►
From YouTube: Network Policy API Bi-Weekly Meeting for 20220912
Description
KCSNA 2022 Weekly Planning for 20220912
B
B
So
first
thing
on
the
agenda
was
just
a
shout
out
that
the
for
anyone
watching
this
shout
out
that
the
new
website
is
up
and
running
on
github
pages.
This
is
a
call
for
everyone
to.
Please
take
a
look
at
it
file
issues
like
let's
add
to
it.
Let's
make
this
really
cool.
We
can
add,
basically
anything
we
want
because
we
own
it
and
then
next
steps
will
be
just
to
get
it
deployed
to
a
kubernetes
url
via
netify.
So
that's
in
progress.
B
Otherwise
the
agenda
was
pretty
short
for
today,
but
raul,
I
think,
does
have
some
stuff.
He
wants
to
talk
about
around
fqdn
coming
off
of
the
awesome
presentation.
He
gave
us
last
time
around
some
of
their
data
collection.
So
do
you
want
to
take
it
away?
Rule.
C
Yeah
sure
so
the
first
thing
was
something
that
I
mentioned
doing
last
time
around
and
I
it
took
me
a
bit,
but
I
finally
got
it
so
the
goal
was
we
pier
and
I
presented
some
data
that
we'd
gotten
from
our
from
our
customers,
and
I
was
thinking
that
it'd
be
good
for
other
folks
to
run
the
survey
as
well.
Other
cni
providers,
especially.
C
Have
ftd
and
network
policies
just
with
the
goal
of
understanding
what
customers
are
up
to,
and
hopefully
we
can
build
something
you
know
useful
for
them.
So
I
added
a
link
to
just
a
sample
survey
of
like
what
we
might
want
to
circulate
around.
I
my
goal
right
now
was
get
some
feedback
from
folks
on.
Is
there
are
there
any
questions
that
are
missing?
C
Are
there
any
things
that
we
should
add
tweak
and
then
it
would
be
good
to
maybe
have
folks
reach
out
to
customers
that
they
know
are
using
this
feature,
but
also
maybe
just
put
out
a
blast
on
sick
network
and
say
hey
just
an
open
call
in
case
someone
wants
to
comment
on
this,
we'll
just
try
to
gather
a
little
bit
more
data,
so
we're
more
informed
the
main
goal
of
this
survey,
just
to
like
shape
what
my
thinking
was,
is
to
figure
out
whether
folks
need
the
sort
of
wild
card
matcher,
because
that's
that's
a
really
big
feature
that
that
has
architecture
ramifications
like
it
changes
what
sort
of
implementations
can
work
and
what
can't
so.
C
The
goal
is
to
understand:
are
people
using
wild
card
matches
or
are
they
okay
with
just
a
list
of
fqdns
and
also,
I
want
to
know
how
many
people
are
also
running
service
meshes
or
you
know,
proper
l7
capabilities
versus
how
many
people
are
using
very
specifically,
these
still
l4
policies?
Essentially,
so
that's
the
goal
behind
this
survey,
please
yeah
like
like,
send
out
comments
or
stuff.
If
you
have
thoughts
on
this,
I
actually
can
I
present
the
screen.
I
might.
C
How
about
how
about
now
yeah
there
you
go.
Okay,
I
hate
how
it
does
that.
That's
super
annoying
yeah
anyways,
the
yeah.
So
here
are
some
questions
that
we
were
playing
around
with
this
one
is
pretty
generic
just
to
get
a
feel
for
what
people
are
actually
doing
with
their
fpdn
policies.
It's
unlikely
to
affect
the
implementation,
but
just
something
interesting
to
note.
If
you
think
there'd
be
value
in
more
specific
drop
down,
you
know
narrow
specifications
here
we
can
do
that,
but
I
was
just
curious.
C
What
customers
are
doing
this
one
is
trying
to
get
to
the
heart
of
the
matter
is:
do
you
use
ftd
and
policies
to
match
exact
domain
names,
I.e?
You
know
some
deeply
nested
domain
subname.
Do
you
use
ftd
and
policies
to
do
a
pattern
match?
Do
you
write
something
like
star.mydomain.io
and
that
that
will
really
help?
I
identify
where
we
want
to
go
with
this,
this
one's
a
little
bit
of
a
long-winded
question
and
there's
a
lot
to
wrap
your
head
around.
It
drops
you
into
the
meat
of
it.
C
But
basically
the
idea
is
is
this?
Is
this
something
that
requires
an
active
proxy
in
the
middle
of
dns
resolution?
