Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / WG Policy / 9 May 2022
Kubernetes / WG Policy / 9 May 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: WG-Network Policy API Bi-Weekly Meeting for 20220509 (part 2)

Description

WG-Network Policy API Bi-Weekly Meeting for 20220509 (part 2)

A

Hello, everyone today is may 9th 2022 uh the week before or of cubecon, um and this is a meeting of the sig network policy, api subgroup district network. This is a cncf certified meeting, so please be nice to each other and no cursing and yeah. Let's have a good meeting today um so hopping right into more work on the admin network policy, api, specifically the semantics of the pr to do that itself.

A

So let me pull up my screen here and we can kind of discuss some of dan's. Most recent comments: a lot of nets. I clearly am not that great at proofreading, my my own spelling so sorry about that, um but I think we can talk about some of the more major things and he also added something to the agenda about this, so the first one was basically trying to make subject and pure more parallel.

A

This is something that's come up a few times, so maybe we should brainstorm it a little bit more.

A

So, let's find his comment.

B

Wait wait. What does it mean by making subject and appear more parallel.

A

So, basically, like there's a little bit of overlap in the api itself regarding right, like like selecting a subject for an advent network policy is different from selecting a peer for a number of reasons, and so we've defined that as such as various different types within the api and he's saying like, can we explore maybe creating an overlap in the sense of? Can we um share types between the two? I believe that's what he's saying um so I this stems from kind of his dislike of.

A

uh Basically, how stuff works it looks when you write it in yaml and I kind of tend to agree. I hadn't taken the time to sit down and kind of write this out, but with with today's design, currently like this is fairly ugly right at the end of the day like.

A

I think this is where he's coming from, but I'm not 100 sure.

B

Oh wait so so the last one, the one you had you're highlighting right now. I don't think our spec would look something like that right. Why would that be too positive?.

A

Because we ended up changing something that was named pod selector to just pods.

B

Right right and there's also a pos vector down there, so it's pause, pods, pause and actor, so it feels like three levels of nesting. I don't think that's the case.

C

Let's go: look, I have the pr. I have the actual api up right.

D

And also, I feel like under parts there will be name space selector as well right. So that's probably why we had a prefix spot.

A

Right.

B

um um I think we have a new folk here, maybe, let's just say, hi first.

A

Yeah for sure, let me get back to my actual terminal, where I can see all of y'all.

A

Oh my gosh, okay.

C

Hold on posh.

C

There it is.

A

Awesome: hey sir gang how's. It going.

A

You might be on mute, but um we've kind of been.

D

Right, I think, is from my team as well. So yes, it's from grouper and works on network security. Like sounds.

B

Like me and rahul,.

D

Okay,.

D

Do you want to unmute yourself and talk yeah? I just asked him is this? He literally sit next to me.

E

Hey yeah just have some audio issue.

B

Or is it all.

A

Yeah, do you want to give us just a little intro sugan and then talk about why you're here.

B

I know you're on.

E

His.

A

Team but uh there might be some more to add.

E

Yeah uh uh hi, my name is sugal. um I will work with uh satishua in the same team and we both are also working on gke network policy related stuff.

A

Cool awesome well great to have you. We currently are kind of running through the admin network policy api that we're implementing and if you look in the agenda, there's some links to the kep, which will describe it more and the actual pr we're looking at today, so feel free to follow along thanks: okay, hey dan! We were just talking about some of your comments.

F

Yeah and I added a few things to the agenda: yeah.

A

Yep we were going on the first one, so talking about basically trying to make subject and pure more parallel. um We looked at this and we were just uh yang wanted to verify that this is actually what would happen like this double nesting of pods. um I think when I looked just before this meeting like it could happen, so we just wanted to look really quick at the actual code.

A

So um right, if we have a if we've got a defined, pier, um the first layer is pods right yang, yes and.

B

Then, if you go to name space.

A

Pod piano, it's.

B

Pods again.

