Kubernetes Network Policy support Spec

Co-Authored-By: Irena Berezovsky <irenab.dev@gmail.com>
Partially Implements: blueprint k8s-network-policies
Change-Id: Idcabcdb8f5a25a65036b3c3c6d6e14cbb92025fe
This commit is contained in:
Eyal Leshem 2017-11-13 08:49:38 +02:00 committed by Irena Berezovsky
parent acd3a9c865
commit 610a5fb8a1
3 changed files with 1173 additions and 0 deletions

687
doc/images/net-policy.svg Normal file
View File

@ -0,0 +1,687 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.2" width="215.9mm" height="279.4mm" viewBox="0 0 21590 27940" preserveAspectRatio="xMidYMid" fill-rule="evenodd" stroke-width="28.222" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg" xmlns:ooo="http://xml.openoffice.org/svg/export" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:presentation="http://sun.com/xmlns/staroffice/presentation" xmlns:smil="http://www.w3.org/2001/SMIL20/" xmlns:anim="urn:oasis:names:tc:opendocument:xmlns:animation:1.0" xml:space="preserve">
<defs class="ClipPathGroup">
<clipPath id="presentation_clip_path" clipPathUnits="userSpaceOnUse">
<rect x="0" y="0" width="21590" height="27940"/>
</clipPath>
<clipPath id="presentation_clip_path_shrink" clipPathUnits="userSpaceOnUse">
<rect x="21" y="27" width="21547" height="27885"/>
</clipPath>
</defs>
<defs>
<font id="EmbeddedFont_1" horiz-adv-x="2048">
<font-face font-family="Liberation Sans embedded" units-per-em="2048" font-weight="normal" font-style="normal" ascent="1852" descent="423"/>
<missing-glyph horiz-adv-x="2048" d="M 0,0 L 2047,0 2047,2047 0,2047 0,0 Z"/>
<glyph unicode="y" horiz-adv-x="1033" d="M 604,1 C 579,-64 553,-123 527,-175 500,-227 471,-272 438,-309 405,-346 369,-374 329,-394 289,-413 243,-423 191,-423 168,-423 147,-423 128,-423 109,-423 88,-420 67,-414 L 67,-279 C 80,-282 94,-284 110,-284 126,-284 140,-284 151,-284 204,-284 253,-264 298,-225 343,-186 383,-124 417,-38 L 434,5 5,1082 197,1082 425,484 C 432,466 440,442 451,412 461,382 471,352 482,322 492,292 501,265 509,241 517,217 522,202 523,196 525,203 530,218 538,240 545,261 554,285 564,312 573,339 583,366 593,393 603,420 611,444 618,464 L 830,1082 1020,1082 604,1 Z"/>
<glyph unicode="x" horiz-adv-x="1006" d="M 801,0 L 510,444 217,0 23,0 408,556 41,1082 240,1082 510,661 778,1082 979,1082 612,558 1002,0 801,0 Z"/>
<glyph unicode="w" horiz-adv-x="1509" d="M 1174,0 L 965,0 792,698 C 787,716 781,738 776,765 770,792 764,818 759,843 752,872 746,903 740,934 734,904 728,874 721,845 716,820 710,793 704,766 697,739 691,715 686,694 L 508,0 300,0 -3,1082 175,1082 358,347 C 363,332 367,313 372,291 377,268 381,246 386,225 391,200 396,175 401,149 406,174 412,199 418,223 423,244 429,265 434,286 439,307 444,325 448,339 L 644,1082 837,1082 1026,339 C 1031,322 1036,302 1041,280 1046,258 1051,237 1056,218 1061,195 1067,172 1072,149 1077,174 1083,199 1088,223 1093,244 1098,265 1103,288 1108,310 1112,330 1117,347 L 1308,1082 1484,1082 1174,0 Z"/>
<glyph unicode="v" horiz-adv-x="1033" d="M 613,0 L 400,0 7,1082 199,1082 437,378 C 442,363 447,346 454,325 460,304 466,282 473,259 480,236 486,215 492,194 497,173 502,155 506,141 510,155 515,173 522,194 528,215 534,236 541,258 548,280 555,302 562,323 569,344 575,361 580,376 L 826,1082 1017,1082 613,0 Z"/>
<glyph unicode="u" horiz-adv-x="874" d="M 314,1082 L 314,396 C 314,343 318,299 326,264 333,229 346,200 363,179 380,157 403,142 432,133 460,124 495,119 537,119 580,119 618,127 653,142 687,157 716,178 741,207 765,235 784,270 797,312 810,353 817,401 817,455 L 817,1082 997,1082 997,228 C 997,205 997,181 998,156 998,131 998,107 999,85 1000,62 1000,43 1001,27 1002,11 1002,3 1003,3 L 833,3 C 832,6 832,15 831,30 830,44 830,61 829,79 828,98 827,117 826,136 825,156 825,172 825,185 L 822,185 C 805,154 786,125 765,100 744,75 720,53 693,36 666,18 634,4 599,-6 564,-15 523,-20 476,-20 416,-20 364,-13 321,2 278,17 242,39 214,70 186,101 166,140 153,188 140,236 133,294 133,361 L 133,1082 314,1082 Z"/>
<glyph unicode="t" horiz-adv-x="531" d="M 554,8 C 527,1 499,-5 471,-10 442,-14 409,-16 372,-16 228,-16 156,66 156,229 L 156,951 31,951 31,1082 163,1082 216,1324 336,1324 336,1082 536,1082 536,951 336,951 336,268 C 336,216 345,180 362,159 379,138 408,127 450,127 467,127 484,128 501,131 517,134 535,137 554,141 L 554,8 Z"/>
<glyph unicode="s" horiz-adv-x="901" d="M 950,299 C 950,248 940,203 921,164 901,124 872,91 835,64 798,37 752,16 698,2 643,-13 581,-20 511,-20 448,-20 392,-15 342,-6 291,4 247,20 209,41 171,62 139,91 114,126 88,161 69,203 57,254 L 216,285 C 231,227 263,185 311,158 359,131 426,117 511,117 550,117 585,120 618,125 650,130 678,140 701,153 724,166 743,183 756,205 769,226 775,253 775,285 775,318 767,345 752,366 737,387 715,404 688,418 661,432 628,444 589,455 550,465 507,476 460,489 417,500 374,513 331,527 288,541 250,560 216,583 181,606 153,634 132,668 111,702 100,745 100,796 100,895 135,970 206,1022 276,1073 378,1099 513,1099 632,1099 727,1078 798,1036 868,994 912,927 931,834 L 769,814 C 763,842 752,866 736,885 720,904 701,919 678,931 655,942 630,951 602,956 573,961 544,963 513,963 432,963 372,951 333,926 294,901 275,864 275,814 275,785 282,761 297,742 311,723 331,707 357,694 382,681 413,669 449,660 485,650 525,640 568,629 597,622 626,614 656,606 686,597 715,587 744,576 772,564 799,550 824,535 849,519 870,500 889,478 908,456 923,430 934,401 945,372 950,338 950,299 Z"/>
<glyph unicode="r" horiz-adv-x="530" d="M 142,0 L 142,830 C 142,853 142,876 142,900 141,923 141,946 140,968 139,990 139,1011 138,1030 137,1049 137,1067 136,1082 L 306,1082 C 307,1067 308,1049 309,1030 310,1010 311,990 312,969 313,948 313,929 314,910 314,891 314,874 314,861 L 318,861 C 331,902 344,938 359,969 373,999 390,1024 409,1044 428,1063 451,1078 478,1088 505,1097 537,1102 575,1102 590,1102 604,1101 617,1099 630,1096 641,1094 648,1092 L 648,927 C 636,930 622,933 606,935 590,936 572,937 552,937 511,937 476,928 447,909 418,890 394,865 376,832 357,799 344,759 335,714 326,668 322,618 322,564 L 322,0 142,0 Z"/>
<glyph unicode="p" horiz-adv-x="953" d="M 1053,546 C 1053,464 1046,388 1033,319 1020,250 998,190 967,140 936,90 895,51 844,23 793,-6 730,-20 655,-20 578,-20 510,-5 452,24 394,53 350,101 319,168 L 314,168 C 315,167 315,161 316,150 316,139 316,126 317,110 317,94 317,76 318,57 318,37 318,17 318,-2 L 318,-425 138,-425 138,864 C 138,891 138,916 138,940 137,964 137,986 136,1005 135,1025 135,1042 134,1056 133,1070 133,1077 132,1077 L 306,1077 C 307,1075 308,1068 309,1057 310,1045 311,1031 312,1014 313,998 314,980 315,961 316,943 316,925 316,908 L 320,908 C 337,943 356,972 377,997 398,1021 423,1041 450,1057 477,1072 508,1084 542,1091 575,1098 613,1101 655,1101 730,1101 793,1088 844,1061 895,1034 936,997 967,949 998,900 1020,842 1033,774 1046,705 1053,629 1053,546 Z M 864,542 C 864,609 860,668 852,720 844,772 830,816 811,852 791,888 765,915 732,934 699,953 658,962 609,962 569,962 531,956 496,945 461,934 430,912 404,880 377,848 356,804 341,748 326,691 318,618 318,528 318,451 324,387 337,334 350,281 368,238 393,205 417,172 447,149 483,135 519,120 560,113 607,113 657,113 699,123 732,142 765,161 791,189 811,226 830,263 844,308 852,361 860,414 864,474 864,542 Z"/>
<glyph unicode="o" horiz-adv-x="980" d="M 1053,542 C 1053,353 1011,212 928,119 845,26 724,-20 565,-20 490,-20 422,-9 363,14 304,37 254,71 213,118 172,165 140,223 119,294 97,364 86,447 86,542 86,915 248,1102 571,1102 655,1102 728,1090 789,1067 850,1044 900,1009 939,962 978,915 1006,857 1025,787 1044,717 1053,635 1053,542 Z M 864,542 C 864,626 858,695 845,750 832,805 813,848 788,881 763,914 732,937 696,950 660,963 619,969 574,969 528,969 487,962 450,949 413,935 381,912 355,879 329,846 309,802 296,747 282,692 275,624 275,542 275,458 282,389 297,334 312,279 332,235 358,202 383,169 414,146 449,133 484,120 522,113 563,113 609,113 651,120 688,133 725,146 757,168 783,201 809,234 829,278 843,333 857,388 864,458 864,542 Z"/>
<glyph unicode="n" horiz-adv-x="874" d="M 825,0 L 825,686 C 825,739 821,783 814,818 806,853 793,882 776,904 759,925 736,941 708,950 679,959 644,963 602,963 559,963 521,956 487,941 452,926 423,904 399,876 374,847 355,812 342,771 329,729 322,681 322,627 L 322,0 142,0 142,853 C 142,876 142,900 142,925 141,950 141,974 140,996 139,1019 139,1038 138,1054 137,1070 137,1078 136,1078 L 306,1078 C 307,1075 307,1066 308,1052 309,1037 310,1021 311,1002 312,984 312,965 313,945 314,926 314,910 314,897 L 317,897 C 334,928 353,957 374,982 395,1007 419,1029 446,1047 473,1064 505,1078 540,1088 575,1097 616,1102 663,1102 723,1102 775,1095 818,1080 861,1065 897,1043 925,1012 953,981 974,942 987,894 1000,845 1006,788 1006,721 L 1006,0 825,0 Z"/>
<glyph unicode="l" horiz-adv-x="187" d="M 138,0 L 138,1484 318,1484 318,0 138,0 Z"/>
<glyph unicode="i" horiz-adv-x="187" d="M 137,1312 L 137,1484 317,1484 317,1312 137,1312 Z M 137,0 L 137,1082 317,1082 317,0 137,0 Z"/>
<glyph unicode="h" horiz-adv-x="874" d="M 317,897 C 337,934 359,965 382,991 405,1016 431,1037 459,1054 487,1071 518,1083 551,1091 584,1098 622,1102 663,1102 732,1102 789,1093 834,1074 878,1055 913,1029 939,996 964,962 982,922 992,875 1001,828 1006,777 1006,721 L 1006,0 825,0 825,686 C 825,732 822,772 817,807 811,842 800,871 784,894 768,917 745,934 716,946 687,957 649,963 602,963 559,963 521,955 487,940 452,925 423,903 399,875 374,847 355,813 342,773 329,733 322,688 322,638 L 322,0 142,0 142,1484 322,1484 322,1098 C 322,1076 322,1054 321,1032 320,1010 320,990 319,971 318,952 317,937 316,924 315,911 315,902 314,897 L 317,897 Z"/>
