard
on
kubernetes
or
nephe,
so
This
Cloud
entity,
selector
crd,
is
going
to
provide
a
user
an
option
to
onboard
a
public
Cloud
resource
of
a
particular
Cloud
account.
So
this
is
the
use
of
it.
So
first
CR
would
would
carry
credentials
and
then
the
second
CR
will
actually
be
used
to
specify
what
resources
you
want
to
be
imported
into
kubernetes.
E
The
third
crd
is
the
virtual
machine
crd.
So
once
we
have
figured
out
that
these
are
the
virtual
machine,
crds
matching
CES
criteria,
so
we
onboard
those
virtual
machines
as
CR
virtual
machine
CRS
in
the
kubernetes.
E
Okay
I,
just
I,
saw
a
response
from
Banky
that
gcp
doesn't
support
ni,
so
only
Azure
supports
109,
that's
good,
all
right,
a
sample
CPA.
E
So
in
this,
how
how
we
are
adding
a
secret
in
in
the
phase
earlier,
we
were
adding
the
access
key
and
secret
key
inside
the
CPA
object,
but
due
to
security
concerns,
what
we
did
is
we
separated
this
out
into
two
wherein
user
would
first
create
a
secret
and
in
the
secret
you'll,
have
an
opaque
object
which,
which
will
have
credentials
and
in
the
credentials
we
take
the
base64
encoding
of
AWS
key
and
Secret,
and
we
expect
the
user
to
create
this
Secret
in
nephew
namespace,
so
that
the
Nephi
controller
can
read
this
secret,
which
is
added
by
the
user
and
in
the
CPU
object
like
I
was
mentioning
that
we'll
have
AWS
and
Azure
config,
and
in
this
CPU
object
you
could
specify
which
region
you
want
your
resources
to
be
imported
from,
and
it
will
carry
secret
reference.
E
E
So
once
you
have
added
a
CPA
object,
the
next
thing
is,
you
add,
a
CES
object,
so
CES
object
is
where
you
specify
that,
out
of
lot
of
resources
of
a
particular
account
which
resources
you
want
to
be
imported
into
the
cluster,
so
the
Cs
object
will
carry
your
name
name
space.
It
will
have
a
reference
of
which
cloud
account.
The
CES
is
part
of
and
right
now
we
are
only
supporting
virtual
machine
CR.
So
we
have
this
VM
selector,
but
in
future,
if
we
have
other
selectors
this,
this,
this
thing
will
grow.
E
So
in
this
sample
example
I'm
using
a
VM
selector
and
in
the
VM
selector
it
actually
VM
selector
supports
four
different
combinations
like
VPC
ID,
VPC,
name,
VM,
ID
and
VM
name.
So
in
this
sample
example
I'm
using
a
VPC
match
with
the
match
ID
as
this
ID.
So
what
it
means
is
any
virtual
machine
part
of
a
VPC.
This
VPC
would
be
automatically
onboarded
into
the
kubernetes
cluster.
E
E
So
first,
the
user
will
add
a
CPU
object
which
carries
credentials
and
secrets
once
the
CPA
object
is
done.
You
specify
which
resources
you
want
to
be
imported,
so
using
CES
CR.
You
add
that
matching
criteria.
Once
these
two
things
are
added.
What
Nephi
does
is
it
pulls
a
public
cloud
and
identifies
all
the
resources
matching
the
criteria,
and
once
it
has
identified
that
these
are
the
VMS
matching
the
criteria,
it
creates
a
virtual
machine
CR
for
it
so
virtual
machines.
Here
right
now
we
kept
it
for
visibility.
E
Purpose
like
it
carries
the
running
state
of
the
VM.
If
it
is
up
or
down
the
VPC,
the
VM
belongs
to
and
I'll
show
this
in
the
demo.
So
let's
say
it's
mostly
for
the
visibility
purpose.
E
Then,
while
once
we
have
once
we
add
the
virtual
machine
CR
today,
NPR
Network
policy
is
actually
applied
on
external
entity.
It's
not,
it
doesn't
understand
virtual
machine
CR.
