►
From YouTube: Network Policy API Meeting for 20230425
Description
Network Policy API Meeting for 20230425
A
Awesome,
hello:
everyone
today
is
Tuesday
April,
25th
2023.,
it's
the
week
after
kubecon
EU,
so
folks
are
still
recovering
from
that
I'm
sure
this
is
a
meeting
of
the
Sig
Network
policy
API
subgroup
to
sing
network
as
all
other
cncf
meetings.
We
are
sponsored
by
them.
So
please
be
nice
and
kind
to
everyone
and
let's
try
to
follow
their
rules
but
yeah.
Otherwise,
that's
about
it
we'll
go
ahead
and
get
rumbling
today.
A
Just
before
we
dive
into
some
stuff
from
the
agenda,
I
don't
want
to
put
you
on
the
spot,
Syria,
but
or
Shane
yeah.
You
all
went
to
keep
con
last
week.
Were
there
any
good
conversations
around
the
admin,
Network
policy,
API
or
anything
else.
We're
working
on
that
may
be
applicable
to
the
group.
B
A
Awesome
good
to
hear
yeah
I'm
sure,
like
a
lot
of
the
values.
Just
in
the
conversations
you
have
so
glad,
I
got
a
shout
out
and
let's
just
keep
the
momentum
rolling
out
of
it.
I
know
we'll
probably
try
to
submit
a
admin
or
policy
talk
for
Chicago.
Do
you
know
when
that
cfp
deadline
is
or
is
it
even.
D
A
B
D
D
B
B
A
E
E
C
I
just
sent
here
in
Zoom,
oh
right
here
and
I-
think
contour
and
possibly
Envoy
Gateway-
might
help
us
test
it
out
as
well.
But
we
got
it
working
at
Kong
with
like
it's
producing
a
conformance
report
which,
ultimately,
in
time
we're
going
to
have
sent
back
to
the
Gateway
API.
C
So
most
of
like
the
just
the
really
fundamental
Machinery
is
there
so
might
be
interesting,
since
you
guys
are
talking
about
maybe
doing
something
similar
here
and
then
Surya
and
I
talked
at
some
length
that
kubecon
about
possibly
needing
to
get
this
out
of
Gateway
API
kind
of
abstracted.
The
test
Suite
basically
pulled
out
and
abstracted
a
little
bit
and
then
put
into
kubernetes
somewhere
more
General,
especially
if
Network
policy
starts
to
use
it.
So
just
keep
in
touch
with
me
on
what
you're
thinking
and
like
what
your
I
guess.
C
The
more
important
thing
is
what
your
bandwidth
is
for
doing
such
a
thing,
and
we
will
I'll
be
on
top
of
like
making
sure
we
we
do
that,
because
I.
D
A
No
100
I
think,
as
these
implementations
are
getting
done,
I
know
sorry
has
made
good
progress
and
I
know.
Yang
is
cracking
away
at
it
or
pretty
much
almost
there.
This
will
become
more
important,
so
I
think
once
those
are
kind
of
at
a
stable
point,
then
we
can
kind
of
recenter
together
here
in
upstream
and
say
like
how
can
we
test
these
in
a
uniform
way?
A
A
Cool
okay,
so
let's
toss
it
over
to
Nadia
to
talk
about
a
security
Zone
use
case.
So
is
this
another
new
use
case
you're
going
to
propose
Nadia
or
you're
thinking
about,
or
you
came
up
with
recently.
F
Yeah,
so
that's
one
of
the
topics
around
the
current
API
implementation
right
and
that
specific
one
is
around
tenants
and
same
and
not
same
labels,
and
you
said
that
well
we
for
now
we,
the
API,
only
applies
on
the
namespace
level
for
same
and
not
same
labels.
F
Right
because
we
said
that
we
expect
tenants
to
be
based
on
the
name
spaces,
and
it
doesn't
allow
you
to
do
that
on
the
pod,
selector
level
and
I,
let's
say,
found
the
use
case
where
customers
actually
using
this
kind
of
tenancy,
which
is
in
its
Essences
a
security
Zone.
F
So
only
pods
in
the
same
security
zone
are
allowed
to
communicate
with
each
other
and
that
kind
of
that
forms
something
similar
to
a
tenant.
But
it
is
based
on
a
pod
on
pod
labels.
Instead
of
namespace
labels.
A
F
A
Like
you're
you're,
basically
saying
in
the
API
previously,
we
only
defined
a
tenant
as
a
namespace
or
a
set
of
namespace.
We
didn't
Define
it
as
a
set
of
PODS
that
span
May
span,
namespaces
and
you're,
saying
that
that
you
found
kind
of
a
use
case
in
the
wild.
For
that.
B
F
F
That
logically
means
something
to
the
workload
and
it
may
be
difficult
for
them,
especially
for
customers
that
have
large
applications
or
sets
of
applications
running
in
the
same
cluster
to
actually
restructure
all
the
namespaces.
They
have
now
to
just
fit
that
requirement
and
I
guess.
That's
also
the
case
in
this
example:
I'm
sharing
now.
B
But
also
in
case,
let's
say
we
go
ahead
with
this
like
we
agree
that
there
is
a
valid
use
case
here,
right,
like
in
that
case,
even
if
same
and
not
same
is
applicable
on
a
namespace
level.
You
still
have
that
pod
selector
after
it
that
you
can
use
to
then
select
a
subset
with
them
right
from
the
API.
Oh.