<glyph unicode="g" horiz-adv-x="927" d="M 548,-425 C 486,-425 431,-419 383,-406 335,-393 294,-375 260,-352 226,-328 198,-300 177,-267 156,-234 140,-198 131,-158 L 312,-132 C 324,-182 351,-220 392,-248 433,-274 486,-288 553,-288 594,-288 631,-282 664,-271 697,-260 726,-241 749,-217 772,-191 790,-159 803,-119 816,-79 822,-30 822,27 L 822,201 820,201 C 807,174 790,148 771,123 751,98 727,75 699,56 670,37 637,21 600,10 563,-2 520,-8 472,-8 403,-8 345,4 296,27 247,50 207,84 176,130 145,176 122,233 108,302 93,370 86,449 86,539 86,626 93,704 108,773 122,842 145,901 178,950 210,998 252,1035 304,1061 355,1086 418,1099 492,1099 569,1099 635,1082 692,1047 748,1012 791,962 822,897 L 824,897 C 824,914 825,933 826,953 827,974 828,994 829,1012 830,1031 831,1046 832,1060 833,1073 835,1080 836,1080 L 1007,1080 C 1006,1074 1006,1064 1005,1050 1004,1035 1004,1018 1003,998 1002,978 1002,956 1002,932 1001,907 1001,882 1001,856 L 1001,30 C 1001,-121 964,-234 890,-311 815,-387 701,-425 548,-425 Z M 822,541 C 822,616 814,681 798,735 781,788 760,832 733,866 706,900 676,925 642,941 607,957 572,965 536,965 490,965 451,957 418,941 385,925 357,900 336,866 314,831 298,787 288,734 277,680 272,616 272,541 272,463 277,398 288,345 298,292 314,249 335,216 356,183 383,160 416,146 449,132 488,125 533,125 569,125 604,133 639,148 673,163 704,188 731,221 758,254 780,297 797,350 814,403 822,466 822,541 Z"/>
<glyph unicode="f" horiz-adv-x="557" d="M 361,951 L 361,0 181,0 181,951 29,951 29,1082 181,1082 181,1204 C 181,1243 185,1280 192,1314 199,1347 213,1377 233,1402 252,1427 279,1446 313,1461 347,1475 391,1482 445,1482 466,1482 489,1481 512,1479 535,1477 555,1474 572,1470 L 572,1333 C 561,1335 548,1337 533,1339 518,1340 504,1341 492,1341 465,1341 444,1337 427,1330 410,1323 396,1312 387,1299 377,1285 370,1268 367,1248 363,1228 361,1205 361,1179 L 361,1082 572,1082 572,951 361,951 Z"/>
<glyph unicode="e" horiz-adv-x="980" d="M 276,503 C 276,446 282,394 294,347 305,299 323,258 348,224 372,189 403,163 441,144 479,125 525,115 578,115 656,115 719,131 766,162 813,193 844,233 861,281 L 1019,236 C 1008,206 992,176 972,146 951,115 924,88 890,64 856,39 814,19 763,4 712,-12 650,-20 578,-20 418,-20 296,28 213,123 129,218 87,360 87,548 87,649 100,735 125,806 150,876 185,933 229,977 273,1021 324,1053 383,1073 442,1092 504,1102 571,1102 662,1102 738,1087 799,1058 860,1029 909,988 946,937 983,885 1009,824 1025,754 1040,684 1048,608 1048,527 L 1048,503 276,503 Z M 862,641 C 852,755 823,838 775,891 727,943 658,969 568,969 538,969 507,964 474,955 441,945 410,928 382,903 354,878 330,845 311,803 292,760 281,706 278,641 L 862,641 Z"/>
<glyph unicode="d" horiz-adv-x="927" d="M 821,174 C 788,105 744,55 689,25 634,-5 565,-20 484,-20 347,-20 247,26 183,118 118,210 86,349 86,536 86,913 219,1102 484,1102 566,1102 634,1087 689,1057 744,1027 788,979 821,914 L 823,914 C 823,921 823,931 823,946 822,960 822,975 822,991 821,1006 821,1021 821,1035 821,1049 821,1059 821,1065 L 821,1484 1001,1484 1001,219 C 1001,193 1001,168 1002,143 1002,119 1002,97 1003,77 1004,57 1004,40 1005,26 1006,11 1006,4 1007,4 L 835,4 C 834,11 833,20 832,32 831,44 830,58 829,73 828,89 827,105 826,123 825,140 825,157 825,174 L 821,174 Z M 275,542 C 275,467 280,403 289,350 298,297 313,253 334,219 355,184 381,159 413,143 445,127 484,119 530,119 577,119 619,127 656,142 692,157 722,182 747,217 771,251 789,296 802,351 815,406 821,474 821,554 821,631 815,696 802,749 789,802 771,844 746,877 721,910 691,933 656,948 620,962 579,969 532,969 488,969 450,961 418,946 386,931 359,906 338,872 317,838 301,794 291,740 280,685 275,619 275,542 Z"/>
<glyph unicode="c" horiz-adv-x="901" d="M 275,546 C 275,484 280,427 289,375 298,323 313,278 334,241 355,203 384,174 419,153 454,132 497,122 548,122 612,122 666,139 709,173 752,206 778,258 788,328 L 970,328 C 964,283 951,239 931,197 911,155 884,118 850,86 815,54 773,28 724,9 675,-10 618,-20 553,-20 468,-20 396,-6 337,23 278,52 230,91 193,142 156,192 129,251 112,320 95,388 87,462 87,542 87,615 93,679 105,735 117,790 134,839 156,881 177,922 203,957 232,986 261,1014 293,1037 328,1054 362,1071 398,1083 436,1091 474,1098 512,1102 551,1102 612,1102 666,1094 713,1077 760,1060 801,1038 836,1009 870,980 898,945 919,906 940,867 955,824 964,779 L 779,765 C 770,825 746,873 708,908 670,943 616,961 546,961 495,961 452,953 418,936 383,919 355,893 334,859 313,824 298,781 289,729 280,677 275,616 275,546 Z"/>
<glyph unicode="a" horiz-adv-x="1060" d="M 414,-20 C 305,-20 224,9 169,66 114,124 87,203 87,303 87,375 101,434 128,480 155,526 190,562 234,588 277,614 327,632 383,642 439,652 496,657 554,657 L 797,657 797,717 C 797,762 792,800 783,832 774,863 759,889 740,908 721,928 697,942 668,951 639,960 604,965 565,965 530,965 499,963 471,958 443,953 419,944 398,931 377,918 361,900 348,878 335,855 327,827 323,793 L 135,810 C 142,853 154,892 173,928 192,963 218,994 253,1020 287,1046 330,1066 382,1081 433,1095 496,1102 569,1102 705,1102 807,1071 876,1009 945,946 979,856 979,738 L 979,272 C 979,219 986,179 1000,152 1014,125 1041,111 1080,111 1090,111 1100,112 1110,113 1120,114 1130,116 1139,118 L 1139,6 C 1116,1 1094,-3 1072,-6 1049,-9 1025,-10 1000,-10 966,-10 937,-5 913,4 888,13 868,26 853,45 838,63 826,86 818,113 810,140 805,171 803,207 L 797,207 C 778,172 757,141 734,113 711,85 684,61 653,42 622,22 588,7 549,-4 510,-15 465,-20 414,-20 Z M 455,115 C 512,115 563,125 606,146 649,167 684,194 713,226 741,259 762,294 776,332 790,371 797,408 797,443 L 797,531 600,531 C 556,531 514,528 475,522 435,517 400,506 370,489 340,472 316,449 299,418 281,388 272,349 272,300 272,241 288,195 320,163 351,131 396,115 455,115 Z"/>
<glyph unicode="S" horiz-adv-x="1192" d="M 1272,389 C 1272,330 1261,275 1238,225 1215,175 1179,132 1131,96 1083,59 1023,31 950,11 877,-10 790,-20 690,-20 515,-20 378,11 280,72 182,133 120,222 93,338 L 278,375 C 287,338 302,305 321,275 340,245 367,219 400,198 433,176 473,159 522,147 571,135 629,129 697,129 754,129 806,134 853,144 900,153 941,168 975,188 1009,208 1036,234 1055,266 1074,297 1083,335 1083,379 1083,425 1073,462 1052,491 1031,520 1001,543 963,562 925,581 880,596 827,609 774,622 716,635 652,650 613,659 573,668 534,679 494,689 456,701 420,716 383,730 349,747 317,766 285,785 257,809 234,836 211,863 192,894 179,930 166,965 159,1006 159,1053 159,1120 173,1177 200,1225 227,1272 264,1311 312,1342 360,1373 417,1395 482,1409 547,1423 618,1430 694,1430 781,1430 856,1423 918,1410 980,1396 1032,1375 1075,1348 1118,1321 1152,1287 1178,1247 1203,1206 1224,1159 1239,1106 L 1051,1073 C 1042,1107 1028,1137 1011,1164 993,1191 970,1213 941,1231 912,1249 878,1263 837,1272 796,1281 747,1286 692,1286 627,1286 572,1280 528,1269 483,1257 448,1241 421,1221 394,1201 374,1178 363,1151 351,1124 345,1094 345,1063 345,1021 356,987 377,960 398,933 426,910 462,892 498,874 540,859 587,847 634,835 685,823 738,811 781,801 825,791 868,781 911,770 952,758 991,744 1030,729 1067,712 1102,693 1136,674 1166,650 1191,622 1216,594 1236,561 1251,523 1265,485 1272,440 1272,389 Z"/>
<glyph unicode="P" horiz-adv-x="1112" d="M 1258,985 C 1258,924 1248,867 1228,814 1207,761 1177,715 1137,676 1096,637 1046,606 985,583 924,560 854,549 773,549 L 359,549 359,0 168,0 168,1409 761,1409 C 844,1409 917,1399 979,1379 1041,1358 1093,1330 1134,1293 1175,1256 1206,1211 1227,1159 1248,1106 1258,1048 1258,985 Z M 1066,983 C 1066,1072 1039,1140 984,1187 929,1233 847,1256 738,1256 L 359,1256 359,700 746,700 C 856,700 937,724 989,773 1040,822 1066,892 1066,983 Z"/>
<glyph unicode="G" horiz-adv-x="1377" d="M 103,711 C 103,821 118,920 148,1009 177,1098 222,1173 281,1236 340,1298 413,1346 500,1380 587,1413 689,1430 804,1430 891,1430 967,1422 1032,1407 1097,1392 1154,1370 1202,1341 1250,1312 1291,1278 1324,1237 1357,1196 1386,1149 1409,1098 L 1227,1044 C 1210,1079 1189,1110 1165,1139 1140,1167 1111,1191 1076,1211 1041,1231 1001,1247 956,1258 910,1269 858,1274 799,1274 714,1274 640,1261 577,1234 514,1207 461,1169 420,1120 379,1071 348,1011 328,942 307,873 297,796 297,711 297,626 308,549 330,479 352,408 385,348 428,297 471,246 525,206 590,178 654,149 728,135 813,135 868,135 919,140 966,149 1013,158 1055,171 1093,186 1130,201 1163,217 1192,236 1221,254 1245,272 1264,291 L 1264,545 843,545 843,705 1440,705 1440,219 C 1409,187 1372,157 1330,128 1287,99 1240,73 1187,51 1134,29 1077,12 1014,-1 951,-14 884,-20 813,-20 694,-20 591,-2 502,35 413,71 340,122 281,187 222,252 177,329 148,418 118,507 103,605 103,711 Z"/>
<glyph unicode="A" horiz-adv-x="1377" d="M 1167,0 L 1006,412 364,412 202,0 4,0 579,1409 796,1409 1362,0 1167,0 Z M 768,1026 C 757,1053 747,1080 738,1107 728,1134 719,1159 712,1182 705,1204 699,1223 694,1238 689,1253 686,1262 685,1265 684,1262 681,1252 676,1237 671,1222 665,1203 658,1180 650,1157 641,1132 632,1105 622,1078 612,1051 602,1024 L 422,561 949,561 768,1026 Z"/>
<glyph unicode="-" horiz-adv-x="531" d="M 91,464 L 91,624 591,624 591,464 91,464 Z"/>
<glyph unicode=" " horiz-adv-x="556"/>
</font>
</defs>
<defs class="TextShapeIndex">
<g ooo:slide="id1" ooo:id-list="id3 id4 id5 id6 id7 id8 id9 id10 id11 id12 id13 id14 id15 id16 id17 id18 id19 id20 id21 id22"/>
</defs>
<defs class="EmbeddedBulletChars">
<g id="bullet-char-template(57356)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 580,1141 L 1163,571 580,0 -4,571 580,1141 Z"/>
</g>
<g id="bullet-char-template(57354)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 8,1128 L 1137,1128 1137,0 8,0 8,1128 Z"/>
</g>
<g id="bullet-char-template(10146)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 174,0 L 602,739 174,1481 1456,739 174,0 Z M 1358,739 L 309,1346 659,739 1358,739 Z"/>
</g>
<g id="bullet-char-template(10132)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 2015,739 L 1276,0 717,0 1260,543 174,543 174,936 1260,936 717,1481 1274,1481 2015,739 Z"/>
</g>
<g id="bullet-char-template(10007)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 0,-2 C -7,14 -16,27 -25,37 L 356,567 C 262,823 215,952 215,954 215,979 228,992 255,992 264,992 276,990 289,987 310,991 331,999 354,1012 L 381,999 492,748 772,1049 836,1024 860,1049 C 881,1039 901,1025 922,1006 886,937 835,863 770,784 769,783 710,716 594,584 L 774,223 C 774,196 753,168 711,139 L 727,119 C 717,90 699,76 672,76 641,76 570,178 457,381 L 164,-76 C 142,-110 111,-127 72,-127 30,-127 9,-110 8,-76 1,-67 -2,-52 -2,-32 -2,-23 -1,-13 0,-2 Z"/>
</g>
