►
From YouTube: Network Policy API Meeting for 20230718
Description
Network Policy API Meeting for 20230718
A
Awesome,
hello:
everyone
today
is
Tuesday
July,
18
2023..
This
is
a
meeting
of
DC
Network
policy,
API
subgroup
to
sync
Network.
This
is
a
cncf
sponsored
meeting,
so
please
be
kind
to
each
other,
use
nice
language
and
follow
all
of
their
Community
guidelines.
Thanks
for
coming
today,
we'll
go
ahead
and
dive
into
it.
Let
me
share
my
screen
with
the
agenda
per
usual.
The
agenda
is
pretty
free-flowing
today
feel
free
to
add
stuff
as
we
go
or
anything
else
so
before
we
get
started,
I
see
some
new
faces.
A
B
A
Awesome,
that's
really
great
hunter.
We're
excited
to
have
you
know,
representatives
from
various
implementations
for
the
longest
time
it's
just
kind
of
been
Yang
from
VMware
and
Surya
from
oven,
kubernetes,
so
good
to
have
more
implementations
on
board.
There's
a
lot
to
catch
up.
If
you
look
back
to
our
agenda
and
look
through
some
of
those
docs
that
might
kind
of
help
you
but
we're
focusing
on
the
admin,
Network
policy
effort
right
now
so
cool
cool
and
then
I
might
be
saying
it
wrong.
How
do
I
say
it.
A
Awesome
happy
to
have
you
again:
we
actually
have
a
issue
to
track
the
implementation
of
admin.
Network
policy,
which
is
kind
of
the
API
we've
been
focusing
on
lately
in
psyllium,
so
any
help
we
can
get
there
and
pressure
is
is
is
awesome
we
and
we
also
want
feedback
from
them.
So
that's
kind
of
our
goal:
okay,
sweet!
A
So
first
things.
First,
there
was
an
issue
that
came
up
in
the
last
Sig
Network
meeting
around
a
couple
of
concerns
with
network
policies.
I
I,
don't
know
if
there's
really
an
action
item
for
us
in
this
group.
Yet
I'm
assigned
to
this,
but
Tim
Hawkins
gave
his
thoughts.
So
I
am
kind
of
just
waiting
on
a
response
from
there
to
see.
If
we
can
help
help
out.
A
Essentially
they
were
the
security.
The
audit
and
security
team
was
unhappy
with
a
lot
of
the
design
principles
with
existing
Network
policy,
some
of
which
we've
fixed
in
admin
Network
policy,
but
it's
definitely
a
good
read
as
we
kind
of
push
towards,
hopefully
designing
a
network
policy
V2,
so
I
definitely
advise
everyone
here
to
give
it
a
quick
review.
It's
kind
of
interesting.
D
A
A
A
A
We
wanted
to
make
it
a
little
less
cumbersome
for
folks
to
propose
new
features,
and
you
know
kind
of
Quicken,
the
iteration
cycle
for
a
working
group
and
it's
modeled
closely
after
the
Gateway
API
who
have
gaps
so
we
have
some
good
documentation
there
and
both
Surya
and
Nadia
have
opened
and
peps
around
ANP
features
in
the
future.
We
hope
to
you
know
for
anyone
here
if
they
have
some
cool
new
idea
for
a
feature
or
want
to
own
some
new
object.
A
That
could
be
a
part
of
network
policy
API,
please
open
an
npap.
So
diving
into
it,
the
first
one
has
been
open
for
a
while
from
Surya
and
it's
regarding
adding
support
for
egress
traffic
control
to
admin
hour
policy.
I,
don't
know!
If
we
really
need
to
talk
about
it
too
much
Surya.
Could
you
give
like
a
quick
rundown,
just
like
a
tldr
for
folks
on
the
call
about
what
this
nfep
is
is
regarding
Syria.
E
Yeah
I
can
be
quick
about
it.
So
what
so?
The
first
version
of
enp
is
supporting
only
east
west
traffic.
What
that
means
is
we
only
support
part
depart
overlay
networking
as
of
now
and
the
goal
of
this,
and
that
is
to
try
to
expand
that
to
also
support
Northbound.
