Nadia Pinaeva

I see that v1beta2 is not yet considered stable, so it may be risky to upgrade now. A good example right there is a change like https://github.com/k8snetworkplumbingwg/multi-networkpolicy/pull/21 that will break...

@cathy-zhou @l8huang my point is that before v1beta2 is "fixed" upstream, there may be more changes potentially that will go into v1beta2. We can't release v1beta2 in openshift while it...

> Do you mean `backward-incompatible changes`, or does OpenShift's release policy requires that the API version must be fixed? yes, backwards-incompatible changes are the main concern, but from what I...

Only a couple of small nits are left, otherwise /lgtm

https://github.com/ovn-org/ovn-kubernetes/actions/runs/9749486954/job/26907761431?pr=4484

Great summary @huntergregory ! I think one of the extra questions around "How could Policy Assistant know about connections to determine denied connections?" is how to figure which connections actually...

I think these 2 tools just give different kind of information. For example, I am convinced that I allowed everything my pod needs, but forgot to allow ingress from monitoring....

> We'll want to prevent folks from shooting themselves in the foot for a CNI dry-run mode. A few pitfalls discussed today: > > * What if some connections will...

> What if CNIs don't even do the bare minimum to no-op a policy with this field present, and a user applies a policy with the field without realizing that...

> > A potential solution if to have a dry-run flag, that would turn all (B)ANP actions into logs. > > It seems really really weird to define this without...