►
From YouTube: Network Policy API Meeting for 20230606
Description
Network Policy API Meeting for 20230606
A
A
It
should
be
easy
for
people
to
just
get
it
from
the
from
the
raw
GitHub
actions
thing
and
then
just
to
keep
CTL
apply,
and
that
should
work
and
I
think
this
is
the
installation
for
that
and
I
think
there's
a
nice
developer
preview
of
how
this
looks
like
under
the
guides
and
getting
started.
So
if
any
of
you
are
interested
in
doing
reviews,
it's
kind
of
an
easy
one
and
I
think
this
is
nice
to
give
it
some
thoughts.
I've
left
some
comments
and
I
think
Jan
will
get
to
them.
A
Then
I
think
the
second
one
was
something
that
I
added
I
was
trying
to
get
the
implementation
in
OB
in
kubernetes,
for
the
admin
Network
policy
and
I
noticed
that
we
have
support
for
status
in
ANP,
which
we
didn't
have
in
network
policies,
but
I
think
the
status
is
the
matter
of
even
conditions.
So
it's
it's
not
really
standardized
in
any
way,
and
it's
the
implementations
have
the
freedom
to
choose
what
kind
of
status
they
want
the
set,
which
makes
sense.
A
We
got
our
whatever
their
logic
is
for
implementing
the
policies,
but
I
thought
it
would
be.
It
would
be
nice
for
us
to
also
print
that
in
the
OC
get
output
command
for
both
Baseline
and
admin,
so
that
users
can
leverage
back
from
the
status
without
having
to
do
like
a
full
describe
of
the
policy.
So
it's
also
a
very
smart
and
new
change.
So
if
anyone
wants
to
click
on
get
it,
you
can
get
that
in
before
the
next
release.
What.
A
A
B
It's
not
I've.
A
Been
working
on
the
conformance
tests
still
I
think
what
I'm
going
to
do
next
is
so
there
there's
been
a
lot
of
PRS
that
are
floating
around
with
the
new
tests,
but
just
to
ensure
that
we
are
on
track
in
in
real,
like
these
tests
are
kind
of
helpful
for
other
implementations,
also
I'm
kind
of
waiting
on
Yang
to
give
initial
feedback
on
the
existing
tests
that
we
already
merged
and
to
see
if
those
are
also
helpful
for
Andrea
and
not
just
for
obn
kubernetes,
so
that
we
have
some
kind
of
an
agreement
on
the
framework
before
adding
more
of
them.
A
Let's
see
if
you
were,
if
anyone
is
looking
for
for
help
around
contributions
and
how
they
can
get
involved,
I
think
if
you
click
on
the
area
conformance
label,
there
are
a
bunch
of
things
that
I've
opened,
that
we
can
that
I
could
use
help
with
or
even
the
community
could
use
output
and
be
careful
I
trade
over
there.
If
anyone
wants
to
volunteer
group
pick
these
issues,
that
would
be
great,
especially
with
this
one.
A
I
actually
added
this
item
for
admin,
Network
policy,
especially
with
logging
it,
but
around
debugging
in
general,
right
I,
don't
know
how
other
implementations
are
doing
around
this,
like
for
Network
policies,
at
least
in
openshift
being
and
in
obnk.
We
have
a
specific
annotation
that
we
do
for
namespace
I'm,
not
sure
how
other
plugins
handle
this
do
any.
If
you
know-
and
if
is
there
is
this-
is
this
something
that
should
be
more
often
Upstream
option
that
we
should
provide?
Or
is
it
something
that's
very
implementation,
specific.
D
Sure
yeah
so
I
mean
on
gke.
We
have
Network
policy
logging
as
well
and
yeah.
We
support
either
a
annotation
on
a
namespace
or
we
have
our
own
crd,
which
you
can
just
use
to
flip
it
on
cluster-wide,
so
you
can
choose
either
turn
it
on
for
the
whole
cluster
or
opt-in,
individual
namespaces.
C
Yeah
I
wanted
to
just
discuss
it
in
general
because
when
you
so
first
of
all
developers
and
like
namespace
owners,
they
will
be
able
to
see
which
network
which
admin
Network
policies
exist
in
the
cluster
right.
E
B
Yeah
so
like
different
plugins
may
have
different
abilities
here
and
so
I
guess.
