►
From YouTube: Network Policy API Meeting for 20221205
Description
Network Policy API Meeting for 20221205
A
Foreign
hello,
everyone
today
is
Monday
December,
5th
2022..
This
is
a
meeting
of
the
Sig
Network
policy,
API
subgroup
to
think
Network.
This
is
the
cncf
certified
meeting.
So
please
be
nice
to
each
other.
Try
to
limit
the
curse
words
and
yeah.
Let's
have
a
good
meeting
today,
so
just
kind
of
hopping
in
something
we
hadn't
done
in
a
long
time
which
issue
triage.
A
We
used
to
do
it
all
the
time,
but
then
issues
kind
of
slowed
down.
So
all
that
the
issue
triage
is
is
basically
I.
Have
the
link
in
the
document
too,
if
I'm
ever
not.
Here
is
query
kubernetes
issues
with
the
label
Network
policy,
basically,
thankfully
there
weren't
any
new
ones.
So
that's
good,
nothing
really
for
us
to
tackle.
Yet
it
was
kind
of
interesting,
though,
to
see
some
old
ones
that
have
been
open
for
like
a
long
time
and
I
thought
you
know.
A
Maybe
we
could
talk
a
little
bit
about
it.
I
know,
Raul
is
working
on
fqdn
policies
and
I.
Don't
think
he's
here
today,
but
this
one
kind
of
had
some
good
thoughts
around
that
so
I
poked
him
in
the
agenda.
Hopefully,
he
sees
it
if
you're
watching
this
recording
our
role
go,
give
it
a
look
but
yeah,
if
I'm
ever
not
here
or
someone
else,
is
running.
The
meeting
feel
free
to
run
through
these,
it's
nice
for
us
as
a
subgroup
to
like
try
to
help
out
Signet.
A
B
A
Read
the
issue
I
guess
so
that
issue
actually
isn't
super.
It's
a
good
question
Ryan.
So
that
issue
isn't
super
current.
The
most
up-to-date
thing
with
like
layer,
7
policies,
more
narrowed
down
really
to
fqdn
policies
is
something
that
Raul
from
Google
has
been
working
on
for
a
while,
and
the
current
status
of
that
work
is
is
here,
so
you
can
go.
Give
that
a
read!
A
Well,
hopefully
he
can
hear
me
I.
Think
he'll
hop
on
I
was
just
saying:
Raul
I
found
a
really
old
issue
that
had
some
discussion
on
fkdn
from
Thomas
Graf,
all
the
way
back
in
2018
so
four
years
ago,
I
just
wanted
to
make
sure
you
had
seen
it
what
else?
What
else
so
I've
also
I
need
to
update
this
query
to
include
any
issues
open
against
the
network
policy,
API
repo,
which
I
will
do.
A
A
A
A
So
with
that,
we
got
the
core
recording
done
into
our
new
repo,
but
Matt,
who
obviously
made
cyclonus,
has
opened
up
an
issue
saying
like
what's
next
for
that
tool
right,
we
haven't
really
talked
about
it
here,
a
lot
and
thankfully
Brian
has
offered
to
kind
of
help
out
with
this.
So
this
is
the
issue
tracking
the
work.
B
A
If
we're
doing
you
know,
if
we're
releasing
just
a
container
image,
then
this
obviously
matters
more
in
my
opinion,
but
if
we're
trying
to
actually
release
like
cyclonus
binaries,
it
becomes
even
more
complicated
for
for
the
container
image.
You
know
if
it
was
just
me,
I'd
say:
let's
release
images
to
get
the
GitHub
container
registry,
but
I
don't
know
if
folks
are
using
the
that
in
kubernetes,
six
looks
like
they
are.
A
These
are
just
container
images,
I
know.
Well,
actually
I
could
be
wrong
yeah.
These
are
just
container
numbers
so
so
get
the
GitHub
container
registry
is
like
built
in
to
GitHub
now,
and
it's
really
nice,
because
it's
pretty
easy
to
like
automate,
builds
and
actions
and
then
push
here
which
is
cool
so
for
container
images.
This
this
would
be
a
great
tool.
It
seems,
like
folks,
are
using
it
in
kubernetes
six
that
was
kind
of
my
one
reservation,
so
I'm
fine
with
using
that.
