►
From YouTube: Network Policy API Bi-Weekly Meeting for 20210405
Description
Network Policy API Bi-Weekly Meeting for 20210405
A
Still
new
at
this
okay,
hello,
everyone,
it
is
april
5th.
You
are
attending
this
sig
network
policy,
api
meeting.
This
is
cncf
sponsored
meeting,
so
we
are
being
recorded.
So
please
keep
stay
nice
between
everybody
and
try
not
to
use
any
curse
words
and
yeah.
Let's
have
a
good
meeting
today.
So
we'll
start
by
going
through
some
issue
triaging.
B
B
C
A
B
B
A
B
Okay,
but
I
haven't,
I
hadn't
read
this
one,
it's
strange
because
it
it
it
says
actually
about
hatzener,
firewall,
ssh
blocking
parts
but
cubelet,
but
I
can't
see
like
I
have
installed
some
sort
of
network
policy
or
something
like
that
free
switch
image.
Oh
damn
microc,
do
we
have
anyone
like
with
knowledge,
sweet.
B
B
Yeah,
so
I
guess
I
guess
this
is
not
related
to
network
policy
andrew
so
because
it's
like
it
says
about
dockercon
balls
host
network
tubeled.
So
I
guess
we
can.
We
can
leave
this
for
sig
network
triage
or
maybe
we
we
can
take
a
look
out
of
the
out
of
the
media.
So
I
guess
we
can.
We
can
move
forward
yeah.
A
D
A
Exactly
cool,
so,
let's
keep
moving
through
this.
I
the
two
main
things
on
the
agenda
today.
Obviously
I
keep
talking
about
v2
and
then
also
on
a
separate
thread.
I
just
wanted
to
see
if
there
was
a
another
closer
scope
network
policy
update,
we
can
do
either
or
first
whoever
wants
to
hop
in
anyone.
Anyone
vinay
have
you
had
time
to
talk
to
the
rest
of
your
team
about
owning
this.
E
Yes,
so
we
I
did
have,
I
did
start
a
discussion
and
there
is
like
a
as
you
know,
looking
at
the
large
company
I'm
having
some
consensus
issues.
So
there
is
like
that.
So
just
give
me
like,
if
you
can
indulge
me
for
like
give
me
a
little
bit
more
time.
I
think
I'll
try
to
come
back
with
a
more
definitive
answer,
so
there
it
is.
I
mean,
as
you
know,
I
don't
know.
E
If
you
guys
know
this
thing
or
not,
but
gobind
myself
and
satish
have
been
involved
on
the
cluster
network
policy
cnp
and
maybe
so
they're
saying
like
well.
Can
we
like
look
into
that
first
before
we
jump
on
the
youtube
bandwagon?
So
again,
it's
all
the
question
of
like
in
the
math
of
resources,
how
much
time
we
have
so
in
the
meantime.
Having
said
that,
I
don't
want
to
hold
people
faster
if
anybody
wants
to
run
with
it.
A
Okay,
yeah
no
worries
at
all
totally
understand.
You
guys
have
a
lot
on
your
plate
right
now.
I
think
if
you
guys
haven't
been
introduced
yet
andre
fadet
is
also
on.
This
call
he's
another
red
hatter
who
is
kind
of
hopping
on
this
effort
with
me
to
help
out.
So
I
think
we
still
have
some
more
discussion
to
do
offline,
but
we
definitely
might
be
able
to
by
next
week
have
an
idea
if
we
can
take
a
more
andre.
A
E
F
D
A
Cool,
well,
that's
good
to
know-
and
you
know
I
think
too,
like
this
is
gonna
be
a
large
v2
is
gonna.
It's
gonna
be
one
per
one,
maybe
group
owning
a
document
and
then
pushing
everyone
to
cooperate
right.
This
is
not
something
that's
ever
gonna
get
passed
or
move
anywhere
without
the
whole
consensus
of
this
group.
To
the
point
that
we
can,
you
know,
produce
a
document
that
is
then
presented
to
the
larger
group,
but
we
have
a
lot
of
work
obviously
to
do
before
it
can
even
begin
thinking
about
that
and.
B
And
have
you
seen
that
we
are
on
the
correct
timing
right
folks,
because
probably
closer
than
cluster
scope
and
network
policy
is
going
to
to
be
on
on
v2
api?
Also,
there
was
a
discussion
lastic
network
meeting
that
it
cannot
be
probably
inside
net
networking
case
io
slash
v1
alpha
1,
because
the
api
is
already
stable.