A

We have like another layer of indirection right because our so when we initially designed this, we thought. Okay, we might one day add more ways to select pods right right.

B

So so I'm just wondering why it's parts down there shouldn't it be just a past lecture. What what is pod, pure, though, like yeah like.

F

I I commented on this, like, I think my next comment on the thing like pod pure, doesn't seem like it. It's needed like if we were gonna, add a new way to select pods, like you know, service, selector or whatever. That should be a new option underneath the um yeah. What is it right.

B

Right, yeah yeah. I agree. I agree. I agree this is I I I agree. This is wrong, so I I feel like under, if you scroll down to namespace uh pod pier, I think it should have name spaces with namespace pair is fine, because you will have all the the self nothing labeled stuff under there right, but for for the second one it should just be post factor. It shouldn't be another level of nesting that doesn't really make sense.

A

Yep agreed, I will change that for sure, um so that was the one part of it. The other part was dan, was kind of arguing or saying we should combine some of.

B

Right right on that note, I think uh I think we had this conversation before, if I remember this correctly, with tim and the other guys, and the reason why we decided to go with separate fields. Is that you know for the subject. Something really doesn't really make sense. So when you select subjects you are really clear on, you know which label namespaces you want to select or which label path you want to select. But in that particular case you cannot basically say something like I want to select subject and the name space is from self.

B

That doesn't really make sense, because you need to select subject first and then it appears you can say. I wanted to select name spaces for himself.

B

So there are some inherent differences between the subject and the peers, and you know we didn't want to sort of like mix those two types together, because otherwise you will have you know other weird stuff, like you know, validations, you want to say that if it's appearing in the subject field- um and you want to verify that the the namespace equals self not self is not set, because it cannot basically be there.

F

Yeah, no, so I wasn't saying that they should literally be the same types but like andrew.

F

If you go back to the the comment on the pr I I showed one thing where, like the the top half of the comment like right now, you know the subject for sin for subject and for a peer are exactly the same except there's one extra level in in the the peer and- and I feel like you know, we could just add that to subject as well, even though it's not necessary and- and you know, would that make it easier for people to use if you know if, if they were the same rather than you know getting rid of it, because it's the only option in the subject, I wasn't sure I I I see.

B

What you mean.

F

So so you.

B

Wanna sort of like let people have the consistency by if they wanted to select something by labels. There's always going to be four lines. Sort of saying is that yeah, basically.

F

Okay, it just seems like it could possibly be a little confusing the way it is now and, and that might make it clearer.

A

Yeah- and this is the only place we don't have like a level- then direction for selecting something right, this field. um So, okay, I'm not against it. I I mean it would literally just be another type: that's that's um wrapping a namespace selector label selector, but and.

F

It's possible that you had one before and I convinced you to get rid of it last time. I'm.

A

Pretty sure, that's exactly what happened. I think I started out with that and we were like. Oh wait. We don't need that, um but that is very long. That's what happens with long standing rounds overviews.

F

um So, and- and I'm not sure if the if the two pod versions are exactly the same once you get rid of the extra level of pods, uh I think they're, pretty close.

A

They're pretty close pods, it's just like it's. The naming is slightly different, I'll write out some yamls. I think after this round of reviews, and then we can look.

D

Yeah, but I think it applies to it applies to part as well. If I understand correctly because for the subject, there is no, there are no multiple selectors, but here we have multiple selectors, because we do have a part selected like I mean like selecting the constructs within the cluster versus selecting outside the cluster. So that's why we added additional indirection. Is it correct.

A

The additional interaction was all for extensibility like like in the future, just to make it a little bit more explicit and easier, um and it's just kind of the api design syntax that tim is advocating, for, I think, we've all kind of agreed on um what he. What dan's saying basically is like and yeah. We just have one less layer of interaction and everywhere else we have it. So it's kind of confusing to write the ammo for it.

