►
From YouTube: WG-Network Policy API Bi-Weekly Meeting for 20220606
Description
WG-Network Policy API Bi-Weekly Meeting for 20220606
A
Okay,
hello.
Everyone
today
is
june
6
2022..
This
is
a
meeting
of
the
sig
network
policy,
api
subgroup
to
sig
network.
This
is
a
cncf
certified
meeting,
so
please
be
nice
to
each
other
and
let's
have
a
good
day
as
I
was
stating
before
I
started,
recording
not
too
much
on
the
agenda
today.
I
do
see
a
new
face.
Hi
brian,
would
you
like
to
just
give
us
a
quick
intro
while
you're
here?
B
Yeah
I
recently
took
on
a
new
roles
principal
at
thoughtworks.
They
have
a
pretty
heavy
open
source
program
and
I've
been
a
user
of
kubernetes
forever.
So
just
trying
to
find
groups
where
I
can
jump
in
and
help
and
see
where
I
can
get
involved
network
is
one
of
the
ones.
I
work
with
a
lot
so.
A
Awesome
well
we're
happy
to
have
you.
We
definitely
need
help.
As
you
can
see,
we're
a
pretty
small
community.
I
think
we've
been
getting
smaller,
so
we're
trying
to
increase
our
sphere
of
influence,
moving
forward
yeah
and
our
agendas
in
the
calendar
invite,
if
you
look
back
and
and
one
of
our
main
efforts
right
now
is
admin
network
policy
which
we're
we've
got
to
kept
submitted
and
we're
finalizing
the
state,
the
final
stages
of
ap,
the
api
itself.
A
A
Yeah,
thank
you
for
coming
cool.
So
on
the
admin
network
policy,
api
dan.
I
got
to
your
changes
about
a
week
ago.
I
think-
and
I
besides,
that
I
don't
think
there's
anything
left
to
do.
Do
you
think
we're
nearing
kind
of
merging
of
the
pre-v1
alpha
one
version
of
this
api,
or
is
there
much
left
to
do.
C
Well,
I
don't
think
this
is
even
pretty
be
one
alpha
one
I
mean
this
is
v1
alpha
one
right,
I
so
yeah.
I
should
have
gotten
back
to
this
sooner,
but
I
actually
just
tagged
it
lgtm
hold
now,
so
it
now
has
lgtm,
but
it
also
has
hold,
because
I
was
saying
it
would
be
good
to
get
tim
to
look
at
it
again,
especially
with
the
change
that
he
made
with
ports
to
have
the
pointer
to
array.
C
A
Right,
that's
what
I'm
thinking
I
mean
people
are
going
to
find
bugs
as
we
start
implementing
it.
So
I'm
I
I
would
like
tim
to
see
it
too
and
I'll
try
to
do
a
little
more
research.
I
said
on
the
review
on
your
review
that
I
would
do
it
and
I
haven't
gotten
a
chance
to.
I
think
if
we
can
find
an
example
somewhere
else
in
the
api
or
crd
somewhere,
where
they're
doing
that.
That
would
be
sufficient
right
dan
for
at
least
the
pointer
to
the
array.
D
A
Yeah
yeah,
we
should
define
it.
We
should
be
able
to
define
it
as
a
good
practice
or
not
before
we
implement
it
fair
enough
awesome.
Well,
thanks
for
all
your
work
on
that,
I
will
reach
out
to
tim
and
just
give
him
a
poke
to
give
it
a
last
review
and
see
if
he
has
any
huge
problems
with
it,
if
not
we'll,
go
ahead
and
move
right
along.
So
that's
exciting
any
other
questions
with
admin
or
policy
yang.
D
Another
question,
but
I
just
realized
I
I
promised
to
do
a
round
overview
for
the
a
cap
updates,
but
I
forgot
to
do
that
so
I'm
adding
this
to
my
calendar
and
I'm
I'll
make
sure
I
do
that
for
for
this
week,
and
I
I
I
just
took
a
quick
look.
D
It
seems
like
it's
just
all
you
know
api
updates
and
those
look
good
to
me,
but
I,
as
I
said
last
time,
I
will
you
know,
go
through
the
cap
one
more
time
and
see
if
there's
any
narratives
in
the
description
that
has,
you
know
changed
since
you
know
the
campus
merge
and
the
new
api
has
spawned.
So
I
I
I
feel
like
there
is
something
that
might
need
to
be
updated
in
those
lines,
but
I'll
I'll
guess
I'll.
D
Just
push
a
commit
on
top
of
your
your
commit,
so
that
we
include
these
things.
