►
From YouTube: Network Policy API Bi-Weekly Meeting for 20201021
Description
Network Policy API Bi-Weekly Meeting for 20201021
A
Okay,
there
we
go
hi
everybody.
This
is
a
this
is
the
sig
network
network
policy,
api
sub
sub
project,
and
this
is
an
official
kubernetes
cncf
meeting,
so
everybody
be
nice
to
each
other
and
now
ricardo.
Take
it
away
all
right.
B
Thank
you
jay,
so
we
have
an
agenda
here
with
the
first
15
minutes
to
pass
through
the
cap
and
issues
that
we
have
opened
to
the
port
range
in
the
name.
Space
selector.
I
don't
know
if
abhishek
wants
also.
C
B
Pass
through
the
the
cluster's
corporate
network
policy,
we
have
I've
left
30
minutes
to
discuss
the
the
document
from
andrew
about
the
summarization
and
and
the
user
stories
that
were
left
behind
in
this
first
pass.
And
then
we
have
10
minutes
left
for
ideas
and
next
steps
and
discussing
anything
else
that
we
want.
So
if
anyone
wants.
B
B
Where
is
it,
let
me
close
everything
yeah
so
so
we
have
started
to
discuss
about
the
the
port
range
cap,
it's
over
here
and
andrea
abhishek
and
also
then
winship.
They
have.
B
Of
the
of
the
fields
before
doing
another
commit
into
the
into
the
cab,
so
here
is
the
document
we
we've
got
the
original
proposal
and
I
honestly
I
can't
remember
why
why
I
wrote
that
I
just
wrote
anything
that
came
to
my
mind
and
then
andrew
and
abshak.
They
have.
B
This
this
syntax
having
a
port
range
field
whenever
this
field
is
going
to
be
with
a
from
and
two
and
a
single
port
specification.
If
you
want
to
specify
a
single
port
or
different
from
into
and
the
exception
being
a
singular,
an
array
of
singular
parts
being
excluded
from
from
this
port
range.
So
you
might
have
a
from
two
and
the
exception
field,
or
you
might
have
only.
E
B
E
B
F
G
Also
not
putting
so
single
ports
in
the
same
struct,
then
maybe
we
can
have
a
validation
wherein,
like
you
know,
the
the
name
port
is
available
only
if
it's
a
single
port
field
or
other
the
field
type
could
be
interesting,
just
just
to
be
similar
to
how
the
current
ports
are.
B
H
So
just
a
question
here:
you
you
basically
have
a
port
range
for
this
field
right,
why
you
have
a
single
port
here,
I'm
a
little
confused.
What's
the
difference
of
this
one,
this
is
the
one
above
says:
port
6379,.
G
Here
so
when
I
I
think
suggested
was,
I
think,
ricardo
also
had
the
same
thought
process
was
that
the
port
and
protocol
are
existing
fields
today,
and
if
we
want
to
have
a
single
field
to
for
all
the
ports,
then
maybe
we
deprecate
the
existing
field,
but
still
support
it
and
then
internally
convert
it
into
the
new
struct.
G
This
is
similar
to
how
for
pause.
You
know
you
had
multiple
pod
ips
that
were
introduced.
We
still
have
two
fields,
one
pod
ip
and
one
for
ips
and
the
pod
ip
is
internally
converted
into
the
power
ipc
until
we
deprecate
and
delete
the
old
field,
and
that
was
my
thought
process,
but
I
could
be
wrong.
H
H
Because
right,
so,
if
you
say
okay,
if
you
do
a
single
port,
you
just
program
port.
If
you
have
a
proven
you
program
programs,
will
that
be
good
enough
or.
I
By
the
proposal
we
can
remove
this
from
here,
right
and
and
in
particular
like
I
think,
if,
if
we
were
to
go
with
the
the
other
proposal,
which
just
puts
port
ranges
in
its
own
field,
not
under
reports,
then
I
think
it
makes
more
sense.
Yeah
like
in
this
scenario,
I
think
it
even
makes
makes
even
more
sense
to
not
have
port
in
four
ranges.
I
B
A
A
I
Yeah,
I
think
the
biggest
thing
is
like
it:
it'll
change
the
way
the
validation
happens
because
now
you're
inspecting
like,
if
you
put
port
rangers
as
a
top
level
field
in
ingress,
you
just
have
to
validate
one
or
the
other,
whereas
if
it's
embedded
in
just
ports,
you'd
have
to
go
through
every
port
and
then
validate
against
each.