So
what
we
do
is
we
have,
we
also
add
a
one-to-one
mapping
between
the
virtual
machine,
CR
and
external
entity.
So
what
Nephi
does
is
whenever
a
virtual
machine
object
is
added
or
deleted?
E
E
So
this
is
the
overall
flow
and
then
so
this
network,
just
to
reiterate
the
network
policies,
they
would
have
to
apply
on
the
external
entity,
which
is
which
is
which
is
added
by
Nephi
controller
and
then
the
the
way
entrea
controllers
disperses.
The
policy
is,
it
looks
at
the
external
node
field
in
the
external
entity
and
decides
that.
Okay,
this
external
node
external
node
inside
external
entity,
is
has
a
Netflix
controller
in
it
as
a
field.
E
I'll
take
a
pause
here,
because
this
is
essentially
what
we
do
in
nifi
and
any
questions
on
this
workflow.
A
The
the
reason
I
don't
know
if
it's
a
question
or
a
comment
on
the
chart
and
the
Banshee
is
telling
us
that
the
G
cheap
gcp
do
does
support
the
denominator
policies.
I,
don't
have
the
context
for
this
I
don't
know
in
which
context
this
is
a.
E
Yeah
so
Jen
June
actually
mentioned
that
and
so
I.
So
I
mentioned
that
we
only
support
whitelist
policies
because
AWS
doesn't
support,
deny
action
and
looks
like
Binky
quickly,
checked,
gcp
cloud
and
gcp
does
support
Deni
action,
so
both
Azure
cloud
and
gcp
Cloud
does
support,
deny
action
yeah
so
and
as
engine
was
mentioning
that
there
might
be
some
features
which
might
be
meaningless.
If
we
don't
support
Deni
action,
so
we
will
have
an
offline
discussion
with
genjun
to
figure
out
what
those
features
R
and
then
click
it
from
there.
B
Just
a
quick
question,
so
you
just
mentioned
that
you
know
this
is
only
sent
to
the
net
fee
controller
if
the
policies
are
actually
applied
onto
the
external
entity.
So
does
that
mean
that
if
a
policy
applies
to
you
know,
pause
in
the
cluster
and
for
Ingress
and
egress?
It's
the
access
external
entity?
This
will
still
be
enforced
by
enter
a
controller,
and
the
addresses
are
just
computed,
as
the
external
entities
addresses
is
that
correct,
or
or
in.
E
So
well
so,
let's
take
a
step
back
here,
so
the
nephe
controller
applies
the
network
policies
on
the
virtual
machines
on
cloud
right
so
which
is
this
now?
What
is
its
representation
in
in
entria
controller?
This
representation
is
external
entity.
Now
now,
when
you
apply
a
network
call
and
if,
if
you
let
me
see,
if
I
have
not
okay,
so
I
I
thought
I
had
a
reference
external
entity,
but
in
the
external
entity
we
have
introduced
this
field
called
external
node,
which
is
essentially,
it
essentially
means
the
owner
right.
E
Let's
say
if
I
receive
a
pod
policy,
or
even
even
if
you
see
some
XYZ
policy,
nifi
cannot
do
anything
with
it
because
it
needs.
It
will
first
take
the
external
entity
from
this
internal
address
group
and
apply
to
group
and
would
identify
what
is
the
virtual
machine
belonging
to
that
particular
external
entity,
and
then
only
on
that
particular
VM.
It
applies
the
policy
in
Cloud,
so
it
needs
external
entity,
so
the
so.
E
E
So
when
we
import
when
we
create
an
external
entity,
we
add
a
few
few
fixed
labels
like
kind
Nephi
tag,
Nephi
and
so
on,
and
we
also
discovered
tags
from
the
word
from
the
public
cloud
and
add
those
tags
on
the
external
entity.
E
So
the
user
can
easily
use
those
labels
when
defining
an
entry
and
network
policy
and
then
and
then,
if
it
wants
those
VMS
to
be
managed
using
entry
Network
policy,
then
they
have
to
use
this
entity
selector
external
entity
selector
and
then
include
that
in
the
apply
to
field
I
hope
it
answers
your
questions.