B

Actually, I wanted to add in here, so I I think you were asking the question if the namespace pass subject is really close to namespace pod peer and the answer is no, because in namespace pod pier you will have the namespaces to where you can do same labels now same labels etc.

B

But in the namespace past, subject, there's only a namespace vector and if continue on your argument before, if, if you do a namespace selector here, it's also one less um indirection from for the selectors, because if you wanted to write a namespace part, both selectors in the subject case and in the peer case in the subject case, you will have one less line. If you will, if that makes sense,.

D

Yeah, I think, yeah, that's what I wanted to make yeah, because the subject will always have one less indirection than the right.

C

Right.

B

Because it doesn't have the the same self, not something so right.

A

Okay, as an action item, all I will make that consistent in terms of nesting and then also remove the deepest pod pure indirection layer. We have that we don't need, um and then I think after this round of reviews, I'd like to just write some yammels, maybe some real-life animals and try to see like if there's anything, we're missing. um Yeah.

F

There's actually a third thing in the the second example there. In the namespace case, then the namespace selector is called just selector, whereas in the pod case the pod selector is called pod selector. um You know again, that seems like sort of a.

B

The the problem is that uh in the in the namespace and pod pier uh there can be two types of selectors.

F

Right so so, so I think I was saying like actually it looks like in well. I I was saying that the the one that's just selector here should be name space, selector um right and again, you know, maybe I'm the one who argued against that before yeah. I think you're right andrew, I think you you need to like.

F

We we need to come up with some example objects so that we can get a feel for how they look.

A

No, you know what you were the one who argued against that before, because I I had everything super explicit like obscenely explicit like, even if it was in a namespace beer. I had it as a newspaper selector, but.

B

um Okay,.

A

But.

B

I will.

A

Write it out, I think that's the best way to see it can.

B

We go back to the comment real quick. I just wanted to.

F

So you're right I did say here why not change pod selector to selector but yeah. Obviously that can't be because there are two selectors there. So.

B

Wait so did we say that uh if a namespace, it's a namespace pod appear- and you say, parts blah blah blah you can omit namespace vector in that case- is namespace selector required in this case, or no.

A

Let's see, I can't, I think it is so the part pier.

B

Namespace part here right, so so that's I think, that's uh where I'm confused about. Essentially, if you specify namespace pop here, you need to both provide namespaces and pause and actor, so that might make it a little bit more unclear because if you say in in the in the example you just you just uh if you go back to the comment, uh so essentially, you cannot do that uh if we just get rid of the extra level of parts right right.

B

uh So it's from then parts and then, along with a select pod lecture, you will have to provide the namespace that may may look make it look a little bit more um clear because.

F

If you otherwise.

B

If you just say selector and you provide namespaces down there, it might be a little bit confusing.

B

I see what you're saying, because it's going to see it's going to say, pods and then name spaces and then and then a selector down there and you're, not you're, not knowing whether it's selecting positive name spaces. That's that's what oh.

A

No, no, no, I mean if we get to this scenario right, we are coming from admin, network policy, pier and then we'd basically say pods. I think it'd be confusing because we'd say pods, but oh you're, saying if we get rid of that level and direction right that, that's why we did it in the in the beginning, because you're saying if this was just a pod, selector like this would end up just being selector.

A

Right but it has to be plot: selectors, girls.

B

Okay right, I I'm arguing for it needs to be pass selector, if you just say selector here, it makes it a little bit more confusing.

A

Yeah but then this new well then we don't have this level of under. This is all gone. Pod, yeah, yeah.

F

For this one, I think I I was probably more arguing that the selector in the name, space direct, should be namespace selector, not selector yeah, but but again like let's, let's see some objects and then we can argue agreed.

A

100 percent- sorry, I'm just taking some notes.

B

Side note: are you in spain already then.

F

Am I in spain, yeah no thursday night, oh cool.

F

Was anyone else here going.

A

I wish I wish too. I really wish I was going to be honest, but no, I don't think anyone else was. It was just you and and um tim.