So
if
those
of
you
who
know
Network
policies,
this
is
the
equivalent
of
the
IP
block
offering
that
the
network
policy
gives
so
something
similar
to
that.
E
So
that's
the
one
part
of
the
npap
and
the
second
part
is
to
to
see
how
we
can
smoothen
the
part.
The
host
Network
bar
communication
rights
are
more
like
towards
the
node
IPS,
which
crosses
from
the
overlay
to
the
underlay.
So
those
are
the
two
main
items
that
I'm
trying
to
address
in
this
n-pep
and
I
did
have
a
question
for
Andrew
or
maybe
Nadia
I,
feel
like
the
Gateway
power.
Sequels
put
their
npaps
in
the
website
and
I
didn't
see
the.
E
D
A
D
Yeah,
there
is
just
one
tiny
thing
that
for
every
and
pep
update
after
that,
you
also
need
to
make
sure
you
update
the
site
sources,
because
the
and
perhaps
or
gaps
are
grouped
by
this
status.
They
have
and
I've
seen
like
quite
some
PRS
that
you
know
will
merge
some
Gap
change
and
then
the
next
follow-up
will
be
over
I
forgot
to
update
the
site
page
sources,
to
also
change
that
right.
So
that's
why
I
didn't
add
it.
Here's
the
way.
A
100
I
think
we
can
even
add,
like
a
note
in
a
PR
template
for
an
n-pep
that
says,
remember
to
update
the
website
as
well,
but
for
now
I
think
it's
all
right.
I
would
like
to
do
that
in
the
future.
Definitely
so
back
to
your
npeps
area,
I
gave
it
another
review.
I
know
Dan's
reviewed
it
I
feel
like
we're
moving
towards
consensus.
A
So
the
reason
I
really
wanted
to
bring
this
up
is
is
to
here
if
anyone
has
issues
with
this
n-pep,
essentially
because
we
are
moving
towards
a
point
where
I
would
feel
comfortable
merging
it.
So
this
is
kind
of
the
last
shout
out
to
give
it
a
review
before
next
meeting
and
if
there's
not
any
outstanding
issues
raised
against
it,
we'll
go
ahead
and
get
our
merch
sound
good.
E
D
A
Okay,
what
else
on
this
one
I
think
the
only
other
main
thing
I
had
was
and
Nadia
also
had
around
this
cup,
and
maybe
we
can
kind
of
chat
about
it
here
really
quickly,
because
we
don't
have
anything
else
on
the
agenda
was
if
we
were
going
to
Define
traffic
destined
towards
a
node
or
a
host.
Network
pod
is
as
kind
of
the
same
thing
or
not
I,
don't
know
if
you
had
any
thoughts,
Surya.
E
I
wanted
to
make
it
explicit,
because
that's
one
of
the
mistakes
we
did
in
the
previous
in
network
policy,
where
we
did
not
have
rules
for
this
and
it's
not
well
defined
so
I
think
we
even
had
like
I,
was
actually
handling
towards
making
normal
pod.
Selector
select
only
see
an
iPods
and
then
have
a
whole
selector.
That's
explicitly
selects
only
in
both
pods
and
make
the
traffic
signal
using
those
selectors
foreign.
E
D
B
G
A
Right
and
I
think
that's
okay.
As
long
as
we
have
like
explicit
mechanisms
that
we
can
specify
that
some
implementations
might
not
be
able
to
to
actually
implement
so
like
I,
if
we
added
a
node
selector
or
even
a
host
Network
pod,
selector,
I
guess
that
would
be
all
right,
because
we
could
specify
that
this
may
be
a
feature
that
not
all
not
all
cnis
can
Implement
I'm,
not
against
that.
A
Supersede,
okay,
cool
I'm,
glad
you,
you,
like
you,
did
the
right
thing
you
linked
86
here
for
folks,
following
along
in
the
recording,
are
here
there's
a
lot
of
good
conversation
in
the
previous
er.
The
reason
we
open
a
new
one
is
so
that
we
could
align
close
more
closely
with
our
new
endpap
format.
So,
okay.