<g id="bullet-char-template(10004)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 285,-33 C 182,-33 111,30 74,156 52,228 41,333 41,471 41,549 55,616 82,672 116,743 169,778 240,778 293,778 328,747 346,684 L 369,508 C 377,444 397,411 428,410 L 1163,1116 C 1174,1127 1196,1133 1229,1133 1271,1133 1292,1118 1292,1087 L 1292,965 C 1292,929 1282,901 1262,881 L 442,47 C 390,-6 338,-33 285,-33 Z"/>
</g>
<g id="bullet-char-template(9679)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 813,0 C 632,0 489,54 383,161 276,268 223,411 223,592 223,773 276,916 383,1023 489,1130 632,1184 813,1184 992,1184 1136,1130 1245,1023 1353,916 1407,772 1407,592 1407,412 1353,268 1245,161 1136,54 992,0 813,0 Z"/>
</g>
<g id="bullet-char-template(8226)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 346,457 C 273,457 209,483 155,535 101,586 74,649 74,723 74,796 101,859 155,911 209,963 273,989 346,989 419,989 480,963 531,910 582,859 608,796 608,723 608,648 583,586 532,535 482,483 420,457 346,457 Z"/>
</g>
<g id="bullet-char-template(8211)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M -4,459 L 1135,459 1135,606 -4,606 -4,459 Z"/>
</g>
<g id="bullet-char-template(61548)" transform="scale(0.00048828125,-0.00048828125)">
<path d="M 173,740 C 173,903 231,1043 346,1159 462,1274 601,1332 765,1332 928,1332 1067,1274 1183,1159 1299,1043 1357,903 1357,740 1357,577 1299,437 1183,322 1067,206 928,148 765,148 601,148 462,206 346,322 231,437 173,577 173,740 Z"/>
</g>
</defs>
<defs class="TextEmbeddedBitmaps"/>
<g>
<g id="id2" class="Master_Slide">
<g id="bg-id2" class="Background"/>
<g id="bo-id2" class="BackgroundObjects"/>
</g>
</g>
<g class="SlideGroup">
<g>
<g id="container-id1">
<g id="id1" class="Slide" clip-path="url(#presentation_clip_path)">
<g class="Page">
<g class="com.sun.star.drawing.CustomShape">
<g id="id3">
<rect class="BoundingBox" stroke="none" fill="none" x="2649" y="2649" width="3432" height="1654"/>
<path fill="rgb(114,159,207)" stroke="none" d="M 4365,4301 L 2650,4301 2650,2650 6079,2650 6079,4301 4365,4301 Z"/>
<path fill="none" stroke="rgb(52,101,164)" d="M 4365,4301 L 2650,4301 2650,2650 6079,2650 6079,4301 4365,4301 Z"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="2938" y="3696"><tspan fill="rgb(0,0,0)" stroke="none">Api server</tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.CustomShape">
<g id="id4">
<rect class="BoundingBox" stroke="none" fill="none" x="8619" y="2649" width="3813" height="1654"/>
<path fill="rgb(114,159,207)" stroke="none" d="M 10525,4301 L 8620,4301 8620,2650 12430,2650 12430,4301 10525,4301 Z"/>
<path fill="none" stroke="rgb(52,101,164)" d="M 10525,4301 L 8620,4301 8620,2650 12430,2650 12430,4301 10525,4301 Z"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="8957" y="3696"><tspan fill="rgb(0,0,0)" stroke="none">Pod watch </tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.CustomShape">
<g id="id5">
<rect class="BoundingBox" stroke="none" fill="none" x="14179" y="2649" width="4145" height="1654"/>
<path fill="rgb(114,159,207)" stroke="none" d="M 16240,4301 L 14208,4301 14208,2650 18272,2650 18272,4301 16240,4301 Z"/>
<path fill="none" stroke="rgb(52,101,164)" d="M 16240,4301 L 14208,4301 14208,2650 18272,2650 18272,4301 16240,4301 Z"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="14127" y="3341"><tspan fill="rgb(0,0,0)" stroke="none">Policy selected</tspan></tspan></tspan><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="14424" y="4052"><tspan fill="rgb(0,0,0)" stroke="none">Pods watch </tspan></tspan></tspan><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="16062" y="4763"><tspan fill="rgb(0,0,0)" stroke="none"> </tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id6">
<rect class="BoundingBox" stroke="none" fill="none" x="4030" y="4428" width="302" height="10543"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4302,4429 L 4180,14540"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 4175,14970 L 4330,14522 4030,14518 4175,14970 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id7">
<rect class="BoundingBox" stroke="none" fill="none" x="10375" y="4428" width="301" height="10670"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10525,4429 L 10525,14667"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 10525,15097 L 10675,14647 10375,14647 10525,15097 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id8">
<rect class="BoundingBox" stroke="none" fill="none" x="16465" y="4301" width="302" height="10797"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 16494,4302 L 16616,14667"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 16621,15097 L 16766,14645 16466,14649 16621,15097 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id9">
<rect class="BoundingBox" stroke="none" fill="none" x="4301" y="5930" width="6225" height="301"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4302,6080 L 4355,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4408,6080 L 4461,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4514,6080 L 4567,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4621,6080 L 4674,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4727,6080 L 4780,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4833,6080 L 4886,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4939,6080 L 4992,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5045,6080 L 5098,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5151,6080 L 5205,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5258,6080 L 5311,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5364,6080 L 5417,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5470,6080 L 5523,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5576,6080 L 5629,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5682,6080 L 5735,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5789,6080 L 5842,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5895,6080 L 5948,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6001,6080 L 6054,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6107,6080 L 6160,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6213,6080 L 6266,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6319,6080 L 6373,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6426,6080 L 6479,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6532,6080 L 6585,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6638,6080 L 6691,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6744,6080 L 6797,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6850,6080 L 6903,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6957,6080 L 7010,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7063,6080 L 7116,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7169,6080 L 7222,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7275,6080 L 7328,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7381,6080 L 7434,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7487,6080 L 7541,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7594,6080 L 7647,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7700,6080 L 7753,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7806,6080 L 7859,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7912,6080 L 7965,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8018,6080 L 8071,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8125,6080 L 8178,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8231,6080 L 8284,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8337,6080 L 8390,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8443,6080 L 8496,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8549,6080 L 8602,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8656,6080 L 8709,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8762,6080 L 8815,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8868,6080 L 8921,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8974,6080 L 9027,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9080,6080 L 9133,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9186,6080 L 9240,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9293,6080 L 9346,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9399,6080 L 9452,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9505,6080 L 9558,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9611,6080 L 9664,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9717,6080 L 9770,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9824,6080 L 9877,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9930,6080 L 9983,6080"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10036,6080 L 10089,6080"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 10525,6080 L 10075,5930 10075,6230 10525,6080 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.TextShape">
<g id="id10">
<rect class="BoundingBox" stroke="none" fill="none" x="4937" y="5191" width="5081" height="1674"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="5787" y="5892"><tspan fill="rgb(0,0,0)" stroke="none">Pod created</tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id11">