F
That's
a
good
question
because
we
haven't
decided
on
how
to
use
this
same
and
not
same
labels.
Finally
I
guess
or
like
at
least
we
have
this
discussion
going.
So
it's
hard.
B
To
tell
yeah
that's
yeah
fantastic
questions
right
I
wish.
The
adventure
was
here
because
Dan
and
I
talked
a
bit
about
this
at
chipcon,
oh
and
and
I.
Think
it's
a
bit
early
for
me
to
even
say
this
right,
because
we
wanted
to
do
a
like
done,
wanted
to
do
a
proper
presentation.
I,
don't
want
to
speak
for
that
part,
so
just
stream,
some
ideas
that
we
spoke
about
and
I
I
think
Yang
already
has
a
PR
to
implement
same
labels
and
answer
yes.
B
I,
don't
know
if
it's
too
late
to
bring
this
up,
but
we
wanted
to
restructure
and
redefine
tenancy
a
bit.
So
we
wanted
to
replace
same
labels
and
not
same
labels
with
us
with
a
field
called
tenancy
right
at
the
top
of
the
spec
in
the
API
right
like
along
with
the
subject
and
peer
that
we
Define
and
then
the
labels
that
we
use
to
define
tenancy
right.
So
that
will
be
the
subset
that
you
define
your
peers
for.
So
you
cannot
do
this
cross
relationships
with
multiple
labels
and
stuff.
B
So,
if
whether
it's
the
same
or
not
same
right,
that
relation
will
be
very
much
tied
to
the
tenancy
that
we
are
defining,
which
will
be
a
set
of
levels,
but
I
know
it's
a
bit
confusing,
because
it's
still
in
the
early
stages
like
we
just
it
was
literally
a
random
thought
that
we
were
writing
on
a
pen
and
paper.
So
maybe
Dan
can
share
more
thoughts
in
the
upcoming
meeting,
but
this
is
good
discussion
once
again
and
it's
it's
not
fixed
in
stone.
B
We
have
like
a
better
way
of
a
definition
here.
E
A
I'm
I'm
kind
of
processing,
I
I,
tend
to
agree
that
most
of
the
API
challenges
that
like
Nadia,
has
brought
up
recently
and
a
lot
of
what
we've
been
discussing
over
the
past
couple
weeks
have
been
with
how
we
Define
and
select
tenants.
So
if
we
could
think
up
an
easier
way
to
do
that,
I'm
totally
all
ears,
I
think
from
a
generic
standpoint
like
procedurally,
we
need
to
release
something
soon
regardless,
like
right.
Now
we
still
haven't
like
packaged
or
released
and
done
it.
A
Obviously,
we
have
V1
Alpha
One
up
in
our
repo,
but
we've
been
making
like
small
fixes
to
it.
If
we're
gonna
start
thinking
about
doing
bigger
things
like
I'd
really
like
to
go
ahead
and
say,
like
we're
done,
small
fixing,
let's
do
a
small
release
like
everyone,
Alpha,
One,
proper
release
and
packaged
unit,
and
then
we
can
move
on
to
either
everyone
Alpha
2
or
V1
beta
1.,
that's
kind
of
where
I'm
at
but
I
think.
This
is
totally
something
we
should
think
about,
because
it's
leading
to.
B
A
D
C
B
A
Yeah
I
mean
you
and
yang
have
already
been
working
on
the
implementation,
so
I
don't
want
to
keep
like
switching
it
up
like
I'd,
rather
go
ahead
and
cut
hard
cut,
rv1
alpha
one
and
then
keep
con.
If
we
think
we're
ready
to
after
you
all
have
started
implementing
it
and
everything
seems
to
be
right
so
far,
and
then
at
least
on
the
API
side
of
things
and
then
just
keep
iterating
Upstream.
A
If
at
least
the
mechanism,
the
way
it
is
right
still
using
it,
if
you
all
have
already
designed
to
it
right,
if
you've
already
implemented,
Melvin,
kubernetes
and
Yang's
already
implemented
it
and
Andrea.
E
Yeah,
so
I
I
just
want
to
clarify
some
of
the
things
right.
So
so
first
things.
First
we're
talking
about
the
security
Zone
use
case.
Something
is
still
I,
I,
don't
know
I'm,
not
saying
this
to
you
know
discourage
Nadia
or
something,
but
something
doesn't
really
sound
right
to
me
about
this
use
case
is
that
is
there
actually
people
who
put
who,
with
different
tenants
actually
put
you
know
different
tenant
workloads
in
the
same
namespace
and
then
do
that
across
a
bunch
of
namespaces.
E
So
what
you're
saying
is
that
you
know
for
a
admin
right?
Maybe
he
created
the
namespace
ABC
and
then
three
Tenants
come
in
and
they
just
decided,
oh
for
some,
for
my
workloads
for
10
and
one
workloads.
I
just
wanted
to
put
these
workloads
in
the
names
is,
you
know
across
names,
ABC
and
then
the
second
tenant
and
the
third
tenant
decided
to
do
the
same
thing.
Then
you
know
it.
It
doesn't
really
make
sense
to
me
anymore
on.
You
know
why
the
admin
had
to
create
this
namespace
in
the
first
place
right.
E
So
what
does
you
know
this
namespace
actually
signal
and
how
you
know
the
cluster?
Actually,
you
know
look
like
that.
The
reason
why
I
said
that
is
that
you
know
when
we
designed
the
adminable
policy
at
the
very
beginning.