A
C
A
A
That's
where
I
was
too
right
like
we,
we
talked
a
lot
about
tooling
for
admin,
Network
policy,
but
there
wasn't
really
anything
out
there
and
you
know:
Matt
was
had
already
kind
of
started
this
project
and
it's
great
so
we
figured
we'd,
take
it
over,
but
just
recycling
a
little
bit
Brian.
Does
that
answer
your
question
I
think.
B
It
does
if
you're,
if
you're
a
cni,
maintainer
and
you're
gonna,
run
performance
tests,
and
you
depend
on
cyclones
to
do
that.
Are
they
going
to
expect
those
images
to
exist
in
the
case
registry?
Is
that
what
they're
getting
anything
else
that
they
might
be
doing
like?
That
was
my
only
concern
there
was.
Are
we
doing
something
weird
by
putting
in
a
ghcr
for
say,
a
cni
person
that
wants
to
run
conformance.
D
A
Think
for
getting
getting
a
bootstrapped,
it's
totally
fine,
because
we
can
it's
always
we
can
always.
You
know
once
we
get
our
release
process
figured
out
for
cyclonus
change
to
releasing
in
registry.katesio
it's
just
harder
to
go
the
other
way
right.
So
I
figure
yeah.
Let's
start
there
and
then
move
forward,
and
you
know
I
would
start
with
just
releasing
container
images
and
maybe
just
container
images
that
are
based
on
Main
and
then
we
can
move
to
towards
like
a
natural
release
system
if
needed,
right
like
right
now,
everything's
still
new
and
fresh.
A
A
A
Sweet
and
then
there's
a
bunch
of
other
stuff
here,
too
Brian
I,
don't
know
if
you
want
to
tackle
all
this,
or
do
you
want
to
like
split
it
up
into
smaller
issues
for
people
to
take
on
what?
What
do
you
feel
like?
Definitely
a
lot
of
stuff
yeah,
it
seems
to
me
like
we
can
split
up
these
main
three
goals
into
their
own
issues.
Some
of
them
are
good.
First
issues.
B
A
C
E
B
For
each
of
them,
yeah
yeah,
so
Matt
and
I
did
a
an
entree
alive
the
other
week,
and
we
started
talking
about
how
to
get
Cyclones
to
support
A
and
P
and
basically,
what
it
came
down
to
was.
We
need
to
First,
extend
the
cyclonus
engine
to
be
able
to
support
and
work
with
A
and
P
and
Vamp,
and
then
once
we
have
the
support
built
in,
we
can
start
writing
conformance
Suite
tests
into
cyclonus
as
a
as
base
policy
tests.
E
E
Good
sounds
good,
but
but
a
quick
question
is
you
know
for
the
normal
kubernetes
Network
policy
right
now,
so
the
Cyclones
work
for
the
for
the
conformance
suite.
Does
it
work?
As
you
know,
you
bring
up
a
bunch
of
namespaces
apart
and
you
know
you
run
tests
through
them
and
is
that
like
a
three
three
namespace
three
parts
in
each
that
kind
of
thing
or
it's
usually,
you
know
on
demand
namespaces
apart
for
each
specific
test
case.
B
I
think
I'm
I'm,
still
not
a
psychonist
master,
so
I
might
be
wrong,
but
I
think
you
can
write
your
own
set
of
network
policies
and
then
use
cyclonus
to
run
conformance
against
those
after
you've
applied
them
into
the
environment,
or
you
can
use
cyclonus
to
run
against
a
vanilla
cluster
with
any
cni
and
verify
vanilla.
Network
policies
are
running
and
meeting
performance
within
that
environment,
but
I
think
you
can
also
write
your
own
policies
and
simulate
them
and
then
get
back
like
a
truth.
B
E
Yeah
I
probably
needed
to
look
at
specific
conformance
tests,
because
I
I
know
that
you
know
before
am
pmbanp.
A
lot
of
tests
are
written.
As
you
know,
you
have
a
specific
environment
where
you
have
you
know
three
namespaces
reposit
in
each
and
then
we
have
a
choose
table
sort
of
thing
and
we
applied
Network
policy
just
to
see
if
the
truth
table
holds
for
that
now
policy.