Or
is
this
something
we
can
you
know
you
do
asynchronously,
like
all
the
from
what
I
read
from
dan's
comments,
all
of
the
good
implementations
try
to
intercept
dns
traffic
and
you
know
update
their
allow
lists
with
whatever
they're
feeding
back
to
the
pods,
and
so
this
is
a
we're
just
trying
to
get
customers
to
say.
C
Yes,
that
seems
reasonable
to
me,
like
I'm,
okay,
requiring
a
dns
request
before
I
send
out
traffic
or
if
they
want
to
write
network
policies
using
fqdns,
but
their
traffic
is
just
raw
ips
without
any
dns
queries
backing
it.
This
was
kind
of
a
weird
question.
So
are
there
any
like
question
clarifications
here.
A
A
Something
that
is
or
do
some
vpn
like
application
right,
then
you
would
not
do
dns
question.
You
would
obviously
just
take
whatever
comes
on
the
wire
and
it's
the
application
that
you
vpn
for
where
that
would
have
to
do
the
dns
in
that
case.
So
now
that
is
probably
not
the
most
common
given
at
this
application.
That's
for
for
sure,
but
there
are
many
types
of
applications
where
you
don't
have
the
sort
of
actual
session
initiator
in
your
own
application.
A
C
A
A
lookup
of
that
you
do
transformation,
then,
typically,
you
would
not
have
enough
kid,
but
that's
the
only
sort
of
cases
I
can
see
really
where,
where
someone
they
have
cases
where
people
just
use
addresses
and
those
are
easy
to
go
and
say
that's
bad
practice,
but
then
you
have
things
where,
where
something
will
be.
C
Right,
yeah,
that's
that's
what
I
was
hoping.
I
was
hoping
that
if
the
application
is
using
fqdns,
then
it
makes
sense
for
a
security
admin
to
write
fqdns
as
part
of
the
policy.
But
if
your
application
is
some
sort
of
you
know,
router
or
middleman,
it
probably
makes
more
sense
to
be
writing
those
rules.
In
terms
of
you
know
the
ip
blocks
that
the
router
is
managing
or
something
like
that.
B
Is
it
it's
more
saying
like?
Do
you
want
us
to
drop
the
tr
like?
Would
you
want
an
implementation
to
drop
the
dns
query
specifically
or
to
be
still
mapping
to
an
ip?
Is
that
like
what
the
question
is
it's
like?
Would
you
be
right
with
us
dropping
a
dns
query,
or
do
you
actually
want
us
to
be
firmly
on
layer,
3,
dropping
an
ip.
A
So
I
mean
the
the
real
problem
comes
when
you
have
a
combination
of
this
and,
like
you
had
before
right
with
the
star
in
front,
I
mean
you
have
all
the
addresses
in
the
domain.
Then
you
really
want
something
to
do
to
look
up,
so
you
can
tag
on
on
that
lookup
and
again,
then
that's
you
have
control
over
the
dns
from
that
pod.
A
Actually,
that
you,
you
have
control
over
the
resolver
right,
so
no
one
goes
and
uses
a
encrypted,
dns
logic.
What
you're
saying
is
that
you
want
to
push
so
that
you
can
listen
into
the
resolve
answer
and
by
that
enabling
this
address
in
the
firewall.
B
I
mean,
I
think
the
wild
card
matching
is
more
three
like
this.
From
what
I
like,
when
I
read
it
again,
it's
it's
literally
like
do.
You
want
us
to
be
dropping
traffic
on
a
layer,
seven
sort
of
my
mantra
or
do
you
want
this
to
be
a
true,
or
I
say,
layer,
seven
upper
layer
mantra.
Do
you
want
this
to
be
a
true
ip
fire
wall
like.
D
D
C
Probably
should
ask
that
question.
I
I
think
that's
a
pretty
valid
question
to
ask.
I
just
assumed
that
the
customer
who
we're
targeting
with
this
isn't:
okay
with
just
pure
dns
filtering.
D
A
D
A
C
D
D
Problem
with
the
the
dns
idea
is-
and
I
might
have
said
this
is
like,
if
they're
using
encrypted,
you
know
like
dns
over
https
or
or
something
rather
than
dns,
that
we
can
snoop
yeah.
C
A
C
But
I'm
hoping
that
that
can
be
and
implementation
detail,
like
you
know,
if
maybe
some
cni
down
the
line,
will
provide
an
all-in-one
solution
and
say
yeah.