We
were
kind
of
like
everybody
who
jumped
in
the
car.
I
know
this
is
way
before
right.
E
Two
years
maybe
ago,
Everybody
kind
of
agreed
that
you
know
a
namespace
or
a
bunch
of
namespace
combined,
do
Define
tendency
in
you
know
most
of
the
use
cases
in
the
in
what
we
are
seeing
the
customers
do
as
of
now
so
for
whoever
is
asking
for
adminable
policy.
You
know
this
is
the
thing
and-
and
we
also
have
you
know,
different
implementations
or
companies
come
in
and
say
hey.
We
also
agree
that
you
know
the
name.
E
Spaces
be
in
tendency
is
good,
but
we
wanted
to
have
a
easier
way
to
do:
selectors
to
select
Tendencies
and
Define
how
tenancies
can
talk
to
each
other,
so
this
is
sort
of
like
the
founding
stone
that
we
we
build,
the
amp
on
and
I'm
just
not
feeling
like
really
comfortable
saying
that
you
know
we're
challenging
that
at
the
moment,
because
I
personally
haven't
seen
a
lot
of
the
use
cases
where
we
actually
mix
tendencies
in
namespaces.
Like
that.
So
you
know
this
is
my
first
observation
here.
E
I
I,
don't
know,
I,
don't
know.
If
Nadia
did
you
find
the
security
Zone
use
cases
somewhere
online
or
you
you
do
know
that
you
know
you
have
worked
with
customers
or
whatnot
who
actually
uses
this
sort
of
like
construct
and
and
is
there
any
a
little
bit
more
context
you
can
provide
on
why
you
know
a
single
tenant
may
want,
to
put
you
know,
workloads
in
different
namespaces
and
all
the
tenants
will
try
to
do
the
same.
F
D
F
I
guess
what
they
follow
and
they
use
name
they
like
use
namespace
as
some
abstraction
that
was
comfortable
for
them
to
adopt
whatever
they
were
running
out
of
the
cloud
like
to
just
put
that
into
our
clusters
right
and
they
have,
as
I
said
many
namespaces
that
are
like
they.
They
are
logically
separated
workflows
but
and
I
specifically
asked
them.
F
If
how
difficult
it
would
be
to
change
how
these
workloads
look
like
to
make
sure
that
the
tenancies
like
names
namespace
based
and
they
said
that
would
be
very
difficult
for
them,
so
I
thought
like
if
and
again
so
what
I
I'm
not
like
I'm,
not
sure
if
we
want
to
see
if
there
are
possible
use
cases
like
that
right,
so
I
have
one.
Now
we
can
ignore
it.
We
can
say
yeah.
We
want
to
introduce
that
for
customers.
F
E
F
F
That
makes
sense
and
then
actually
it
in
I
guess
that
it
should
go
along
then,
with
the
subject
selector,
also,
because
if
we
say
that
that's
not
safe
to
apply
policies
based
based
on
pod
labels,
then
you
shouldn't
do
that
for
the
subject.
Also.
But
then
what
I'm
saying
here
is
that
I
know
of
some
customers
that
are
using
clusters
like
that,
and
they
are
like
the
owners
of
the
cluster
and
they
are
owners
of
every
namespace
right
and
then
that
fact
that
someone
can
change
the
namespace
owner
can
change
labels.
A
F
I
mean
I
guess
there
are
just
like
two
decisions
on
this
level.
We
can
it
to
stay
more
or
less
consistent.
We
can
either
say
that
we
just
don't
allow
pod
label
based
filtering
for
admin,
Network
policy,
because
that's
how
we
expect
namespaces
and
pods,
and
this
name
spaces
to
be
labeled,
or
we
say
that
we
kind
of
acknowledge.
F
There
are
some
cases,
as
I
said,
when
cluster
admin
owns
all
the
namespaces,
and
that
may
be
like
useful
for
them
to
have
this
kind
of
functionality,
and
then
we
just
tell
everyone
and
I
guess
that
also
that's
a
good
thing
to
say,
even
with
the
existing
API.
To
just
have
this
warning
about
pod
based
filtering
that
namespace
owners
can
just
I,
don't
know,
remove
or
re-label
the
pods,
and
then
this
network
policy
will
not
apply,
as
you
expect
anymore.
B
A
I
I
think
I
I
think
it's
that,
like
you're
saying
sorry,
it's
like
that
subtle
interaction
right
like
generically
I,
agree
with
you
Nadia,
but
then
what?
If
the
admin
owns
that
namespace
like
the
cube
system
namespace
and
they
want
even
more
fine
grain
control
about
you
know
being
allowed
to
say,
talk
to
qbns
only,
for
example
like
in
that
case,
you
need.
A
You
need
pod
selectors,
but
when
we
talk
when
we
start
talking
about
defining
tenants,
I
think
that's
totally
different
right,
like
tenancy
I,
think
we
want
to
err
on
the
side
of
tenancy
being
hard
right
like
like
When,
an
Admin
defines
a
tenant
I
can't
think
of
many
times
where
they
want
that
to
be
solved
right.
They
don't
want
to
Define
soft
tenancy
boundaries.
They
wanted
to
find
hard
ones.
So
if
there's
some
way
for
us
to
ensure
that
when
we're
defining
tenets
explicitly,
you
can
only
do
so
at
the
namespace
level.
