Dan Winship

Results 173 comments of Dan Winship

> Why can't we say that this is implementation-specific? AFAIK, here are some current, real vendor implementations:

Those are vendor implementations of _vendor APIs_. And if users want to use...

> Can we keep this as simple as "Denies should win over allows"?

That really only works if you first compile the Rules in each ANP down into a flat...

Making "protocols" top-level instead of "ports" seems a little less convenient/understandable for the common case. But while we're thinking about how to rearrange things, I've always found `ports` really weird...

> there are more protocols (ICMP, ICMPv6 are the most popular requests) that may be useful. An example use case is "I want to only allow ICMP connections to implement...

> The network plugin usually has _some_ lever to block packets, e.g. nftables locally to the node.

When using something like [amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s), packets go directly from pods to the cloud...

> Making "protocols" top-level instead of "ports" seems a little less convenient/understandable for the common case.

Suggested in the meeting this week: we could keep `ports` as it is, but...

> Why do you think they should be mutually exclusive?

Hm... I guess it doesn't have to be.

> (btw do we say somewhere in ANP docs to which protocols...

NetworkPolicy only describes the behavior at L4 (and only for unicast, and only for the pod network's supported IP families). It's undefined what happens at lower levels, other than that...

> This will surprise people

I'm describing existing behavior; if it's surprising, it's already surprising. (And as Nadia pointed out, we document this now.)

> For example, a cluster operator...