From YouTube: CNCF Network Service Mesh 2020-06-02
Description
CNCF Network Service Mesh 2020-06-02
A
B
C
B
D
D
So, reminder for folks who are joining: these calls are recorded, they will be posted to YouTube. We usually start about five minutes or so after I've pasted the link into the chat. If you could, please go add yourself to the list of attendees in the meeting minutes. Also, for those of you who are a little bit less familiar with this sort of way agendas are handled in Network Service Mesh, we're a really open regime.
D
When it comes to agenda, it is not at all uncommon for people to add themselves and their, and the things they want to talk about, to the agenda themselves, including doing so as the meeting is in-flight. So, if there's something you would like to see added to the agenda, I would actually encourage you to go ahead and add it.
B
B
B
So we are also participating in the Telecom User Group, which occurs every, every first Monday. They are now rotating the time schedule, so the third Monday is no longer a thing. Instead, what they're doing is every, every, every month it'll be at 8 a.m. and then 3 a.m. Pacific, it's my understanding. I'll double-check the final dinner. We had one yesterday at 8 a.m. Pacific, so the next time should be one that is more friendly for radio time zone again.
B
I'll get the specifics and verify that before the next meeting. We also participate in the CNCF SIG Network, which occurs every first and third Thursday of every month, which means our shooting one this, this week, and that occurs at 11 a.m. There is a link in the meeting notes. Major events: so KubeCon China has gone virtual.
B
B
B
D
D
B
Okay, yeah, so KubeCon is gone virtual. For KubeCon China, we'll have more information soon. We have, in May 26, we had a webinar to talk on cloud nine to zero Trust, which had NSM highlighted side of it. That was through the overshift comments. I will get the link to the recorded webinar soon, and once I have the link, I will post it in there on June 9th.
B
My company is going to be doing a webinar on federated learning, of which NSM is going to be a key component of, and so I'm not going to be talking at the specific one. This is more for, more of a high-level in terms of federated learning, but if you're interested in federated learning or the use, the use case that we're going to be adding on top of NSM, then definitely recommend showing up to it. On August 17th is going to be KubeCon + CloudNativeCon Europe with a virtual experience. So what this is.
B
This is going to be register, the way that, the way this is going to work now is that we're going to pre-record all the talks and cue, you know, what'll happen is that the talks will be played and the speaker will ideally be available for, for discussion. So, so this, this removes a little bit of the attractiveness a bit, but it also should, should result in more professional videos, and my guess is it'll all be played on a European-friendly timezone.
B
We also have ONES North America, which is going to, which, which is, we super, so waiting for information and guidance on what's gonna happen there, at the same with all IDs Europe. My guess is that they'll have virtual, virtual showing on both. KubeCon North America is still proceeding as currently planned, and we will be seeing there. They're currently putting together the committees to review the CFPs, and we should see a schedule announcement sometime in September. In terms of announcements.
B
It's not really an NSM announcement, but just to make sure everyone is available or aware whether Dan Kohn is no longer heading the CNCF, but he is still with the Linux Foundation, and he's taken over a new effort called the Linux Foundation Public Health, and so we'll still see lots of them. But they've announced a new person to, to run it, and have to get her or her name and added to the agenda.
B
But this person was the, I believe, the head evangelist, evangelizer over at GitLab, and we should see some really good work in these skins. If come from our leadership in terms of the social media community team, we have an additional follower and are following five more people. We've posted out 25 tweets, which includes the last week's video recap, call reminders, the weekly webinars.
B
The introduction of T-Mobile as a gold member, so welcome T-Mobile to the CNCF, and there is also a virtual Linux Foundation you, it's gonna be on June 22nd, so you're interested artificial intelligence, definitely consider signing up. There is also information on Linux Foundation training, and there's information on a CNTT white paper. CNTT is something that I've personally have been involved, involved with.
B
My involvement has been primarily making sure that, that the wording of it is as generic as possible and we try to minimize that vendor lock, and it's still early in its life cycle, so there's still a lot of work to do in that space. So this is just one of the early, one of the early releases that's, that's being done, and there's also information on 5G and Wi-Fi 6, telecom, TV and network architecture and we're cloud native. What does cloud native mean to that space?