If
you
want
to
use
encrypted
dns
go
ahead
and
also
deploy
our
special
core
dns
pods
or
whatever.
A
And
I
guess
we
can
also
not
have
to
think
about
the
subset
of
applications
sort
of
that
set
their
own
resolver.
I
mean
that
runs
much
more
than
just
a
normal
stack
right,
so
there's
more
than
a
normal
pod
and
run
their
own
resolve,
libraries
and
so
on
that
might
go
to
a
dns
server
encrypted
or
non-encrypted.
That's
outside
the
scope
of
the
local.
Are
you
listening
in
on
traffic,
or
are
you
doping,
the
dns
resolver
right
now.
D
C
Yeah,
so
that's
question.
Five
will
hopefully
get
us
some
clarity
on
that.
I'm
hoping
customers
aren't
doing
too
much
craziness
here,
but
it's
kubernetes.
You
can't.
C
You
can't
rely
on
that
yeah
and
then
just
asking
about
the
service
mesh.
Do
you
use
the
service
mesh
capabilities
to
write?
You
know
proper
l7
rules.
Are
there
any
other?
I
think
one
thing
would
be
ask
if
dns
filtering
is
sufficient.
C
A
So
my
my
biggest
sort
of
not
biggest,
but
one
fear
I
have-
and
this
is
sort
of
not
with
current
kubernetes
but
at
the
same
time
on
some
other
place,
we're
starting
to
discuss
more
multi,
networking
and
so
on.
We
have
many
interfaces
in
a
pod
and
then
it
gets
a
lot
harder
to
keep
control
on
over
where
the
resolver
is
and
all
of
these
things
and
obviously
everything
that's
network
policies
will
be
a
lot
more
complicated
but
sort
of
the
more
special
solution.
That's
needed.
A
The
hardest
sort
of
the
more
cases
will
be
that
that
is
not
working,
because
someone
do
it
from
a
different
vrf
in
the
pod
then.
So
I
think
the
I'm
not
saying
we
should
do
this,
but
I
mean
the
the
sort
of
the
definitions
on
when
this
is
possible.
To
use
should
be
well
def,
well,
dis,
well
described,
and
when,
if
I
should
say
sort
of
multi-networking
becomes
a
actuality,
then
obviously
sort
of
that
needs
to
be
really
really
clear
and
overall,
I
think
network
policies
will
be
a
very
interesting
area.
C
Yeah,
that's
an
interesting
point.
I
hadn't
thought
of
that
yeah
like
what,
if
you
resolve
dns
with
one
network,
attachment
and
then
try
to
send
out
traffic
on
the
other
one
that
it's
a
little
funky
but
not
thoroughly
unreal.
A
C
And
then
the
rest
of
the
survey
is
just
interesting.
More
than
anything
else,
it's
trying
to
get
an
idea
of
who's
writing
these
policies.
C
C
C
B
B
C
Yeah,
I
can,
I
can
go
ahead
and
make
a
google
format
of
it.
I
just
wrote
them
up
like
this,
since
I
just
want
to
run
them
by
folks
see
if
there's
any
additions
or
clarifications.
You
think
we
need.
C
Oh,
that's
an
interesting
point
when
is
cubecon
again.
Is
that
october.
A
B
I
could
even
mention
this:
if
we
get
it's
like
a
streamlined
forum,
I'm
talking
in
the
sig
network
meet
and
greet,
and
I
could
like
throw
it
in
a
slideshow
there.
Probably
yeah
that'd
be
pretty
awesome,
so
that
might
be
helpful
and
if
not
I'm
sure
we
can
find
somewhere
else
to
put
that
link
so
that
it
gets
some
love
somewhere.
D
C
B
C
Might
help
yeah
and
the
other
thing
I
wanted
to
talk
about,
and
this
is
probably
a
longer
topic,
but.
C
The
other
thing
I
wanted
to
talk
through
was
just
revisiting
the
doc
that
we
had
for
fqdn
policies.
I
I
do
need
to
refine
the
user
story
section,
but
one
of
the
things
that
we
were
still
debating-
and
I
wanted
to
get
clarification
on
this-
whether
cni's
that
currently
do
fqdn
can
agree
that
this
seems
like
a
decent
set
of
common
behaviors.
C
C
So
I
I'll
probably
have
to
reach
out
to
folks
individually,
like
I'll,
have
to
ask
yang
what
entry
is
doing,
but
this
is,
I
think,
the
core
set
of
behaviors
that
I've
been
able
to
call
out,
and
it
would
be
good
to
get
you
all
to
just
take
a
look
through
this
and
see
if
what
we're
describing
is
reasonable.