But
I
agree
like
it's
not
a
huge
difference,
but
I
think
it's
worth
squibbling
over
and
seeing
which
one
looks
better,
at
least
in
yammo
and
whatnot.
A
A
A
A
B
Yeah
I
was,
I
was
also
thinking
that
the
single
port
proposal
just
makes
sense
in
this
case
here
like
so
we
are
moving
to
a
port
range.
You
can
use
a
ports
or
port
range,
but
if
you
want
to
use
port
ranges
with
a
single
port,
you
can.
You
might
have
this
like
like
here
as
an
individual
field,
but
I
agree
that
this
for
the
first
one
here
is
much
more
clear,
clean.
H
A
A
H
It's
different
from
the
first
one,
though
for
original
proposal,
though,
because
that
way
you
have
a
list
of
words
right,
because
the
original
way
of
doing
this
course
is,
like
you
have
a
list
of
protocol
port
local
port
right.
So
we
do.
Maybe
we
don't
want
to
change
that.
The
only
thing
we
can
is
this
port
could
be
either
a
single
port
or
a
wrench.
It's
like
separate.
I
A
I
I
H
A
I
H
I
H
I
Can
we
can
we
write?
Can
we
write
it
down
like?
Can
we
can
we
write
down
what
things
proposal
is
like?
If
I
have
let's
say
I
have
a
port
range
like
between
30
000
and
one
thousand,
and
I
have
exceptions
at
like
three
thousand
one
and
or
three
thousand
one,
and
you
know
somewhere
in
the
middle
and,
like
I
have
five
exceptions
between
that
like
would
it
be
hard
to
read
just
a
moment.
A
I
E
H
B
A
I
H
We
can
also
have
an
array
there,
just
to
say,
like
you
will
have
a
bracket
right
like.
H
Well,
just
two:
it's
like
this,
like
you,
have
a
square
bracket.
B
But
I
think
that's
that's
pretty
confused.
That's.
B
A
A
H
One
thing
I
could
feel
difference
is
which
way
is
easier
to
validate
with
a
schema
like,
for
example,
your
fraud
needs
to
be
smaller
than
two.
All
your
acceptance
could
be
in
the
middle.
G
A
B
I
G
G
I
A
Yeah,
I
mean
it's
kind
of
an
interesting
thing
just
to
know
whether
we
maybe
I'm
glad
you
brought
that
up
zang,
because
I
was
thinking
the
same
thing,
but
I
was
afraid
to
say
anything
because
I
was
afraid
everybody
would
just
say
I
was
crazy,
but
maybe
there's
like
a
one
percent
chance
that
we
can
keep
the
stream
yeah.
So.
H
Maybe
let's
just
put
this
as
an
option
and
then
just
talk
with
api
guys
to
see
which
or
talk
with
him
to
see
which
way
he
would
prefer.
I
mean.
H
H
Validation
is
pretty
hard
with
steamer,
but
schema
can't
tell
you,
for
example,
there's
a
dash
must
be
the
stream
because
it
must
match
up
pretty
rejects
that
one
is
easier
to
do,
because
it's
a
single
file
think
about
it
right.
It's
hard
for
the
schema
to
do
cross
check
across
different
fields.
B
Okay,
so
just
just
as
a
decision
of
this
one,
I
might
bring
this
to
the
api
folks
and
ask
them
if
it's
valid,
to
make
this.
This
sort
of
validation
inside
the
api
machinery
is
that,
okay
for
everyone.
E
H
B
Okay,
and
about
about
the
exception
field
is
everyone?
Does
everyone
agree
that
we
might
have
like
the
exception?
One
inside
the
the
port
depart
like
not
declaring
this
in
the
part
range
or
anyone
had
have
some
strong
feeling
that
we
need
also
to
have
an
exception
field
here
like
having
this
inside.
A
B
I
The
other
thing
to
follow
up
we
could
do
it
like
asynchronously,
is
whether
ranges
whether
we
have
to
validate
like
ranges
between
each
other,
like
if
one
range
overlaps
another.
If
that
should
fail,
validation.
B
I
I
don't
know
what
do
other
folks
think
I'm
I'm
not
sold
on
either
one
yet
I
think
I
need
to
think
about
it.
More
yeah
just.
I
E
A
I
kind
of
feel
like
the
overlap
thing.