<rect class="BoundingBox" stroke="none" fill="none" x="4174" y="7449" width="12448" height="302"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4175,7477 L 4228,7478"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4281,7478 L 4334,7479"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4387,7479 L 4440,7480"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4494,7480 L 4547,7481"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4600,7481 L 4653,7482"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4706,7482 L 4759,7483"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4812,7484 L 4865,7484"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4918,7485 L 4971,7485"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5024,7486 L 5078,7486"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5131,7487 L 5184,7487"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5237,7488 L 5290,7488"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5343,7489 L 5396,7489"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5449,7490 L 5502,7491"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5555,7491 L 5608,7492"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5661,7492 L 5715,7493"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5768,7493 L 5821,7494"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5874,7494 L 5927,7495"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5980,7495 L 6033,7496"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6086,7497 L 6139,7497"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6192,7498 L 6245,7498"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6299,7499 L 6352,7499"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6405,7500 L 6458,7500"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6511,7501 L 6564,7501"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6617,7502 L 6670,7502"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6723,7503 L 6776,7504"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6829,7504 L 6883,7505"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6936,7505 L 6989,7506"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7042,7506 L 7095,7507"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7148,7507 L 7201,7508"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7254,7508 L 7307,7509"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7360,7510 L 7413,7510"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7467,7511 L 7520,7511"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7573,7512 L 7626,7512"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7679,7513 L 7732,7513"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7785,7514 L 7838,7514"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7891,7515 L 7944,7515"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7997,7516 L 8050,7517"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8104,7517 L 8157,7518"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8210,7518 L 8263,7519"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8316,7519 L 8369,7520"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8422,7520 L 8475,7521"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8528,7521 L 8581,7522"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8634,7523 L 8688,7523"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8741,7524 L 8794,7524"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8847,7525 L 8900,7525"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8953,7526 L 9006,7526"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9059,7527 L 9112,7527"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9165,7528 L 9218,7528"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9272,7529 L 9325,7530"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9378,7530 L 9431,7531"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9484,7531 L 9537,7532"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9590,7532 L 9643,7533"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9696,7533 L 9749,7534"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9802,7534 L 9855,7535"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9909,7536 L 9962,7536"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10015,7537 L 10068,7537"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10121,7538 L 10174,7538"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10227,7539 L 10280,7539"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10333,7540 L 10386,7540"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10439,7541 L 10493,7541"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10546,7542 L 10599,7543"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10652,7543 L 10705,7544"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10758,7544 L 10811,7545"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10864,7545 L 10917,7546"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10970,7546 L 11023,7547"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11077,7547 L 11130,7548"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11183,7549 L 11236,7549"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11289,7550 L 11342,7550"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11395,7551 L 11448,7551"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11501,7552 L 11554,7552"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11607,7553 L 11661,7553"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11714,7554 L 11767,7554"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11820,7555 L 11873,7556"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11926,7556 L 11979,7557"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12032,7557 L 12085,7558"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12138,7558 L 12191,7559"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12244,7559 L 12298,7560"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12351,7560 L 12404,7561"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12457,7562 L 12510,7562"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12563,7563 L 12616,7563"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12669,7564 L 12722,7564"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12775,7565 L 12828,7565"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12882,7566 L 12935,7566"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12988,7567 L 13041,7567"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13094,7568 L 13147,7569"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13200,7569 L 13253,7570"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13306,7570 L 13359,7571"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13412,7571 L 13466,7572"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13519,7572 L 13572,7573"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13625,7573 L 13678,7574"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13731,7575 L 13784,7575"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13837,7576 L 13890,7576"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13943,7577 L 13996,7577"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14050,7578 L 14103,7578"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14156,7579 L 14209,7579"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14262,7580 L 14315,7580"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14368,7581 L 14421,7582"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14474,7582 L 14527,7583"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14580,7583 L 14633,7584"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14687,7584 L 14740,7585"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14793,7585 L 14846,7586"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14899,7586 L 14952,7587"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15005,7588 L 15058,7588"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15111,7589 L 15164,7589"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15217,7590 L 15271,7590"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15324,7591 L 15377,7591"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15430,7592 L 15483,7592"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15536,7593 L 15589,7593"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15642,7594 L 15695,7595"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15748,7595 L 15801,7596"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15855,7596 L 15908,7597"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15961,7597 L 16014,7598"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 16067,7598 L 16120,7599"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 16173,7599 L 16191,7600"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 16621,7604 L 16173,7449 16169,7749 16621,7604 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.TextShape">
<g id="id12">
<rect class="BoundingBox" stroke="none" fill="none" x="4937" y="6461" width="4573" height="1271"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="5787" y="7162"><tspan fill="rgb(0,0,0)" stroke="none">Pod created</tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id13">
<rect class="BoundingBox" stroke="none" fill="none" x="4175" y="9613" width="6352" height="301"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10525,9763 L 10474,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10423,9763 L 10372,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10321,9763 L 10270,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10219,9763 L 10168,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10117,9763 L 10066,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10015,9763 L 9964,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9913,9763 L 9862,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9811,9763 L 9760,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9709,9763 L 9658,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9607,9763 L 9556,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9505,9763 L 9454,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9403,9763 L 9352,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9301,9763 L 9250,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9199,9763 L 9148,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9097,9763 L 9046,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8995,9763 L 8944,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8893,9763 L 8842,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8791,9763 L 8740,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8689,9763 L 8638,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8587,9763 L 8536,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8485,9763 