B
We also have a post in VMware open source about the latest earnings from the open source community, and there is information on CNF Testbed, where the mobile telecom ministries make rapid progress in conjunction with the CNF Testbed. LinkedIn: posted the same information, and we've added an additional follower there, and we have pending updates on NSMCon EU 2020, and we are going to, once we get some clarifications from CNCF, we will begin promoting registration and, and sponsorship and schedules, and so on. So in terms of the main agenda, we have at the top.
B
C
I can speak a bit about it, it's appropriate on, and the naming is maybe not what it's about: application date and control planes operation. So it's actually to implement service that, that will be the control. The control of the service would be like the aya Paris Opera, but we will have a data forwarder directing this dream in a completely other direction, so that, what's more, that's about. Oh, fantastic.
B
C
B
But one of the things is that, as we progress forward, I think we're going to see as either describing and your application base control planes and data plane separations, and I think that's, to me, it looks like this stuff is leading towards, instead of the application responding to the architecture of the, of the data center.
B
The data centers could also respond to the architecture of the applications and can inform themselves based upon that, because the control planes are being, are eventually maturing to the point where they can take such, such input and do them in a safer way, and so I'm definitely looking forward to seeing what happened, what you all have to say in that space, and we'll make sure it definitely happens.
D
Context is always good, especially because one of the exciting things with Network Service Mesh is we have people coming from a bunch of different direction, so we've got a bunch of deep networking people, we've got a bunch of sort of more cloud native people, and, and one of the exciting parts is we all shared very different context. So there's a lot of stuff that's intuitive to one group of folks that's not to others. So explaining context is always very helpful.
E
F
Hello everyone, can you hear me well? I don't know if my microphone is working. Oh cool, nice. So, so basically, I'm, think I already shared with Fred and also add a little bit of what I'm struggling with in the NSM operator, especially in trying to accommodate the Network Service Mesh inside OpenShift, which, which is also a goal for the operator. So it happens that OpenShift works with a different API server.
F
That has a lot of networking, especially that were objects that we can retrieve information from that, and I know that the Network Service Mesh application needs to retrieve all the prefixes that are being used by the platform, maybe OpenShift or Kubernetes, and there is a different way of doing that. So I have, I'm working on that right now. This week help I'll be working, probably a big slice of the week and that, but I have, I have a big question on that specific thing that, that should change a little bit.
F
The game and running Network Service Mesh on top of OpenShift, and the question would be how often client-go or something like client-go is being used to talk to the kube API server in Kubernetes in the NSM codebase. Like, I've seen a few bits, but I don't know if I won't need to do that a lot of times. So this is one thing.
F
We need to screw those because they are in use. That one I've seen. I don't know if I need to do other networking queries to the platform, because in that case I need to use a different client, because OpenShift has its own client-go. It's the same as Kubernetes when I, when I need to talk to the kube API server, but if I need special objects that are already developed inside OpenShift, I need a different client, because that one who have Network getters and netten that method will bring a lot of networking information.
D
D
F
D
F
Client-go for Kubernetes is exactly the same for OpenShift, but when you, when you need to talk to something special, that this is only inside OpenShift, depending on what it is, then I need a different one. Only in that case. So networking, in that case I have a very special way of doing things that would be pretty easy if I use a different client, but for all the rest is a regular client. Oh, ok.
D
Ok, got it, I got it, I got it. Certainly the thing to understand is that the, the prefixed is the, the go figure out what prefixes you should exclude.
D
So I mean, you could, you would literally essentially write it as a separate package so that we've got nice tight modularity, and then go back to where we're making the decision and say: ok, we need to make sure we have proper modularity, and something here needs to sort of look around the world and say: ok, this is the environment I find myself in, therefore I'm going to use this to get the exclude prefixes. Sure.
C
F
Let's say independent of everything else. And yeah, the other two things I'm working on: one, one is capability tracing. I'm doing that in parallel. So I have a few tools here, because in OpenShift the privileged permission is a problem, because, well, we need to, we need, we need you to touch some knobs to make, make it work, and it's better if I can really, really narrow down the permissions, and I've seen the init container that is injected from the admission controller is asking for permissions.
D
D
F
D
D
Gonna depend entirely on sort of why OpenShift is grumpy, because it may be, like, I can't tell you how many times I've seen something where, like, exactly like the situation where it turns out there were five possible ways we could have done the thing, and we picked number three, and the, the place that is now grumpy would have been perfectly delighted with number two or number, and so why don't we just pick one that works more broadly. Right, yeah! That's also.
