►
From YouTube: Network Policy API Bi-Weekly Meeting for 20220912
Description
KCSNA 2022 Weekly Planning for 20220912
B
B
So
first
thing
on
the
agenda
was
just
a
shout
out
that
the
for
anyone
watching
this
shout
out
that
the
new
website
is
up
and
running
on
github
pages.
This
is
a
call
for
everyone
to.
Please
take
a
look
at
it
file
issues
like
let's
add
to
it.
Let's
make
this
really
cool.
We
can
add,
basically
anything
we
want
because
we
own
it
and
then
next
steps
will
be
just
to
get
it
deployed
to
a
kubernetes
url
via
netify.
So
that's
in
progress.
B
C
Yeah
sure
so
the
first
thing
was
something
that
I
mentioned
doing
last
time
around
and
I
it
took
me
a
bit,
but
I
finally
got
it
so
the
goal
was
we
pier
and
I
presented
some
data
that
we'd
gotten
from
our
from
our
customers,
and
I
was
thinking
that
it'd
be
good
for
other
folks
to
run
the
survey
as
well.
Other
cni
providers,
especially.
C
Have
ftd
and
network
policies
just
with
the
goal
of
understanding
what
customers
are
up
to,
and
hopefully
we
can
build
something
you
know
useful
for
them.
So
I
added
a
link
to
just
a
sample
survey
of
like
what
we
might
want
to
circulate
around.
I
my
goal
right
now
was
get
some
feedback
from
folks
on.
Is
there
are
there
any
questions
that
are
missing?
C
The
goal
is
to
understand:
are
people
using
wild
card
matches
or
are
they
okay
with
just
a
list
of
fqdns
and
also,
I
want
to
know
how
many
people
are
also
running
service
meshes
or
you
know,
proper
l7
capabilities
versus
how
many
people
are
using
very
specifically,
these
still
l4
policies?
Essentially,
so
that's
the
goal
behind
this
survey,
please
yeah
like
like,
send
out
comments
or
stuff.
If
you
have
thoughts
on
this,
I
actually
can
I
present
the
screen.
I
might.
C
How
about
how
about
now
yeah
there
you
go.
Okay,
I
hate
how
it
does
that.
That's
super
annoying
yeah
anyways,
the
yeah.
So
here
are
some
questions
that
we
were
playing
around
with
this
one
is
pretty
generic
just
to
get
a
feel
for
what
people
are
actually
doing
with
their
fpdn
policies.
It's
unlikely
to
affect
the
implementation,
but
just
something
interesting
to
note.
If
you
think
there'd
be
value
in
more
specific
drop
down,
you
know
narrow
specifications
here
we
can
do
that,
but
I
was
just
curious.
C
What
customers
are
doing
this
one
is
trying
to
get
to
the
heart
of
the
matter
is:
do
you
use
ftd
and
policies
to
match
exact
domain
names,
I.e?
You
know
some
deeply
nested
domain
subname.
Do
you
use
ftd
and
policies
to
do
a
pattern
match?
Do
you
write
something
like
star.mydomain.io
and
that
that
will
really
help?
I
identify
where
we
want
to
go
with
this,
this
one's
a
little
bit
of
a
long-winded
question
and
there's
a
lot
to
wrap
your
head
around.
It
drops
you
into
the
meat
of
it.
C
But
basically
the
idea
is
is
this?
Is
this
something
that
requires
an
active
proxy
in
the
middle
of
dns
resolution?
Or
is
this
something
we
can
you
know
you
do
asynchronously,
like
all
the
from
what
I
read
from
dan's
comments,
all
of
the
good
implementations
try
to
intercept
dns
traffic
and
you
know
update
their
allow
lists
with
whatever
they're
feeding
back
to
the
pods,
and
so
this
is
a
we're
just
trying
to
get
customers
to
say.
C
Yes,
that
seems
reasonable
to
me,
like
I'm,
okay,
requiring
a
dns
request
before
I
send
out
traffic
or
if
they
want
to
write
network
policies
using
fqdns,
but
their
traffic
is
just
raw
ips
without
any
dns
queries
backing
it.
This
was
kind
of
a
weird
question.
So
are
there
any
like
question
clarifications
here.
A
A
Something
that
is
or
do
some
vpn
like
application
right,
then
you
would
not
do
dns
question.
You
would
obviously
just
take
whatever
comes
on
the
wire
and
it's
the
application
that
you
vpn
for
where
that
would
have
to
do
the
dns
in
that
case.
So
now
that
is
probably
not
the
most
common
given
at
this
application.