We'll
definitely
want
to
look
at
what
different
people
are
doing
on
their
own
for
Network
policies
and
see
if
we
think
it
makes
sense
to
try
and
have
a
standardized
way
of
saying
it
in
admin.
Network
policy
or
we
may
have
like
a
standard
way
of
requesting
logging,
but
with
no
standard
definition
of
how
the
again
implements
it.
E
C
Vlogging
right
because,
if
you're
a
namespace
owner
and
something
is
dropped
by
admin,
Network
policy
and
not
by
your
local
network
policy,
you
probably
may
want
to
know
that
like
to
debug.
But
then
yeah.
C
Yeah
but
well
that
makes
sense,
but
then
also
how
namespace
owners
will
be
able
to
see
which
network
policy
drops
their
packets.
Let's
say.
A
A
C
C
B
We
had
talked
at
one
point
about
like
possibly
having
some
way
that
you
can
figure
out
conclusively.
Yes,
my
packet
is
being
dropped
by
an
admin,
Network
policy.
You
wouldn't
be
able
to
figure
out
what
the
policy
said
or
why
it
was
dropping.
But
but,
like
you
know,
we
could
theoretically
add
that
functionality
somewhere
and
then
at
that
point
you
know
talk
to
your
admin.
D
E
D
B
So
well
I
mean
specifically,
you
know.
Nadia
was
I,
think
mentioning
about
the
position.
There's
no
standard
logging
for
Network
policy
right,
but
the
thing
we
added
in
OB
and
kubernetes.
We
added
that
because
administrators
wanted
it
not
because
you
know
end
users
wanted
it
so
the
way
that
it
logs
the
logs
go.
You
know
into
some
node
level
thing
that
only
the
admins
would
have
access
to.
So,
even
though
you
can
enable
it
on
a
namespace
basis,
it's
not
something
that
is
usable
by
namespace
admins.
It's
only
usable
by
cluster
admins
Ico.
D
A
Yeah
and
I
had
a
question
for
Rahul,
so
you
mentioned
in
gke.
You
use
either
crd
for
enabling
it
on
a
full
cluster-wide
level
or
on
namespaces
using
annotation,
and
that
namespace
is
using.
Annotation
is
rpd1ov
and
K.
Also
like
Dan
said,
though
they
don't
really
have
a
way
to
do
it
on
a
cluster
wide
level.
But
what
about
ANP
well?
Do
you
have
support
for
admin
policies
Downstream
there
or.
A
C
It
may
be
difficult
to
decide
how,
like
this
logging,
as
a
part
of
API,
should
look
like,
because
it
probably
May
provide
different
options
of
what
like,
if
you
only
provide,
enable
disable
logging
or
if
you
allow
log
levels
where
maybe
there
are
some
more
options
for
specific
implementations.
A
Yeah
I
mean
I
think
that
is
a
valid
point
that
does
depend
on
each
implementation
and
exactly
how
the
convert
the
inverse
and
Ingress
roles
in
their
implementation
on
how
the
login
makes
sense
for
them.
So
maybe
it
is
hard
to
standardize,
but.
A
Yeah
just
wanted
to
bring
that
up
to
see.
You
know
if
there
are
ideas
doing
this
upstream
or
if
we
at
least
an
OV
and
K,
should
take
care
of
this
Downstream
again.
A
C
Thank
you,
yeah.
That's
just
a
continuation
of
that
conversation
about
what's
the
best
way
to
express
tenancy
in
the
most
simple
way
that
covers
all
of
our
cases.
C
I
have
added
one
more
option
there,
which
adds
a
completely
separate
object
for
that
I
think
it
would
be
nice
to
hear
some
feedback
on
that
in
general,
if
I,
just
summarize
that
there
are
some
field.
So
when
we
talk
about
tenancy,
it
seems
like
our
use.
Cases
only
need
to
Define
tenant
to
tenant
relationships.
C
So
basically,
the
only
type
of
peer
that
we
may
have
at
this
point
is
same
or
not
same
tenant
and
like
there
are
no
other
ways
to
say
anything
that
would
make
sense
and
then
so,
based
on
some
of
the
previous
versions
of
assertive
that
then
added.
It
also
has
a
namespace
selector
that
basically
defines
which
name
spaces
are
considered
or
like
a
subject
for
this
tenancy
and
then
same
same
labels.