A
A
Right
like
if
we
expect
users
to
use
this
in
a
certain
way
and
to
set
up
tenants
in
a
certain
way
like
we
have
to
document
that
accordingly
and
if
there's
some
tiny
subset
of
universe,
users,
which
I
would
say,
people
setting
up
tenants
that
are
sets
of
PODS
across
namespaces
are
a
smaller
set
of
users
like
as
long
as
we
Define.
You
know
what
we're
doing
with
good
documentation.
We
don't
have
to
design
to
every
little
corner
case.
A
B
E
To
be
honest
with
you,
I
think,
within
Andrew,
the
same
labels
is
still
a
PR,
not
merged,
because
I
think
a
majority
of
users
who
are
using
ensure
right
now
are
actually
happy
with
the
self
and
maybe
not
self-implementation,
of
this
in
in
the
sense
of
you
know,
we
would
I
know
we
talked
about
a
lot
of
times.
You
know
Tendencies
are
defined
as
a
namespace
boundary.
E
Well,
instead
of
a
bunch
of
namespaces,
the
majority
use
cases,
we've
seen
and
sure
users
have
which
obviously
you
know
there
are
a
lot
of
VMware
integrated
product,
I
would
say,
and
a
lot
of
these
products
use
namespace
as
a
like
a
single
namespace
as
a
hard
tendency
boundary.
So
that's
why
you
know
for
entry
use
cases,
usually
when
we
we
have
implemented
self
right.
So
let's
say
I
wanted
to
allow
traffic
coming
from
my
own
namespace,
but
nothing
else
right.
The
other
namespaces
I
just
wanted
to
drop.
E
So
this
has
already
satisfied.
I.
Think
the
majority
of
the
use
cases
that
Android
users
have
and
I'm
implementing
the
same
labels
just
to
sort
of
like
be
Upstream,
comply
compliant
right.
So
so,
when
would
you
like
admin?
Our
policy?
We
wanted
the
ability
to
have
a
bunch
of
namespaces
as
a
tendency
boundary,
which
is
also
from
what
I
remember.
E
Maybe
a
year
ago,
a
lot
developed,
the
other
guys
coming
and
say
this
is
what
we
envisioned
the
tendency
boundary
be
we
we
don't
want
to
only
support
a
single
name,
special
boundary,
but
a
bunch
of
namespaces,
which
was
same
labels
as
the
tendency
boundary,
which
also
makes
sense
to
me.
So
this
is
where
we
add-
and
you
know,
obviously
we
also.
We
also
implemented
the
the
the
the
same
labels,
which
is
in
the
PR,
but
as
I
said
before,
it
is
the
not
same
labels.
E
That's
a
little
bit
trickier
for
us
because
of
the
no
no
cells
selection,
but
only
East-West
thing.
So
essentially
you
know
we.
We
have
a
it's
a
little
bit
more
difficult
for
us
to
implement
that
in
a
very,
very
you
know,
scalable
way,
I
would
say
because
for
us
it
means
that
we
needed
to
sort
of
like
calculate
the
the
complement
of
the
the
same
label
selection
in
the
cluster,
because
we
are
explicitly
living
out.
The
north-south
part
right
so
yeah.
A
We
just
have
to
think
if
we
want
to
moving
forward
like
have
change
our
definition
of
tendency
to
to
expand
to
that
or
not
and
I
think
the
place
to
do.
That
is
probably
in
a
dedicated
issue
for
this,
and
we
can
like
hash
it
out
there
and
ultimately
come
to
a
conclusion
based
on
well
more
folks
than
just
us.
So.
E
Sorry
about
that
sorry
for
interiming,
you're,
good
I.
Think
that
the
the
more
the
one
thing
that
I
take
from
Nadia's
thought
is
that
you
know
in
in
a
sense
of
what.
C
E
Do
when
users
sort
of
like
change
the
pod
labels
in
the
unexpected
way
right
what
if
the
user
does
just
trying
to
escape
the
policy
that
that
me
has
said
for
them?
I
I,
don't
know
that.
Do
you
do
you
have
any
idea,
an
idea
on?
Is
there
any
potential
Solutions
or
something
you
see
in
terms
of
solving
this,
or
do
you
think
is
this
is
just
a
sort
of
like
loophole
in
terms
of
the
policy
definition
here.
F
D
F
That's
kind
of
fine,
it
just
was
so
since
we
are
still
kind
of
defining
the
tenancy
right
and
how
it
should
work,
and
we
just
said
that
you
didn't
hear
of
a
single
use
case
where
someone
would
use
that
the
cross
name
spaces
I,
just
thought,
I'll
bring
it
up.
So
that's
just
like
as
an
example
of
how
something
like
that
and
C
can
be
spread
across.
E
F
Yeah,
you
should
not
well,
you
should
not
Design
Network
policies
in
a
way
that
can
be
escaped
like
that
right.
So
that's
what
I
was
saying.
We
need
to
add
documentation,
saying
that
if
you,
you
kind
of,
can
only
use
pod
selector
for
admin,
Network
policy,
if
you
control
the
namespaces,
this
selector
applies
to
because
otherwise
pod
labels
are
not
under
your
control.
E
Yeah
that
that
that
makes
sense
and
I
I
think
that's
a
that's
a
really
good
point,
because
to
me
I
do
think
this
is
sort
of
like
out
of
the
scope
of
the
the
adminary
policy
API
itself,
but
because,
if
you
think
about
this,
you
know
if
user
do
wanted
to
change
pod
labels,
there's
nothing
really.
You
can
do
about
it
and
other
than
the
labels
I,
don't
think
of
it
like
a
good
way
for
people
to
Define.
