►
From YouTube: Network Policy API Bi-Weekly Meeting for 20220425
Description
Network Policy API Bi-Weekly Meeting for 20220425
A
Okay,
hello.
Everyone
today
is
april
25th
2022..
This
is
a
meeting
of
the
sig
network
policy,
api
subgroup
to
sig
network.
This
is
a
cncf
certified
meeting,
so
please
be
nice
to
each
other
and
yeah.
Let's
have
a
good
meeting
today.
So,
if
you've
been
following
these
recordings,
the
past
two
meetings
we've
basically
been
working
mainly
on
the
admin
network
policy
api,
and
we
will
continue
to
do
so
today.
Unfortunately,
between
this
meeting
and
the
last
one,
we
haven't
had
much
more
additional
reviews.
A
A
Basically,
the
only
questions
I
had
were
does
it
make
sense
to
have
I
copied
what
gateway
api
did
basically,
and
I
created
a
new
file
called
shared
types
that
basically
holds
most
of
the
actual
types
that
are
used
by
both
baseline,
a
baseline
admin
network
policy
and
an
admin
network
policy.
Is
that
the
right
way
to
do
things,
or
should
I
be
more
explicit
in
that?
I
redefine
types
totally
or
is
there
any
opinions
on
that.
B
C
A
D
A
A
A
C
B
So
if
we
allow,
you
know
people
to
create
a
bunch
of
baseline
policies,
maybe
they're
we're
basically
just
allowing
them
to
step
there
on
their
own
toes
because
it
is
a
single
poverty
thing
and
if
you
define
you
know
conflicting
rules
that
might
end
up
not
looking
good,
whereas
we,
if
we
just
do
a
single
turn,
you
know
everything
will
be
listed
in
a
single
file
so
because
we
have
the
rule
all
the
right
thing
right.
So.
B
And
the
other
and
the
other
thing
is
about
use
cases,
because
I
think
the
last
time
we
discussed
it,
you
know
we
only
think
there
might
be
one
specific
use
case
for
the
baseline
rule,
which
is
you
know
for
every
namespace,
that's
not
coupe
system.
Basically,
I
wanted
to
start
it
out
denying
everything
stuff
like
that.
So
it
really
doesn't.
It
really
doesn't
strike
me.
As
you
know,
we
have
more
use
cases
than
just
2.1
single
baseline
policy,
although
this
has
been.
B
You
know
a
discussion
also
for
me
in
our
policy
because
we're
saying
hey,
this
is
the
only
use
case
we
can
think
of,
but
people
will
come
up
and
say
you
know
what,
if,
in
the
future,
there
are
other
use
cases
we
need
to
be
future.
You
know
right
so
there's
another.
You
know
discussion,
sorry
decision
to
make.
I
guess,
but
I'm
I
to
be
honest:
I'm
fine
either
way.
If
we
do
want
it
to
go
with
the
singleton,
then
probably
we
wanted
to.
A
Yeah
I
mean
it
can
be
as
simple
it
could
just
be.
You
know,
I
don't
know
default
yeah
default,
baseline
admin,
network
policy,
that's
a
mouthful
or
just
default,
yeah,
that's
fine,
and
then
it
to
do
that
in
the
api.
Do
I
guess
I
just
literally
validate
that
it
can
only
be
default,
but
it's
as
simple
as
that
right,
yeah,
okay,
cool.
B
A
A
Cool
okay
next
thing
was
refactoring
amp
ports.
I
think
we
should
just
table
that
until
tim,
that
talk
with
tim,
because
he
was
the
one
who
kind
of
pushed
us
away
from
the
what
we
thought
was
more
understandable
sort
of
thing.
So
I
don't
think
it
makes
sense
to
keep
talking
about
that
here.
At
the
current
time.
A
You
know
how
how
we're
setting
up
namespace
set
anyways
so
like
we
designed
designed
all
these
selector
structs
to
be
quote,
unquote,
extensible
and
quote
fail
close,
but
we
kind
of
disprove
the
ability
to
fail
close
or
to
define
what
fail
fail.