A
D
I
think
the
definition
of
our
API
may
be
a
bit
different
in
these
cases.
So
if
we
say
that
host
Network
pods
are
like
indistinguishable
for
us
from
the
host
Network
traffic,
then
first
of
all,
it
probably
only
makes
sense
to
use
node
selectors
and
not
host
Network
pod
selectors,
because
if
you
select
the
host
Network
pod,
you
like
allow
or
deny
the
whole
node
right
and
the
host
Network
Port
is
just
a
little
part
of
that.
D
So
it
may
not
be
obvious,
and
by
selecting
a
host
Network
pod,
you
can
actually
like
drop
the
whole
traffic
from
the
node
to
something
like
that
right
and
then
also
in
that
case,
when
you
do
select
a
node,
let's
say
with
the
node
selector.
You
also
say
it
will
affect
all
host
Network
pods
traffic
hosted
on
that
node
right.
But
then,
if
in
the
future,
let's
say
we
want
to
distinguish
these
cases,
maybe
you
will
want
to
select
only
Network
pods
traffic
from
the
node
right
with
the
node
selector.
So
these
are
different
things.
D
You
will
be
able
to
have
host
Network,
pod
selectors
and
the
node
selector,
and
then
the
definition
of
what
node
selector
actually
does
will
be
different
in
these
cases.
So
that's
why
I
thought
it's
important
to
kind
of
Define
it
somehow,
while
we
are
here
so
there
is,
there
are
no
like
two
ways.
You
know
to
do
the
same
thing
and
then
it's
also
quite
obvious
of
what
exactly
will
happen
with
the
networking
when
you
select
something
like
that.
C
C
D
I
mean
from
the
API
point
of
view
like
how
we
just
know
the
Pod
selector
is
definitely
next
stage,
but
here
I
just
found
that
part
that
says
I
want
to
control
traffic
from
nodes
and
or
closed
Network
pods
right,
and
it's
not
obvious
if
you
actually
want
this
use
case
for
host
Network
pods,
specifically
separately
from
the
nodes
right.
If
we
will
not
be
able
to
actually
do
that,
I
thought
that
maybe
useful
to
Define
it
here
explicitly.
A
Yeah
I
think
maybe
maybe
even
just
break
if
we
do
want
to
try
this
to
segment
or
even
in
the
future
segment
between
traffic
does
infer
node
in
the
host,
Network,
namespace
or
trafficked
us
into
a
node
or
sorry
in
the
host
C
group,
the
default
C
group
or
traffic
does
into
a
node
in
a
in
a
container
C
group.
Let's
break
this
goal
into
two
and
say
yeah
traffic
control
towards
cluster
nodes
and
then
have
another
one
saying:
Implement:
traffic
control
towards
host
Network,
pods
and
Define
them
as
explicitly
separate
things.
A
A
A
Let
me
get
back
to
here,
so
the
next
one
is
in
regards
to
tenancy
Yang
I
know:
you've
had
a
you've
had
a
lot
of
opinions
on
this
one
too.
So
I
started
reviewing
this
today.
If
you
could
also
give
it
a
review,
I
think
we
want
to
figure
out
kind
of
how
this
would
work
if
we
need
to
do
something
here
and
what
the
consensus
is
in
regards
to
having
a
better
way
to
express
Hennessy
than
we
do
today
in
admin
hour
policy,
so
is.
A
Sweet
awesome,
thank
you
for
opening
that
I
think
it's
important
and
thanks
for
linking
the
existing
discussion
and
that
doc
she
was
talking
about,
is
an
issue
for
the
npap
and
it's
one.
Dan
wrote
up
a
while
ago:
I
really
like
this
doc.
So
if
folks
are
wanting
to
learn
more
about
our
discussion
around
tenancy
with
amp,
this
is
a
good
place
to
start.
A
Okay,
cool
and
eventually,
like
I,
think
we
should
formalize
to
kind
of
keep
us
honest
in
the
community
like
a
sort
of
timeline
for
npeps
I.
Don't
maybe
that's
a
bad
idea,
but
like
because
I
know,
surya's
has
been
open
for
a
long
time
like
I.