E
You
know
I
wanted
to
select
specific
Parts
in
the
namespaces,
which
you
know
no
matter
how
the
users
change
the
power
labels
I
will
always
be
able
to
select
that
as
a
subject
or
whatnot
right.
So
this
is
not
like
a
problem.
That's
specific
to
A
and
P
itself.
E
I
I
would
say
like
for
Adam
being
I
would
imagine
right
if
they
wanted
the
whole
package
I
wanted
to
enforce
amp
on
the
product
retinarity,
then
we
needed
to
have
something
like
I:
have
a
admin
label,
maybe
on
a
pod
saying
that
something
like
you
know,
kubernetes.io,
you
know
admin
or
like
labeled
this
part
as
admin
control,
which
is
function,
blah
blah
blah
and
then
I.
E
E
So
so
this
is
sort
of
like
a
r
back
or
other
thing
that
are
completely
I,
feel
orthogonal
to
the
admin
Network
policy
API,
like
the
admin,
needs
to
make
sure
that
if
the
admin
is
to
make
want
to
make
sure
that
you
know
for
the
policy
they
have
been
set,
cannot
be
sort
of
like
abused
by
users
in
certain
ways.
I
do
feel
like
there
needs
to
be.
Other
mechanisms
are,
are
back
wise
even
for
namespace
story
right.
E
The
admin
needs
to
make
sure
that
the
users
of
the
namespace,
the
tenants,
cannot
just
come
in
and
modify
the
namespace
label
so
that
they
just
simply
escape
the
amp
right.
So
this
is
something
I
personally
feel
like
is
a
orthogonal
to
the
API
design
of
the
amp,
which
is
we
just
provided.
You
know
the
way
to
sort
of
like
help
admin
to
set.
You
know
these
guardrail
rules
so
that
we
can
Define
the
the
tendency
boundary,
but
you
know
we
we
actually
needed
some.
E
You
know
maybe
some
other
things
to
make
sure
that
it
is
not
sort
of
like
bypassed
intentionally
because
user
just
wanted
to
you
know
sabotage.
The
I
was
the
sabotage,
but
they
wanted
to
sort
of
like
bad
bypass.
You
know
all
the
rules
that
have
been
set
up
by
the
meetings.
That's
that's
what
I'm
thinking
on
this.
F
Finding
the
cluster-wide
objects,
it's
still
nice
to
share
this
kind
of
knowledge
and
possible
drawbacks
right
and
I.
I
also
think
there
are
some
use
cases
where
actually
admins
May
use
that
pod
based
labeling,
just
saying
to
their
clients
that
they
can
label
their
pod
with
this
label
and
something
will
be
allowed
to
them,
for
example
right,
so
it
kind
of
it
can
be
used
both
in
a
good
and
bad
way.
So
if
we
just
can
clarify
that
a
bit
I
guess
that
would
make
sense.
A
A
F
B
Not,
oh,
that's
I,
I,
don't
think
it's
more
about
who
owns
it
or
not.
I
think
it
I
think
I
agree
with
Andrew
on
the
fact
that
we
can
release
the
API
asses,
given
Yang's
done
his
part
and
I
can
try
to
do
the
same
deals
if
needed
or
and
then
we
can
reiterate
on
the
tenancy
on
V2
on
how
we
want
to
change
it.
But.
B
E
So
so
so
sure
do
you
think
Dan's
idea
on
you
know?
Maybe
we
wanted
to
change
the
the
tendency
thing
it's
still
based
on
the
namespace
labels
right,
so
do
you
think
it's
vastly
different
than
the
API?
We
have
right
here
or
it's
just
sort
of
like
semantic
change.
Like
sorry
announcement,
just
like
like
a
API
type
of
change
but
semantically,
you
know
the
implementation
would
basically
be
the
same.
B
C
B
E
E
Raised
I,
see
I,
see,
I,
see
a
lot
of
different
yeah.
B
So
the
same
rule,
the
same
policy
C
can
generate
multiple
Dynamic
rules,
so
the
peer
to
subject
relation
is
not
really.
You
know,
as
it
is
for
selectors
right
because
of
this,
so
that
is
the
real
part
that
Dan
is
trying
to
fix
because
he
thinks
it
can
be
confusing,
and
that
is
not
something
that
we
intended
to
do
as
tenancy.
It's
like
we
said
right.
B
E
Sense
of
whatever
label
you
use
to
select
the
subject
you're,
you
should
be
using
the
same
labels
to
select.
You
know
same
label
tenants
here.
A
B
Make
sense
yeah
what
he
what
he
was
proposing
is
just
like
we
have
subject
today.
We'd
have
enough
the
field
called
tenancy
and
tenancy
will
have
a
list
of
labels,
but
then
we
won't
have
any
more
same
labels
or
not
same
labels
in
the
peers.
What
we'll
have
is
what
Andrea
has
today,
which
is
like,
is
same
or
is
not
same
right
and
that
relation
will
map
to
the
tenancy.
So
all
it
means
is
the
labels
that
you
use
to
define
the
tenancy
asses.
E
Well,
it's
it's
not
really
like
in
the
API,
because
we
kind
of
like
designed
the
API,
but
you
know
I
know
for
entry
at
least
we,
as
I
said
we
do
have
customers
who
use
namespace
as
tendency
boundaries,
and
we
kind
of
like
did
want
to
go
with
this
when
we
designed
the
API
in
the
first
place
is
because
I
think
a
really
long
time
ago,
maybe
more
than
a
year
ago,
and
we
have
these
initial
people
who
is
interested
in
doing
the
developing
the
main
Network
policy
and
I
think
those
are
from
different
companies,
and
they
were
talking
about.