F
It actually gets rejected. It's working because I made my own build of the admission controller asking for those permissions, so it works, but I'm, the permissions are too large, like privilege, or something like that, and I know this is a very tiny thing, it's not something big, right, so it's just a matter of actually tracing the capabilities, understanding why they are there, and once I have that it will be good to go.
F
So this is why I'm working on tracing capabilities from, from the process perspective, to understand how I can translate that into the security context, both from the pod in the container, and, and then translate that into a, a policy inside OpenShift, let's say: hey, you are allowed to ask for those, because you are working with that and that. Yeah, I'm, I'm, it's.
D
A general rule, my vast preference would be to try and figure out a way that we don't have to ask OpenShift for anything magic or special there. Okay, because, because, I mean, don't get me wrong, it may not be possible, right, but generally speaking, in every other environment we've dealt with, the init container is able to do its work in a completely unprivileged way. I mean, fundamentally because, like, literally all be in a container, do is doing a hundred percent of all.
D
D
So that, yes, it is, it is this /var directory, just because that's sort of the traditional Unix place to push that such things, and so it's a good example of, like, sort of the, as a good example of the point I was making earlier about: sometimes you just discover that, you know, you had five choices, you picked one and the other, and that's the one that makes of things grumpy. If the issue really is that open.
D
Just for whatever reason grumpy about us using a UNIX file socket in /var, I would be enormously more inclined to adapt to that and put the socket someplace that is not going to make for a grumpy OpenShift, than to convince OpenShift that it should open up what it considers to be a broader set of security permissions.
D
Have a really, really good conversation about. I'm ever so slightly curious as to why OpenShift is grumpy about having UNIX file sockets inside a container in /var, but I also know, you know, there's, there's limitations to my understanding of security in the world, and so sometimes you just sort of shrug and say: security people, you know. Yeah.
F
D
They don't have permissions to loosen the security constraints in OpenShift, for whatever reason, right, or they need to now go convince someone to loosen that security constraint, and nobody really understands why it's there, because it's, quite frankly, like, I can't tell you off the top of my head why you would have that. I'm sure there's a good reason.
D
D
Is, you know, some poor user have to go and, you know, force some weird SELinux policy into the world that they don't understand why it was there to begin with, which means it's marginally dangerous for them to change it, because it's generally not a good idea to change security things you don't understand. We don't want them to have to do that. I think it's to be ugly. It.
B
Also makes the conversations with these security teams much easier when you're to find something that says: hey, you need to go apply the Tipsy Nordics thing, and then you have to explain to security, to the security team, why you're doing it. It's, it's a lot, it's a lot more painful to have that conversation than to just work at a time for those, like, so this is.
B
D
Yeah, and that, but do you think nothing to try, and then did we get to the really fun discussion of: ok, what, what exact, where exactly should we put it, under what circumstances, because you've been sort of two pieces of tension, one of which is, as a general rule you want to, as a general rule you want to try and follow tradition as much as you can, which would say put it in /var/run, and so we're not going to be able to do that for security reasons that we are even interested in figure.
D
D
B
B
F
F
They need to be attached with a security context constraint in order to allow everything to run, and it includes the examples, so if I try to, to deploy a new network service, that one also needs to be run under a specific service account, and in terms of the operator, the Operator Lifecycle Manager is capable of creating those accounts and let them like pre-created for any service account, and I don't know if it is a good practice in terms of networks.
D
So I think part of what you're gonna run into there is that much of what we're using the service accounts for is that SPIRE can trigger off to the service accounts in order to issue SPIFFE IDs. So what you're probably going to discover is that it is perfectly okay to have organized your, your network.
D
Services by service accounts in whatever way makes sense to you, and I tend to be on team as granular as you can get away with without driving yourself insane, like, so I like granular, granular groupings of things, so I would tend to, you know, more granular service accounts, but it is going to need to be the case then, but there is a SPIFFE selector for SPIRE that will cause it to issue an identity to those service accounts. Does that make sense? Yeah.
F
Totally, yeah, I gotta, I gotta take a look of that. Okay, okay, I see, I actually need to run with the SPIRE enable and, and see, and see how things will work with this specific service account, and I guess one thing that you guys mentioned on Slack is about the NSC and DNS, see how I know how an operator could help with those guys. I don't know if you have a specific question on that, if you want to try to discuss that later. Well.
