From YouTube: Network Policy API Meeting for 20221205
A
Hello, everyone. Today is Monday, December 5th, 2022. This is a meeting of the SIG Network Policy API subgroup to SIG Network. This is a CNCF certified meeting, so please be nice to each other. Try to limit the curse words and, yeah, let's have a good meeting today. So, just kind of hopping in: something we hadn't done in a long time, which is issue triage.
A
We used to do it all the time, but then issues kind of slowed down. So all that the issue triage is, is basically (I have the link in the document too, if I'm ever not here) is query Kubernetes issues with the label network policy, basically. Thankfully there weren't any new ones, so that's good, nothing really for us to tackle yet. It was kind of interesting, though, to see some old ones that have been open for like a long time, and I thought, you know,
A
maybe we could talk a little bit about it. I know Raul is working on FQDN policies, and I don't think he's here today, but this one kind of had some good thoughts around that, so I poked him in the agenda. Hopefully he sees it. If you're watching this recording, Raul, go give it a look. But yeah, if I'm ever not here or someone else is running the meeting, feel free to run through these. It's nice for us as a subgroup to like try to help out SIG Net
A
however we can, if there's like new issues and stuff. Cool. Yes, that was one thing I just wanted to add it on is
B
That, like, something that's come up multiple times, and then I guess it's just a continuous. Is it a debate, or is there something we're going to do, or is it kind of, I'll
A
Read the issue, I guess. So that issue actually isn't super. It's a good question, Ryan. So that issue isn't super current. The most up-to-date thing with like layer 7 policies, more narrowed down really to FQDN policies, is something that Raul from Google has been working on for a while, and the current status of that work is here, so you can go give that a read.
A
Well, hopefully he can hear me. I think he'll hop on. I was just saying, Raul, I found a really old issue that had some discussion on FQDN from Thomas Graf, all the way back in 2018, so four years ago. I just wanted to make sure you had seen it. What else? What else? So I've also, I need to update this query to include any issues open against the network policy API repo, which I will do.
A
On the network policy API repo, someone opened an issue saying there are some broken links on the website. I wasn't able to reproduce it. So if someone else, even during this meeting, could just click through these links and make sure they work for them as well, and if so, we can close it.
A
So for folks who don't know, Cyclonus is like a network policy conformance tool and engine that Matt Fenwick has written, I had written a long time ago when they redid the upstream network policy test, and we actually ported it to live in our upstream repo. And our rough idea of what to do with it is to like extend it for admin network policy and make it more just like a generic tool for conformance testing for both network policy and admin network policy, and also maybe a tool to help folks analyze what policies are doing in their cluster.
A
So with that, we got the core recording done into our new repo, but Matt, who obviously made Cyclonus, has opened up an issue saying like, what's next for that tool, right? We haven't really talked about it here a lot, and thankfully Brian has offered to kind of help out with this. So this is the issue tracking the work.
A
B
A
If we're doing, you know, if we're releasing just a container image, then this obviously matters more, in my opinion, but if we're trying to actually release like Cyclonus binaries, it becomes even more complicated. For, for the container image, you know, if it was just me, I'd say let's release images to get the GitHub container registry, but I don't know if folks are using that in kubernetes-sigs. Looks like they are.
A
These are just container images, I know. Well, actually I could be wrong. Yeah, these are just container numbers. So, so get the GitHub container registry is like built in to GitHub now, and it's really nice, because it's pretty easy to like automate builds and actions and then push here, which is cool. So for container images, this would be a great tool. It seems like folks are using it in kubernetes-sigs. That was kind of my one reservation, so I'm fine with using that.
A
C
It should be, because it's, to a large extent, works on the specs, right? They're not the addresses. I'm going to look more on the templates and so on, but that's something I think we need to think about.
A
Yeah, I think the moment we have an API object that we're hosting here, or that Kubernetes is hosting, around policy in the multi-network scenario, it'll become a priority. But it definitely, I think like the same thing will apply. Yeah.
A
That's where I was too, right? Like we talked a lot about tooling for admin network policy, but there wasn't really anything out there, and, you know, Matt was, had already kind of started this project and it's great, so we figured we'd take it over. But just recycling a little bit, Brian, does that answer your question, I think?
B
It does. If you're a CNI maintainer and you're gonna run performance tests, and you depend on Cyclonus to do that, are they going to expect those images to exist in the k8s registry? Is that what they're getting, anything else that they might be doing? Like, that was my only concern there, was: are we doing something weird by putting in a GHCR for, say, a CNI person that wants to run conformance?
D
A
Think for getting, getting a bootstrapped, it's totally fine, because we can, it's always, we can always, you know, once we get our release process figured out for Cyclonus, change to releasing in registry.k8s.io. It's just harder to go the other way, right? So I figure, yeah, let's start there and then move forward. And, you know, I would start with just releasing container images, and maybe just container images that are based on main, and then we can move towards like a natural release system if needed, right? Like right now, everything's still new and fresh.