A
Yeah
feel
free
to
steal
my
commit
in
your
npr.
If
you
want-
and
I
can
close
it,
there
is
some
unresolved
and
the
unresolved
items
you'll
see
in
the
cap.
Those
are
all
should
all
be
fixed,
so
you
can
also
update
that,
but
it's
pretty
clear
yeah.
I
would
do
cool
awesome.
So
that's
exciting.
I
will
definitely
ping
tim.
A
You
know
next
steps,
in
my
mind
at
least,
are
possibly
further
explore
exploration
of
dan's
idea
of
an
evpf
implementation
for
this
upstream.
Just
to
like
get
people
excited,
spread
awareness
but
more
sorry,
go
ahead.
Dan.
C
C
You
can't
do
it
on
pod
egress,
because
that's
before
service
proxy-
and
you
can't
do
it
on
pod
ingress
because
that's
after
network
policy,
so
it
has
to
happen
in
the
middle
of
the
the
existing
plug-ins
processing,
and
so
that
makes
it
a
little
trickier
to
to
figure
out
how
to
generically
insert
it
in
a
way
that
would
work
with
all
network
plug-ins.
A
Yeah,
no,
no
for
sure
I
mean
I
think,
reaching
and
trying
to
get
it
to
work
with
all
network.
Plugins
is
definitely
far.
I
was
thinking
even
before
that
just
getting
a
poc,
maybe
that
folks
could
just
spin
up
locally
and
play
with
like
and
and
maybe
that's
just
with
cubenet
and
upstream
q
proxy,
like
I
think
we
could
make
that
work
to
start.
C
A
And
you
do
you
mean
iptables
rules
pointing
to
bpf
programs
or
just
yeah
yep
and
maybe
a
little
off
topic,
but
in
some
cases,
if
we're
pointing
a
packet
to
a
bpf
program
from
an
iptables
rules,
doesn't
that
you
know
not
make
it
as
worthwhile?
Because
technically
you
want
to
be
hitting
the
bpf
program
in
kernel
space
before
you
even
touch
ip
tables.
C
C
You
know
so
fair
enough,
you're
you're,
not
bypassing
every
possible
bit
of
kernel
network
processing
that
you
could
be
bypassing,
but
I
I
I
don't
think
you
really
want
like
like
a
lot
of
times,
people
when
they
start
to
look
at
evps
sure
if
they're
like
oh,
we
could
just
like
directly
slice
these
two
sockets
together
and
completely
bypass
everything
in
the
universe
and
yeah
you
can.
But
it's
gonna
make
it
really
hard
to
debug
yeah.
D
C
D
C
So
but,
like
you
know,
if
you
can
turn
10
000
iptables
rules
into
a
single
evpf
call,
then
you
win.
C
A
Yeah
and
I'm
getting
into
the
weeds,
I'm
more
just
thinking
about
uvpf
but
cool.
So
it's
a
good
idea,
there's
some
interest.
It
may
not
be
as
useful
as
you
first
thought.
I
still
think
it
would
be
an
exciting
study
for
someone
looking
to
get
into
ebpf.
D
A
D
Cool
I'm
no
expert
in
the
ebpf
at
all,
but
I'll
I'll,
just
I'll
just
say
that
for
obs
out
of
implementations
you
can
definitely
count
on
entry
implementing
it.
It
will
be
sort
of
like
a
reference
implementation
and
we'll
already
start
working
on
it.
So.
A
Oh
nice
yeah
we'll.
Definitely
I
assume
no,
we
will
definitely
do
it
in
oven,
kubernetes.
I
don't
know,
I
will
definitely
be
helping
a
little
bit.
I
don't
know
if
dan
will,
but
we
got
to
get
the
api
merge
first
and
then
we'll
decide.
I
guess
we
could
start
a
little
early,
but
we
haven't
yet
cool
the
next
action
item.
So
as
the
api
kind
of
kind
of
comes
into
into
its
own
there's
a
lot
of
other
stuff.
We
need
to
do
when
you
start
thinking
about
documentation.
A
We
need
to
start
thinking
about
tools.
We
want
to
start
putting
together
for
the
annual
network
policy
api.
Basically,
the
question
is
like
what
we
want
to
do.
Moving
forward
with
the
network
policy,
api
repo
like
right
now,
it's
pretty
ugly
and
bare
bones
it's
about
to
have
an
api
in
it.
What
else
do
we
want
to
do?