L 8434,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8383,9763 L 8332,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8281,9763 L 8230,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8179,9763 L 8128,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8077,9763 L 8026,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7975,9763 L 7924,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7873,9763 L 7822,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7771,9763 L 7720,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7669,9763 L 7618,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7567,9763 L 7516,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7465,9763 L 7414,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7363,9763 L 7312,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7261,9763 L 7210,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7159,9763 L 7108,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7057,9763 L 7006,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6955,9763 L 6904,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6853,9763 L 6802,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6751,9763 L 6700,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6649,9763 L 6598,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6547,9763 L 6496,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6445,9763 L 6394,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6343,9763 L 6292,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6241,9763 L 6190,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6139,9763 L 6088,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6037,9763 L 5986,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5935,9763 L 5884,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5833,9763 L 5782,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5731,9763 L 5680,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5629,9763 L 5578,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5527,9763 L 5476,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5425,9763 L 5374,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5323,9763 L 5272,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5221,9763 L 5170,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5119,9763 L 5068,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5017,9763 L 4966,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4915,9763 L 4864,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4813,9763 L 4762,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4711,9763 L 4660,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4609,9763 L 4605,9763"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 4175,9763 L 4625,9913 4625,9613 4175,9763 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.TextShape">
<g id="id14">
<rect class="BoundingBox" stroke="none" fill="none" x="4683" y="8239" width="5208" height="1674"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="5533" y="8940"><tspan fill="rgb(0,0,0)" stroke="none">Pod created </tspan></tspan><tspan class="TextPosition" x="4933" y="9651"><tspan fill="rgb(0,0,0)" stroke="none">with default SG</tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id15">
<rect class="BoundingBox" stroke="none" fill="none" x="4176" y="9613" width="6352" height="301"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10526,9763 L 10475,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10424,9763 L 10373,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10322,9763 L 10271,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10220,9763 L 10169,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10118,9763 L 10067,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10016,9763 L 9965,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9914,9763 L 9863,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9812,9763 L 9761,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9710,9763 L 9659,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9608,9763 L 9557,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9506,9763 L 9455,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9404,9763 L 9353,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9302,9763 L 9251,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9200,9763 L 9149,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9098,9763 L 9047,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8996,9763 L 8945,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8894,9763 L 8843,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8792,9763 L 8741,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8690,9763 L 8639,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8588,9763 L 8537,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8486,9763 L 8435,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8384,9763 L 8333,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8282,9763 L 8231,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8180,9763 L 8129,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8078,9763 L 8027,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7976,9763 L 7925,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7874,9763 L 7823,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7772,9763 L 7721,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7670,9763 L 7619,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7568,9763 L 7517,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7466,9763 L 7415,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7364,9763 L 7313,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7262,9763 L 7211,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7160,9763 L 7109,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7058,9763 L 7007,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6956,9763 L 6905,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6854,9763 L 6803,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6752,9763 L 6701,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6650,9763 L 6599,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6548,9763 L 6497,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6446,9763 L 6395,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6344,9763 L 6293,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6242,9763 L 6191,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6140,9763 L 6089,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6038,9763 L 5987,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5936,9763 L 5885,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5834,9763 L 5783,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5732,9763 L 5681,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5630,9763 L 5579,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5528,9763 L 5477,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5426,9763 L 5375,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5324,9763 L 5273,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5222,9763 L 5171,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5120,9763 L 5069,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5018,9763 L 4967,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4916,9763 L 4865,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4814,9763 L 4763,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4712,9763 L 4661,9763"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4610,9763 L 4606,9763"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 4176,9763 L 4626,9913 4626,9613 4176,9763 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id16">
<rect class="BoundingBox" stroke="none" fill="none" x="4175" y="11518" width="12194" height="301"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 16367,11668 L 16316,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 16265,11668 L 16214,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 16163,11668 L 16112,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 16061,11668 L 16010,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15959,11668 L 15908,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15857,11668 L 15806,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15755,11668 L 15704,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15653,11668 L 15602,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15551,11668 L 15500,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15449,11668 L 15398,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15347,11668 L 15296,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15245,11668 L 15194,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15143,11668 L 15092,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 15041,11668 L 14990,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14939,11668 L 14888,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14837,11668 L 14786,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14735,11668 L 14684,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14633,11668 L 14582,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14531,11668 L 14480,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14429,11668 L 14378,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14327,11668 L 14276,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14225,11668 L 14174,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14123,11668 L 14072,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 14021,11668 L 13970,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13919,11668 L 13868,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13817,11668 L 13766,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13715,11668 L 13664,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13613,11668 L 13562,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13511,11668 L 13460,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13409,11668 