If
yes,
then
we
know
that
now
policy
is
correctly
enforced.
E
E
Maybe
we
needed
to
extend
the
number
of
namespaces
apart
deployed
for
us
to
sort
of
like
correctly
test
that,
because
right
now
you
will
need
to
have
at
least
a
bunch
of
names,
basically
the
same
labels
and
a
bunch
of
namespace
with
another
solar
standard
labels
and
do
some
same
label
amps
and
figure
out
that
now,
yes,
you
know
the
the
namespace
with
the
same
labels
are
talking
to
each
other,
but
not
across.
You
know
the
the
label
boundary
basically
and
that
basically
is
not
possible.
If
we
just
have
a
static.
A
E
A
Yeah
there
are
no
stupid
questions
by
the
way.
That's
that's
awesome.
That's
what
we
need,
so
it's
good
we're
kind
of
getting
started
here
because
there
was
just
not
no
one
doing
it
cool
any
other
thing
on
this
issue
that
we
need
to
talk
about
today.
Or
do
you
want
to
take
over
splitting
into
other
issues?
Brian
or
do
you
want
me
to
do
it?
I
really
don't
mind.
I
can
do.
D
A
A
A
That's
awesome,
cool
okay,
so
it
talked
about
those
issues.
I
already
got
an
LG
TM
on
this
I
was
writing
another
operator
for
open
or
a
totally
separate
operator
from
scratch
and
I
realized
that
our
crds
were
being
generated
incorrectly.
They
were
not
being
generated.
The
cluster
scope,
so
I
think
this
is
well
Yang.
You
just
have
to
give
a
lgtm
and
an
approved,
but.
D
A
It's
just
proud:
you
have
to
give
the
dash
dash
LG
TM
on
that
one,
but
basically
all
this
stuff
yeah.
It's
no
worries
all
this
does
for
folks
who
are
interested
is
Cube
Builder
like
looks
at
our
API
definitions
and
generates
all
the
crds
form
automatically.
So
all
we
need
to
do
is
add
a
single
cue,
Builder
tag
to
make
sure
this
was
cluster.
Scoped
really
easy.
But
if
you
haven't
looked
at
Cube
builders
kind
of
interesting
to
check
out.
E
A
Yep
and
a
ton
of
like
validation,
stuff,
as
you
can
see
here,
which
we
do,
which
is
cool
and
it's
all
kind
of
built
in
which
is
awesome
awesome.
Ultimately,
it
gets
distilled
down
into
like
open,
API
V3,
which
allows
you
to
express
things
like
this.
So
and
it's
really
important
with
admin
hour
policy,
because
we
have
some
complicated
Like
rules
so
nice
to
use
that.
F
A
A
E
I
could
do
that
too,
but
if
you
want
to
take
it
also,
I'll
be
also
happy
to
end
too,
but
there's
also
some
other
things
that
might
be
really
used
for.
In
terms
of
this
tags.
I,
remember,
there's
you
can
define
printer
columns
there
like
like.
When
people
do
Coupe
cuddle
gets
amp,
you
can
Define
what
columns
are
there
like
like
Time
created?
E
D
E
F
D
A
D
A
Cool
so
last
week,
I
was
poking
around
at
some
Legacy
stuff
and
I
had
looked
at
this
a
long
time
ago,
but
it's
basically
psyllium's
like
deep
dive
into
Network
policy,
and
it
includes
like
this
really
long,
YouTube
video
about
how
Network
policy
was
created.
Dan
actually
is
in
it
with
like
Thomas
Graf
and
some
other
folks,
and
it
lead
led
me
back
to
this
website.
Basically,
this
I
think
was
a
marketing
Point
too
put
forward.
B
A
I
kind
of
both
I
mean
it'd,
be
really
great
if
we
talked
to
the
civilian
folks-
and
they
said
yeah
here,
we'll
open
source.
This
editor
that
could
be
cool
because,
obviously
like
I,
don't
want
our
website
and
kubernetes
to
be
pointing
to
something:
that's
not
open
source
like
there's,
no
way
that
ever
happens,
so
we
couldn't
just
assume
this
website,
as
is,
but
it
does
definitely
has
some
nice
videos
and
resources.
