From YouTube: [SIG Network] Network Policy API Meeting 20201109
A
All right, hello, folks, this, today is November 9th, 2020. This is the network policy APIs project. Go ahead, Jay, with the agenda.
C
C
B
B
B
There's an interesting ambiguity that was brought up recently that Matt Fenwick is looking into that I think we should discuss at the end, whatever. So for my stuff, it's gotten a lot simpler and I have just kind of, where is it, I, I, mine is, let me pull it up, hold on one second. Yeah, mine is, does everybody see my Sublime editor now?
B
B
Or what did he say? He suggested adding this into ingress from.
B
B
But anybody who wants to kind of update that or PR to it or push to it is, is kind of welcome to, or comment on it or whatever. If you want to implement any changes, I'm just kind of letting it, letting it bake for a while, while we work through whatever left on port range and so on, so I don't really have any status there.
B
B
But that's pretty much where I'm at. Port range, Ricardo, stuff.
B
I, I mean, he's not here, so I guess we can just do next week, right? There's no point in trying to figure out where he's at on his stuff. I mean, I think he's pretty far along. I think it's just getting hardened and I assume, you know, that process will go on for a little while. Cluster scoped, Zhang, you all have anything?
D
Episode is here, so probably we could also move it to next week. We have.
B
E
So we, I think, as a team we've, you know, fine-tuned the initial proposal that we had, and, and I think with the present proposal that we agreed upon there's a good consensus and we have a good feeling about it, and so we are going to, you know, run that particular proposal with different use cases and see.
E
You know, whether, you know, what we have solves all the use cases that we intend to solve, and, and then, and then maybe add, you know, a few more parameters to it. You know, thinking about your negation of namespaces or like how to write isolated namespaces policies more efficiently. So a little minor improvements on top of this, and once we have a, once we have a, you know, a proper proposal.
B
That's really cool. All right, so I mean, just curious, so like on the CNI side, like do you feel like, like how much of that could, like how much of, do you think, that cluster scoped policies stuff that CNI providers already implement, and how much of it, do you think, is like new?
E
So I think most of the CNI providers, maybe, maybe not most, at least a few of the popular ones, have their own CRDs for cluster scope policies, so they in some fashion do have a solution for the cluster scope policies.
B
E
E
E
No, I don't think so. Okay, but, but the spec will be slightly different than what, what the existing CRD CNI provides. Yeah, yeah.
B
B
You guys are too smart for me. Okay, that's cool! Well, thanks, Abhishek and Zang. That's cool, saying you have anything else on that, or is that pretty much it?
D
B
D
Very welcome for any, I mean, comments and so on, if you like, right.
B
E
Yeah, I think, you know, before going to significance, we probably want to do and get an approval, or rather an agreement, with this group first.
F
Yeah, I think, I think, I, I feel like the CRD is sort of like a spec, makes, make sense to me right now, so we'll probably need to work a little bit on sort of crafting some use cases that can be solved explicitly with this new cluster network policy, and then with that we can present it to this group and see, you know, if those three use cases make sense, and, you know, it makes sense to everybody that the cluster network policy, that kind of spec, can actually solve this, and also ask people that, you know, if they have specific use cases they want to solve.
F
With the cluster network policy in mind, where can, can our sort of proposal capture it, and I feel like that, after that, it should be pretty much in a good shape.
B
A
Nope, I'm not. I definitely have strong opinions about it, but I'm not working on that, yeah. I'm kind of waiting for Gobin to put something together, but I'm, I'm more than willing to put a spec together or something if, you know, if Gobind doesn't have cycles or, you know.
B
Yeah, I don't know where he is. Was he here last week? Yeah, what, what, it was, Ricardo's here and he got a haircut.
B
B
I know Rich is kind of interested in it, but I think he's busy with other stuff anyways, though, so it's probably easier to just keep it with Gobin for now.