As
far
as
that
goes,
I
feel
like
that's
a
no-op
to
me,
because
I
feel
like
if
somebody
wants
to
redundantly
declare
that
a
port,
a
port
is
allowed
that's
kind
of
okay
based
on
the
allow
semantics,
but
it
would
be
weird
if
somebody
allowed
a
port
in
range
in
one
declaration
and
then
disallowed
it
as
an
accept
or
another,
but
I
feel
like
there's
a
logical
order,
that's
happening
which
is
kind
of
the
overriding
way
things
are
done.
G
Range
and
then
the
same
port
number
same
port
number
in
the
exact
range.
As
long
as
there
is
an
allow.
B
E
A
B
E
A
A
A
A
So
then,
the
only
question
to
me
that
first
came
up
and
anybody
can
interrupt
me
here
right,
like
I'm
just
kind
of
spitballing,
but
the
first
thing
that
came
to
me
was
like
cardinality
was
what
I
was
thinking
of
right.
So,
like
you
know
right
now,
you
can
have
a
namespace
selector
and
the
namespace
selector
can
select
multiple
namespaces
because
of
the
fact
that
it
uses
labels
and
there's
a
many
to
one
relationship
between
labels
and
namespaces
right.
A
So
you
could
have
the
same
label
in
many
namespaces,
and
so
or
maybe
it's
many
or
many,
I
guess
but
anyways.
The
point
is
that
you
kind
of
need
it
to
be
plural.
I
guess
so
it's
not
really
a
namespace's
name,
it's
more
like
a
namespaces,
his
name.
I
guess,
but
I
think
it's
pretty
self.
I
don't.
A
I
don't
know
I
feel
like
it's
pretty
self-explanatory.
I
wasn't
able
to
think
of
any
wrinkles,
but
I
admittedly
have
been
a
little
distracted
lately.
So
is
there
much
more
to
it
than
this?
I
don't
know.
Let
me
know
I
still.
I
feel
like
it's
the
same
thing
like
we
just
mentioned
before.
As
far
as
you
know,.
I
Well,
yeah,
I
think
I
think
this
is
pretty
much
what
I
think
this
is
pretty
much
what
we
were
kind
of
saying
like
instead
of
namespace
selector,
just
a
list
of
namespace
names.
I
think
it
would
have
been
great
if
names
does
the
field.
Namespace
selector
was
a
top
level
field
and
then
it
had
like
a
label
field
and
a
names
field,
but
we
can't
that
would
be
a
breaking
change
to
change
like
name
space
selector
is
already
a
label
selector,
so
we
can't
do
that.
I
I
think
I
think
so,
but
then
it's
it
would
be
a
code
breaking
change
for
like
cni
implementations
of
it.
Maybe
so
that's
a
good
point
like
I
think,
there's
a
way
to
do
it,
where
you
don't
break
the
yaml,
because
you
can
just
wrap
the
label
selector
under
another
struct,
that's
embedded
and
then
you
just
add
the
names
feel
to
it.
A
G
We
kind
of
like
rely
on
the
fact
that
the
name
selector
is
a
label
selector,
and
then
we
use
all
the
package
and
figures
or
methods
and
functions
that
they
provide
the
library
yeah.
You
move
it
to
a
different
kind
of
struct
and
then
they
might.
We
need
to
have
that
kind
of
quote
and
I
guess
there
will
be
code
changes
required.
Yeah.
A
I
If
name
space
selector,
so
if
we
had
a
wrapper
struct
and
the
label,
selector
was
an
embedded
field
in
the
new
struct.
Would
that
still
be
a
breaking
change.
G
No,
I
think,
as
long
as
we
should
be
able
to
still
access
label
selector
as
us,
I
think
it
should
not.
Now
now
I
see
what
you're
trying
to
do
you're
trying
to
embed
that
into
a
new
struct
and
add
a
new
match
name
or
whatever
names.
H
H
H
E
I
G
I
G
Yeah,
but
then
also,
then,
restrict
other
types
of
selector
to
not
use
it
right.
For
example,
if
pod
selector
is
also
okay.
Okay,
so
you
are
only
changing
the
name
space
selector
to
the
new
new
app.
G
H
So
you
are
this:
okay,
that's
a
good
point.
So
it's
already
tied
to
a
label
selector.
That
means
you
cannot
add
a
actual
field.
Okay,
that
makes
sense.
Okay,
yeah!
Basically,
you
can
expand
that
one.
A
A
I
mean,
I
think
this
is
just
again
something
we
should
follow
up
on
as
a
like,
a
team
or
whatever
we
should
know
like.
We
should
probably
have
a
good
feeling
about
these
things
and
how
they
work,
so
maybe
I'll
try
to
hack
around
with
that
just
to
see
if
I
can
get
it
working.