E
You
know
the
use
cases,
and
you
know
some
sort
of
like
quote-unquote
ad
hoc
network
policies
that
they
come
up
with
to
solve
the
use
case,
and
we
look
at
these
policies
and
say:
oh
they
write
these
because
they
wanted
to
group
these
namespace
together
and
they
wanted
to
group
those
names
basically
together
and
then
the
takeaway,
with
from
all
you
know
from
all
these
talks,
was
that
you
know
for
the
for
all
the
you
know:
customers
or
implementations
we
have
talked
about
in
terms
of
tenancy.
E
The
namespace
boundary
seems
to
be
the
the
mainstream
of
you
know
how
a
tendency
is
defined
in
a
cluster
these
days,
so
so
I
I
think
this
is
you
know,
I,
guess
the
history
of
it.
A
So
I
think
for
me,
like
that
sounds
that
sounds
great.
We'll
make
an
issue.
We
can
think
about
refactoring
that
for
the
next
version
for
this
version,
literally
the
for
view
on
Alpha
One,
like
I,
would
like
to
cut
just
cut
it
right.
So
go
ahead
and
do
a
release
of
it,
and
this
is
the
only
PR
I
think
we
need
to
like
figure
out
or
resolve
before
I
can
do
that.
I,
don't
know
if
y'all
agree
the
one
just
to
fix
the
description
of
same
not
same
labels.
B
A
B
Think
I'm,
okay,
with
that
I,
can
go
and
update
the
description
alone,
and
for
now
we
can
cut
it
and
then
I
think,
like
Shane
said
for
Gateway
for
conformance
testing,
we
don't
have
to
mandate
the
implementation
of
these
two
fields
for
the
cni
plugins
to
make
them
performance.
We
can
keep
them
as
optional,
but
keep
the
rest
of
the
API
Fields
is
not
looking.
A
I
like
that,
so
then
we
have
our
cut
release
of
V1
Alpha
One.
You
two
are
both
using
it
in
your
implementations
and
we
can
move.
We
can
like
officially
quote
unquote,
move
our
all
this
conversation
into
working
towards
a
V1,
beta,
1
or
V1
Alpha,
two
right,
I
think
that'll
just
make
everything
a
lot
easier.
Yeah.
A
Okay
Nadia:
this
is
another
separate
one.
I
think
you
want
to
talk
about.
D
A
That's
fine,
I,
don't
think
there
was
really
too
much
else.
Syria
just
poking
for
review
on
the.
A
Yep,
so
just
folks
here,
like
we're,
trying
to
figure
out
our
user
stories
for
egress
cluster
control,
Siri
is
open
to
PR
I've
been
reading.
It
I
haven't
had
any
comments
yet,
but
we
definitely
need
like
complete
consensus
on
this
before
we
merge.
It.
I
think.
B
G
B
F
I
actually
have
a
question
about
that:
egress
use
cases
we
don't
do
anything
for
Ingress
because
we
didn't
have
any
use
cases
for
that
right.
B
A
A
Like
a
lot
harder
to
Define
I
think
it's
that's
the
other
kind
of
an
issue
there
right,
because
what
most
clusters
are
using
some
sort
of
Ingress
mechanism,
I.E
the
Ingress
API
or
the
Gateway
API.
That's
another
interaction
that
we
need
to
start
exploring.
But
it's
not
like
as
simple
as
defining
egress.
F
B
F
B
F
B
G
Well
may
I
step
in
way
quickly
on
this
topic,
so
I
actually
see
a
very
strong
use
case,
for
instance,
if
we
can
imagine
some
kind
of
small
cluster
in
front
of
some,
let's
say
scientific
instrument,
which
is
basically
a
bunch
of
Hardware
outside
the
cluster,
and
then
we
wanna
some
kind
of
controlling
applications
inside
that
cluster
and
those
applications
will
definitely
need
to
access
Hardware.
B
B
G
D
G
Deploy
a
bunch
of
applications
there
like,
which
may
let's
say,
build
some
dashboards
or
whatever
some
alerting
stuff,
or
even
some
controlling
things
where
users
want
to
interact
with
the
hardware
on
the
other
side.
And
then
there
is
a
bunch
of
Hardware
which
is
effectively
outside
that
cluster
and
it
might
have
some
kind
of
network
endpoints.
And
we
want
to
talk
to
those
from
the
yeah.
B
That's
it
makes
it
makes
sense
totally
like
the
only
thing
that
doesn't
really
work
for
me
with
the
southbound
use
case,
always
is
that
pods
have
private
IPS,
so
anything
coming
Ingress
from
outside
the
cluster
is
already
kind
of
protected,
so
I'm
thinking.
What
do
we
want
to
really
deny?
Is
it's
anything
coming
from
the
internet
to
in
to
to
the
part
that
we
want
to
hit
here
or,
like
that's
the
one
thing
that
Ingress
bothers
me
about,
but.
G
So,
for
instance,
if
we
think
about
some
kind
of
think
control
facilities,
they
usually
have
a
storage
ring
where
electron
spinion
and
then
they
have
beam
lines
where
actual
science
happens
to
say,
and
they
it's
usually
well
in,
maybe
not
usually,
but
at
least
in
facilities
I
used
to
work,
it's
kind
of
one
network,
so
technically
one
scientist
from
one
group
can
add
access
directly,
Hardware
from
which
is
completely
unrelated
and
so
on.