A
I'm
looking
for
you
know
other
ideas
here
with
the
goal
in
mind
to
make
it
kind
of
a
place
for
folks
who
want
to
learn
more
about
policy
kubernetes
policy
in
general,
so
maybe
that's
the
coalescing
of
network
policy
docs
and
then
also
the
addition
of
new
admin
network
policy
tools,
something
along
those
lines,
but
need
help
with
that.
There's
a
lot
to
do
there,
so
we
just
need
to
make
it
better
looking
because
it
reflects
our
our
working
group
and
right
now.
It's
bare
bones.
D
So
so,
in
terms
of
documentation,
I
was
thinking
on
lines
of
what.
What
exactly
in
your
mind,
will
will
be
something
to
be
added
in
addition
to
what
the
cap
has
right,
because
so
so
the
cap
is
sort
of
like
the
proposal
right.
So
it
does
have
all
the
api
documentations
and
how
we
arrived
at
that.
But
I
guess
in
the
in
actual
repo,
the
documentation
might
need
to
be
more
focused
in
terms
of
use
cases
and
how
you
know
people
can
get
started
on
using
those
things.
Yeah.
A
D
I
know
I
know
but,
but
I
feel
like
the
cap
has
a
already
has
a
good
section
of
five
or
six
user
stories
with
sample
apis
that
we
can
just
as
a
starter,
throw
in
there
because
right
now
it
has
something
like
if
you
wanted
to
isolate
every
namespace
in
the
cluster
right.
What
is
a
I
mean
our
policy
that
can
enable
that-
and
this
is
probably
the
some
first
bits
we
want
to
throw
in
the
documentation
for
it.
A
Right,
I
agree
so
first
bits
we
can
pull
from
kep.
You
know
as
kind
of
a
colorful
exploration
as
where
we
can
go.
I
I
definitely.
I
would
one
day
like
to
look
like
the
gateway
api
docs
because
they're,
in
my
opinion,
pretty
good
and
they
have
like
a
dedicated
website
already
built
and
it
I
think
it's
pretty
easy
to
build
a
website
like
that
using
mktop
mk
docs,
which
is
the
tool
they
used.
So
I'd
like
to
look
into
that
for
sure.
A
So
we
have
a
website
rather
than
just
a
repo,
that's
definitely
a
first
goal
and
beyond
the
kep.
You
know
I
think
it'd
be
nice
to
illustrate
what
yamls
are
going
to
look
like
for
a
couple
more
common
use
cases
so
so
start
with
the
kept
right
yang
and
then
expand
on
providing
some
more
sample
yamls
just
for
folks
who
maybe
want
to
go
a
bit
deeper.
A
Cool
and
then
the
last
bit
I
had
on
there
is
adding
cyclonus.
So
this
is
less
about
adding
cyclonus
to
that
repo
more
about
do.
We
want
to
store
like
more
tools,
network
policy
and
policy
related
tools
in
the
network
policy,
api
repo,
as
well
as
like
admin,
network
policy,
definitions
and
stuff
like
that,
or
should
we
look
at
making
a
new
repo
because,
obviously
we're
going
to
need
to
add
some
developer
tools
for
amp,
so
those
are
going
to
have
to
either
live
here
or
somewhere
else.
A
D
Just
just
as
a
reminder:
what
tools
will
we
actually
thinking
about
foreign
policy
when
we
were
talking
about
it?
I
know
you
know
we
wanted
something
sort
of
like
which
illustrates
how
maybe
deny
allows
in
the
by
the
time
the
baseline,
allow
you
know,
work
together,
so
so,
in
today's
context,
maybe
something
really
similar
to
psychonus
in
in
the
sense
of
if
we
have
both
these
three
or
four
policies
stacked
together
and
some
of
them
can
even
be
baseline
and
then
what
will
traffic
look
like
from
one
part
to
the
other?
D
Is
that
some
is
that
the
the
tools
that
we're
we're
having
in
mind
or
right
now.
A
So,
like
maybe
a
cube
cuddle
plug-in
that
says,
like
cube
couple
cube,
could
will
describe
a
pod
and
right
now
you
can
do
that
for
network
policy
and
stuff,
but
maybe
you
could
do
like
describe
security
context
of
a
workload
and
it
shows
you
like
the
network
policies,
the
admin
network,
policies,
etc.
That
are
touching
that
work,
that
workload
and
if
traffic
maybe
is
going
to
be
denied
or
allowed.
I
don't
know
something
along
those
lines.
D
We
do
we
have
that
for
for
for
upstream
kubernetes,
regardless
of
cnn.
I
I
I
find
that
hard
to
believe.