That's
for
for
sure,
but
there
are
many
types
of
applications
where
you
don't
have
the
sort
of
actual
session
initiator
in
your
own
application.
A
C
C
Right,
yeah,
that's
that's
what
I
was
hoping.
I
was
hoping
that
if
the
application
is
using
fqdns,
then
it
makes
sense
for
a
security
admin
to
write
fqdns
as
part
of
the
policy.
But
if
your
application
is
some
sort
of
you
know,
router
or
middleman,
it
probably
makes
more
sense
to
be
writing
those
rules.
In
terms
of
you
know
the
ip
blocks
that
the
router
is
managing
or
something
like
that.
B
Is
it
it's
more
saying
like?
Do
you
want
us
to
drop
the
tr
like?
Would
you
want
an
implementation
to
drop
the
dns
query
specifically
or
to
be
still
mapping
to
an
ip?
Is
that
like
what
the
question
is
it's
like?
Would
you
be
right
with
us
dropping
a
dns
query,
or
do
you
actually
want
us
to
be
firmly
on
layer,
3,
dropping
an
ip.
A
So
I
mean
the
the
real
problem
comes
when
you
have
a
combination
of
this
and,
like
you
had
before
right
with
the
star
in
front,
I
mean
you
have
all
the
addresses
in
the
domain.
Then
you
really
want
something
to
do
to
look
up,
so
you
can
tag
on
on
that
lookup
and
again,
then
that's
you
have
control
over
the
dns
from
that
pod.
A
B
I
mean,
I
think
the
wild
card
matching
is
more
three
like
this.
From
what
I
like,
when
I
read
it
again,
it's
it's
literally
like
do.
You
want
us
to
be
dropping
traffic
on
a
layer,
seven
sort
of
my
mantra
or
do
you
want
this
to
be
a
true,
or
I
say,
layer,
seven
upper
layer
mantra.
Do
you
want
this
to
be
a
true
ip
fire
wall
like.
D
D
C
D
A
D
A
C
D
C
A
C
A
And
I
guess
we
can
also
not
have
to
think
about
the
subset
of
applications
sort
of
that
set
their
own
resolver.
I
mean
that
runs
much
more
than
just
a
normal
stack
right,
so
there's
more
than
a
normal
pod
and
run
their
own
resolve,
libraries
and
so
on
that
might
go
to
a
dns
server
encrypted
or
non-encrypted.
That's
outside
the
scope
of
the
local.
Are
you
listening
in
on
traffic,
or
are
you
doping,
the
dns
resolver
right
now.
D
C
C
A
So
my
my
biggest
sort
of
not
biggest,
but
one
fear
I
have-
and
this
is
sort
of
not
with
current
kubernetes
but
at
the
same
time
on
some
other
place,
we're
starting
to
discuss
more
multi,
networking
and
so
on.
We
have
many
interfaces
in
a
pod
and
then
it
gets
a
lot
harder
to
keep
control
on
over
where
the
resolver
is
and
all
of
these
things
and
obviously
everything
that's
network
policies
will
be
a
lot
more
complicated
but
sort
of
the
more
special
solution.
That's
needed.
A
The
hardest
sort
of
the
more
cases
will
be
that
that
is
not
working,
because
someone
do
it
from
a
different
vrf
in
the
pod
then.
So
I
think
the
I'm
not
saying
we
should
do
this,
but
I
mean
the
the
sort
of
the
definitions
on
when
this
is
possible.
To
use
should
be
well
def,
well,
dis,
well
described,
and
when,
if
I
should
say
sort
of
multi-networking
becomes
a
actuality,
then
obviously
sort
of
that
needs
to
be
really
really
clear
and
overall,
I
think
network
policies
will
be
a
very
interesting
area.
C
A
C
C
C
B
B
C
A
B
I
could
even
mention
this:
if
we
get
it's
like
a
streamlined
forum,
I'm
talking
in
the
sig
network
meet
and
greet,
and
I
could
like
throw
it
in
a
slideshow
there.
Probably
yeah
that'd
be
pretty
awesome,
so
that
might
be
helpful
and
if
not
I'm
sure
we
can
find
somewhere
else
to
put
that
link
so
that
it
gets
some
love
somewhere.
D
C
B
C
The
other
thing
I
wanted
to
talk
through
was
just
revisiting
the
doc
that
we
had
for
fqdn
policies.
I
I
do
need
to
refine
the
user
story
section,
but
one
of
the
things
that
we
were
still
debating-
and
I
wanted
to
get
clarification
on
this-
whether
cni's
that
currently
do
fqdn
can
agree
that
this
seems
like
a
decent
set
of
common
behaviors.