So
I
think
it's
a
good
idea
just
to
think
about.
H
A
But
you
know,
I
think
this
is
going
to
get
more.
These
things
are
important,
though,
so
this
is
great,
because
the
reason
I
really
appreciate
you
bringing
this
up
zhang
is
that
I
feel
like
at
some
point
we're
going
to
hit
a
point
where
we
have
something
we
want
to
do,
maybe
where
we
really
maybe
want
to
stretch
what
we
can
get
away
with
in
the
v1
and
still
call
ourselves
v1,
and
so,
if
we
understand
how
to
do
these
things,
better
it'll
be
good
for
us.
I
think.
A
I
H
A
H
H
K
Yeah
correct
so
it's
kind
of
like
a
for
loop
that
just
you
know,
applies
a
basic
policy
to
you
know
all
all
namespaces
that
you
yeah
so
yeah.
That
could
be
a
cluster
in
our
policy
use
case.
But
you
know
if
anybody
has
another
opinion.
Here's
to
here.
A
A
Now
we
have
a
port
range,
we're
allowing
people
to
select
multiple
ports,
so
the
I
don't
think
that
this
increases
the
cardinality
of,
what's
being
selected
against
in
any
fundamentally
different
way
than
what
you
get
with
a
label
selector.
So
I
I'm
not
sure
to
me.
It
doesn't
feel
like
it.
It's
like
it
doesn't
feel
like
we're,
cheating
and
making
a
network
a
cluster
network
policy
by
using
the
projects.
It
feels.
B
A
C
H
It
is
right,
so
so,
at
least
for
that
particular
case,
we
are
able
to
address
it.
I
mean
I
agree
that
it
can
be
just
in
class
on
our
policy,
but
we
probably
eventually
need
to
solve
it
there
right.
It
says
every
namespace,
except
the
good
system
can
talk
to
external,
for
example,
right.
A
H
A
I
I
A
Was
thinking
it
would
be
additive
yeah
right,
because
why
would
it
not
be
right
like
the
namespace
selector,
as
is
if
I
have
a
namespace,
with
a
million
labels
on
it
and
one
of
them
and
I
and
I'm
only
selecting
for
one
of
them?
So
if
I
have
an
empty
namespace,
selector
or
you
know
I
mean,
then
it
selects
anything
right
so.
H
That's
actually
a
rubber
wheel,
for
example,
if
you
have
a
name,
space
here
says
allow
from
back
end,
then
you
have
another
one
says
from
namespace
selector,
back-end
and
patch,
that
stays
there,
like
whatever
label.
What
does
that
mean?
Are
you
going
to
allow
every
pass
from
that
namespace
or
you
only
allow
the
path
with
selected
label
in
that
namespace,
and
I
got
a
little
confused
here
now.
H
A
H
H
H
Okay,
so
basically,
for
example,
when
you
have
this,
when
you
have
the
current
configuration
that
and
jay
is
doing
here,
what
does
it
mean?
It
means
it
can
be
talked
means
from
a
yeah
go
ahead.
A
J
H
Right
I
mean,
if
you
don't
have
that
two
of
them,
I'm
not
saying
that
you
remove
all
of
them
right.
J
I
feel
like
in
this
case
name
three
selector
and
namespace
should
be
mutually
exclusive,
like
you
can
only
expensive
one
sort
of
sort
of
like
the
the
port.
I
don't
know
it's
not
a
it's
a
good
analogy,
but
you
know
yeah
in
this
case,
I
don't
think.
I
G
So
do
we
still
explore
the
path
of
like
having
this
single
type
with
the
namespace
selector
and
try
to
have
match
names
with
as
part
of
match
labels
do?
Are
we
still
gonna
explore
that
to
see
whether
it's
technically
feasible?
I
A
Before
three
minutes
yeah,
we
got
it
again.
B
I
Doing
that
sorry,
no,
no!
I
we
can,
we
can
do
it
offline
or
we
can
do
it
next
week.
It's
not
a
big
deal.
Yeah.
A
I
A
Fyi
is
here
so
if
anyone
wants
to
look
at
it,
he's
kind
of,
went
and
clarified
the
ones
that
we
were
actually
talking
about
into
some
sustained
paragraphs,
which
is
really
cool.
Okay,
I
think
this
is
it.
It
means
five
o'clock,
so
I
think
saying
if
you've
got
that
in
there,
I
can
noodle
around
with
how
we
might
be
able
to
implement
that.