►
From YouTube: Network Policy API Bi-Weekly Meeting for 20211115
Description
Network Policy API Bi-Weekly Meeting for 20211115
A
Hey
everyone
today
is
november
15
2021.
This
is
a
meeting
of
the
sig
network
policy,
api
sub
group,
distinct
network.
This
is
a
cncf
certified
meeting.
So
please
be
nice
to
everyone
and
let's
have
a
good
meeting
today.
So
just
getting
started
really
quick.
There
was
one
issue
that
got
assigned
to
us.
I
was
taking
a
look
at
it
before
I
put
in
the
agenda
and
I'll
share
my
screen
real
quick.
A
It
looks
like
it
is
a
more
of
a
calico
question,
so
I
was
just
going
to
ask
them
to
reach
out
to
calico.
Basically,
a
pod
is
failing.
If
network
policy
is
there,
so
not
really
something
about
something
that
we're
controlling
more
on
the
cni
side
of
things,
but
if
you're
interested
you
can
take
a
look
at
that.
B
Not
in
particular,
I
think,
last
thursday
there
was
a
sig
network
meeting
already
and
in
that
specific
meeting
they
decided
that
the
next
occurrence
of
the
meeting,
which
falls
right
on
thanksgiving
that
occurrence
will
be
cancelled.
So
we
won't
have
a
meeting.
You
know
next
next
thursday,
so
we
presented
the
you
know
the
cmp
updates.
Roughly.
You
know
the
very
condensed
version
of
the
updates
to
the
sig
network,
because
you
know
there
are
other
agenda
items
that
took
a
lot
of
time
and
then
you
know
our.
B
We
basically
presented
that
you
know
there
are
five
major
updates
we
made
to
the
cmp
cap
or
five
major
areas.
We
wanted
some
feedback
on.
I
think
it
was
first
of
all,
you
know
the
plus
network
policy
naming
should
we
rename
it
to
our
policy,
for
example,
and
do
we
want
the
priority
number
to
mean?
You
know
a
lower
powering
number
to
mean
higher
power,
your
lower
priority-
and
you
know
the
the
struct,
the
the
workload
selector
struct
about.
B
B
So
those
are
kind
of
like
the
questions
we
brought
up
to
the
sig
network
and
we
asked
them
to
provide
feedback
on
the
cap,
because
tim
specifically
said
that
you
know
those
are
really
good
questions.
Those
are
questions
that
people
needed
to
think
about
before
you're
gonna
jump
into
conclusions,
so
they
don't
want
it
to
sort
of
like
give
an
answer
to
these
questions
on
the
spot
on
the
same
network
meeting,
but
they
said
they
will.
B
You
know,
review
the
cap
and
provide
a
comments
there,
but
you
know
again
this
might
slip
on
their
minds,
so
I
plan
on
you
know
doing
a
quick
painting
on
on
them
again.
You
know
sometime
this
week
to
remind
them
to
review
the
latest
com
commit
of
the
state
of
the
cmp
cap,
and
I
I
think
that's
it
they're
not
too
much
use
for
feedback.
B
A
C
A
A
A
D
D
D
B
D
D
A
This
is
like
of
fqdn
is
kind
of
a
complicated
object.
We
have
a
implementation
of
it
in
openshift
and
you
know
there's
a
lot
of
different
constraints
about
how
often
you
update
dns
records,
like
like
there's
a
bunch
of
questions
around
that,
and
if
your
policy
is
for
some
period
of
time
resolving
to
a
wrong
ip
like
things
can
get
pretty
messy.
I
don't
really
know
the
best
way
to
do
it
right
now,
but
I
guess
we'd
have
to
think
about
it
for
a
little
bit.
A
D
D
Than
it
should
have,
but
only
from
the
same
namespace,
okay
yeah,
but
I
think
yeah,
but
again,
like
your
point
about
thinking
like
how
we're
going
to
upgrade
the
records,
how
we're
going
to
convert
the
dns
to
ip
addresses,
because
I
mean
that
ultimately
say
provides
rely
on
ip
addresses
right.
So
all
right,
we
need
to
figure
that
out.
Like
I
mean
that's
it,
that
itself
is
a
complete.
You
know
like
separate
topic
on
itself
like
it
requires
a
lot
of
thought
process.
A
Just
a
little
worried
too,
like
with
that
with
you,
know,
upstreaming
something
upscreen
upstreaming
an
fqdn
policy
without
specifying
exactly
how
we
expect
it
to
work,
and
then
I
feel
like
we're.
Gonna
have
an
upstream
feature:
that's
behaves
differently
across
cni's,
which
isn't,
I
think,
a
great
thing
right.
It
leads
to
user
confusion
and
and
it's
a
good
argument
for
per
cni
specific
resources
rather
than
upstreaming
such
a
thing
right.
A
E
A
E
A
What's
the
major
concern,
I
think
you
can,
you
can
argue,
like
I
think,
you'll
be
able
to
reach
a
consensus
among
cni
providers
that
an
fqdn
policy
would
be
great
right.
The
problem
lies
on
the
other
side
of
it.
There's
a
lot
of
different
ways
to
implement
fqdn
and
dns
is
a
finicky
beast
in
the
sense
that
I
don't
feel
like
the
behavior
is
going
to
be
consistent
across
cni's
for
an
fqdn.
B
Well
like,
if
I
may,
I
wanted
to
you,
know,
provide
some.
You
know
quick
insight
on
this,
because
I
actually
before
my
before
my
leave,
I
actually
implemented
the
our
flavor
of
the
kdm
policy
in
entry.
So
essentially,
what
we
we
looked
at
is
that
we
also
look
at
the
cdm
solution
right,
which
is
open
source
and
the
catechol
solution
is
closed
source.