L 13358,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13307,11668 L 13256,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13205,11668 L 13154,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13103,11668 L 13052,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13001,11668 L 12950,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12899,11668 L 12848,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12797,11668 L 12746,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12695,11668 L 12644,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12593,11668 L 12542,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12491,11668 L 12440,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12389,11668 L 12338,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12287,11668 L 12236,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12185,11668 L 12134,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 12083,11668 L 12032,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11981,11668 L 11930,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11879,11668 L 11828,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11777,11668 L 11726,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11675,11668 L 11624,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11573,11668 L 11522,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11471,11668 L 11420,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11369,11668 L 11318,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11267,11668 L 11216,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11165,11668 L 11114,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 11063,11668 L 11012,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10961,11668 L 10910,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10859,11668 L 10808,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10757,11668 L 10706,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10655,11668 L 10604,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10553,11668 L 10502,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10451,11668 L 10400,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10349,11668 L 10298,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10247,11668 L 10196,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10145,11668 L 10094,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10043,11668 L 9992,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9941,11668 L 9890,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9839,11668 L 9788,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9737,11668 L 9686,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9635,11668 L 9584,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9533,11668 L 9482,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9431,11668 L 9380,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9329,11668 L 9278,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9227,11668 L 9176,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9125,11668 L 9074,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9023,11668 L 8972,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8921,11668 L 8870,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8819,11668 L 8768,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8717,11668 L 8666,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8615,11668 L 8564,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8513,11668 L 8462,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8411,11668 L 8360,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8309,11668 L 8258,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8207,11668 L 8156,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8105,11668 L 8054,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8003,11668 L 7952,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7901,11668 L 7850,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7799,11668 L 7748,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7697,11668 L 7646,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7595,11668 L 7544,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7493,11668 L 7442,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7391,11668 L 7340,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7289,11668 L 7238,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7187,11668 L 7136,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7085,11668 L 7034,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6983,11668 L 6932,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6881,11668 L 6830,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6779,11668 L 6728,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6677,11668 L 6626,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6575,11668 L 6524,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6473,11668 L 6422,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6371,11668 L 6320,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6269,11668 L 6218,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6167,11668 L 6116,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6065,11668 L 6014,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5963,11668 L 5912,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5861,11668 L 5810,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5759,11668 L 5708,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5657,11668 L 5606,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5555,11668 L 5504,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5453,11668 L 5402,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5351,11668 L 5300,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5249,11668 L 5198,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5147,11668 L 5096,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5045,11668 L 4994,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4943,11668 L 4892,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4841,11668 L 4790,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4739,11668 L 4688,11668"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4637,11668 L 4605,11668"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 4175,11668 L 4625,11818 4625,11518 4175,11668 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.TextShape">
<g id="id17">
<rect class="BoundingBox" stroke="none" fill="none" x="10779" y="10144" width="5843" height="2385"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="11629" y="10845"><tspan fill="rgb(0,0,0)" stroke="none">Pod annotated </tspan></tspan><tspan class="TextPosition" x="11029" y="11556"><tspan fill="rgb(0,0,0)" stroke="none">with net-policy SG </tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.LineShape">
<g id="id18">
<rect class="BoundingBox" stroke="none" fill="none" x="4301" y="13550" width="6352" height="301"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4302,13700 L 4355,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4408,13700 L 4461,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4514,13700 L 4567,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4621,13700 L 4674,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4727,13700 L 4780,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4833,13700 L 4886,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 4939,13700 L 4992,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5045,13700 L 5098,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5151,13700 L 5205,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5258,13700 L 5311,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5364,13700 L 5417,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5470,13700 L 5523,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5576,13700 L 5629,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5682,13700 L 5735,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5789,13700 L 5842,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 5895,13700 L 5948,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6001,13700 L 6054,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6107,13700 L 6160,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6213,13700 L 6266,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6319,13700 L 6373,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6426,13700 L 6479,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6532,13700 L 6585,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6638,13700 L 6691,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6744,13700 L 6797,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6850,13700 L 6903,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 6957,13700 L 7010,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7063,13700 L 7116,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7169,13700 L 7222,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7275,13700 L 7328,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7381,13700 L 7434,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7487,13700 L 7541,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7594,13700 L 7647,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7700,13700 L 7753,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7806,13700 L 7859,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7912,13700 L 7965,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8018,13700 L 8071,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8125,13700 L 8178,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8231,13700 L 8284,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8337,13700 L 8390,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8443,13700 L 8496,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8549,13700 L 8602,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8656,13700 L 8709,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8762,13700 L 8815,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8868,13700 L 8921,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 8974,13700 L 9027,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9080,13700 L 9133,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9186,13700 L 9240,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9293,13700 L 9346,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9399,13700 L 9452,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9505,13700 L 9558,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9611,13700 L 9664,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9717,13700 L 9770,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9824,13700 L 9877,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 9930,13700 L 9983,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10036,13700 L 10089,13700"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10142,13700 L 10195,13700"/>