A
A
But it's a matter of like how the policy is enforced, whether you resolve the FQDN and then translate that into network policy resources, or whether the thing resolving the DNS should actually just enforce the policy like at the DNS server level, and so I feel strongly that, like, the DNS server, like CoreDNS or kube-dns, should read the resource and do the actual policy enforcement. I don't think we need to involve like out-of-band network policies for that enforcement, but I think we need to get agreement on that. Cool.
B
What else is going on here? Thanks, thanks, Andrew, I know you got a lot of going on. Big shout out to Andrew, he's babysitting and working at the same time today. So let me see here.
B
How do we figure out a way to do something related to this, because it's so big and it has a hundred different possible solutions that are all going to work, and I think the hard thing is figuring out who cares about it enough to actually do something, like build something, because I feel like there's like five different ways to solve the problem, and, you know, so the, like the first thing that someone builds, I think, that solves this in a somewhat CNI-independent kind of way would be, would be kind of cool.
B
A
B
B
So I don't know, if I had like infinite amount of time, I think it would be so much fun to hack on that project. I just, if anybody has a friend that's like looking for something to do, I think this would just be the coolest project.
B
Like, you know, so, anyways, we got, Dan has a KEP, so I was really happy that Dan made a KEP because I didn't know he was working on the network policy stuff anymore, but then he made a KEP about it today, so, which is about name, names, stat, namespace status, which we've been bringing this up for years. Andrew brought it up.
B
Last time we talked, I think, and I think we brought it up about a year ago when we were initially proposing the new validation policy stuff, because that was a huge thing. We started looking at the matrix of all the connections, and I think people have even brought it up before that, and so like his, his, his one is, and then we've got this other issue that came up today is that it, Andrew, thanks. Ricardo, Ricardo, I thought you were gonna be in trouble because you didn't come today.
B
So I left just a bunch of question comments, the type of questions you leave when you don't fully read something, so you ask quite a quick, ambiguous question, so like, and he, he clarified it. But, like, my understanding, this whole thing is that this allows you to have this slippery, in my, in my mental model, kind of a slippery, but also very well defined kind of adherence to the API, because you can, he, he wants to introduce these kind of meta-semantics around, you know, minimum versions, so.
H
I think, I think that the idea, the idea here from, from, from, from Dan, for what I've read already, but I didn't, I didn't read the, the whole document. I also was like you: can this, this min version, you can, you can specify what, what kind of, it's, it's, it's kind of a feature gate, but only for network policy, like I, I am not going to accept in my, even, even if I have the, the, the support in my API server of the SCTP protocol, I don't.
H
I don't want to accept earlier versions from the network policy. To, to be honest, this, this, this part of the min version from the network policy was pretty foggy for me, but the, the other, the other parts of the KEP is, is really nice, because what Dan is proposing is like that we treat network policies like as a pod or as a node, and they might have status.
H
So the CNI can report the status from a network policy, by, by Dan proposal here, if the, the policy was enforced or not, if you have like, like some, some sort of warning, because you, you have specified the network policy with that problem from the IP slash mask not being, not, not covering the, the, the cover in the whole network and you don't want to cover the whole network.
H
So it's, as far as I've read, it's, it's a, it's really interesting to, to have a, to, to take a look, because that's, I think that you, you might, you might also have the ability to, to define if a network policy is applied or not, and this might probably be used in the future by, by some readiness gate from the pods also.
H
A
I'm not, I'm not opposed to status, like I think, like, yeah, like Jay mentioned, I think there's a, a good, a good chunk of use cases for why network policy should have status, but yeah, like it's, the whole min version thing is interesting because it's not clear to me if the, is that min version something the CNI sets, like wouldn't, is it min?
A
Wouldn't the min version, isn't min version like redundant based on what the API server validates? Like if a API server rejects it, like you're, you're on the wrong, like you're not in the min version, right? Or is it more of like CNI is reporting what, what features are allowed based on the version? I should, I should probably just read the KEP at this point.