Think
it'd
be
good
for
us
to
decide
this
community
within
a
span
of
like
you
know
we
can.
A
H
If
it
can
be
helpful,
I
I'm
not
I'm,
not
necessarily
directly
speaking
to
what
you're
saying,
but
it's
kind
of
related
in
Gateway
API.
We
have
introduced
the
concept
of
a
probationary
period
for
gaps,
although
it's
only
during
the
experimental
phase.
This
is
because
gaps
that
make
it
too
experimental,
but
then
last
for
say
two
years
become
used
in
production
and
are
no
longer
experimental,
even
though
they
say
experimental.
So
we
had
at
least
one
really
bad
situation
where
that
happened
and
learned
from
it.
H
A
Yeah
I
think
that's
a
good
point.
We
don't
even
have
kind
of
like
the
infrastructure
set
up
today
for
having
experimental.
You
know
the
different
stages
that
gaps
do
in
the
Gateway
API,
but
it's
probably
something
we're
going
to
need
so
Shane.
One
question
for
you
from
Gateway
API
do
fields
that
maybe
are
not
implementable
by
every
implementation.
Do
they
ever
make
it
out
of
experimental,
or
do
they
what's
the
name
for
okay.
A
H
H
Is
different,
so
actually
experimental
has
to
do
with
our
release
channels,
and
you
can
have
a
like.
An
experimental
thing
actually
goes
with.
Our
experimental
manifests
and
may
include
things
that
are
said
to
be
extended,
but
aren't
actually
promoted
to
standard.
If
that
makes
sense,
so
like
something,
that's
extended
will
go
into
experimental
first
and
it'll
only
be
available
there,
and
once
it's
graduated,
it's
gone
through
all
its
testing
and
we're
sure
that
it's
working
with
conformance
with
the
implementations
that
can
do
it,
then
it'll
start
showing
up
in
the
standard
Channel
later.
H
A
H
A
Okay,
I'm
gonna
start
looking
into
adding
that
infrastructure
for
us
as
well,
because
I
think
as
we
move
into
beta
there
might
the
more
m-peps
that
are
open.
The
more
I
realize
we're
we
might
have
some
fields
or
parts
of
our
API
that
are
a
little
more
difficult
to
implement
for
a
lot
of
folks.
So
yeah.
H
Once
you
hit
experimental,
you
have
to
have
graduation
criteria
to
make
it
to
standard,
and
six
months
is
the
time
period
you
have
to
meet
that
graduation
criteria,
or
else
you'll
be
considered
pulled.
So
the
idea
here
is
in
the
past.
We've
had
people
like
just
jump
on
experimental
use
it
in
production
and
unfortunately,
then
it
became
real.
A
D
Hey
well,
we
we
are
here
I,
just
yeah
I
just
wanted
to
tell
where
you
can
find,
like
we've
added
these
instructions
on
how
to
open
and
prep
right
and
what
statuses
we
have
now,
not
sure
if
it's
easy
to
find
so
one
way
is
in
this
natural
policy.
Api
website
we
have.
There
is
a
reference
section
that
you
need
to
click
on
and
there
is
enhancement
proposal.
So
that's
where
you
read
that
and
another
way
to
find
that
place
is
now
we
have
templates
for
issues
in
the
repository
we
have.
D
Then,
if
you
open
enhancement
proposal,
there
will
also
be
a
link
to
this
process,
saying
that
you
may
need
to
follow
it
if
the
enhancement
is
big
enough,
yeah,
the
slash
enhancement
one,
so
that
also
should
go
to
the
same
page.
We've
just
seen,
yeah
just
in
case.
Anyone
would
like
to
actually
find
that.
D
A
A
Sweet
silence
is
affirmation
in
my
book.
Okay,
next
thing,
I'm
gonna,
toss
it
over
to
Yang
and
Syria.
Whatever
order
you
want
to
go,
first
doesn't
have
to
be
long,
just
really
informal
and
brief
for
folks
who
haven't
been
here.
Oven,
kubernetes
and
Andrea
I'd
say
are
kind
of
the
far
the
furthest,
along
with
implementing
admin
hour
policy.