A
A
C
So
and
if
you're
going
to
be
implementing
admin
network
policy
in
evpf
you're
going
to
have
to
write
some
code,
that
will
look
at
the
current
sets
of
namespace
and
pod
labels
and
policies
and
figure
out,
like
all
that
stuff.
So
you
can
translate
it
into
the
data
structure
that
the
ebp
program
will
use
so
like.
If
you're
careful,
you
ought
to
be
able
to
reuse
that
same
code
in
the
you
know,
figuring
out
which
pods
this
network
policy
applies
to
for
debugging
purposes,
code.
D
D
Right
and-
and
I
I
think
it's
also
the
case
for
our
cni's,
because
for
whatever
cnn
was
implementing
this,
I
would.
I
would
believe
that
the
same
thing
will
happen
right,
so
in
cni
they
must
have
some
sort
of
like
internal
stores
on
you
know
what
what
parts
are
this
policies
selecting
and
what
are
the
ingress
and
egress
peer
currently,
so
so,
if
we
just
pull
that
out
from
a
cni
cache
or
or
whatnot,
it's
also,
it's
gone
also
gonna
work.
D
You
know
really
smoothly,
but
I
don't
want
this
to
be
tied
to
a
specific
scene,
either
right.
A
So
I
had
some
thoughts
this
morning
kind
of
along
those
lines
like
we
could
almost
mimic
what
kpng
did
for
network
policy
like
decoupling,
the
kubernetes
bits
and
providing
like
a
clean
api,
so
that
you
know
folks
who
are
implementing
only
have
to
implement
responses
to
an
api,
but
there's
a
shim
layer
in
there
allowing
you
to
do
observability,
troubleshooting
everything,
but
obviously
that's
a
little
further
out.
Just
just
a
thought
I
had
could
be
cool.
You.
A
Just
like
network
policy
today,
some
cni's
don't
even
implement
network
policy,
but
some
do
so
so
we'll
be
following
the
same
thing:
we're
just
finding
api
inventors
will
do
what
they
will
same
with
the
gateway
api,
et
cetera,
et
cetera,
but
gotcha.
Lately,
there's
been
some
more
initiatives
towards
you
know,
looking
at
bringing
some
of
this
functionality
upstream
or
closer
to
upstream,
maybe
in
the
sig
groups.
So
having
like,
we
talked
about
before
reference
implementation
upstream.
A
B
A
So
it'd
be
cool
to
bring
some
of
that
that
knowledge
to
the
wire
community
for
sure,
okay,
I
think
we
have
some
good
things
to
go
on.
I
have
an
action
item
to
poke
tim,
which
I've
gotten
pretty
good
at
I've
poked
him
a
lot
throughout
this
process.
A
Otherwise,
there
is
also
going
to
be
an
article
ying
and
I
had
started
a
while
back
that
we're
going
to
try
to
put
out
onto
their
waves
once
this
is
kind
of
finalized
and
merged,
just
kind
of
presenting
admin
network
policy,
and
we
also
submitted
a
kubecon
talk
last
week
for
north
america
to
kind
of
present
a
p
to
the
community
and
see
where
we
can
go
with
it.
A
I'm
folks
take
that
as
a
no
well
thanks,
you
all
for
all
coming
today,
thanks
for
the
continued
review.
Oh
sorry,
we
have
one
more
edition:
hey
victor
how's,
it
going.
D
I
think
I
think
he
or
she
just
was
just
connecting
to
audio
and
didn't
hear.
Oh,
I
gotcha
I
gotcha
hi
victor
we're
just
measuring
the.
We
have
a
new
edition
here.
So
maybe
you
want
to
introduce
a
little
bit
about
yourself
and
what
brings
you
here
maybe.
A
Oh
yeah,
I'm
actually
just
interested
to
learn
at
this
point
cool.
Well,
we
were
just
wrapping
up
the
meeting
for
today,
but
if
you
want
to
learn
a
little
more
about
what
we're
doing
and
definitely
check
out
the
agenda,
we
have
most
of
our
action
items.
We've
been
doing
a
lot
of
them
around
a
new
resource
called
admin
network
policy,
but
you
know
that's
coming
to
an
end
and
we're
looking
to
expand
and
wrap
up
moving
forward
onto
new
things.
So,
okay,
we
also
are
all
on
kubernetes
slack.
A
So
we
have
a
channel
specifically
for
this
working
group
so
feel
free
to
reach
out
with
any
questions
along
the
way
and
yeah
we're
happy
to
have
you
here.
A
Cool
okay,
pretty
short
for
today.
Thanks
again,
I
hope
you
all
have
a
good
rest
of
the
week
and
we'll
talk
to
you
soon.
Bye.