A
B
E
B
B
B
We
cannot
have
a
new,
a
newer
kubernetes
networking,
kubernetes
io,
slash
v1
alpha
one
again,
because
the
v10
alpha
one
got
already
ripped
off
from
the
code,
so
this
might
get
some
sort
of
conflict
with
with
client
goal
and
other
parts,
but
this
was
like
something
that
even
tim
didn't
know
how
to
answer.
So
he
he
was
going
to
ask
for
jordan.
I
guess.
E
H
I
I
think
I
I
joined
the
temporary
for
the
sig
network
meeting
last
thursday.
I
still
didn't
tim
say
that
he
already
talked
to
the
api
machinery
guys-
and
I
remember
his
own
words-
was
that
they
admit
this
is
sort
of
like
a
a
problem,
but
they
didn't
know
how
to
fix
it
easily
something
along
those
lines.
So
yeah.
B
H
All
of
them
are
sort
of
like
crv,
spec
related
and
the
semantics
related.
They
didn't
really
look
closely
enough
to
the
to
the
you
know,
group.
Until
we
opened
up
the
cap
officially
and
they
and
antonio
stepped
out
and
said
hey,
this
is
not
going
to
work.
You
know
you
can't
put
a
view
on
alpha
one
version
on
the
stable
api
group.
So
that's
when
we
came
to
to
to
sort
of
like
figure
out.
This
is
a
problem.
F
H
A
F
F
A
Just
trying
to
think
about
how
we
can
get
past
this
kind
of
roadblock
right.
So
the
problem
is,
we
can't
add
cluster
scope,
network
policy,
an
unstable
feature
to
a
stable
channel
right,
so
I
mean
it's:
either
you
go
to
a
v2
and
we
kind
of
roll
it
out
while
we're
rolling
out
network
policy
v2
or
there's
another
hack
right.
Those
are
the
only
ways
forward
right
now
and
there's
no
pressure
on
anyone
to
really
do
it
unless
we
put
it
on
the
the
the
thing
of
the
crd.
B
H
That's
a
I,
I
think,
that's
a
really
valid
point
I'll
I'll.
Do
some
research
and
bring
it
up
with
the
with
abc,
who
is
also
he's
on
opportunity
leave,
so
he
only
joins
our
thursday
meetings
for
the
class.
Now
policy
I'll
definitely
bring
this
this
up
for
a
discussion
on
our
regular
state
meetings
and.
I
H
Know
it
feels
like
they're
getting
mangled
the
cluster
scope
policy
because
golden.
If
you
see
the
recent
comments
on
the
on
the
cap,
there
is
one
point
that
antonio
raised,
like
the
first
few
comments
about.
If
we,
whether
we
can
make
you
know
the
cluster
network
policy,
a
v1
alpha
1
into
the
network
policy,
dot
io,
because
it's
already
v1,
so
it
doesn't-
doesn't
allow
us
to
add
a
new
view
enough
of
one
version
of
crd
into
the
same
group.
H
H
I
A
I
Yeah-
and
I
don't
want
on
that
subject-
sorry,
I'm
just
trying
to
understand
like
I'm
reading
through
the
notes
and
stuff
as
well
for
the
v2
conversation,
what
what
are
some
of
the
or
maybe
this
is
still
working
progress.
So
that's
that's
totally
fine,
but
I
just
wanted
to
understand
what
are
the
the
main
goals
of
v2
policy?
What
are
we
trying
to
solve
and
why
does
that
necessitate
a
v2
necessarily.
A
So
I
think
some
of
the
guiding
principles
we
we
started
discussing
last
week,
a
lot
of
people
weren't
here
and
there
is
still
not
a
clear
dock
that
is
owned
by
anyone
that
is
describing
everything.
That's
kind
of
our
first
goal
is
to
get
a
get
a
doc.
Answering
all
those
questions
very
succinctly
right.
A
Do
we
go
back
and
we
try
to
edit
and
squeeze
in
these
features
to
the
existing
network
policy
spec
or
do
we
you
know,
look
into
a
v2
and
that,
along
with
the
fact
that
there
were
some
grievances
against
how
it
works
right
now,
for
instance,
the
fact
that
that
all
pods
can
talk
to
every
other
pod
until
any
policy
applied
and
then
at
that
point,
they're
cut
off
by
default,
like
that
implicit
behavior
should
be
explicitly
defined
by
a
network
policy.