Yeah.
B
E
B
E
All
right
again
any
questions
on
this
workflow
before
I
move
on,
because
this
is
the
quest
of
making.
A
Well,
let's
do
the
same
five,
four,
three:
okay,
two:
okay!
It
seems
there
are
no
more
questions,
so
I
will.
E
E
So
other
thing
which
we
have
done
is
we
have
used
kubernetes
dependent
concept
wherein
we
have
added
dependencies
on
the
objects,
so
this
CPA
object.
The
CES
object
will
have
an
owner
reference
as
a
CPA
object.
Virtual
machine
will
have
an
owner
reference,
the
CEO
CES
object
and
so
on.
So
in
that
way,
whenever,
as
if
somebody
removes
or
either
the
user
removes
the
CPA
object,
the
kubernetes
will
make
sure
that
all
its
child
objects
would
be
removed
automatically.
E
So
this
is,
we
use
kubernetes
construct
to
achieve
this,
like
we
added
a
dependencies
on
each
options:
sample
entry,
Network
policies.
Again
we
only
support
namespaced
policy
namespaced,
not
the
cluster
scope
and
name
space
scope.
It
has
to
up.
It
has
to
be
applied
on
external
entity
only
like
you
apply
it
on
a
pod
or
some
other
resources.
Then,
if
a
controller
will
not
even
receive
the
policies
and
then
the
Ingress
in
the
English,
you
can
either
have
like
an
IP
block
or
external
entity
selector.
E
So
this
is
fine.
I
mean
like
you
can
you
can
even
have
an
IP
set,
so
you
don't
have
an
issue
here.
We
just
have
to
make
sure
that
the
policies
are
actually
applied
on
the
external
entities
created
by
NFP
control,
foreign.
E
Network
policy
enforcement
done
so,
as
you
guys
are
aware
that
so
the
entry
Network
policy
is
converted
into
internal
internet
web
policies
and
then
the
consumer,
which
is
the
Nephi
controller,
receives
these
events.
So
as
part
of
these
three
events,
we
take
different
actions
and
I'm
going
to
talk
about
it.
So
the
first
one
is
the
address.
Group
address
group
is
whenever
you
have
something
like
from
which
has
this
kind
of
stuff.
So
what
the
entry
controller
does
is.
E
It
creates
an
address
group
and
then
this
address
group
for
Nephi
will
either
contain
an
IB
set
or
or
an
X
or
external
entity.
So
whenever
Nifty
receives
this,
Nifty
controller
receives
this.
It
computes
the
members
which
is
from
external
entity
to
which
we
are
in
public
Cloud.
E
This
address
group
belongs
to
and
for
this
particular
address
group,
we
we
create
a
Network
Security
Group
in
Cloud,
and
then
once
we
have
created
this
network
security
group,
we
we
attach
that
Network
Security
Group
to
all
the
VMS
which
or
all
the
external
entities
which
are
part
of
this
address
group.
E
So
we
we
do
this,
because
if
you
have
an
address
group,
you
can
use
that
as
one
of
the
Ingress
Field
one
of
the
field
in
the
actual
Cloud
group,
you
don't
have
to
convert
the
address
group
members
and
figure
out
their
IP
set
and
then
apply
them
in
the
net
in
the
cloud
as
different
IPS.
You
can
also
create,
like
us,
another
address,
Security
Group
and
a
network
security
group
in
cloud
and
use
as
from
this
particular
Network
Security
Group
to
this
particular
Port.
Allow
something
like
that.
E
So
that's
the
significance
of
address
group
event
applied
to
event
is
similar
to
the
address
group
event,
wherein
once
we
receive
it,
we
do
we
again
compute
the
members
from
external
entity
to
the
VM.
We
also
create
a
network
security
group
for
this
applied
to
grow,
and
then
we
also
attach
that
particular
this
newly
created
NSG
to
the
virtual
machines,
typically
or
at
the
Nic
level.
