From YouTube: SIG Network: Network Policy API Meeting 20200914
B: You know, what is the process, by the way, for doing whatever that magic thing is that you always do? Is that just a leader login or something, log out and log back in?
D: Okay, so combing through the issues here, we have this first one is yours, Jay. Do you want to talk about this issue and whether or not we need to take any action on it, or if you need help on this? Which one is that, let's see? Okay, sorry: brainstorming a CRD.
B: So this goes to the syntactic sugar thing that Dan and Chris were just talking about, but this would be like an extreme version of it, and I don't think anybody else is particularly interested in this other than me. So I'm not gonna ask, but if anybody is interested in looking at what would be the ideal way to express these things, if we didn't have any baggage of the past, that's kind of something that I've been playing around with.
D: Gone, it's all kinds of Monday today. We're in the middle of conference season where I'm at, and in the middle of a product launch at the same time. So it's been fun.
B: Okay, yeah, and I just checked, you're... It's all your fault. That's all my fault. Okay, you have to accept the response. Okay, yeah, if anybody's interested in the CRD stuff, it's a really hard problem. So, Matt, I don't want to take up all the time, but I'll just, for 30 seconds: Matt Fenwick has really, really dove in and tried to build this sort of, like, a higher-level operator that would, at a very, very high level, use a traffic abstraction, and he was looking at it and he was getting some sharp corners in the APIs around the defaults and stuff that was making it tricky for him to build it properly. But he's been thinking a lot about this too, and we're still just kind of trying to wrap our heads around it. And so, if anybody wants to talk about that, that's great; otherwise I'll just keep exploring it on my own.
E: As you know, I'm interested in the CRD aspects, but also I thought one of the things that we were going to discuss today was taking a step back and looking at the proposal. So I pushed a PR for that, and this is basically building on top of, you know, what Dan's initial thought process was in his Google doc. So it's kind of like, you know, building on top of it. So that's why I was, like, you know, not really deep-diving into the CRD concept directly, because, you know, that's like implementation or some sort of a design, but taking a step back and figuring out whether this security model works for the Kubernetes clusters or what we're trying to do, and that's why I thought, like, you know, Dan's doc was pretty good in that respect, and I felt like it kind of got lost between, you know, this move to the KEPs. So whenever we get a chance, maybe we can just go through that PR also, and then probably also I'll help Jay work on the CRD aspect with you.
B: Gotcha. Yeah, I think we're very far from an API-level conversation. I think Dan's doc needs to be... yeah. I think that Dan's doc is probably the best use of your time, because I think it's going to converge with other stuff, right? I mean, it seems to me like that, Abhishek, like, so whatever, I mean, I think: does anybody have a strong feeling about whether doing these things in parallel is beneficial in any way? That's the basic hypothesis: that some of these things will fail and some will succeed, but they will all eventually converge. But does anyone feel like any of these efforts are actually negative, like going to lead us in two different directions in a way that's dangerous? I think that's the bigger question, right, because if not, then, you know, I don't have any particular concerns, but I guess that's the thing, right.
G: I don't think anyone really cares about what anyone else works on in parallel. The important thing, though, is making sure that we review the things we think are ready to go, or that we think are ready to be brought for discussion, because there's always going to be experiments and things that happen.
E: Yeah, so let me rephrase my question. I think what I wanted to ask was: the issue that you have, the brainstorming CRD, is it like brainstorming the API for that CRD, like how to format that CR, like what fields to include? Or is it something that you already have an implementation of, because I think you mentioned that Matt already has some sort of operator which works upon...
B: Oh yeah, yeah, it's not even well-formed enough to say there, right? Like, it could be either. It's just, like, what other ways can we express this stuff, and either one of those could... You know, we have something that sort of works, and that's an operator, and that's one thing that we possibly could use help with, but then the other thing is an actual CRD. So that's why I still think that going back to Dan's doc is super useful, and I think that's, like, you know, having that as another way that converges us. Like, if, within a month from now, we can say we've got an implementation of Dan's doc that's like a unified security model, and we've got, oh, by the way, we've also got 75 percent of a couple of things that are KEPs that fit into very tactical aspects of that.
E: Yeah, so I took a stab at that, you know, kind of like translating his doc to a PR or something in this repo, and then maybe we can build on top of it as well. But I forgot to raise an issue for it. So maybe.
H: Okay, I have a question on this CRDs thing, right: are we going to do narrow parts of v2 directly, which means it's not backward compatible, or are we going to do an enhanced version of v1?
E: Yeah, and that is the reason why I kind of, like, you know, alluded to taking a step back and figuring out the model, and then see what makes more sense, especially for the developer-focused APIs. I think there are two ways to handle it. One is, you know, what we have, because, you know, it is something that works, the v1 APIs, and we only decide to go forward with the additive fields that we can add without any, you know, disruption, or without any backwards incompatibility. Or we just decide that, you know what, we replicate this and we move on to the new v2 model; we do a set of APIs. But I guess I think the broader group kind of agrees that we can do this in a parallel sense and see which one gets more traction and what is more relevant, I guess.