I
don't
think
it's
too
crazy.
Like
we're
saying
it's
only
egress
policies,
it's
this
one!
Might
be
a
little
bit
tricky?
C
It's
specifically,
you
know
a
lot
list
with
a
implicit
deny
backing
it
just
because
of
the
way
dns
works.
You
can't
writing
deny
rules
based
on
ftdns
is
always
tricky
and
weird.
C
Here
we
call
out
that
regex
matching
is
allowed.
I
said
only
prefix,
no
like
pattern
matching.
I
don't
think
this
doesn't
have
to
be
a
strong
requirement.
We
can
relax
it.
I
just
figured
it's
easier
to
be
more
restrictive
and
loosen
it
later.
A
C
Just
sort
of
says
it
doesn't
act
specially
if
you
write
an
fqdn
policy
allowing
traffic
to
go
to
twitter.com,
it
doesn't
magically.
Let
you
talk
to
cubedns
or
you
know,
whatever
your
in-cluster
dns
provider
is.
This
is
a
it's
it's
good
in
that
there's
no
magic
behavior!
It's
bad!
In
that
writing
an
fqdn
policy
while
not
being
able
to
talk
to
to
talk
to
the
dns
provider
is
pretty
silly.
C
A
So
yeah,
so
I
tried
to
remember.
I
see
my
comments
on
the
sinusoid.
I
know
what
I
reacted
so
strongly
on
with
the
star
was
that
I
mean
I
was
not
thinking
of
a
solution
that
would
sort
of
listen
in
on
the
on
the
lookups
right
when
they
happen
from
the
application,
but
rather
something
that
would
read
the
rules
and
then
do
its
own
mappings.
So
I
can't
remember
if
it's
clear
clearly
described
in
the
beginning
sort
of
the
approach.
A
That's
that's
suggested
with
this
that
it
actually
is
listening
into
the
lookups,
because
then
the
star
makes
perfect
sense.
Because
then
you
would
know.
Oh
okay,
this
matches
to
to
this
rule,
because
we
will
read
the
text
right
and
not
just
see
the
addresses.
A
I
don't
know
if
that's
expressed
really
high
up,
I
mean
from
the
beginning
the
quality
model
that
is
supposed
to
listen
to
the
application,
as
opposed
to
do
the
next
lookup,
and
then
the
the
system
will
listen,
basically,
look
at
the
dns
lookups
and
from
that
sort
of
be
able
to
get
the
a
yes
or
no
should
this
be
allowed.
A
B
A
It
makes
sense
to
have
a
listener
or
proxy,
basically
man
in
the
middle
or
not
and
sort
of
then
when
the
rest
is
described.
That
is
done
because
I
think
last
time
that
sort
of
got
sort
of
intervened
in
the
discussions,
and
then
we
talked
around
each
other
a
bit.
A
C
A
D
C
A
C
B
C
Okey-Dokey,
let's
see.
D
So
actually,
just
thinking
you
know,
another
good
question
to
be
asking
people
is:
are
you
using
an
http
based
protocol
and
if
so,
is
there
some
reason
you
couldn't
just
use
an
http
proxy
rather
than
a
a
or
or
you
know?
Is
there
any
reason
why
this
has
to
be
done
at
l3
rather
than
l7
other
than
just
well?
We
don't
want
to
have
to
deal
with
setting
it
up
ourselves.
D
A
C
A
question
to
the
survey:
ask
them
why
they
want
l3o4
or
if
they're,
okay,
with.
C
Having
a
proper
http
proxy
or
something
like
that
and
yeah,
I
think
when
peter
and
I
surveyed
our
customers
granted
our
sample
size
was
like
seven
or
eight
customers,
but
we
got
about
a
50
50
split
between
they
are
using
a
proxy
and
they
aren't
so,
I
suspect,
there's
a
good
number
of
people
who
don't
want
an
http
proxy,
but
we
should
verify
that.
D
I
mean
I
can
totally
imagine
there
are
people
who
don't
want
to
deal
with
setting
it
up
like
they
would
like
something
more
automatic
than
that
right.
D
But
it's
like
if
you're
going
to
get
something,
that's
more
automatic
but
not
as
good
a
feature,
and
you
know
requires
us
to
be
intercepting
your
dns
traffic
and
blah
blah
blah.
Then
do
you
still
want
that?