E
Lastly,
the
NP
event
in
NP
event,
we
compute
the
rules
like
Ingress
and
egress
rules,
and
then
this
rules
are
actually
applied
under
this
applied
to
nsgs.
We
don't
create
another
nsgs
for
this
rules.
This
is
actually
applied
on
the
applied
to
network
security
group,
so
think
of
it
in
this
way
that
the
address
group
is
just
used
as
a
placeholder,
which
is
used
as
a
reference
in
the
which
is
used
as
a
reference
in
the
applied
to
Security
Group.
A
E
Moving
on
what
we
have
also
included
in
this
project
is
we
also
have
terraform
scripts
for
deploying
in
AKs
and
eks
cluster,
and
we
also
added
the
terraform
scripts,
wherein
you
can
quickly
create
a
VPC
or
a
v-net,
and
it
will
have
a
3bm
with
the
Apache
installed.
So
these
are
the
things
we
have
included
in
the
Lefty
project.
E
Future
scope,
agented
support
So,
as
you
can
guess
that
this
entry
Network
policy
enforcement
is
happening
agentlessly
using
Cloud
construct
in
future.
In
the
next
release,
we
also
want
to
add
agented
support,
in
which
we
will
run
a
VM
agent
on
the
public,
Cloud
VMS
and
enforcement
would
happen
or
via
obs.
E
We
want
to
add
more
match
criteria
like
tags.
Today
we
just
support
VPC
ID
VPC,
VPC
name,
VM,
ID
and
VM
name.
We
would
also
like
to
group
resources
based
on
tags
to
or
add
resources
based
on
tags
right
now.
The
support
is
only
for
virtual
machine,
but
we
would
like
to
extend
this
for
other
services
native
Services,
RDS
instances
and
so
on
see
at
the
end
of
the
day
any
public
Cloud
resource,
wherein
we
can
add
a
security
group,
so
that
can
be
imported
as
external
entity
in
in
kubernetes
cluster.
E
So
that
is
the
idea.
So
if
a
resource
has
network
security
group
so-
and
we
can
create
an
external
entity
for
it,
then
we
should
be
able
to
protect
that
and
apply
entry
Network
policy
on
it,
a
more
public
clouds
like
gcp
and
then
we
will
also
evaluate
if
we
have
to
serve.
How
do
we
to
support
a
deny
action?
As
general
mentioned
any
questions
before
I
jump
to
that.
A
Just
just
a
question
on
the
structure
of
the
of
the
young
three
electropologies.
Clearly,
if
the
applied
group
is
not
of
kindness
fee,
specifying
a
kind
of
Navy,
as
you
know,
from
close,
simply
makes
no
sense
right
because,
as
you
say,
these
are
the
the
Navy
enforcement
makes
sense
only
when
applied
it
with
an
external
entity
correct
so,
okay,
perfect.
So
it's
not
like
this
is
a
scenario
where
I
can
have
a
applied
the
two
to
pause
with
external
entity
being
a
virtual
machine.
E
Applied
to
is
an
external
entity
and
this
external
entity
is
created
by
by
Nephi.
So
when
I
the
external
entity
information
in
the
demo,
then
it
will
be
clear
that
we
add
this
special
tag
in
the
external
entity
and
using
that
hint
entry,
a
controller
disperses,
the
policy
to
Navi
control.
Otherwise
it
will
be
blocked
at
the
entry
controller
itself.
Okay,.
E
A
Ready
for
the
demos,
there
are
any
final
question
regarding
the
design
and
the
specification
of
external
entities.
Let's
just
wait.
Five
more
seconds.
E
In
the
interest
of
time,
so
I
have
already
created
a
kind
cluster
in
which
I
am
already
running
entria
a
1.8
version.
E
E
So,
as
you
can
see,
the
Netflix
controller
is
running,
so
we
just
create
one
replica
of
nephe
controller
now
as
the
next.
The
next
step
would
be
to
add
a
cloud
provider
account,
so
the
cloud
provided
account
for
that
we
have
to
create
a
secret
first,
so
I
can
cannot
show
you
the
secret,
because
the
basically
for
encoded
on
my
secret,
so
I'll
just
apply
that
yaml.