H: Oh, okay, but on the other hand, even if we have two proposals in parallel, we want them to have something in common, right? Basically, like, the functionality covered by one of them should be included in the other, like the backward compatibility ones. Okay, then, are we going to discuss these two things in parallel here, or, what I mean, which one is this meeting going to focus on?
D: So I think the first thing we need to do is: there are action items or issues already devoted to this, to both sets of issues, right? I'm sorry, both sets of courses of action here, both the CRD approach and continuing to finalize the KEPs. So I think we can do both.
H: Okay, I'm not sure if that would make this effort distracted or not, if we are doing both. Like, for example, today, I was thinking that, oh, initially, I thought we were going to discuss issue 30, which is to say, okay, what do we want to propose in this special KEP, which, since it's a starter KEP, most likely it's a backward compatible one or not? What does that starter KEP mean, then?
D: Oh, guys, I think I see what you're saying now. So I think what Jay is proposing, and Abhishek as well, is: you know, I think we can move forward towards coming up with a unified security model at the same time that we're trying to flesh out some of the specific KEPs. Is that right, Jay?
B: Yeah, I was thinking so. My thought, and I could be wrong about this, but my thinking here is that some of the things we may try might fail, and that's kind of okay. So I guess, is there anything in particular that you'd be interested in kind of owning or helping with, of these approaches? Because I guess that's kind of the driver here, is that people can... we're going to make success.
H: Yeah, sure, and yeah, I'm just trying to understand the focus here, maybe because I wasn't focused on this for a long time, so I kind of want to know what's the current focus, like what's the way to move forward here. Like, I mean, it looks to me that there's many paths in front of us; we have to choose one to go, right.
B: And then, Zang, if you want to sync up offline sometime this week, also, like, we could talk more about what your concerns are, for sure, right.
A: Yeah, I started watching Chris and, okay. I think what Chris and Ricardo were proposing is: let's get a list of all the non-disruptive or backwards compatible, like incremental, API changes we can make to v1, and if we can get quorum or consensus on this call, then we can start creating issues to track work to put these into KEPs. Is that my understanding, is that correct, Ricardo, Chris? Yes, exactly.
I: Organization of existing use cases, and item one is the possible network policy additions. We started to discuss which of those possible network policy additions can already be turned into a KEP. So I've asked about the port ranges. Jay asked about matching namespace by name, but we know that there is a disagreement from Tim about using names instead of labels, and then Chris also got the one for the name, it's IP blocks, like he said. So the proposal here is: can we start working on something that is not disruptive for the v1 network policy? Can we start writing the KEP, even if it's not implementable yet, and then, like, ask SIG Network what they think about that? Because this is much more like the AppProtocol that Rob Scott proposed for the cloud providers, which was adding just a field to Service.
G: So we talked about the CIDR slices one, and I think that's the one where, as I mentioned, this is probably already doable by just creating multiple peers. We don't have to go as granular down to the CIDR field as it exists today. The other one is nodes. I have a... I posted an issue in the, you know... let me just re-post it in the Zoom chat in case anyone joins a little later. I put it in our notes for today for node selector.
A: So for the node selector, one is node selector just saying I want to select a bunch of addresses based on, like, the internal/external IPs that we set on nodes, and then use those in the network policy rules. Like, in terms of the data path, it's just like pod IPs, but you're just putting in node IPs. Is that what it is?
G: This is where, yeah, there's a bit of confusion. If we take a look at how others have implemented node selectors in their custom, in their CRDs for their individual CNI, for example, I found in Cilium they do a node selector in combination, almost, with endpoint selector, and I'll post that note in the Zoom chat. I was trying to figure out what the use case for this would be like. If you had a bunch of... I think Ricardo mentioned, you know, maybe you have a selection of nodes that are for your sensitive applications or something, and you deploy a bunch of pods to those nodes specifically, and then you just wanted to say, okay, I know that everything on secret nodes may belong to a bunch of pods or whatnot, but I just want to refer to them.
F: So, and if it's node... sorry, go ahead. I was gonna say, I had thought that, like, there was some discussion about exactly what it meant, but I thought that the proposer of the original thing meant for it to be for selecting node IPs, so that, for instance, you could say I want these host-network pods to be able to access, you know, this pod, and select traffic from those node IPs, basically, by using it, not for selecting pods on a node.
A: Yeah, agreed, I thought that's what it was too, and if it is... if we're saying that we do want the node selector to be all pods on nodes, then I think the change is a bit more disruptive and not something that we can incrementally add. But if it's just the node IPs, which I think... I think that's what we want to start with, right.