It
would
be
nice
to
say:
okay,
I
have
application,
but
it's
a
kind
of
dashboard
and
that
particular
application.
G
My
access
only
this
range
of
whatever
IPS
or
this
you
know
so
limits
somehow
that
Hardware
access
and-
and
this
you
may
think
about
the
hardware
accesses
basically
as
Network
endpoint,
it's
premium
elsewhere,
yeah.
C
G
G
F
D
B
A
A
F
I,
don't
know
I'm
not
sure
how
long
it
will
take.
That's
not
a
big
topic.
F
Yeah,
it
should
just
be
on
that
slide.
I'm,
just
I
I
had
this
question
about
asymmetry
about
our
subject.
Definition
right,
I've
asked
before
I
guess
so
that
we
can
Define
subject
as
namespaces,
with
namespace
only
label
selector
and
then
as
possible.
That
have
has
both
and
then
basically,
when
you
define
namespaces,
you
implicitly
Define
empty
pod,
selector
right
well
at
least
that's
what
it
means.
F
So
what
I
just
made
a
little
comparison
here
of
how
you
currently
can
Define
something
versus
like
if
you
just
had
a
symmetric
version
of
that
without
like
name
spaces
or
pods
Fields
right
so.
A
So
yeah
I
I
think
the
one
thing
that
was
like
previous
history
here
and
I'm,
trying
to
reboot
my
mind
but
like
right
now,
a
subject
is
a
basically
a
one
of
right:
it's
either
pods
or
namespaces.
You
have
to
Define
either
a
namespaced
peer
or
a
namespace
pod,
pure
whatever
that
design
schema
was
done
explicitly
for
extensibility
in
the
future,
so
meaning
like.
B
Like
you
could
have
services,
for
example,
if
service
mesh
comes
into
play,
that
can
be
it
that
we
are
also
trying
to
consider
some
of
the
expansions,
and
actually
this
is
also
something
that
Dan
and
I
talked
about,
and
we
were
like:
okay,
any
addition
to
namespace
and
pods.
If
there
is
something
in
future
that
comes
up,
then
we
want
it
to
be
separate
entities.
E
B
E
B
E
I
I
think
I
can
speak
a
little
bit
about
that.
I
think
it's
the
whole
fell.
Open,
fell,
closed
story
that
we
had
like
wasted.
E
I
would
say
you
know
hundreds
of
minutes
on
you
know
discussing,
but
the,
but
the
short
version
is:
if
we
do
that,
like
this,
on
the
on
the
right
side,
let's
say
like
in
the
future,
we
introduce
a
service
selector
on
in
the
parallel
of
namespace
selector
and
the
power
selector
right
and
the
the
the
issue
we
found
out
is
that
if
we
introduce
that
and
a
old
implementation,
let's
say
it's
oven,
kubernetes
orange
or
whatever
implementations
that
does
implement
the
API,
which
doesn't
know
about
the
service
lecture
yet
so
that
implementation
will
not
look
at
the
service
selector.
E
So
let's
say
people
put
a
namespace
selector
with
a
service
selector
with
the
intention
of
I
want
to
select
specific
services
in
that
namespace
right
and
what
the
implementation
sees
is
that
it
only
sees
the
namespace
selector,
because
it
doesn't
really
actually
know
about
the
service
selector.
So
the
implementation
looks
at
the
policy
and
parse
it
as
I
want
to
select
everything
in
the
namespace
because
it
doesn't
even
know
about
the
service
selector.
E
So
that
is
the
not
the
intention
of
the
policy
writer
because
he
doesn't
really
want
to
he
or
she
doesn't
really
want
to
select
everything
in
the
name
space
he
they
just
wanted
to
select
specific
service
in
the
namespace.
So
then
we
have
a
discrepancy
between
the
intention
and
what
the
implementation
actually
does.
So,
in
order
to
avoid
those
kind
of
problems,
we
have
to
be
really
really
explicit,
like
what
we
do.
E
On
the
left
hand,
side
where
you
know,
we
wanted
to
make
sure
that
people
either
select
a
namespace
or
a
pod,
or
once
the
service
comes
in
right
in
the
future.
They
they
need
to
say
that
I
wanted
to
select
the
serp
subject
and
the
subject
type
is
service
and
that
they,
you
provide.
You
know
different
selectors
on
how
you
actually
select
these
services,
so
so,
in
short,
this
is
by
design.
E
It
is
really
explicit
really
redundant,
but
you
know
it
is
the
way
that
it
is
because
we
want
it
to
be
future
proof,
so
it.
F
F
You
could
just
do
this
so
because
I,
first
of
all,
I
can't
imagine
people
coming
to
me
and
asking
what
this
namespaces
thing
selects
if
pod
selector
is
something
different,
but
namespace
selectors
still
selects
pods
and
we
do
have
still
two
ways
to
express
the
same
thing
in
the
API,
which
is
usually
not
a
good
thing
for
the
API
right.
So
you
still
can
have
this
extensibility
with
one
more
level
here,
but
have
only
one
way
of
expressing
things.
E
I
I
feel
you
I
feel
you
I
think
I
think
what
we
think
is
that
in,
for
example,
in
the
documentation
itself,
on
the
left
hand
side
you
have
the
the
part,
the
name
Suite
selector
equals
labor
selector
the
power
selector
being
an
empty
one.