A
It's a thought. I think we totally can with GitHub, if we need to, with GitHub releases. I've just never played with using GitHub releases for like, like I wonder if we can do multiple releases for a single repo. I'm sure we can. If
A
Sweet. And then there's a bunch of other stuff here too, Brian. I don't know if you want to tackle all this, or do you want to like split it up into smaller issues for people to take on? What do you feel like? Definitely a lot of stuff. Yeah, it seems to me like we can split up these main three goals into their own issues. Some of them are good first issues.
B
A
Yeah, 100. So I'd like to continue getting folks involved, so anything that's a good first issue would be great. Will
C
A
What else? Cool. Yeah, so for anyone watching and, sorry, what's going on, Yang?
E
Hey, hey Andrew. Yeah, I was just having tried to ask a quick, maybe dumb question on: what's the difference between the engine and conformance suite for ANP and BANP listed here? Like, what do you have in mind, Matt, for those goals?
B
I'm not sure I understood the question. Sorry.
E
Oh, no worries. I was just saying that to, because right here, I listed a bunch of, you know, goals, right? So one of them says engine, and we have, you know, feature for ANP and BANP here, and the other is the conformance suite. I'm just trying to understand, you know, what's what's
B
For each of them, yeah. Yeah, so Matt and I did an entree alive the other week, and we started talking about how to get Cyclonus to support ANP, and basically, what it came down to was: we need to first extend the Cyclonus engine to be able to support and work with ANP and BANP, and then once we have the support built in, we can start writing conformance suite tests into Cyclonus as, as base policy tests.
E
Okay, okay, sounds good. Now I get it. So I probably needed like a refresher on Cyclonus, because I haven't looked into that for a while. So.
E
Good, sounds good. But a quick question is, you know, for the normal Kubernetes network policy right now, so the Cyclonus work for the conformance suite: does it work as, you know, you bring up a bunch of namespaces and pods and, you know, you run tests through them? And is that like a three namespace, three pods in each, that kind of thing, or it's usually, you know, on-demand namespaces and pods for each specific test case?
B
I think, I'm still not a Cyclonus master, so I might be wrong, but I think you can write your own set of network policies and then use Cyclonus to run conformance against those after you've applied them into the environment, or you can use Cyclonus to run against a vanilla cluster with any CNI and verify vanilla network policies are running and meeting performance within that environment. But I think you can also write your own policies and simulate them and then get back like a truth
B
E
Yeah, I probably needed to look at specific conformance tests, because I know that, you know, before ANP and BANP, a lot of tests are written as, you know, you have a specific environment where you have, you know, three namespaces, three pods in each, and then we have a truth table sort of thing, and we applied network policy just to see if the truth table holds for that network policy. If yes, then we know that network policy is correctly enforced.
E
Now, what I'm seeing here is that for ANP and BANP, because we have the, you know, more advanced selection mechanism, we have the same labels, same namespace and stuff.
E
Maybe we needed to extend the number of namespaces and pods deployed for us to sort of like correctly test that, because right now you will need to have at least a bunch of names, basically the same labels, and a bunch of namespaces with another solar standard labels, and do some same-label ANPs, and figure out that now, yes, you know, the namespaces with the same labels are talking to each other, but not across, you know, the label boundary, basically. And that basically is not possible if we just have a static
E
you know, three namespaces, three pods in each setup to test with. So for the ANP and BANP test suites to be complete, we probably needed a little bit more pods or namespaces in the infrastructure for us to correctly test it.
E
Yeah, so this is just a sub, if, I don't know if, Andrew, you're understanding what I'm saying.
A
E
A
Yeah, there are no stupid questions, by the way. That's awesome. That's what we need. So it's good we're kind of getting started here, because there was just not, no one doing it. Cool. Any other thing on this issue that we need to talk about today? Or do you want to take over splitting into other issues, Brian, or do you want me to do it? I really don't mind. I can do
D
A
That's awesome, cool. Okay, so it talked about those issues. I already got an LGTM on this. I was writing another operator for open, or a totally separate operator from scratch, and I realized that our CRDs were being generated incorrectly. They were not being generated the cluster scope. So I think this is, well, Yang, you just have to give an LGTM and an approved, but
E
Just basically click to approve? I don't know. Let me look at it again.
A
It's just Prow: you have to give the dash dash LGTM on that one. But basically all this stuff, yeah, it's no worries. All this does, for folks who are interested, is Kubebuilder like looks at our API definitions and generates all the CRDs form automatically. So all we need to do is add a single Kubebuilder tag to make sure this was cluster scoped. Really easy. But if you haven't looked at Kubebuilder, it's kind of interesting to check out.