<path fill="rgb(0,0,0)" stroke="none" d="M 10652,13700 L 10202,13550 10202,13850 10652,13700 Z"/>
</g>
</g>
<g class="com.sun.star.drawing.TextShape">
<g id="id19">
<rect class="BoundingBox" stroke="none" fill="none" x="4556" y="12303" width="5335" height="1271"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="5406" y="13004"><tspan fill="rgb(0,0,0)" stroke="none">Pod update </tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.CustomShape">
<g id="id20">
<rect class="BoundingBox" stroke="none" fill="none" x="8365" y="15096" width="43471" height="1889"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="48236" y="16853"><tspan fill="rgb(0,0,0)" stroke="none">Attach policy </tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.CustomShape">
<g id="id21">
<rect class="BoundingBox" stroke="none" fill="none" x="9508" y="17015" width="42394" height="500"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="46208" y="17475"><tspan fill="rgb(0,0,0)" stroke="none">vxcxvattsdsadsadsa</tspan></tspan></tspan></text>
</g>
</g>
<g class="com.sun.star.drawing.CustomShape">
<g id="id22">
<rect class="BoundingBox" stroke="none" fill="none" x="7730" y="14968" width="5592" height="3179"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 10525,14969 L 13320,16557 10525,18145 7731,16557 10525,14969 10525,14969 Z"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 7731,14969 L 7731,14969 Z"/>
<path fill="none" stroke="rgb(0,0,0)" d="M 13320,18145 L 13320,18145 Z"/>
<text class="TextShape"><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="8639" y="16422"><tspan fill="rgb(0,0,0)" stroke="none">Attach policy </tspan></tspan></tspan><tspan class="TextParagraph" font-family="Liberation Sans, sans-serif" font-size="635px" font-weight="400"><tspan class="TextPosition" x="9202" y="17133"><tspan fill="rgb(0,0,0)" stroke="none">sg to port</tspan></tspan></tspan></text>
</g>
</g>
</g>
</g>
</g>
</g>
</g>
</svg>

After

Width:  |  Height:  |  Size: 66 KiB

View File

@ -33,6 +33,7 @@ Design Specs
specs/pike/contrail_support
specs/pike/fuxi_kubernetes
specs/pike/sriov
specs/queens/network_policy
Indices and tables
==================

View File

@ -0,0 +1,485 @@
=======================
Network policy support
=======================
By default all Kubernetes pods are non-isolated and they accept traffic
from any source. "Network policy" is Kubernetes specification that defines how
groups of pods are allowed to communicate with each other and other network
endpoints [1]_.
This Spec suggests a design for supporting Kubernetes "Network policy" in
Kuryr.
Problem Description
===================
Kubernetes "Network policies" define which traffic is allowed to be
sent or received by group of pods.
Each network policy has 3 main parts [2]_:
* Pod selector: Use kubernetes "label selector" [5]_ that defines on which
pods this policy should be applied. The relationship between pod and policy
is N to M.
Each pod can be selected by multiple network-policies (when an OR operator
is applied between the policies), and each policy can be attached to
multiple pods.
* Ingress section: defines which traffic can be received by selected pods.
It's defined by a "Cartesian product" of (allowed peers) and (protocol).
* There are 3 ways to define Allowed peer:
* Ip-address-block: allowed CIDR (also enable to exclude an inner CIDR).
* Pod selector: allowed set of pods defined by "label selector" [5]_.
* Namespace selector: list of namespaces; all pods that belong to that
namespaces are defined as allowed-peers.
* Port is defined by 2 fields:
* L4 protocol (TCP/UDP/ICMP..)
* L4 destination port
* Egress section: defines which traffic can be sent from the selected pods.
This is defined in the same way as the ingress section.
In order to support network-policy, kuryr-kubernetes should handle all the
events that are related to the network-policies and translate them into
Neutron objects for apply an equivalent network-topology to the one defined by
the Kubernetes policies. Neutron doesnt have a security API that is equivalent
to the the kubernetes-network-policy. The translation should be done carefully
in order to achieve eventually consistent required topology, and avoid
corner-cases and race conditions.
Proposed solution
=================
This spec suggests to implement Kubernetes network-policy by leveraging Neutron
security-groups [4]_.
There is some similarity between security-groups and network-policy, but there
are also some definitions inside the network-policy that require some more
complex translation work.
In order to provide a full translation between kubernetes-policies to security
groups, there are 3 main issues that need to be consider:
* Translation of the kubernetes-policy to Neutron security-group object.
* Attaching the security-group to the relevant-ports according to
the policy pod-selector.
* Response to changes in the group of pods that selected by pod selectors and
namespace selector:
* when pod is created and matches the queries
* when pod is updated with new label, and that label matches to the query
The next paragraphs describe the implementation proposal for each of the tasks
described above, including new Handler and Drivers, that should be added to
the Kuryr controller.
Translate Kubernetes policy to Neutron security-group
-----------------------------------------------------
Allow all policy [3]_
#######################
Network policy that allows all traffic, should be translated to
Security group with one rule that allows all traffic.
Example for allow all egress traffic:
.. code-block:: json
{
"security_group_rule": {
"direction": "egress",
"protocol": null,
"security_group_id": "[id]"
}
}
Deny all policy [6]_
######################
Translate to an empty-security-group.
Ingress/egress
##############
Can be translated to security-group-rules ingress/egress traits.
IpBlock:
########
Can be done by “remote ip prefix” trait in security-group-rule as both
use CIDRs. In case of Exceptions (It's an inner CIDR's of the ipBlock, that
should be excluded from the rule), the ip-range should be broken into pieces
that cover the all ip-block without the exception.
For example, if there is Ip-block :”1.1.1.0/24 except 1.1.1.0/26”, Kuryr should
create security-groups-rules with 1.1.1.128/25 an 1.1.1.64/26).
podSelectors
############
Pod selector uses kubernetes label-selectors [6]_ for choosing set of pods.
It is used in the policy for 2 purposes:
* Define on which pods the policy should be applied.
* Allow ingress/egress traffic from/to this set of pods.
The first one defines on which ports the policy should be applied, so it will
be discussed in the next section. For the second, the translation mechanism can
use the security-group trait - "remote_policy_group", that allows to define as
valid source all ports that belong to another security-group. This means that
we could create security-group with no rules for each network-policy selector
and attach all ports corresponding to pods that selected by the pod query
to this security-group.
We assume that each port attached to this security-group will be attached to
at least one other group (default security-group), so that attachment will not
entirely block traffic to the port.
namespaceSelector
#################
Namespace selector is used for choosing all the pods that belong to the
namespaces that selected by the query for allowing ingress/egress traffic.
Should use the same security-group as the pod selector for allowing ingress/egress
traffic from the selected namespaces.
Port, protocol
##############
This can be translated to port and protocol in security-group-rule.
Mix of ports and peer
#####################
In this case security-group-rule should be created for each tuple of
peer and ports. Number of rules will be a Cartesian product of ports and
peers.
Match between security-groups and its ports
-------------------------------------------
A security-group that derived from kubernetes-policy should be
tagged [7]_ with network_policy UID. In case of issue of length or characters-set
hashing should be applied, so security-group unique tag could be derived from the
policy-UID.
For defining on which pods the policy should be applied Kubernetes defines a
pod-selector query [5]_. For applying the policy on the relevant ports, Kuryr
needs to know at any given moment which pods belong to that group. It can
happen when pod is created/updated/change-label.
When policy is created, Kuryr should trigger a get query for applying the
policy on all pods that already match,
and add a watch for getting an update when POD added or removed from
network-policy and apply/remove the translated policy on the pod's port.
For applying the policy on the pod, an annotation with the security-group-id
will be added to the pod. That will cause the "update pod" event.
The VIFHandler via security-group Driver will attach the pod to the port.