Closed
is
within
the
api.
So
I
think
we
need
to
take
a
step
back
and
look
at
the
design
of
these
trucks
and
ask
ourselves
like.
C
C
A
Selector
and
pod
selector
flat
out
again,
that's
obviously
reverting
a
bunch
of
forward
quote-unquote
forward
progress.
I
think
we
made
at
some
point
to
get
this
cut
merge,
but
I
mean
the
logic
behind
it.
Is
there
I'm
just
trying
to
think
of
the
best
way
to
do
it
in
the
sense
that
you
know
we
do
it,
while
also
bringing
in
kind
of
your
rationale
here
into
that
change?
A
A
I
have
a
vlog
started
and
the,
but
I
obviously
have
been
able
to
finish
it
because
we
haven't
merged
this
kept
and
the
title
is,
I
think
it's
it's
in
line
with
the
you
know,
you
know
a
hundred
something
commits
or
two
years
100
something
commits,
and
you
know
800
comments
later
here
we
are,
and
now
at
this
point
it's
even
more
than
that.
So
yeah
it's
been
a
saga
but
yeah.
I
guess
really.
We
can't
solve
this
on
this
call.
B
Yeah,
I
think
so,
I'm
just
trying
to
sync
on
you
know
dan's
proposal
there,
because
essentially
he's
saying
there
are
only
two
cases:
one
is
namespace
and
the
other
is
pod
right.
So
for
namespaces,
the
only
thing
that
can
be
provided
there
is
namespace
vector,
whereas
for
pods
you
can
do
combinations,
I
guess
yeah
that
makes
sense,
but
for
pause
you
can
also
just
do
pause
vector.
Oh
no,.
B
Right
right,
yes,
I
I
I
got
you
what
you're
saying
so
essentially,
if
we
don't
worry
about
the
default
close
thing,
this
definitely
is
the
more
readable
api
design.
I
would,
I
would
definitely
agree,
but
I'm
just
not
sure
how
the
the
fading
open
fading
clothes
discussion
will.
I
just
I'm
just
worried
that
we'll
just
tear
that
discussion
bring
this
discipline
up
again.
C
A
A
Basically,
even
with
all
the
you
know,
the
rationale
you've
laid
out
dan,
it
does
fall
on
the
job
of
the
you
know:
admin
slash,
cni
provider.
You
know
users
a
little
bit
and
I
don't
think
that's
wrong
at
all,
but
it's
going
to
need
to
be
documented
in
a
way
that
you
know
wasn't
there
with
network
policy
right,
so
I'm
not
against
it.
I
don't
think
I've
been
against
it
from
the
beginning,
but
here
we
are
now
do
we
need
to
yeah
and
I
guess
at
the
end
of
the
day,
it's
it.
B
B
I
might
be
horrible
around.
Do
we
know
for
the
current
you
know
cni's,
for
example,
if
we
read
let's
say
networking
b1
net
network
policy
do
do
implementation
actually
do
that
or
from
my
understanding,
implementation.
Just
you
know,
grab
and
now
policy
object
and
assume
it's
better
one,
because
it
has
been.
You
know,
accepted
by
the
api
right.
So
I
from
what
I
remember.
I
only
see
this
instruction
thing
if
we
are
actually
implementing
a
web
book
for
the
resource
in
which
we
don't
use.
C
Normally,
you
wouldn't
use
unstructured
for
something
like
this,
where
you
know
the
type
at
compile
time
right.
The
the
idea
was
just
that
by
using
unstructured,
we
can
get
access
to
the
raw
value
right
or
it
gets
parsed,
which
you
wouldn't
be
able
to
do
if
you're,
just
using
the
typed
clients
that
put
it
into
the
go
objects
for
you
right.
I
see.
C
B
C
A
C
F
A
A
A
C
Basically,
if
we
can't
design
the
api
in
a
way
that
implementations
can
safely
use
objects
that
they
don't
recognize,
then
we
want
to
have
some
way
of
the
implementations
always
being
able
to
tell
when
they're
getting
an
object
that
has
fields
that
they
don't
know
about.