So
hopefully
we're
we'll
have
like
actually
complete
implementation
soon,
so
I'll
toss
it
over
to
y'all.
E
I
can
go
first,
so
we
have
been
working
closely
with
the
Upstream
Community
for
six
months
now
or
even
over
there,
since
the
Detroit
kubecon,
which
is
when
I
first
got
involved
with
amb.
So
I
have
this
implementation
in
progress.
So
it's
mostly
us
working
with
so
it's
red
hat
and
Nvidia,
who
use
O,
B
and
K
mostly,
but
it
is
all
open
source
and
Upstream
plugin,
and
so
we
are
in
good
shape
right
now,
like
with
regards
to
supporting
all
the
fields.
E
There
are
some
fields
that
we
have
not
implemented
yet
some
of
them,
so
one
of
them
is
the
same
labels
and
not
same
labels
and
the
reason
why
we
didn't
implement
it
is
because
of
the
tenancy
npep
that
Nadia
has
opened,
because
we
wanted
to
clarify
about
that.
Field
stands
for
and
the
other
thing
that
is
sort
of
not
in
the
first
iteration
of
implementation
is
the
named
ports,
but
I
do
have
like
a
secondary
PR
where
we
will
bring
it
in
so
outside
of
these
two
I
think
pretty
much.
E
So
all
the
e2e
tests
live
in
the
Upstream
repo,
but
every
cni
can
just
take
that
and
run
it
Downstream
in
their
specific
implementation,
and
that
is
already
done
in
this
PR,
which
is
pretty
cool.
So
the
CIS
are
all
running
the
e2es
that
are
versioned
with
the
1.1
release
that
we
have
in
all
the
lanes.
So
it's
good
that
the
conformance
tests
are
more
Upstream
generic
and
not
cni
specific.
But
the
next
step
here
is
to
also
do
conformance
profiles.
E
So
since
obnk
is
almost
done
and
Andrea
is
also
almost
done,
I
do
plan
to
open
and
confirm
API
because
they
did
this
first
so
that
we
can
then
report
which
of
the
cni
plugins
that
are
implementing
a
specific
API
Upstream.
So
for
A
and
P
and
B
and
B,
we
can
say
that
okay
obn
care,
does
it
and
Trail
does
it,
and
we
can
give
some
sort
of
a
badge
saying
whether
they're
conformant
to
all
the
API
fields
or,
if
they're
conforming
to
some
of
them,
and
not
really
for
everything
and
stuff
like
that.
C
A
H
E
A
I
Yeah,
it's
a
little
bit
more
complicated
story
so
for
for
entria
I
think
the
implementation
is
ready.
We
have
this
PR
for
the
implementation,
which
you
know.
Obviously
pretty
much
does
the
same
thing.
We
don't
support
the
same
label
so
that
same
labels,
yet
but
I
think
we
do
actually
support
the
nameport
case,
which
I
didn't
realize
that
there
wasn't
one
in
the
conformance
testing,
which
I
can
probably
add
to
that.
But
I
think
we
do
support
the
name
per
case.
So
that's
not
a
part
of
the
conformance.
Now.
I
I
The
strategy
for
conformance
testing
on
Nigeria
is
that
we
were
trying
to
add
a
GitHub
action
so
that
you
know
every
time
you
maybe
a
PR
is
pushed
to
the
actual
repo.
We
spin
up
a
new
kind
environment
and
do
the
confirm
assessing
there,
but
we
discovered
that
you
know,
because
maybe
the
the
test
bed
will
be
a
little
bit
slow
and
there.
The
current
conformance
testing
logic
doesn't
there's
a
little
bit
of
a
glitch
that
we
needed
to
fix.
I
So
it
spins
up
for
namespaces
and
you
know,
use
the
pods
in
the
four
namespaces,
the
Harry
Potter
houses
right
to
to
do
the
conference
testing.
But
the
problem
is
right.
Now
we
use
a
pod
ready
condition
to
to
do
to
verify
that
these
pods
are
already
now
on
the
test
bed
that
we
had
after
a
the
state
for
sale
is
deployed.