C
Field
just
says
how
this
that,
how
this
namespaces
are
split
into
tenants
based
on
which
labels
and
that
also
solves
one
of
the
problems
we
discussed
about
what
we
want
to
do
for
empty
labels
right.
So,
if
you
don't
want
to
consider
label,
let's
say
user
that
doesn't
exist.
If
you
don't
want
this
namespace
to
be
a
part
of
a
tenant,
you
just
add
this
exists,
selector
that
will
avoid
that
and
then
in
case
you
do
not
add
it,
there
will
be
a
separate
tenant
that
has
empty
user
label.
C
One
thing
is
that
this,
if
that's
a
separate
object,
it
needs
to
be
probably
in
the
same
priority
range
as
admin
Network
policy,
which
is
kind
of
the
same
as
it
was
before,
but
from
the
semantics
point
of
view,
but
it
will
mean
that
we
have
two
different
objects
that
operate
on
the
same
priority
range
and
then
another
question
was:
if
we
need
to
in
case
we
end
up
with
this
object.
C
Do
we
need
to
have
Baseline
admin,
Network
policy,
tenancy
thing
which
will
be
applied
after
Network
policy
and
they
think
existing
BNP
API
allows
tendency,
but
then
I
thought
about
that.
A
bit
more
and
I
couldn't
find
a
use
case
where
you
would
like
to
imply
tenancy
on
BNP
level
because
it
may
be
overridden
with
network
policies.
So
it
doesn't
make
a
lot
of
sense.
B
Oh
yeah,
oh
I,
think
there.
There
is
one
use
case
which
you
know:
maybe
it
didn't
get
written
down,
but
I
know
it's
something
we
talked
about,
which
is
the
admin
denying
all
egress
by
default
in
a
baseline
admin,
Network
policy
and
then
well,
although
I
guess,
maybe
that
that's
not
really
a
tenant
thing,
though
that's
just
a
baseline
admin,
Network
policy
thing
so
yeah.
C
Yeah
I
I
actually
thought
about
that
and
I
tried
to
think
again
about
what
every
object
means
in
general
right.
So
when
we
talk
about
admin,
Network
policy,
that's
something
you
enforce
as
an
admin
unless
you
use
some
product
namespace
labels,
but
we
can
talk
about
that
or
some
labels.
You
do
not
control
and
then
Network
policy
is
like
the
developers
desire
to
secure
their
namespaces
and
then,
when
you
fall
down
to
Baseline
admin,
Network
policy,
that's
just
the
default.
Network
policy
object
for
namespace,
basically
because
it
is
completely
overridable.
C
D
Can
I
ask
a
more
high
level
question
and
I
apologize?
This
is
probably
treading
old
ground
because
I've
missed
a
couple
of
these
meetings,
but
is
there
a
tldr
on
what
the
goal
would
be
for
this
new
tenancy
construct
like,
however,
it
ends
up
shaking
out?
Is
there
is
it
because
we
want
to
express
something
we
can't
in
enp
today,
or
we
think
we
can
express
it
more
simply.
C
Yeah
it's
more
of
a
second
option,
and
there
are.
There
were
some
slides
that
they,
when
I
tried
to
explain
why
the
existing
API
may
be
a
bit
confusing
or
maybe
allow
more
options
that
we
actually
need,
so
that
in
general
this
is
a
an
effort
to
simplify
the
existing
API.
B
B
Why
can
you
do
this
and
you
know
why
does
this
work
this
way,
and
so
there
are
a
bunch
of
conversations
about
it
that
led
to
the
the
realization
that
we
we
added
tendency
to
admin
Network
policy
in
in
a
way
that
is
much
much
much
more
flexible
than
you
actually
need
for
the
user
stories
we
have,
and
so
we
thought
you
know,
maybe
we
should
rein
it
in
before
people
start
doing
totally
insane
things
and
you're
forced
to
make
your
implementation
really
like
inefficient,
and
you
know
to
support
all
the
possibilities.
C
Okay,
I
think
that
we
can
keep
this
discussion
in
the
dark
comments.
Thank
you.
A
Let's
keep
the
discussion
going
around
that
one
and
see
if
we
can
control
consensus
on
how
we
want
to
do
that,
at
least
for
the
next
version
of
the
API
yeah.
The
next
major
question-
and
that's
really
all
we
have
on
the
agenda.
Does
anyone
want
to
bring
up
other
topics,
discussions,
questions,
suggestions.