What
sort.
C
C
G
A
G
A
It's
that's
that
that's
that
was
kind
of
what
I
was
trying
to
get
across
like
it's
confusing,
so
I'm
gonna
try
to
reach
out
to
Liz
from
Liz
rice
from
psyllium
and
Thomas
Graf
and
see
like
what
they
think
about
how
we
could
like
I.
Don't
want
to
be
like
shut
this
website
down.
I
more
want
to
be
like
how
can
we
absorb
some
of
these
resources
into
our
website
and
you
know
maybe
they're
willing
to
open
source.
The
editor
now
that'd
be
even
cooler
right,
yeah.
A
A
Much
100
so
I'll
add
this
to
my
list.
However,
the
first
thing
I
want
to
do
before
I
reach
out
to
that
is
I
still
have
the
issue
of
to
kind
of
make
our
website
more
generic
right.
We
want
to
be
describing
all
of
kubernetes
policy
apis,
not
just
the
admin
or
policy
API
and
I've
had
an
outstanding
issue
to
do
that.
I
haven't
been
able
to
get
to
it.
So
if
folks
are
listening
to
this
call
and
want
to
tackle
it,
please
go
do
it.
D
A
A
E
No
problem
at
all
I
mean
I'm
also
busy
with
a
lot
of
other
things
recently,
but
I
think
we
have
released
cut
off
by
December
the
16th
so
in
between
six
things
and
Christmas.
I
do
feel
like
there's
gonna,
be
ton
of
free
time
for
me.
So
I'll
definitely,
you
know
spend
more
time.
Looking
at
The,
Amp,
related
stuff,
I
guess.
A
Awesome
yeah.
Thank
you.
I
appreciate
it
and
I'll
put
a
link
to
that
PR
here
in
a
second
for
folks
who
want
to
review
it
for
a
kind
of
a
back
story.
The
cap
originally
emerged
a
long
time
ago.
Then
we
worked
on
the
API
and
got
it
merged,
and
now
Yang
has
gone
back
and
has
a
PR
update
to
cap
with
like
what
actually
emerged
in
the
API
design
side
of
things,
because
it
changed
a
little
bit.
So
it's
good.
A
It's
just
good
practice
to
keep
that
cap
updated
and
it's
even
weirder
for
us,
because
we
don't
adhere
to
kubernetes
release
guidelines
like
we're
just
a
crd,
but
it's
it's
definitely
a
good
practice
to
keep
that
updated
and
speaking
of
releases.
That's
something
you
know.
As
we
start
getting,
implementations
done
for
amp
like
we're.
Gonna
have
to
start
thinking
about
a
some
release:
infrastructure
for
the
API
itself,
and
hopefully
I
can
make
an
issue
for
that.
G
For
it
Yuri,
so
you
know
in
in
the
rolling
out
of
of
this
tool
which,
by
the
way,
is
open
source
we're
thinking
to
ourselves.
You
know,
Network
policies
are
an
interesting
thing
because,
as
you
say
there,
there
are
crd
they're,
an
object
that
exists.
Whether
or
not
anybody
pays
attention
to
it.
You
have
a
network
policy,
but
you
don't
know
that
anybody's
enforcing
it.
A
First,
you
know
that
first
thing:
Network
policy
itself
isn't
a
crd.
It's
a
core
API.
The
admin
Network
policy
we've
been
talking
about
a
lot
in
this
meeting
is
a
crd.
So
so
it's
we
we
did
that
just
so
that
we
could
iterate
a
little
bit
faster.
It's
a
good
question.
There
is
a
status
field
now
in
network
policy.
Now
the
issue
with
that
is
I,
don't
think
anyone
any
cni
has
implemented
it.
Yet
maybe
Ricardo.
E
E
Sorry
to
sorry
to
interrupt
I
just
wanted
to
share
a
little
bit
my
thought
here.
If
I
understand
this
question
correctly-
or
you
probably
are
talking
about
something
in
the
lines
of
I'm-
probably
a
app
developer
right,
so
I
wanted
to
know.
That
is
if
I
wanted
to
talk
to
some
other
namespaces.