C
C
So
I
I'll
probably
have
to
reach
out
to
folks
individually,
like
I'll,
have
to
ask
yang
what
entry
is
doing,
but
this
is,
I
think,
the
core
set
of
behaviors
that
I've
been
able
to
call
out,
and
it
would
be
good
to
get
you
all
to
just
take
a
look
through
this
and
see
if
what
we're
describing
is
reasonable.
I
don't
think
it's
too
crazy.
Like
we're
saying
it's
only
egress
policies,
it's
this
one!
Might
be
a
little
bit
tricky?
C
C
A
C
Just
sort
of
says
it
doesn't
act
specially
if
you
write
an
fqdn
policy
allowing
traffic
to
go
to
twitter.com,
it
doesn't
magically.
Let
you
talk
to
cubedns
or
you
know,
whatever
your
in-cluster
dns
provider
is.
This
is
a
it's
it's
good
in
that
there's
no
magic
behavior!
It's
bad!
In
that
writing
an
fqdn
policy
while
not
being
able
to
talk
to
to
talk
to
the
dns
provider
is
pretty
silly.
C
A
So
yeah,
so
I
tried
to
remember.
I
see
my
comments
on
the
sinusoid.
I
know
what
I
reacted
so
strongly
on
with
the
star
was
that
I
mean
I
was
not
thinking
of
a
solution
that
would
sort
of
listen
in
on
the
on
the
lookups
right
when
they
happen
from
the
application,
but
rather
something
that
would
read
the
rules
and
then
do
its
own
mappings.
So
I
can't
remember
if
it's
clear
clearly
described
in
the
beginning
sort
of
the
approach.
A
A
B
A
A
C
A
D
C
A
C
B
D
So
actually,
just
thinking
you
know,
another
good
question
to
be
asking
people
is:
are
you
using
an
http
based
protocol
and
if
so,
is
there
some
reason
you
couldn't
just
use
an
http
proxy
rather
than
a
a
or
or
you
know?
Is
there
any
reason
why
this
has
to
be
done
at
l3
rather
than
l7
other
than
just
well?
We
don't
want
to
have
to
deal
with
setting
it
up
ourselves.
D
A
C
D
But
it's
like
if
you're
going
to
get
something,
that's
more
automatic
but
not
as
good
a
feature,
and
you
know
requires
us
to
be
intercepting
your
dns
traffic
and
blah
blah
blah.
Then
do
you
still
want
that?
Or
would
you
rather
go
with
the
http
proxy
in
that
case,
and
what,
if
kubernetes
made
it
easy
for
you
to
set
up
an
http
proxy
somehow.
C
C
All
right,
so
I
made
a
note
of
that
in
the
survey
I'll
I'll
flesh
that
out,
but
yeah
other
expected
behaviors
pods
are
required
to
make
a
dns
before
the
traffic
is
allowed
to.
I
forgot
to
fill
out
this
example,
but
I
think
we
talked
about
this.
I
think
we're
all
on
the
same
page
here,
yeah
ip's,
reported
by
cluster
dns
service
are
the
only
ips
we
need
to
allow
this.
C
C
D
D
C
Right,
I
think
this
is
different,
though,
in
that,
if
a
ttl
expires,
it's
not
so
much
that
someone
made
a
policy
change,
it's
just
the
natural
behavior
of
dns.
If
you
will
like,
if
you
just
happen,
to
get
a
record
with
a
short
ttl,
but
you
want
a
long
connection.
I
think
that's
a
valid
use
case
that
we
should.
We
should
be
opinionated
about
right,
like
we
should
say
yeah.
If
the
ttl
expires,
that's
okay!
You
can
still
keep
your
connection
around.
C
C
C
B
B
B
C
B
Yeah,
that's
that's
exactly
what
I
was
thinking
and
it
it
had
been
so
long
since
we
first
started
this,
but
we
had
definitely
talked
about
I
about
it
forever
ago.
So,
let's
think
about
it,
some
more
and
and
see
because
I
don't
think
we're
ever
gonna
be
adding
an
ex
implicit
deny
into
avid
network
policy
right.
That
would
be
against
right
core
behaviors
right.
So
it's
definitely
something
something
to
think
about.
B
The
only
other
thing
that's
happened
since
is
we
did
add
the
status
deal
to
network
policy.
But
again,
I
think
going
down
the
road
of
augmented
network
policy
is
the
right
thing,
I
think
of
anything
like
a
network,
positivity
2
or
its
own
resource
right
right,
but
we
need
to
sell
cignet
before
we
can
go
down
that
route
right.
So
we
don't.