So
that's
like
a
couple
of
the
reasons
so
yeah.
I
A
I
So
you
know
like
maybe
then
it
could
be
like
yeah
sure,
like
you
know,
let's
do
a
v2
and
then
there's
a
significant
change
in
sort
of
the
motivation
and
the
scope
of
of
what
this
api
does.
But
if
it's
you
know
if
it's
mostly
changing
some
of
the
semantics
to
make
it
more
obvious
or
what
have
you
or
adding
some
convenience
selectors
I
mean
I
you
know
like,
for
example,
customer
policy
is
a
huge
effort
on
its
own.
I
You
know,
we've
been
working
on
it
for
several
months
across
several
different.
You
know
members
and
like
you
could
have
almost
argued
that
oh
cluster
network
policy
almost
deserves
like
or
will
force
number
policy
into
the
v2
land
and
we
have
to
come
up
with
a
new
api
and
define
a
v2
version
of
it,
and
even
that
we
were
able
to
sort
of
like
you
know,
sort
of
you
know
ignore
or
slash.
You
know
work
around.
I
I
should
say
you
know
in
the
the
v2
conversation
and
have
it
be
interoperable.
So
that's
kind
of
the
reason
I'm
I'm
wondering
like
what
is
the
sort
of
ground
truth
and
the
principle
on
which
we're
basing
the
decision
of
coming
up
with
the
v2
api.
And
if
it's
well
understood
you
know
it
would
be
very
well
like
it
would
be
worth
our
time
to
like
you
know,
do
that
before
we
jump
into
it.
A
Yeah-
and
you
know
we
had
brought
this
up
a
long
time
ago,
and
then
it
came
up
again
two
meetings
ago,
and
that
was
the
meeting
where
I
think
a
lot
of
us
agreed
on.
You
know
pushing
forward
with
it.
As
you
can
see
in
the
agenda,
we
were
talking
about
service
selectors
and
then
all
of
a
sudden
it
was
like.
Well,
let's
do
this.
Let's
start
talking
about
v2.
F
F
It
requires
absolutely
no
cni
knowledge
whatsoever,
which
is
we
could
build
a
set
of
common
crds
which
express
the
v2
semantics
but
then
generate
under
the
hood
v1
policies
right
and
then
we
would
prove
out
a
v2
api
which
worked
on
any
cni
provider,
and
you
know
I
I
know
matt
fenwick
has
done
some
of
this
already
right.
He's
demonstrated
that
you
could
do
some
of
this.
I.
F
A
Yeah
I
mean
we
have
a
egress
firewall
that
can
operate
on
dns
names
right,
but
I
mean
that's
kind
of
the
l7
thing,
but
you
know
that
a
bunch
of
questions
arise
when
you
say
okay,
we
can
take
anyway.
I
think
that's
a
day,
two
conversation.
We
need
to
unite
on
the
fact
like-
and
I
thought
we
did
this
two
weeks
ago,
but
now
I'm
hearing
a
little
bit
of
contention-
and
you
know
I've
had
my
own
second
thoughts
again
after
thinking
about
it
for
a
while.
So.
D
A
H
H
G
E
H
A
F
A
J
I
F
I
Yeah
yeah,
but
I
think
I
think
the
the
only
thing
I'm
trying
to
get
at
is
and
then
obviously
a
v2
conversation
is,
is
great
and
welcome.
I
just
want
to
understand
you
know
from
my
perspective
like
what
what
the
yeah
sort
of
motivation,
the
prime
motivation
for
that
is
and,
like
you
know
whether
v2
is
the
only
answer
because
it
with
with
a
new
api.
As
I'm
sure
everybody
understands
it,
comes
like
the
load
of
educating
customers,
migration
to
the
new
api
and
interop.
With
the
you
know,
old
api.
A
A
Is
it
going
to
work?
Is
it
only
going
to
work
for
some
half
of
the
feature
set
of
v2?
I
mean
it's
all
questions
we
started
to
ask
last
week.
I
think
it
boils
down
to
the
fact
look.
We
have
these
new
features
we
want
to
implement
with
network
policy.
We
also
have
some
grievances
against
how
network
policy
is
right.
Now,
what's
the
way
forward,
I
mean.
F
A
His
idea
was
you
already
have
a
cluster
scope
network
policy
in
the
works.
Why
don't
you
make
a
new
object
and
call
it
like
an
application
network
policy
right?