And
so
that's
what
what
I
was
talking
about
in
there
in
point
two.
B
F
B
F
So
it's
it's
addressing
sort
of
the
same
problem,
which
is
that
you
have
this
struct,
this
top
level
struct
that
has
a
bunch
of
basically
modes.
It
can
operate
in.
So
in
this
case
it
would
be
our
subject
selector
and
it
has
a
bunch
of
modes
it
can
operate
in.
It
can
select
name
spaces
or
it
might
be,
selecting
pods
or
you
know
in
the
future.
F
We
might
have
a
third
selector
or
fourth
selector,
and
the
idea
is
how
do
we
write
these
sort
of
structs
right
these
structs
that
are
essentially
a
one
of
and
so
they're
discussing?
Do
we
want
to
have
a
bunch
of
sub
selectors,
the
kind
of
kind
of
the
way
we
did,
which
is?
We
have
a
namespace
selector,
a
pod
selector
and
then
we
add
new
ones.
F
Do
we
want
to
add
a
type
field
at
the
top
of
the
struck
which
says
you
know
this
is
a
type
namespace
and
then
you
go
read
the
namespace
fields.
This
is
the
type
pod
selector
and
then
you
go
read
the
namespace
and
the
pods
like
so
on
and
so
forth.
So
it's
it's
basically
dealing
with
the
same.
I
think
problem
that
we
are
approaching
here,
which
is
how
do
we
handle
these
potentially
extensible
list
of
you
know:
sub
sub,
selectors
or
subfields
there.
F
B
A
Like
let
me
go
look
at
it,
it's
it's!
It's
a
little
clunky
like
you
know
something
along
the
lines
of
of
what
dan
was
was
talking
about.
Like
reads
a
lot
better,
so
something
like
this
or
even
like
removing
that
extra
level
right
like.
Why
should
we
have
to
say,
subject?
Well,
I
guess
you
still
always
have
to
say
subject
with
a
certain
types
of
subject,
you
know
the
extra
level
of
nesting
here
or
maybe
it
is
just
a
name
for
naming
problem
and
I'm
wrong.
F
I
mean
I,
I
don't
think
that
their
guidance
is
by
any
means
finalized.
I
just
think
it's
very
interesting
that
they're
having
the
same
discussions
that
we
are
more
or
less
they
may
not
have
considered
the
fact
that
naming
is
really
hard
and
it's
when
you
try
to
specify
this.
It
gets
a
little
bit
tricky.
D
F
Being
said,
personally,
sorry
guys,
oh
sorry,
glad
I
was
gonna
say
I'm
I'm
sympathetic
to
the
argument
that,
while
the
extra
layer
like
the
extra
level
that
you
have
to
add
in
the
yamo
is
annoying,
it's
preferred
to
the
ambiguity
that
comes
about
when
you
can
reuse
fields
with
sort
of
not
arbitrary
rules.
But
you
know
rules
that
you
have
to
mentally
compose
in
your
head,
like
if
I,
if
I,
if
the
namespace
field
is
reusable
a
bunch
of
times-
and
you
know
like
this
other
label,
selector
is
reusable
only
some
of
the
times.
F
C
So
my
original
comment
I
had
two
suggestions:
one
was
was
mostly
just
shortening
names
to
to
try
and
make
it
look
nicer
and
then
the
second
one
was
well.
Why
do
we
even
need
two
copies
of
of
namespace
selector?
Why
can't
we
just
have
one
so
yeah,
so
the
one
that
I
actually
wrote
out
the
details
of
here
that
does
still
preserve
the
a
separate
object
for
each
kind
of
thing,
with
no
reused
fields,
thing.
B
C
B
Okay,
I
was,
I
was
just
gonna
say
that
if
we
do
have
a
service
account
selector
to
be
coupled
with
namespace
sector,
it
is
essentially
also
selecting
parts
if
you
think
about
it
right.
So,
if
you
do
subject
pods
blah
blah
blah,
then
when
we
introduce
that
combination,
it's
really
hard
for
us
to
name
that
struct.