This
should
never
occur
in
the
documentation
because,
even
though
it
does
the
same
thing
as
the
above,
essentially
whoever
writes
is
just
trying
to
select
namespace.
E
So
so,
even
though
we
provide
the
flexibility
to
do
that,
we
should
never
see
the
policy
written
like
this,
because,
by
the
end
of
the
day,
you're
trying
to
select
namespaces
right.
So
so
we're
sort
of
like
given
the
flexibility
and
when
people
do
actually
wanted
to
select
parts.
We
expect
that
the
power
selector
to
not
be
empty.
We
don't
sort
of
like
require
that
and
the
reject
the
policy
if
it
it's
written
like
this,
but
you
need
to
really.
E
A
They'll
be
there
because
they're
built
in
the
types
I
think
like
this
goes
back
a
long
way
and
another
big
part
of
this
was
like
building
a
yaml.
That
was
really
explicit
and
easy
so
like.
If
a
user
wants
to
select
namespaces
and
there's
a
tool
called
a
tool,
iea
yaml
field
called
namespaces.
Why
the
heck?
Would
a
user
ever
use
the
tool
called
pods
yeah.
A
Think
that's
what
yeah
and
yang
and
I
hatched
our
teeth
over
this
for
a
long
time,
that's
kind
of,
but
I
fully
understand
what
you're
saying
Nadia
I'm
thinking.
If
we
really
want
to
get
down
into
it
here,
we're
over
time
too
so
I'm
gonna
try
out
this
up.
If
we
really
wanted
to
drill
our
teeth
down
into
it
here,
we
could
do
some
validation,
especially
with
kubernetes,
X,
validation,
to
say,
pod
selector
must
be
set,
but
cannot
be
empty
right.
A
F
E
F
I
mean
I
every
time
I
see
namespace
selector
in
this
case
I'm
thinking
about
pods,
because
I
know
I'm,
selecting
pods
right.
That's
why?
Maybe
it's
like
some,
my
perception
right
of
that.
So
if
you
thought
that
about
that
a
lot
already
I'm
like
just
I've,
had
some
answers
right.
If
you
think
that
doesn't
that
that's
not
worth
keep
discussing,
I
I
think
that's
fine
I
mean
it
looks
like
I
I,
just
I
I
definitely
miss
some
history
right
as
you're
saying
here
so.
E
D
E
See
no
no
I'll
just
say
that
you
know
I'm
happy
to
sort
of
like
discuss
a
little
bit.
You
know
offline
with
you
if
you
have
any
more
concerns
or
something,
but
you
know
so
to
me.
I
I
need
to
be
really
honest
here,
because
you
know
Andrew
and
I
have
been
in
the
in
the
game.
E
For
you
know
over
a
year
and
to
me
I
feel,
like
you
know,
the
more
important
thing
right
now
is
sort
of
like
we
presented
an
API
in
a
way
that
makes
sense
to
the
users
and
it
can
achieve
the
use
cases
that
most
majority
users
want
to
see
at
this
level,
but
not
to
be
too
sort
of
like
fix
it
fixed
it
on
what
the
API
look
like
exactly
because
sometimes
some
apis
can
be
really
confusing.
E
But
looking
at
this,
as
a
you
know,
selecting
namespace
all
parts
as
a
subject,
I
don't
feel
like
this
is
really
confusing
and
it
achieves
the
sort
of
like
use.
Cases
that
we
have.
You
know
came
up
this
far.
So
my
intention
is
that
it,
unless
it's
sort
of
like
really
confusing
to
the
users,
maybe
we
should
not,
you
know,
look
at
and
changing
it.
That's
what
I'm
you
know.
Thinking
on
on
this
matter,.
A
B
Yeah
and
I
think
we
should
also
document
what
Yang
was
saying
right
like
while
we
do
provide
a
way
to
have
that
the
part
on
the
left
side,
with
pods,
with
empty
name
space
and
part.
We
should
not
let
users
do
that
as
an
example,
and
they
should
just
use
name
spaces.
E
Wanted
to
drive
somewhere
there's
only
one
mile
away,
they
can
take
a
highway
and
take
a
detour
tens
of
u-turns
and
they
get
there
right.
They
they're
free
to
do
that.
It's
just
that
in
the
documentation.
What
we
should
do
is
that
we
should
provide
the
example
saying
that
you
should
use
the
namespace
selector
and
be
done
with
it,
and
if
they
really
wanted
to
go
that
route,
it's
fine.
We
provide.
A
Okay,
that
that
was
a
good
conversation,
though
it
is
really
interesting
and
API
design
like
this.
You
run
into
it
all
the
time
so
I'd
like
to
have
a
note
on
it,
but
we
are
way
over
time.
I'm
super
sorry
for
keeping
you
all
late.
A
We've
had
a
ton
of
good
conversations,
so
I'm
gonna
go
ahead
and
end
it
here,
let's
continue
over
to
slack
if
we
want
to
I'm
happy
to
keep
talking
and
yeah
I'm
gonna
work
on
getting
a
release
cut
before
next
meeting
for
V1
apple
one,
and
then
we'll
set
our
eyes
squarely
on
implementations
there
and
on
to
the
next
iteration
so
on
to
the
egress
stories
and
any
other
user
stories
you
want
to
Target
for
beta,
but
thanks
so
much
everyone
for
all
your
time
today.
I
really
appreciate
it.