E
A
Yep, and a ton of like validation stuff, as you can see here, which we do, which is cool, and it's all kind of built in, which is awesome. Ultimately, it gets distilled down into like OpenAPI v3, which allows you to express things like this. And it's really important with admin network policy, because we have some complicated like rules, so nice to use that.
F
A
It's a great question. I don't think I did. When I was doing this I was learning it all for the first time, so I probably missed that. Sounds like we need an issue for it. I'm not sure, to be honest with you. Fair enough.
F
I, I can follow one, yeah.
E
I could do that too, but if you want to take it also, I'll be also happy to end too. But there's also some other things that might be really used for, in terms of this tags. I remember you can define printer columns there, like when people do kubectl get ANP, you can define what columns are there, like time created.
E
You know, the first priority stuff will be a nice thing to have when it's printed out, so you can actually define those things. I think we needed to look at, you know, what are the use for things that should be printed out, and we should put it in there.
E
F
Yeah, I mean, the only thing that I know Kubebuilder doesn't handle super well is selectors. Like, if you try to tell Kubebuilder to print out selectors, like today, the network policy kubectl thing is handled by a custom printer, tries to format it sensibly.
F
If you use Kubebuilder to dump selectors, it dumps the JSON, which is rather unwieldy. So.
A
I didn't know about that. I'll have to check it out. Feel free, either of you all, to open an issue for that, that'd be great.
D
A
D
A
Cool. So last week I was poking around at some legacy stuff, and I had looked at this a long time ago, but it's basically Cilium's like deep dive into network policy, and it includes like this really long YouTube video about how network policy was created. Dan actually is in it, with like Thomas Graf and some other folks, and it led me back to this website. Basically, this, I think, was a marketing point to put forward
A
Cilium's network policy editor, which, you know, this site is open source, but the network policy editor is not, which is kind of interesting, but it got me
A
thinking like this could be another good set of resources to kind of bring back into this core SIGs community. I wanted to reach out to Thomas Graf and tell them folks to see like what they would think about moving some of it back and maybe deprecating this website, because, you know, the URL is literally networkpolicy.io, and it's kind of a downstream website in an upstream fashion.
B
A
I kind of both. I mean, it'd be really great if we talked to the Cilium folks and they said, yeah, here, we'll open source this editor. That could be cool, because obviously like I don't want our website and Kubernetes to be pointing to something that's not open source. Like, there's no way that ever happens. So we couldn't just assume this website as is, but it does definitely have some nice videos and resources. What sort
C
Know, I'll have to see if I forward that to someone, I guess. No, it was through all the emails, something that I reacted on. But I cannot remember exactly what. I'll dig.
G
Maybe, as a new person in this SIG call, just to chime in on this one: you know, we're building a tool for, that automates network policies, and, you know, obviously we found this website very quickly. It looked to us very official in some sense, like a very
A
G
A
Yeah, that's a good, we're stoked to have you, Yuri. Thanks for coming, and that's a really, really good point.
A
It's, that was kind of what I was trying to get across, like it's confusing. So I'm gonna try to reach out to Liz Rice from Cilium and Thomas Graf and see like what they think about how we could, like, I don't want to be like, shut this website down. I more want to be like, how can we absorb some of these resources into our website, and, you know, maybe they're willing to open source the editor now. That'd be even cooler, right? Yeah.
A
Much, 100. So I'll add this to my list. However, the first thing I want to do before I reach out to that is, I still have the issue of to kind of make our website more generic, right? We want to be describing all of Kubernetes policy APIs, not just the admin network policy API, and I've had an outstanding issue to do that. I haven't been able to get to it. So if folks are listening to this call and want to tackle it, please go do it.
D
A
E
No problem at all. I mean, I'm also busy with a lot of other things recently, but I think we have release cutoff by December the 16th, so in between six things and Christmas, I do feel like there's gonna be ton of free time for me. So I'll definitely, you know, spend more time looking at the ANP-related stuff, I guess.
A
Awesome, yeah. Thank you, I appreciate it, and I'll put a link to that PR here in a second for folks who want to review it. For kind of a backstory: the KEP originally merged a long time ago. Then we worked on the API and got it merged, and now Yang has gone back and has a PR update to KEP with like what actually merged in the API design side of things, because it changed a little bit. So it's good.
A
It's just good practice to keep that KEP updated, and it's even weirder for us, because we don't adhere to Kubernetes release guidelines, like we're just a CRD, but it's definitely a good practice to keep that updated. And speaking of releases, that's something, you know, as we start getting implementations done for ANP, like we're gonna have to start thinking about some release infrastructure for the API itself, and hopefully I can make an issue for that.