If
we
have
named
this
guy
pods
right.
So
that's.
F
B
A
E
A
A
The
only
other
thing
with
the
pier
was
was
refactoring.
These
booleans,
which
I
think
before
you
hopped
on
or
all
we
had
touched
on,
the
possibility
of
just
making
these
constants
instead
of
booleans
to
to
signal
self
or
not
self.
I
don't
think
there's
ever
there's
been
other
argument
around
that,
so
shouldn't
be
too
hard
to
fix.
A
A
A
Is
issue
28,
which
is
essentially
just
trying
to
reopen
the
network
policy,
the
north-south
debate?
I
think
dan
already
had
a
good
point
here.
Basically,
one
of
our
rationale
for
reopening
the
debate
was
that
cna
cnis
may
not
be
able
to,
or
cni's
already
are
distinguishing
between
east-west
and
north-south
traffic,
specifically
I.e
like
technically
an
empty
namespace
selector
selects
all
only
east-west
traffic
and
north-south
traffic.
I
would
say
that
that's
not
implemented
correctly
by
at
least
oven
kubernetes.
A
C
A
A
B
Well,
the
the
the
difference
is,
you
can
say,
egress
and
don't
provide
anything
down
there.
That
by
definition
means
block
everything,
but
if
you
pro
provide
the
rule
egress
rule
which
says
I
wanted
to
select
namespace
selector
empty
curry
places.
That
means
a
different
thing.
That's
my
understanding
on
the
network
odyssey
current
network
yeah,
we're.
C
A
Okay,
cool,
so
maybe
that
that
is
a
valid
I
was
just
saying
like.
Basically,
if
this
is
the
case,
then
that
kind
of
removes
one
of
our
reasons
to
even
bring
this
back
up
again
because
cni's
already
doing
it
if
they're
implementing
the
api
correctly,
but
otherwise
I
don't
have
any
other
thoughts
and
I
totally
get
it
if
no
one
else
here
does
dan's
already
gave
a
comment.
The
only
thing
I
I
would
advocate
for
doing
now
is
adding
an
ip
block
selector,
maybe
for
egos
traffic.
A
A
Are
there
any
other
thoughts
here?
I
mean
it's
totally
all
right
for
a
thought
to
be.
We
don't
want
to
deal
with
it
now,
but
we
are
going
to
have
to
deal
with
eventually.
So
our
rationale
was
we
might
as
well
revisit
it
because
I
I'd
say
the
the
voice.
The
number
of
voices
in
this
has
has
dwindled
down
to
now
us
us
three
or
four.
A
B
Not
I
think
not
really
related
to
you
know
policy
api
seek,
I
guess,
but
I
was
just
wondering
I
haven't
been
able
to.
You,
know
tag
along
with
the
multiculturalistic
discussions.
I'm
just
wondering
is
there
anything
related
to
the
multicultural
policy,
that's
bringing
them
that
has
been
brought
up
there?
Do
you
have
any
idea
on
that
or
no
I've.
B
B
E
B
A
A
D
A
Yeah
not
much
has
been
going
on
in
the
last
couple
weeks,
at
least
thanks
andrew
yeah,
no
worries
cool
and
then
so
after
I'll
kind
of
go
back
and
make
some
updates
based
on
what
we
did
today.
Sorry,
I
didn't
do
it
until
today
for
last
time's
meeting,
just
because
I
was
super
busy
with
some
other
stuff,
but
I'll
try
to
get
that
done
sooner
rather
than
later
rahul.
Just
you
weren't
here
yet,
but
I'm
also
to
set
up
a
meeting
with
tim.
A
He
couldn't
come
today,
so
he
has
free
time
on
friday,
I'm
going
to
set
up
another
meeting,
so
we
can
hopefully
kind
of
squash
some
of
these
final
little
things
out,
such
as
basics,
basically
just
syntactical
refactoring
of
amp
ports
and
also
talk
about
north-south
stuff.
So
I'll,
add
you
to
that
meeting
if
you're
interested
as
well?
Yes,.