D
I mean, I can hum, I can hum a few bars if that's helpful. So I think the reason, the thing we sort of mentioned on Slack was, as we look at things like the vL3 network service endpoint, right, the vL3 network service, which has a bunch of NSEs and they sort of interrelated, slightly more complicated ways, some of the things that we've built so far. So what do you do in a Kubernetes system when you have slightly more complicated systems of things? Your mind immediately turns towards an operator, and I.
D
Don't know what this ends up being, a separate vL3 NSE operator, or if it ends up being some aspect of the Network Service Mesh operator. My, my knee-jerk reaction, just because I tend towards modularity, is towards having a separate operator, but as I think you sort of mentioned persuasively in our Slack discussions, there may be very elegant ways of just rolling these in a generic sense under the existing operator, and I'm a huge fan of elegance.
D
F
D
D
And if you ping beneath on Slack, you can point, you can sort of the using currently building out some design documents on this that can give you some notion of where we think we're going, and again, this is not like a burning issue yet, it's just, you, I find the world is much easier when, when I considered, like, think about things in the back of my head for, worked I'm not like actively think about them, I just have been bouncing around of my imagination, and so I will often mention sort of prospective things to people.
F
Okay, cool, I'll definitely do that. Yeah, I'll try to address those, those first permission problems, so this week I will have some resolution in some of them, and, and then I'll see how the operator could embrace another API, maybe. If not, it may be a new operator. It's, it's not a problem at all. Yeah.
B
B
A
couple
possible
integrations
for
how
the
endpoints
themselves,
through
the
use
of
it,
so
one
of
them,
could
be
if
you,
if
you
have
dependent
services,
like
suppose,
you
have
a
an
intrusion,
detection
system
that
requires
access
to
some
cue
or
to
some
to
some
database,
and
so
the
operator
can
help
with
with
configuring
and
maintaining
all
of
that,
all
of
that
information
and
and
helping
out
with
some
of
the
some
of
the
state
in
regards
to.
But
how
do
you?
How
do
you
upgrade
it
or
how
do
you?
B
B
The management, the top level of the top level objects, and ensuring that they get created in the, in the correct way, in a uniform way that is easy to manage, becomes very, very useful. And drive down a little bit more deeply into that: when I, when I say management, management, I don't just simply mean go run kubectl apply and then you're done. Like, when you started running a larger number of these across a higher number of pops.
B
Then you start to, you start to see environments where you have to manage all of these things in, in higher and higher number, and it becomes unmanageable. You have to touch a bunch of things. So how do you make sure that you update all of your wiring so that you keep the uniformity across the, a lot of the, operator is also a potential path towards making sure that that synchronization happens and then takes place. So, so I'm.
B
F
Totally, it totally makes sense. What I see there is like modeling: if I have a custom resource that could represent that system, then I can model the status field on that resource with a lot of very specific information, and the operator, as a control loop, as a controller, will be watching that status field all the time, watching for all of those resources, and, and it will take action upon any kind of state that you are retrieving from the various components for that specific custom resource.
F
B
Just a super simple example, you know, and a my mic scaling that properly even bad. You learn question alone is something that an operator can get him help out with tremendously, especially when we start looking at: let's go pull the CPU stats out of, out of Kubernetes, let's go hold the connection stats out of, out of Network Service Mesh, and try to work out.
B
If, if the firewall is going to start running the Google into scaling issues with its current configuration and expand that the bigger should have. Yeah, so just like dead simple, dead simple approach and technology underneath of it, and the operator on top of Acton can potentially, potentially help do that, not just from a single cluster. But you can do some of this through, through the standard.
B
B
B
Templates or samples that people who are building these types of things on top of NSM and can start off with one of those things and eventually just use that as a template, is to add additional functionality on top of it, or to have some pluggable systems that they can configure, and it would just tell it to go. So just as some ideas moving towards a future. Sure.
B
B
D
E
D
Yeah, there's also a nice modularization of how these policies are handled, so effectively it's very easy then to mix and match a bunch of really well-done default policies in with custom behaviors that you may want to have. So you can, for example, say: well, I actually have custom policy behaviors about who I want to allow to talk to this network service endpoint, but, you know, here's a few characters to also mix in, making sure that sort of default behaviors around token expiry and validation are actually being done correctly as well.