So
then
you
have
one
that's
handled
by
administrators,
more
so
and
then
another
that's
handled
by
application
developers,
whereas,
like
right
now,
network
policy
is
mainly
handled
by
by
both,
but
application
people
can
still
go
in
and
mess
stuff
up.
D
So
I
can
ask
a
stupid
question,
so
all
this
stuff
I
mean
a
while
ago,
so
it's
about
nested
namespaces,
which
will
always
obviously
break
complete
havoc
with
all
the
selectors.
So
so
it's
almost
pushes
in
network.
I
mean
nested
namespaces
right
then,
anyway,
all
the
policies
needs
to
be
redone.
So
is
that
ever
going
to
happen
necessarily.
D
That's
that's
what
I
meant,
but
I
mean
if
that
comes
in
then
another
sudden
you
have,
even
if
it's
just
one
level
right,
the
the
the
whole
the
whole
label
mechanism
becomes
much
more
complicated
and
the
the
policies
are
the
stuff
that
I
see
will
be
hit
hardest
because
your
your
pod
definitions
and
so
on,
yeah.
Well,
you
do
it
always
from
the
relative
point
of
the
namespace,
whereas
the
policies
are
so.
The
application
policies
could
then
work
within
sort
of
the
top
name
space.
D
D
A
A
F
I
F
A
F
F
I
I
F
A
And
I
think
you
know
if
we
can
get
that
written
down
that'll
be
crucial
because
that's
been
my
kind
of
push
for
the
past
last
two
weeks.
Is
you
know,
regardless
of
what
we
want
to
do?
Let's
get
it
written
down
documented
so
that
it's
there
for
anyone
to
see,
and
we
haven't
done
a
good
job
of
doing
that.
Yet
so
cool
and
I
mean
regardless.
We
need
to
figure
out
a
way
forward
for
these
new
features.
So.
D
So
from
from
what
I
understood
from
you
before,
right
and
a
large
part
did
not
do
it
in
v1,
it's
the
struggle
every
time
you
want
to
change
something.
So
if
you
would
define
it
fs,
it
would
be
a
v2.
At
least
you
would
have
all
the
you
would
be
able
to
add
attributes
and
all
this
stuff
without
much
of
discussion.
And
then
you
can
have
a
discussion
at
the
end,
whether
you
go
v2
or
not,
and
if
it's
not
12,
then
you
know
what
needs
to
go
into
v1.
F
F
A
F
A
F
Up
his
old
quotes
so
but
like
yeah,
he
said
this
and
it
was
like
real
interesting
he's
like
well.
The
biggest
mistake
we
made
is
not
writing
policies
against
the
service
right,
not
making
that
a
first
class
principle
right.
So
yeah
we're
going
to
have
to
write
this
up.
It's
going
to
be
a
little
work.
I
feel
like
andrew.
Maybe.
A
D
F
F
A
Cool
great
awesome:
well,
I
think
that's
pretty
much
all
we
have
you
know
and
at
on
the
same
token,
should
we
set.
We
don't
even
need
to
set
a
date,
but
we,
I
think
our
goal
over
until
it's
done
is
just
to
be
like
firmly
all
everyone
in
this
meeting
all
in
on
v2
or
if
someone
has
a
better
idea
to
please
bring
it
up
like
we
still
want
to
hear
other
ideas,
but
at
some
point
we
have
to
move
forward
with
one
one
or
something
else
right
with
v2
or
so
so
it.
A
A
A
D
The
so
the
world
I
live
in
multi-networking
is
a
fact
sort
of
that.
There
is
many
networks,
many
network
attachments,
many
addresses
and
is
one
thing:
what
happens
in
the
pod
right,
how
you
sort
it
out
and
there's
another
thing
how
the
kubernetes
framework
can
handle
it,
and
I
started
out
believing
that
it
couldn't
work
together.
I
changed
my
mind
over
the
last
six
months.
I
think
that
kubernetes,
I
call
it
from
the
semantics
and
the
bass
has
really
no
problems
with
with
multi-networking.
D
Okay
there's
certain
things.
That's
only
provided
on
the
first
interfaces,
but
it
wouldn't
have
to
like
network
policies,
there's
nothing
in
the
policies
that
really
talks
about
an
interface
it
does
to
assist
us.
This
group
of
pods
can
or
cannot
talk
with
this
other
set
of
parts.
I
mean
you
have
the
angus
ingress
and
the
egress,
and
it
says
nothing
about
which
interface
it
come
out
for
the
for
the
service
is
a
bit,
is
sort
of
that
there's
so
assumption
that
is
at
first,
but
it
would
be
very
easy.