E
So
it
does
create
a
demo
name
space
and
a
secret,
but
just
to
show
you
I
have
another
yaml
wherein
I
just
have
a
placeholder.
E
E
And
then
we'll
apply
a.
E
A
CPA
object,
so
the
CPA
object
basically
has
a
reference
to
the
secret
which
I,
which
I
just
created
so
we'll
apply
that.
E
Then
the
next
step
is
the
CES
object.
So
I'll
show
you
the
Cs
object
too.
So
in
the
CES
object
it
is
pointing
to
the
AWS
account
which
we
just
added
and
I'm
using
a
VM
selector
and
the
VM
selector
has
this
VPC
ID.
So
any
virtual
machines
I'll
show
you
the
virtual
machines
on
Cloud
2.
Now
so
on
this
particular
VPC,
which
is
this
vpc21.
You
will
see
there
are
three
VMS
in
public
Cloud,
so
this
demo
is
for
AWS
Cloud.
E
So
you
see
these
three
VMS
would
be
automatically
imported
in
our
kubernetes
cluster.
So
let's
apply
this.
E
Okay,
so
so
now
what
Netflix
would
do
is
is
going
to
pull
a
AWS
cloud
and
it'll
add
the
virtual
machine.
So,
as
you
see
that
this
is
mostly
for
visibility
that
from
which
what
VPC
this
VM,
which
has
instance
IDs,
is
imported,
it's
running,
State
and
so
on,
and
we
also
carry
tags.
So
I'll
just
show
you
the
tags
too,.
E
First,
let
me
just
show
the
owner
references,
so
this
well
remember
in
the
slide.
I
just
mentioned
that
we
had
dependencies,
so
this
object
owner
is
actually
the
CES
object,
and
this
is
the
ID
of
Cs
object
and
so
on
here
whatever
so,
these
are
some
of
the
default
tags
which
we
add
like
what
is
the
instance
ID
of
this
virtual
machine.
What
is
the
VPC
ID
and,
if
I
add
any
tag
on
that
particular
virtual
machine?
E
E
Mean
on
the
external
entity,
you
will
be
doing
that:
okay,
okay,
so
if
you
see
these
are
the
those
are
the
annotations
we
add
and
based
on
the
annotations,
we
add
this
labels
on
the
external
entity.
So
if
you
see
here
the
this,
this
is
the
name
which
is
a
tag
in
AWS.
The
kind
is
like
some
fixed
tags,
which
we
add
environment
is.
This
is
a
kind
of
tag.
E
What
VPC
this
external
entity
belongs
to,
so
all
these
things
I
mean
a
user
can
apply
an
ANP
with
with
the
match
selector
as
any
of
the
labels,
and
these
labels
are
actually
let
me
show
you
what
this
labels
are.
These
labels
are
actually
tags
here
on
on
the
public
Cloud
resource.
E
Typically,
what
people
do
is
they
add
tags
to
the
resources
and
they
they
use
these
tags
as
as
groups
for
grouping
purpose.
E
So
what
we
do
is
we
also
read
this
tag
from
the
public
Cloud
resource
and
add
them
as
labels
on
the
external
entity,
and
the
other
thing
which
I
was
talking
about
is,
as
this
external
entity
is
created
by
Nephi
controller,
we
set
this
field
in
the
external
entity
as
Nifty
controller,
so
any
enter
Network
policy
matching
an
external
entity
which
is
created
with
this
particular
tag.
Then
only
the
Netflix
controller
will
receive
the
network
policy.
E
Okay,
so,
as
you
can
see,
the
virtual
machine
CR
is
created,
external
entity,
CR
is
created
and
the
next
thing
is
to
apply
a
entry
Network
policy
and
see
that
in
action.
E
So
in
this
entry,
Network
policy
I'm
adding
two
network
to
enter
Network
policy,
one
will
include
an
IP
block
which
will
basically
allow
SSH
from
anywhere
and
the
second
one
is
because
I'm
I'm
adding
this
another
from
external
entity
selector
to
show
you
that
for
even
at
for
the
address
this
will
translate
to
an
address
group
event.