B
B
No, yeah, that's the thing, that's what I'm saying, though, it's like kind of meta, right, like it could just be, there's no end to this, right, so I, but I'm assuming Dan, he knows a lot more about the API than I do, so I feel like he must have thought through this, right, like, but once you, yeah, you're right, like.
B
B
What is the status of a policy that a provider could not apply because the API seemed incompatible? How is that conveyed through this? That's the question that I would have then, and then enforcing was another question I had, because enforcing is weird to me. Tell me if, okay, so keep me honest here, so I was going back and forth, so like we went into this enforcing versus readiness thing, and then this was an interesting thing, because it's like, well.
B
How do you really know that you're enforcing the policy, right, because you could have made an iptables rule, but what if there's a bug in iptables or a CVE comes out? You don't really know that you're enforcing a policy. You only know that you have, to the best of your abilities, like done some reconciliation with the underlying operating system or with some network provider to create rules which you think will enforce the policy, and so the reason why I think this is not just kind of a bike.
B
B
So readiness seems like a weird word to use when it comes to this, because it has an overload with the pod readiness concept, which we all know as "yes, I can act as an endpoint", and so I was kind of like confused about, like, I understand what this enforcing thing does, but I don't understand how, I, I, I'm not sure it wouldn't confuse people to have to deal with pod readiness in the concept, in the context of network policies.
A
A
B
Yeah, so there's that, so I'm, I'm not the person to critique the API, because I'm just not an API person, I'm real bad at API stuff. But if anybody knows more about the API and wants to look at that and help really harden this proposal around that, that would be cool.
B
I just feel like, you know, from my perspective, which is like, the thing I'm really interested in is like validating and comparing the different CNIs, like I think it would be really cool to have any metadata. So even if some of this metadata is logically inconsistent or whatever, I don't care, I'm all for it, right.
B
But if, maybe at some point I can try to learn more about the API and then evaluate it in that context too, you know, but yeah, like if anybody really, like, yeah, somebody, let's, let's help Dan really harden this, harden this KEP, like this would be really cool, because having some status, even if we don't have this min version thing, would still be cool. And anyone else want to talk about this at all? Abhishek?
E
We do have status field in the network policy in interior, but I have not gone through this KEP, so I have no comments on the KEP as, okay, cool, perhaps next week, maybe, or I'll try to add some comments on the KEP there.
B
Yeah, can you go through it this week? Just, you know, just like to, to really, that way next week maybe we can. Cool, thanks. Well, Ricardo, anything else?
J
To read it, but hey, sorry, Jay, I gotta drop, man, I'll sync up with you sometime tomorrow, if possible. No problem. All right, thanks, everyone. Yeah, we'll be.
B
H
B
The issue is, this is the policy, so, you know what, at the very least, we can add this to our validation stuff, some kind of a test that, you know, that makes a zero, zero, zero, zero IP ad block and then tries to accept something from it and just see how this works. I mean, I mean, my first case would be literally, I'll.
B
Just try to generify this and then see what happens when we, when we look at the connectivity, but this is the policy that someone created and they're saying it didn't seem to work properly, and, like, you know, he's, I don't know, so he's got this CIDR, that's like an outside world CIDR, so allow anything from the outside world, but nothing from inside the cluster, right. So he's filtering out his entire pod network and then allowing everything from the inside world.
B
E
Again, yeah, here it is, so, so I think this is a valid spread, because both pod selector and IP block are in different peers. Pod selector and IP block in the same peer is not allowed, so.
E
B
C
C
H
Yeah, so while you write that, Jay, I put on, on vote what the next KEP that we should discuss, and I think that, I'm just taking a look, that just Andrea and Abhishek voted and they voted in the node policy, the node policy KEP, the node policy user story.