G
For it, Yuri. So, you know, in the rolling out of this tool, which, by the way, is open source, we're thinking to ourselves, you know, network policies are an interesting thing because, as you say, they're a CRD, they're an object that exists whether or not anybody pays attention to it. You have a network policy, but you don't know that anybody's enforcing it.
G
Obviously, there's got to be a CNI that supports network policies, that enforces it, and so on. Is there, or has there been, some thought towards implementing some way of the cluster knowing that somebody's actually enforcing network policies? So.
A
First, you know, that first thing: network policy itself isn't a CRD. It's a core API. The admin network policy we've been talking about a lot in this meeting is a CRD. So we did that just so that we could iterate a little bit faster. It's a good question. There is a status field now in network policy. Now the issue with that is, I don't think any CNI has implemented it yet. Maybe Ricardo
E
Sorry, sorry to interrupt. I just wanted to share a little bit my thought here. If I understand this question correctly, you probably are talking about something in the lines of: I'm probably an app developer, right, so I wanted to know that, if I wanted to talk to some other namespaces, is there going to be now a part of c blocking that or, you know, restricting me to do that? Is that what your question is more about? Certainly.
G
One of the use cases, right. So we're creating the code that automatically creates network policies, yes, based upon sort of client intents. But our big thing is that we can say, great, you know, this network policy was created, and if it were enforced, the following would be allowed and the following would not be allowed, but we don't know if it's being enforced by anything.
E
Oh, okay. So yeah, that's more of a status thing. Yes.
A
Right, and I linked the KEP to that. Great. I think that'd be good to check out. I don't know what CNI you are using, but you could ask them to possibly implement this. And, you know, maybe we need to think about, I don't know what status defaults to. It defaults to nothing, like an empty list of conditions, but maybe someday in upstream we need to have the logic that says: unless the implementations explicitly write like "implemented", then it defaults to "unimplemented" or something. I don't know how that would work, but
A
Unfortunately, we're far from there, I agree with you, but that's a really, it's a good point. It's a good question, and, you know, it's
E
That's an interesting thought, but, you know, for the users, actually it probably also gonna be a little bit weird, because once you install a CNI, in order to verify that use inside Corners, people will probably see that a bunch of namespace that art just came up and then, you know, running some tests under the hood. People are probably gonna figure out, you know, what's going on. So that's also something to think about.
E
G
A
Yeah, there's something there. There's also another, there was another issue and I can't find it right now. I will go find it. There is a kind of proposal within an issue to add an enforcing flag to network policy, so that could be used as more of an explicit same way, right? You could just make a network policy with enforcing set to false.
A
Yeah, no, good to have you, Ori. And, you know, it's interesting, I've seen a lot of folks kind of doing the same thing y'all are trying to do, because, in my opinion, it shows that network policy is hard to explicitly illustrate a lot of intents. So you always end up having a shim that is creating network policy, right, or an engine.
A
So we're hoping, if you get some time, definitely check out our admin network policy and let us know if we missed anything, because we're still early in the cycle, and we're hoping that it's a little bit easier to use straight natively and
G
D
G
Governance and so on, and then there's what the app developers are trying to do, which is just to make the right things work, and like, how do those meet, right? Do we have to monitor for drift, or is there some official way to say, you know, this is where the intent of the developer meets the governance of the admin? Yeah.
C
Do, thank you. Wait, there's a lot of cool things that could be done. One is like, let's say, they will say central control system. They calculated everything, and you can do a lot of cool things with things like SRv6 and metadata, so you could actually have something that pretends to be a pod, sending traffic through, and see if it gets caught, right? You would tell the firewall on the other side, never forward this to the actual pod, right? Yes, return result.
C
What's this forwarded or not. So there's a lot of cool toolkits that can be made to check that this actually works in reality for a given CNI. That's at least where we're going, so we will be able to calculate the full graph and say what can talk to what, and then run it and compare that to Cyclonus results, and also actually test an all combination to see if it fulfills the requirements by having actual traffic being sent to any of the pods, but telling the connection tracker on the source to not forward that report.
C
Yes, send back the result. Compare.
C
On my company, what I was going to work with, that's what we, and parts of it. My dream and goal is to be able to give away an open source of complete control plane that eats up the policies and can also be made very easily to handle more policy types, and then the laborers, call it a logical firewall API, where you would plug in backends to, and then you do your implementation of your firewall
C
the way you want to. But Kubernetes should have something, call it the other end of the Cyclonus one, one implementation, not similar implementation, that calculates if things can communicate. Yes.
A
Yeah, he is, I think, I think he had to take a call. Yeah. All right, awesome, cool, awesome! Well, thanks so much, folks. If there's nothing else going on, going twice, sold. Good meeting today, pretty constructive. Thanks for the time and thanks for coming. I hope you all have a really good rest of the week, and, well, I think we'll see you next time. I gotta look at what date the next meeting falls on, because if it's in the Christmas holiday, we might cancel.