D: No, I think that was the original intent, was the node IPs, but I think that it was a... no. When we originally talked about it, it was a node-specific selector, I thought, in terms of a Kubernetes node, right. We wanted a way to say: I want to be able to use the metadata of Kubernetes node objects to select traffic coming from those specific hosts, and not the pods that are hosted on those hosts, just the traffic that is using the host's default, you know, network interface.
D: So, let's make sure we have a... yeah? Well, let's make sure we have the user story created for that, because I don't think it's in there.
I: We just required 5G. This one appeared for us as a P0 because we were discussing what's the impact of having a service selector, and we discussed what's the impact of having, like, service selector or node selector or whatever object selector, and we put that into "have new selectors for services, for nodes". But we can already discuss if this is like a P0, or if this is harder than it looks.
D: Yeah, I mean, it's all node traffic, right, I mean, it's all host traffic on that Kubernetes node. So we can update the terminology. Basically, when we talk about host traffic, it means the IP address that the processes on that host are using, right, to do traffic. If, if you said... Oh, well, I was going to say, if you're talking about pod traffic, right, pod traffic is not SNATed against the node IP address unless it's going external, right, and so at that point it would be captured. Anything that gets SNATed would be captured. So we would have to have an option in there not to capture SNATed traffic. Possibly, it all depends on how you want to do that. So Calico actually has some interesting parameters where it handles evaluation of policy either pre-DNAT or, you know, post-DNAT, you know, some of those types of things, and so it's a similar type of thing going on.
B: And I work with Andrew, and, you know, he's got some thoughts on this for sure, and also I can reach out to other people that care about it and try to integrate the signals to get good consensus on what folks think is reasonable. I can definitely own it, like, to start, for sure. I think I'm going to poke, of course, Andrew, Dan, and anyone else who's interested in helping me on it, but feel free to flag me as an owner to start.
A: Cool, so, while Cody does that, I actually did want to propose two more things for Ricardo's issue, for, like, good starter KEPs. I think namespace by name is actually pretty useful. I know Tim disagreed on that one, but I think it'd be pretty low-hanging fruit, as long as we have validation in the API to ensure that you can't set both namespace by name and by selector. And the second one I'd want to propose is cluster-scoped network policies, because that would be a new resource.
D: Add that, as a comment, if you will, to the list or that issue that we were looking at.
G: For the namespace by name thing, I know we've talked about this quite a lot. Is the worry on that, like, if you are able to... are you able, with RBAC, to say you're not able to read labels on namespaces? So being able to see, like, if being able to see all of the labels on the namespace is not something that you can lock down.
F: I think this should specifically be namespace name; there's much less of an argument for doing it with any other resource type.
A: Yes, but one thing to note: like, I noticed these are P0s, but I thought we're only talking about, like, KEPs that are, like, low-friction changes to v1. So I don't know if you want a category for that, because I don't want to say that name as policy target is not a P0, but it's definitely not P0 for, like, incremental additions to v1.
E: Okay, I had two comments on this particular one. This one is that, to make it a little less friction, it might be more useful for this use case in the cluster-scoped policy namespaces, I think, and the other one was that if we do plan to introduce node selector, maybe nodes as name would also probably make sense.
B: So we've got: let's see, one, two, three, four, five. We've got about 15, 16 people here. Does anybody want to own this story? You can add my name on.
D: The scope here does not... that would be a link, but basically what Abhishek is saying is, if we create an administrative, you know, network policy that's cluster-scoped in nature, right, which I just named cluster network policy, we may name it something different, but including this option only there, since that's a net new object, a net new resource, might have less friction than changing the standard network policy. Understand? Okay.
D: All right, let's go to that. I'm going to add both you and Abhishek on that, because I think he's also pretty passionate about that as well. Sounds...
B: Good, yeah, I don't know if we've, as a group, come up with anything collectively for that. Do we? Maybe we do. I guess we do. That might be, you know... Abhishek, maybe Gobin could help you on the doc that you're making with Dan. That's a perfect thing, right, because that's exactly where that's all gonna fit in. Okay.
D: No, you can add me for this story as well. This is Young speaking.
E: Yeah, I'll reason and I'll talk to the guys. Okay, okay, thanks.
D: And who said they were going to do the port range? I'm sorry, was that Ricardo or somebody else?
A: So to clarify, are we saying that, for the good starter use cases for the first KEP that Ricardo was mentioning, we're saying that we're doing port ranges, namespace by name, cluster-scoped policy, and node selector? Oops. Are we all on the same page on that? I think so.
D: Now, did you update this issue 30 and add the two others that Andrew mentioned to this running list here?
B: I was going to add that in. Thanks for bringing that up, Andrew, because we were debating that and we're like, no, let's leave it out, and I'm glad somebody brought it up.