Or
would
you
rather
go
with
the
http
proxy
in
that
case,
and
what,
if
kubernetes
made
it
easy
for
you
to
set
up
an
http
proxy
somehow.
C
C
All
right,
so
I
made
a
note
of
that
in
the
survey
I'll
I'll
flesh
that
out,
but
yeah
other
expected
behaviors
pods
are
required
to
make
a
dns
before
the
traffic
is
allowed
to.
I
forgot
to
fill
out
this
example,
but
I
think
we
talked
about
this.
I
think
we're
all
on
the
same
page
here,
yeah
ip's,
reported
by
cluster
dns
service
are
the
only
ips
we
need
to
allow
this.
C
C
Past
the
ttl
of
the
dns
record
and
the
connection's
still
active.
It's
just
the
ttl
of
dns
expired.
D
D
C
Right,
I
think
this
is
different,
though,
in
that,
if
a
ttl
expires,
it's
not
so
much
that
someone
made
a
policy
change,
it's
just
the
natural
behavior
of
dns.
If
you
will
like,
if
you
just
happen,
to
get
a
record
with
a
short
ttl,
but
you
want
a
long
connection.
I
think
that's
a
valid
use
case
that
we
should.
We
should
be
opinionated
about
right,
like
we
should
say
yeah.
If
the
ttl
expires,
that's
okay!
You
can
still
keep
your
connection
around.
C
C
Yeah,
so
that's
that's
one
open
kind
of
open-ended
thing.
We
can
be
as
specific
as
we
want
on
that.
The
other
thing
is
fkd
and
enforcement
for
cluster
local
services.
C
This
one's
something
I've
heard
opinions
on
both
sides
about
basically
the
thing
that
it
comes
down
to
is:
if
you
try
to
resolve
a
cluster
local
service,
you
just
get
the
vip,
and
so
it
behaves
a
little
bit
differently
than
any
other
fqdn,
because
you
know,
q,
proxy
or
whatever
you
have
going,
is
going
to
translate
that
fib
into
a
pod
ip
oftentimes
before
network
policy
gets
enforced,
and
so
your
fqdn
system
needs
to
be
smart
enough
to
handle
that
or
you
know
we
say
it's
actually
not
supported.
C
C
B
Sweet
yep,
I
think
you,
but
you
you
might
like
if
you
can't
get
a
hold
of
people
either
like
just
looking
at
the
documentation.
You
should
be
able
to
express
answer
some
of
these,
if
not
all
of
them.
B
It's
like
that
might
be
a
good
resource.
I
don't
know
if.
C
Anything
andrea
is
the
thing
that
I'm
most
concerned
about,
because
it
does
look
like
they
have
deny
dns
policies,
at
least
that's
what
it
seemed
like
from
the
documentation,
and
I
just
want
to
talk
to
yang
and
see
what
his
experience
with
that
has
been,
because
her
stance
right
now
is
that
that's
a
bad
idea
that
it
won't
work
well,
but
yeah.
B
B
C
Reach
out
to
him
that
might
actually
pose
a
problem.
If
we
tried
to
do
this
in
an
admin
network
policy.
B
Yeah,
that's
that's
exactly
what
I
was
thinking
and
it
it
had
been
so
long
since
we
first
started
this,
but
we
had
definitely
talked
about
I
about
it
forever
ago.
So,
let's
think
about
it,
some
more
and
and
see
because
I
don't
think
we're
ever
gonna
be
adding
an
ex
implicit
deny
into
avid
network
policy
right.
That
would
be
against
right
core
behaviors
right.
So
it's
definitely
something
something
to
think
about.
B
The
only
other
thing
that's
happened
since
is
we
did
add
the
status
deal
to
network
policy.
But
again,
I
think
going
down
the
road
of
augmented
network
policy
is
the
right
thing,
I
think
of
anything
like
a
network,
positivity
2
or
its
own
resource
right
right,
but
we
need
to
sell
cignet
before
we
can
go
down
that
route
right.
So
we
don't.
B
C
B
Totally
been
in
the
same
boat
well
reach
out
if
we
can
help
at
all,
starting
to
hopefully
have
a
little
more
time,
there's
some
folks
coming
in
from
red
hat,
who
have
been
helping
out
with
admin
network
policy,
so
have
some
extra
cycles.
Finally,.
D
B
Okay,
on
that
note,
we'll
get
some
time
back,
20
minutes,
thanks
for
stopping
by
good
conversation
and
we'll
keep
on
chugging.
I
hope
everyone
has
a
good
rest
of
the
week.
Talk
to
you
soon
take
care.