So
we
don't
know
for
sure.
B
You
know
how
they're
handling
fqdm
policies,
but
I
think
that
one
major
problem
you
know
regarding
fkdm
policies,
as
as
andrew
mentioned,
that
you
know
we
there
might
be
a
lot
of
different
schemes
in
terms
in
terms
of
deciding
how
long
I
guess
a
particular
dns
record
can
be
hold
up
being
called
up
to
so
in
our
solution,
you
know.
First
of
all,
it
depends
on
you
know
which
dna
dns
servers,
you're
you're
talking
to.
Is
this
the
dns
server
configured
for
a
specific
pod
or
you're?
B
Just
using
you
know
the
the
kube
api
coupe
dns,
which
is
configured
in
the
cluster,
because
you
know
in
the
in
the
cluster,
you
can
have
different
dns
policies
for
different
parts.
So
if
you
have
a
policy
applied
onto
different
parts,
then
if
those
parts
are
having
different
dns
policies,
then
you
have
a
little
bit
of
confusion
in
terms
of
which
dns
server.
Are
you
actually.
F
B
F
C
F
Things
are
resolved
too,
because
when
you
build
it
all
the
way
so
that
you
get
when
you
get
an
address,
you
try
to
check
back,
because
I
assume
that
when
you,
when
you
have
the
address
in
the
field
right,
you
don't
try
to
map
it
back
to
to
the
name,
to
a
name
by
doing
a
reverse
name:
lookup.
That
takes
too
long
time.
F
B
F
Name
again,
I'm
just
scared.
When
you
have
things
like
you
see
what
hashicorps
have
done
and
so
on,
when
they
basically
do
their
service
register
and
the
pods
go
and
register
themselves
so
that
you
can
get
systems
with
really
really
high
frequency
updates
on.
What's
in
there
I
mean,
so
I
don't
think
it's
probably
for
most
of
it,
because
it's
probably
to
reach
fairly
stable
domains
right
then
these
fqdans
will
work
fine,
I
mean
google
or
something
like
that.
B
A
B
B
F
F
The
question
is:
really:
you
have
two
fours
like
one
is
like
when
you
block
when
you
don't
allow
things
that
should
go
through
and
that's
probably
more
common
than
the
other
way
around
right.
When
you
will
block
when
you
will
not
block
things
that
should
be
blocked,
because
that's
typically,
when
you
have
an
address,
that's
changed
to
be
used
for
something
else
right,
but.
A
F
I
mean,
I
guess
you
could
describe
it
as
I
mean
in
one
way
as
a
helper
object
that
will
translate
these
dns
strings
into
set
of
addresses
and
that
it
runs
with
a
I
mean
if
you
describe
it,
that
you
don't
have
to
implement
it.
That
runs
with
a
certain
frequency
and
it
takes
the
values
that
it's
given
at
that
particular
point
in
time.
It's
it's
a
helper
for
lace.
I
mean
it's
not
perfect,
but
sort
of
the.
E
E
We
do
a
lookup,
it's
meant
to
be
really
for
you
know,
you
don't
want
to
type
out
an
ipv6
address
and
it
you
know,
you
know
you
know
it's
not
changing,
and
so
it's
a
helper,
but
you
know,
implementation
stuff
can
be
as
sophisticated
as
cni's
want
right
like
if
you
want
to
do
ttl
or
you
know,
periodic
rechecks
or
whatever
the
case
may
be.
I
guess
individual
cni's
can
yeah.
C
F
I
do
think
for
the
cni
that
to
to
sort
of
have
the
discussions
around
the
let's
call
it
the
the
connectivity
piece,
that's
sort
of
set
up
to
connectivity
and
the
path,
the
policy
enforcement
point
and
the
policy
decision
point
right
can
that
be
built
in
there
so
that
you
can
have
different
policy
decision
functions,
basically
working
with
different
cni's
or
different
connectivity
pieces,
because
today
I
mean,
if
you
look
at
palo,
alto
and
so
on,
they
have
to
do
a
full
cnr
implementation.
So
it's
like
why
they're
doing
firewalls?
F
It's
quite
significantly.
I
think
that's
also
something
we
could
look
at
as
part
of
the
version.
Two
so
also
try
to
get
the
cni
to
be
more
firewall
friendly.
I
mean
the
layer,
the
lower
layers,
not
layer,
seven,
because
today
it's
all
baked
together
and
if,
if
you
want
to
do
one
part,
you
have
to
do
everything
and
that
doesn't
make
any
sense
to
me.
A
A
E
A
C
A
B
It
will
be
next
week,
so
I
was
thinking
that
so
maybe
we
could
have
it.
You
know
always
align
to
be
before
the
sig
network
meeting
on
the
thursday,
because
you
know
that
way
we
can
go
over
last
minute
to
if
we
wanted
to
present
to
sig
network.
If
there's
anything,
we
wanted
to
present
to
seek
network
and
go
over
not
right
before
the
meeting
and
stuff,
but
so,
if
you
guys
think
we
should
do
on
the
on
a
different
week
than
a
sick
network
meeting.
That's
fine
with
me
too.
B
A
C
A
If
not
we'll
give
everyone
20
minutes
back,
I'm
still
always
looking
for
people
to
help
me
with
the
repo
add
stuff,
the
one
issue
we
had
to
import
all
those
user
stories,
the
person
who
was
on
it
I
reached
out
and
said
I
think
I
finished
that
comment.
I
was
going
to
reach
out
and
just
say
we're
going
to
sign
this
to
someone
else.
If
you
aren't
able
to
get
to
it
here
soon,
but
otherwise
love
to
pretty
up
that
repo.
So
yeah,
that's
all
I
have.