A

Hopefully, we'll be at the next one.

A

Okay, um I will do that writing out a couple. Examples will be awesome and- and we're gonna have to do it anyway and and we're almost to a t of equalization. So I shouldn't have to redo it a bunch of times we talked about pod, pure I'm gonna clean up this, because at the end of the day like we need to do whatever it takes to make these yamls look readable, like it's pointless for us to make an api that has stuff like that in it.

F

I don't know, network policy is pretty bad in places, and people use that so.

A

Yeah fair enough: well, that's the scariest part about all this is even if we crank out great api, it's going to be super confusing to transition, but all we can do is have user guides and suggest things.

A

um Was that what else so? The other comment you had dan was also namespace. Only rules versus namespace and pod rules. Did we already cover that or did you have something else to add there.

F

Yeah, I think.

A

That was all just part of that: okay cool um I've already gone through thanks for catching a lot of these. There was a lot of nits. I'm sorry about that. I've looked at this, so much that I don't think I can see anything anymore. um I think I addressed most these already locally.

A

um This was one I was going to ask you about uh you're, saying, basically reusing the admin network policy status. Struct for both uh is seems out of sorts, but I was trying to think of a actual reason for creating you know: an admin network policy status truck and a baseline admin network policy status truck like. Are they ever going to be different, or is it just a purely read? Reading through the code, you have a problem with yeah.

F

They'll probably be the same, but it just feels wrong to not have its own completely identical copy.

A

So why can't it just be a list like? Why can't we just not have a type for that, and it just be a list of conditions.

F

Because we may want to add more status, builds later: okay, okay, that's if no one.

A

And having.

F

Status be a struct is, is an api convention like yeah things assume that.

A

Okay, I'll change that.

A

Yeah.

D

I.

A

Think everything else was pretty straightforward um besides this, so I will clean up what we have and and push some changes here later today and start writing some uh yamls. I mean we should have a list of yamls anyway that just as reference to be probably put in this repo as well so that'll be good, um any other comments or questions with admin network policy bits um after this.

A

After I finish, these changes um is the next step just to get so once we have the lg tim from you dan, I I still think we'll wait for the lgtm from tim right before merging or is it sort of like if we get one just go ahead and merge like what do you think.

F

Yeah, I mean you know it's alpha, one right like if it's it's not like and and and this is merging to our own right right right so.

C

Yeah, if.

F

People will probably find bugs, as they start implementing it anyway right, so you know it. This isn't absolutely the end. You know if, if there's something dim once changed after you merge it, then it can be changed after you merge it.

A

Okay, cool, I just yeah, I know we don't have we really don't have any protocols set up yet for this you know oregon. This is such a small subgroup. All of a sudden, it used to be a little bit bigger. I think um so. I just wanted to make sure we weren't doing anything out of whack um the next step.

A

I think, for you know in terms of work items that I would definitely need some help with after getting this merged is I'd like to copy sort of the docs setup the gateway api has, and we can start it's going to be a long road, but I'd like to start getting some docks put together.

A

While all this is fresh in our head in our heads, um because it's going to be really important to have good documentation for this api and it'll be good for the implementers which I feel like are going to be basically the folks in this room right now, so at least the first round of influencers. Are you going to implement this for sdn dan, or should I just do it for 11k.

F

um I will probably not implement it for openshift sdn cool.

A

Okay, well, we'll do it for evan k, then um any other questions comments, concerns.

A

I have a pr up, adding yang as an owner for this. um I might do the same for you dan. If that's something you would like, um we definitely need to add you to the contributors list for this, because you've been super incremental here, um yeah, that's all I have. I will poke the group when I have the rest of this done and if we could just get some final read-throughs and lgtm some, we can move forward from there.

A

It's not keep working, but I think we can go ahead and give everyone some time back today and yeah feel free to reach out on slack. I really appreciate it hope you all have a good day, all right.

B

Bye thanks bye.

D

Thanks bye.