So
even
for
address
group,
even
we
do
create
a
network
security
group
in
cloud
and
I'm
going
to
show.
E
That
is
the
reason
I'm
showing
the
adding
external
entity
selector
in
the
form
field
too.
So
we'll
we'll
see
both
the
IP
set
in
action
or
IP
Block
in
action
and
we'll
also
see
the
address
group
in
action
on
the
cloud
side
and
how
things
translates
to
and
again
this
is
applied
on
the
match
label
with
kind.nify
as
virtual
machine
we
could
use
the
VM
ID,
also
and
so
on,
but
I
just
wanted
to
keep
it
simple.
So
now,
I
have
three
VMS,
so
these
policies
would
be
applied
on
all
three
games.
E
E
This
instance
has
two
Security
Group,
which
has
prefix
as
Nephi
a
g
means.
This
is
an
address
group.
A
t
means
is
an
applied
to
group.
This
is
the
ID.
This
is
the
ID
of
the
internal
ID
of
the
group,
and
if
you
see
here,
one
was
IP
block,
so
we
had
an
IP
block
and
then
the
second
one
is
an
address
group.
E
So
we
we
created
another
address
group
here
and
then
this
address
group
is
actually
used
as
a
source
field,
so
any
VM,
which
has
this
particular
address
group
attached
to
it,
so
this
policy
will
take
into
effect.
So
that
is
the
idea
of
it.
So
I
can
have
an
address
group
with
more
than
one
VMS
in
it.
What
I'll
do
in
cloud
is
I
create
a
security
group
for
it
attach
the
security
group
to
the
VM
and
use
the
security
group
ID,
as
in
the
rule
field
in
the
source
field.
Basically,.
E
I'll
take
a
pause
here
just
before
that.
I'll
also
cover
this,
so
we
also
added
a
internal
CR
for
it,
which
is
served
by
an
aggregated,
API
server
and
not
kubernetes.
So
it
actually
shows
the
realization
status,
how
many
policies
are
applied
and
if
you,
if
there
are
any
errors.
E
E
So
the
brief
overview
is
going
to
show
you
how
many
Network
policies
are
applied,
the
overall
realization
status,
and
if
there
are
any
errors
here,
you
can
look
at
the
description
field
and
in
the
description
field
it
will
carry
the
reason
why
this
particular
Network
policy
was
not
applied.
E
All
right,
I
think
well
time
for
Q
a
you
guys
have
any
questions.
A
C
I
have
small
comments
about
the
virtual
machines.
Annotation
I
I
think
that
they
are
copied
from
the
text
of
the
watch
machines
right,
yeah,.
C
If
we
use
labor
instead
of
annotations,
you,
you
would
be
more
friendly,
as
we
could
also
list
selected
virtual
machines
by
using
the
tag.
But
but
if
you
use
annotations,
it
can
only
be
used
for
visibility
cannot
be
used
as
selector,
for
example,
if
I
want
to
list.
E
Yes,
that's
right,
yeah,
that's
right!
Actually
our
plan
is
to
deprecate
this
and
you
and
serve
it
using
aggregated
API
server,
not
like
a
first
class
citizen
as
a
served
by
back
by
it
at
CD,
so
that
is
there.
This
is
a
temporary
thing,
probably
in
in
next
to
next
release,
we'll
we
plan
to
remove
it.
So
at
that
time
we
will
probably
consider
to
change
it.
E
Yeah,
because
what
we
we
wanted
to
this
kind
of
visibility
at
the
end
of
the
day,
so
what
we
decided
is
we,
we
separated
it
out
into
a
different
object,
and
this
is
what
we
are
showing
at
per
VM
level.
What
is
the
realization
status
of
each
Network
policy?
E
Apart
from
this,
the
project
is
here:
it's
open
source.
Everyone
can
take
a
look
at
it.
We
do
have
a
good
documentation
which
covers
the
architecture.