The
pods
are
not
even
there
so
in.
I
In
short,
we
got
a
Ron
go
a
green
light
for
conversing
the
conformance
testing
before
all
the
testing
parts
are
actually
becoming
ready.
So
this
is
something
that
I
have
already
opened
the
pr
to
fix
and
I'm
thinking
that
we
probably
need
this
to
be
to
be
merged
and
then
maybe
use
a
different
release
tag
or
something
so
that
you
know
entry
can
use
that
specific
release.
Tag
to
to
to
to
to
do
the
conformance
testing,
because
otherwise
the
GitHub
actions
is
actually
fading
on
on
the
entry
test.
G
I
Is
kind
of
like
the
status
right
now,
but
you
know
I'm
hoping
to
have
this.
You
know
sorted
out
soon
because
we
are
actually
looking
at
maybe
another
entry
release
next
week
and
I
really
hope
to
get
the
mean
level
policy
super
merged
by
that
release.
So
but
obviously
we
need
the
conformance
testing
to
be
passing
so
I'll
I'll,
you
know
I
see.
Surah
has
already
commented
on
PR
I.
I
E
Yeah
this
is
actually
awesome
and
I
I
took
a
look
at
the
pr
and
it
was
coincidental
because
one
of
the
lanes
when
I
was
testing
it
in
kind
on
OB
and
K.
I
ran
into
this
exact
same
issue
that
you
reported
I
just
didn't
have
time
to
dig
into
it.
So
I
wanted
to
take
a
moment
to
thank
you
for
coming
and
fixing
this
right,
because
it
is
going
to
help
pogi
and
K
as
well,
because
I.
C
I
At
least
I
think
the
ready
replicas
should
do
the
trick
because
the
Pod
status
it
doesn't
also.
It
doesn't
also
explicitly
check
for
all
the
containers
right,
so
it
just
checks.
You
know
the
part
itself
is
in
succeeded
status,
which
I
think
should
be
equivalent
to
the
ready
replicas.
However,
the
problem
is,
you
know,
for
this
specific
change.
I
I
haven't
been
able
to
test
it
because
I
was
doing
a
replace
for
the
now
a
policy
API
to
my
own
repo,
but
there
are
some
sort
of
like
wear
dependency
issues,
so
I
couldn't
I
wasn't
able
to
run
this
using
the
specific
Branch
that
I
have
so
I'm
going
to
still
try
that
to
verify
that
you
know
it
does
solve
the
problem
before
you
know,
we
actually
merge
it,
but
but
I
I
do
think.
I
do
think
this
should
be
enough
for
checking
the
ready
status,
though
dude.
I
E
A
A
We
also
want
to
think
about
for
our
next
release.
How
we're
going
to
package
these
bits
into
the
release.
I
know
today,
you're
just
pulling
from
a
tag
in
your
in
your
vendoring
for
your
Downstream
implementations,
but
maybe
there's
a
way
we
want
to
do
that
differently,
I'm,
not
sure
yet.
So,
let's
just
try
to
think
about
it.
While
you
both
are
dealing
with
running
them.
Downstream.
E
I
I
C
E
A
A
A
Okay,
the
last
thing
I
guess
I
wanted
to
mention
when
I
was
looking
back
at
the
last
one,
the
last
week's
or
our
last
meetings
agenda
is
Dan.
Winship
is
officially
an
approver.
So
just
keep
that
in
mind.
If
you
need
something
merged,
he
can
do
it
as
well,
so
excited
about
that
and
I
think
that's
all
I
had
for
today.
Does
anyone
else
have
any
questions?
Comments,
concerns
Floors,
open.
A
Okay,
again,
silence
is
affirmation
for
new
folks.
If
you
I
know
that
we
went
over
a
lot
of
stuff
that
involved
a
lot
of
prior
art
that
we've
already
discussed,
if
you're
looking
for
places
to
get
involved
and
want
to
actually
start
getting
your
hands
dirty.
We
have
plenty
of
stuff
to
do
just
reach
out
to
me
or
others
in
the
network
policy.
Api
slack
Channel
we'd
be
happy
to
get
you
up
to
up
to
speed.