D
The
same
thing
say
same
thing,
and
I
want
to
have
a
set
of
addresses
that
works
on
this
network
that
should
be
able
to
load
balance
over
another
set
of
poor.
I
mean
over
another
interface
or
network,
so
to
speak,
there's
nothing
in
the
semantics
of
how
how
things
are
set
up
that
that
stops,
that
so
telcos
and
all
of
these
that
wants
to
run
their
5g
stuff,
because
5g
now
is
specified
that
it's
going
to
use
containers.
So
everyone
has
had
their
call
it
infrastructure
as
a
service
vnf.
D
So
now
they're
going
to
move
it
over
to
containers
first,
they
think
they
can
just
take
them
around
them.
That
will
never
work,
but
I
mean,
even
if
you
rewrite
it,
it's
going
to
be
multi-network
and
people
are
going
to
have
to
use
vrfs
in
the
containers
and
so
on
and
sort
that
out,
but
what
they
do
in
the
container
doesn't
really
kubernetes
as
such.
Doesn't
care
right
same
thing
with
the
constant
network
orchestration
kubernetes
is
not
set
up
to
handle,
it
should
never
do
kubernetes.
Can
you
can
define
a
network?
D
D
How
can
we
do
this,
but
I
do
think
sort
of
that
it
should
be
possible
for
someone
like
me
to
write
network
policies
that
works
over
multi-networking.
It's
simple
to
do.
If
you
do
it
from
the
beginning,
you
think
of
it,
and
as
long
as
it
doesn't
destroy
right
now,
shouldn't
say
the
story.
It
doesn't
change
the
semantics
for
someone
that
doesn't
use
these
things.
D
It
shouldn't
be
a
problem
and
sort
of
see
if,
if
the
kubernetes
community
is
starting
to
get
open
to
sort
of
see,
that
multi-networking
is
problematic
because
any
multi-homing
you
never
know
which
interface
it
goes
out.
But
if
someone
knows
how
to
handle
that
at
least
the
framework
shouldn't
sort
of
stop
it
so
right
now
and
we
have
the
call
it
the
eth0
network
and
then
we
have
the
cni's
only
doing
all
sort
of
and
every
cni
does
it
differently
and
it
just
doesn't
make
any
sense.
D
We
have
annotations
sitting
in
the
pods,
that's
that's
specified
by
network
plumbing
groups
and
multis,
and
so
on,
and
it's
it's
there.
So
I
think
that
same
thing
when
you
discuss
v2
here,
if
you're
going
to
discuss
v2
for
networking
at
some
point,
those
things
should
go
in
there
as
well,
but
it
should
needs
to
be
done
in
a
way.
That's
not
changing
the
base
semantics
of
kubernetes
and
if
it
changes
something
it
should
be
by
extending
it
for
those
specific
use
cases
not
changing.
What's
there
if
it's
not
needed.
A
C
This
group
yeah
hi,
my
name,
is
prasad.
You
know
this
is
first
call
I'm
joining
and
you
know
I
work
at
juniper
and
you
know
I'm
one
of
the
current
trial.
You
know
initial
members,
if
you
know
about
contrail,
and
I
help
in
I
worked
in
openstack
and
those
areas
so
right
now,
you
know
we
are
started
looking
into
kubernetes
areas
so
and
I
started
looking
into
the
network
policies
and
you
know
wanted
to
help
in
this
area.
C
A
C
Thank
you,
and
is
there
a
way
you
know
like?
What's
the
starting
point,
like
you
know,
I
mean
I
wanted
to,
you
know,
get
onto
the
notes.
Whatever
happened
earlier,
you
know
maybe
just
wanted
to
quickly
browse
through
you
know
so
that
you
know
we'll
get
a
little
more.
You
know
clarity
on
some
of
the
areas
which
you
are
talking.
A
Yeah,
definitely
our
agenda
has
a
lot
of
stuff.
That's
going
on.
That's
probably
the
best
central
place
for
notes.
I
would
say
right
ricardo.
It
should
contain
most
sorry.
I
was
looking
to
another
screen
andrew,
oh
no
you're,
fine,
I
was
just
prasad-
was
just
asking
for
best
ways
to
kind
of
read
up
on
what
we're
doing
and
where
we're
getting
started-
and
I
just
pointed
them
to
the
agenda.
Yeah.