We can't attach the security-group directly in the watch callback as it
will create a race condition between the watch and the VIFHandler as
the watch could be called before Kuryr notified that the pod is created.
With the annotation - when new pod is created, if the watch was called
before VIFHandler pod creation processing, VIFHandler will get the pod already
with the annotation. Otherwise, it will get pod with no
security-group-annotation and will attach it to the default security-group.
When the watch will update the annotation, the pod will be updated with the
correct security-group.
When policy is updated, if policy pod-selectors changed,
a diff between the old and new selected-pod-set should be done,
and the pods security-groups annotations should be updated respectively.
Selector watches should be updated with the new queries.
Allow traffic from the pod ingress and egress selectors:
--------------------------------------------------------
As mentioned above, "remote_group_id" will be used to allow ingress and
egress traffic from pods selected by the pod/namespace selectors.
For the pod-selector and namespace-selector we need to
create a security-group per policy (one for ingress and one for egress).
The security-group should be tagged with tag that is derived from the
policy-UID and traffic direction (for example: [policy_UID]_EG for egress traffic).
In case of characters-sets or allowed-length issues, hash should be applied for
updating these security-groups.
For each selector (namespace or pod) a watch should be set. The watch callback
will add/remove the relevant pods to/from the security-group.
Controller Handlers and Drivers impact:
---------------------------------------
For supporting Network-policy Handler that watches network_policy events
will be added.
Two new drivers will be added:
* On the network_policy Handler:
* "Network Policy Apply Driver", it will have 3 responsibilities:
* Translate the network-policy to security-groups.
* Match the security-group to its relevant port
(by setting the watch and annotating the pod as described above).
* Update the security-groups for ingress/egress POD/namespace selector.
* On VIF handler:
* A security-group-policy Driver will be used instead of the default
security groups Driver. It will be responsible for:
* Set the port security-group according to the annotation.
Controller startup
------------------
The following should be done on Controller startup:
* Retrieve from Kubernetes API all network-policies and set all the
relevant watches. This should happen before the Controller starts.
* Need to do some sync operation to make-sure Neutron topology is synchronised
with Kubernetes Network Policy model.
* for every network-policy:
* Get it's main security-group and check if it's updated. This validation
will be done by the generation tag. Generation is part of k8s metadata
and and increased by one on every policy change. When the policy will
applied by kuryr, it's should be annotated with current policy generation.
If the generation in the policy meta-data is newer than
the generation in the annotation, it's mean that the policy had been
changed and the security-group rules needs to rebuild.
* for each pod selector in the policy:
* get from kubernetes-api all pods that selected by this query.
* get all ports of the relevant security-groups.
* Do diff between port that needed to be attached to SG,
and add/remove pod-ports from security-groups.
Port pool impact
----------------
Changes in the security-policy can cause negative impact on the port-pools [9]_.
The combination of the security-groups of port is part of the pool key, and
changes in network-policy could make some pools not relevant any more.
For example let's assume that we have 2 policies "a" and "b", and both policies
should be applied on pods with the label "role: db". When the first pod with
label "role: db" is created - a new port-pool is created and its pool key is
composed from the security-groups of "a" and "b". If policy "b" will be changed
and pods with label "role: db" would not be selected by the policy anymore,
then the port-pool that was created for the combination of "a" and "b" will not
be not useful any more.
That can lead to the ports leak, as pool holds many ports that not useful
anymore. For handling this issue a new cleanup task should be added. This task
will release all ports from the pools that are not in use anymore.
Another issue that needs to be treated is that the policies of pod can be
changed while pod is running. Currently when pod is deleted its' port is
returned to the pool that it was taken from. But if the pod's policies are
changed, this behaviour is incorrect. When port is released it should be
returned to the pool that matches to the current state of the pod.
Execution flow diagram
----------------------
See below the network policy attachment to the pod after pod creation:
.. image:: ../../../images/net-policy.svg
:alt: Ingress creation flow diagram
:align: left
:width: 100%
Possible optimization:
----------------------
Kubernetes label-selector divided into 2 types of queries "match-labels",
and "match-expression" [10]_. "match-labels" selects a closed list of labels
while "match-expression" selects all pods that match to paticular expression.
This spec suggests to create a watch for each label-selector query, because in
"match-expression" queries it is not possible to determine if pod matches the
query, without implementing parser for each expression. By setting a watch we
are using kubernetes-api-server for the matching between pods and queries.
The spec treats the "match-labels" and "match-expression" queries in the same
way for simplicity reasons. But future optimization may distinguish between
queries-types. "match-labels" queries watches may be removed and the matching
between pod to its' "match-labels" queries could be done directly
on the vif-handler.
Assumptions
-----------
Security-groups are supported by the networking backend for all vif interfaces.
In case of special interfaces (SR-IOV, mac-vlan, etc ..), the network-policy
will be applied on the interface if and only if then networking backend
enables security-groups on those interfaces.
Execution flow-example
----------------------
This section describes system execution flow in the following scenarios:
* POD is deployed on empty system.
* Network-policy that should be applied on the first pod is deployed.
* Another pod that belongs to the network-policy is deployed.
Pod is deployed on empty system:
* Pod is created with the following details:
* name: p1, namespace: default, labels : {Role:db}.
* VIF Handler:
* Security-group-policy driver:
* Assign default-policy to this pod (as we still
do not have any network-policy in the system).
* Create security-group for namespace 'default',
and add pod p1 port to that security-group.
Network policy is deployed:
Let's assume that following policy is created (taken from k8s tutorial [8]_):
.. code-block:: yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978
* Network policy Handler:
* Network policy Driver:
* Create security group with the following rules:
* Ingress , tcp:6379 172.17.0.0/24
* Ingress , tcp:6379 172.17.2.0/23
* Ingress , tcp:6379 172.17.4.0.0/22
* Ingress , tcp:6379 172.17.8.0/21
* Ingress , tcp:6379 172.17.16.0/20
* Ingress , tcp:6379 172.17.32.0/19
* Ingress , tcp:6379 172.17.64.0/18
* Ingress , tcp:6379 172.17.128.0/17
* Ingress , tcp: 6379 , remote_group_id : [test-network-policy-uid]_in
* Egress, tcp:5978 10.0.0.0/24
* Create match for the policy:
* Queries k8s-api about pods that match to {role:db}
* Attach the annotation with security-policy-id to p1.
* Set a watch on the query - “Match-label : {role:db}” , the watch
callback of this watch will update the security-group annotation on
the updated/new pods that are selected by this query.
* Create a match for the ingress/egress group:
* Set watch on the query : “match-labels {role:frontend}” , watch
callback will add all pods that are selected by this query to the
security-group [test-network-policy-uid]_in.
* VIF Handler:
* Will get update event on p1 as its' annotations is changed.
* security-policy-group-driver:
* Attach the interface to its security-group.
Second pod is created:
* pod is created with the details:
* name: p2 , namespace: default , labels : {Role:db}.
* Let's assume that VIF handler is called before watch-callback (as this case
is little more complicated).
* VIF Handler:
* Pod created event (still no namespace sg annotation on the pod).
* Namespace security-group driver
* Return the default network-policy.
* Pod is created with default-policy.
* Watch Callback:
* p2 is selected by security-group net-policy-test, annotates the pod
with security-group-id that matches to the policy.
* VIF Handler:
* security-group policy driver
* Update pod P2 port with network policy driver.
References
==========
.. [1] https://kubernetes.io/docs/concepts/services-networking/network-policies/
.. [2] https://kubernetes.io/docs/api-reference/v1.8/#networkpolicy-v1-networking/
.. [3] https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-allow-all-ingress-traffic
.. [4] https://developer.openstack.org/api-ref/network/v2/index.html#security-group-rules-security-group-rules
.. [5] https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
.. [6] https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
.. [7] https://docs.openstack.org/neutron/latest/contributor/internals/tag.html
.. [8] https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource
.. [9] https://github.com/openstack/kuryr-kubernetes/blob/master/doc/source/devref/port_manager.rst
.. [10] https://v1-8.docs.kubernetes.io/docs/api-reference/v1.8/#labelselector-v1-meta