H
H
E
I wouldn't, because I was curious as to who, what, what kind of use cases the community is looking at. Mainly, are we talking, when we say node selector, are we talking about policies that apply on the node or are we talking about policies.
F
E
Govern traffic between pods and nodes, so in one case the node selector will be in the spec, spec dot node selector, and in the other case the node selector will be in the to and from, the peers, so which node selector are we talking about? And I think Zhang this morning had a similar question.
H
B
H
H
Like my nodes that run my ingress controller. This is my case. Like my, my work, we have like separate nodes for ingress controllers and I want to allow just, just ingress controllers nodes that running the host network to reach my, my pod leader. So who do, who wants to own this as a, this user story, trying to develop it better, and then we can take it also too. I don't think that for the stairs they, we.
H
A
I think the node policy one needs a lot more like thought and work before we propose the use case, basic network. I think the services one is a little bit more clear, like it's just a strict replacement of pod selector, like you just extract the pod selector from service, and then you extract the port information from there, so that one seems a little bit more straightforward, but the node policy one seems like we should talk about it a bit more.
H
Yeah, I think that about the service you have like some other things that you also need to think, like if, if we are allowing the selection of only services with cluster IPs or like the, the headless, how are we going to deal with headless services also? But I think, I, I think also that's a, that's less tricky than the node policy.
A
Or cluster IP or something in here, but okay, I mean, I wasn't even gonna, I didn't think we even had to look at the type, right, like you just, just the thing that selects pods, and then from there on, like, the behavior would be identical to.
B
B
I wouldn't mind taking it on. I just have so much going on, and then I've got, I feel like I need to go, I feel like I would like to take a minute once I get some time to, to play around with actually trying to implement my API change, just because I've never done that before, and otherwise I feel like it would not be, but we'll, yeah, I have a feeling nobody wants to own this right now, is.
B
That, is that, is that the consensus? Everybody agrees, but nobody wants to really own this, like these two. Nobody can on this one, because it's, we're not ready yet, and nobody wants to own this one. That's a decent conclusion, because then we can poke people around and see if there's someone who wants.
A
A
You'd also have to answer questions like, would you select the service by name or, like, would you have a label selector for services? Probably by name, but things like that I don't think we have answered.
B
Yeah, well, if any of y'all have any friends that are looking to write a KEP, you know, want to, want to make that jump, get their name on a KEP or something, this is maybe a good opportunity. They'll get plenty of support from us. So please do let folks know.
H
B
Yeah, I mean, in general, I feel like I'm comfortable, at least in the short to medium term, owning maybe one KEP at a time, but I don't know, I just, I can barely keep my head above water with the, with the one I'm doing now, because I just need to, I want to make sure I, I get it right, but I think after that it'll get easier, because I, again, the API changes, I want to make sure I, I get that stuff right, but yeah.
B
H
Yeah, what I was going to say, that we should probably discuss, if we are getting this like in a slower cycles, probably make this a bi-weekly until we have some, some bandwidth again to discuss other KEPs. But I think that we are going, so far we are going fine, so probably revisiting the KEPs next week and having like a smaller, a shorter meeting.
B
Yeah, I mean, I think if we could go asynchronous or semi-asynchronous, that's a benefit to everybody. I'm down to do that at any time.
A
H
Yeah, I mean, I mean, just, just like if, if, if we are starting to become slow because of not knowing, nothing of bandwidth, maybe discussing about turning this into a bi-weekly, but, but right now I think we can, we can keep like a weekly meeting and at least, at least keep reviewing, because I hope that in one week or two week we have also Abhishek and Zayn cluster scope and policy KEP, and I think this is going to bring a lot of discussions for us. So yeah.
B
And I think there are some people that are maybe depending on the fact that we hold this, we're here if they can come if they need to, so, you know, that may be a little irresponsible, irresponsible, is that the right word, of us to, you know, I mean, to change that, I mean, and we all talk anyways. So at least this is the one time where we're all talking in public.