Is
there
going
to
be
now
a
part
of
c
blocking
that
or
you
know
restricting
me
to
do
that-
is
that
what
your
question
is
more
about?
Certainly,.
G
One
of
the
use
cases
right
so
we're
creating
the
code
that
automatically
creates
Network
policies.
Yes
based
upon
sort
of
client
intents,
but
our
big
thing
is
that
we
can
say
great.
You
know
this
network
policy
was
created
and
if
it
were
enforced,
the
following
would
be
allowed
and
the
following
would
not
be
allowed,
but
we
don't
know
if
it's
being
enforced
by
anything.
A
Right
and
I
linked
the
cap
to
that
great
I
think
that'd
be
good
to
check
out
I,
don't
know
what
cni
are
using,
but
you
could
ask
them
to
possibly
implement
this
and
you
know.
Maybe
we
need
to
think
about
I,
don't
know
what
status
defaults
to
it
defaults
to
nothing
like
an
empty
list
of
conditions,
but
maybe
someday
in
Upstream.
We
need
to
have
the
logic
that
says:
unless
the
implementations
explicitly
write
like
implemented,
then
it
defaults
to
unimplemented
or
something
I.
Don't
know
how
that
would
work,
but.
A
E
That's
that's
an
interesting
thought,
but
you
know
for
the
users.
Actually
it
probably
also
gonna
be
a
little
bit
weird,
because
once
you
install
a
CNN
in
order
to
verify
that
use
inside
Corners
people
will
probably
see
that
a
bunch
of
namespace
that
art
just
came
up
and
then
you
know
running
some
tests
under
the
hood.
People
are
probably
gonna
figure
out
on
you
know.
What's
going
on,
you
know.
So
that's
that's
also
something
to
think
about.
E
G
A
Yeah
there's
something
there
there's
also
another.
There
was
another
issue
and
I
can't
find
it
right
now.
I
will
go
find
it.
There
is
a
kind
of
proposal
within
an
issue
to
add
an
enforcing
flag
to
network
policy,
so
that
could
could
be
used
as
more
of
an
explicit
same
way
right.
You
could
just
make
a
network
policy
with
enforcing
set
to
false.
A
Yeah
no
good
to
have
you
Ori,
and
you
know
it's
interesting
I've,
seen
a
lot
of
folks
kind
of
doing.
In
the
same,
the
same
thing
y'all
are
trying
to
do
because,
in
my
opinion,
it
shows
that
Network
policy
is
hard
to
explicitly
illustrate
a
lot
of
intents.
So
you
always
end
up
having
a
shim
that
is
creating
Network
policy
right
or
an
engine.
G
D
G
Governance
and
so
on,
and
then
there's
what
the
app
developers
are
trying
to
do,
which
is
just
to
make
the
right
things
work
and
like
how
do
those
meet
right?
Do
we
have
to
monitor
for
drift,
or
is
there
some
official
way
to
say
you
know
this
is
where
the
intent
of
the
developer
meets
the
governance
of
the
admin
yeah.
C
Do
thank
you,
wait,
there's
a
lot
of
cool
things
that
could
be
done.
One
is
like,
let's
say
they
will
say
central
control
system.
They
calculated
everything
and
he
you
can
do
a
lot
of
cool
things
with
things
like
srv6
and
metadata,
so
you
could
actually
have
something
that
pretends
to
be
a
pod,
sending
traffic
through
and
see.
If
it
gets
caught
right
you
will,
you
would
tell
the
firewall,
on
the
other
side,
never
forward
this
to
the
actual
pod
right.
Yes,
return
result.
C
A
Yeah,
he
is
I,
think
I
think
he
had
to
take
a
call
yeah
all
right,
awesome,
cool
awesome!
Well,
thanks!
So
much
folks.
If
there's
nothing
else
going
on
going
twice
sold
good
meeting
today,
pretty
constructive
thanks
for
the
time
and
thanks
for
coming
I
hope
you
all
all
have
a
really
good
rest
of
the
week
and
well
I.
Think
we'll
see
you
next
time,
I
gotta!
Look
at
when
what
date
the
next
meeting
falls
on,
because
if
it's
in
the
Christmas
holiday,
we
might
cancel.