kubernetes
diff --git a/‎keps/sig-network/20201014-NamespaceAsName.md renamed to ‎keps/sig-network/2112-netpol-namespace-name-selector/README.md
+101-123 b/‎keps/sig-network/20201014-NamespaceAsName.md renamed to ‎keps/sig-network/2112-netpol-namespace-name-selector/README.md
+101-123
@@ -1,65 +1,3 @@
-<!--
-**Note:** When your KEP is complete, all of these comment blocks should be removed.
-
-To get started with this template:
-
-- [X] **Pick a hosting SIG.**
-  Make sure that the problem space is something the SIG is interested in taking
-  up. KEPs should not be checked in without a sponsoring SIG.
-- [X] **Create an issue in kubernetes/enhancements**
-  When filing an enhancement tracking issue, please make sure to complete all
-  fields in that template. One of the fields asks for a link to the KEP. You
-  can leave that blank until this KEP is filed, and then go back to the
-  enhancement and add the link.
-- [X] **Make a copy of this template directory.**
-  Copy this template into the owning SIG's directory and name it
-  `NNNN-short-descriptive-title`, where `NNNN` is the issue number (with no
-  leading-zero padding) assigned to your enhancement above.
-- [X] **Fill out as much of the kep.yaml file as you can.**
-  At minimum, you should fill in the "Title", "Authors", "Owning-sig",
-  "Status", and date-related fields.
-- [X] **Fill out this file as best you can.**
-  At minimum, you should fill in the "Summary" and "Motivation" sections.
-  These should be easy if you've preflighted the idea of the KEP with the
-  appropriate SIG(s).
-- [X] **Create a PR for this KEP.**
-  Assign it to people in the SIG who are sponsoring this process.
-- [ ] **Merge early and iterate.**
-  Avoid getting hung up on specific details and instead aim to get the goals of
-  the KEP clarified and merged quickly. The best way to do this is to just
-  start with the high-level sections and fill out details incrementally in
-  subsequent PRs.
-
-Just because a KEP is merged does not mean it is complete or approved. Any KEP
-marked as `provisional` is a working document and subject to change. You can
-denote sections that are under active debate as follows:
-
-```
-<<[UNRESOLVED optional short context or usernames ]>>
-Stuff that is being argued.
-<<[/UNRESOLVED]>>
-```
-
-When editing KEPS, aim for tightly-scoped, single-topic PRs to keep discussions
-focused. If you disagree with what is already in a document, open a new PR
-with suggested changes.
-
-One KEP corresponds to one "feature" or "enhancement" for its whole lifecycle.
-You do not need a new KEP to move from beta to GA, for example. If
-new details emerge that belong in the KEP, edit the KEP. Once a feature has become
-"implemented", major changes should get new KEPs.
-
-The canonical place for the latest set of instructions (and the likely source
-of this file) is [here](/keps/NNNN-kep-template/README.md).
-
-**Note:** Any PRs to move a KEP to `implementable`, or significant changes once
-it is marked `implementable`, must be approved by each of the KEP approvers.
-If none of those approvers are still appropriate, then changes to that list
-should be approved by the remaining approvers and/or the owning SIG (or
-SIG Architecture for cross-cutting KEPs).
--->
-# KEP-xxxx: Add Namespace as Name field to NetworkPolicy
-
 <!-- toc -->
 - [Release Signoff Checklist](#release-signoff-checklist)
 - [Summary](#summary)
@@ -105,67 +43,102 @@ Items marked with (R) are required *prior to targeting to a milestone / release*
 
 ## Summary
 
-The ability to target namespaces using names, when building NetworkPolicy objects, has been a request from the broader k8s community for quite some time.  In the sig-network-networkpolicy API group, it was one of the most popular policies which was voted on.
+The ability to target namespaces using names, when building NetworkPolicy 
+objects, has been a request from the broader k8s community for quite some 
+time.  In the sig-network networkpolicy API sub project, it was one of the 
+most popular policies which was voted on.
 
 ## Motivation
 
-NetworkPolicies are under utilized by developers when defining applications, and the most obvious tenancy boundary for a developer is that of **the Namespace**.  We thus aim to make this boundary **extremely** obvious and easy for users to target in a maximally secure manner.
+NetworkPolicies are under utilized by developers when defining applications, 
+and the most obvious tenancy boundary for a developer is that of **the Namespace**. 
+We thus aim to make this boundary **extremely** obvious and easy for users 
+to target in a maximally secure manner.
 
-NetworkPolicies are also used by administrators to make specific default policies (for example, the common `kube-system` namespaces might be one which an administrator wants to protect from unwanted traffic).
+NetworkPolicies are also used by administrators to make specific default 
+policies (for example, the common `kube-system` namespaces might be one which 
+an administrator wants to protect from unwanted traffic).
 
-Although service-mesh and other technologies have been slated to obviate the need for developer driven security boundaries, these technologies aren't available in most clusters, and aren't supported by the Kubernetes API.
+Although service-mesh and other technologies have been slated to obviate the 
+need for developer driven security boundaries, these technologies aren't 
+available in most clusters, and aren't supported by the Kubernetes API.
 
-The ability to provide granular and intuitive network boundaries between apps is part of the braoder vision to make the NetworkPolicy API a universal security construct implemented in all production applications.  Many conversations have come up around this topic, with https://github.com/kubernetes/kubernetes/issues/88253 being one of the most recent ones.
+The ability to provide granular and intuitive network boundaries between apps 
+is part of the braoder vision to make the NetworkPolicy API a universal 
+security construct implemented in all production applications.  Many 
+conversations have come up around this topic, with [kubernetes #88253](https://github.com/kubernetes/kubernetes/issues/88253) 
+being one of the most recent ones.
 
 ### Generic motivation
 
-- Embrace the immutable nature of a namespace name as a fundamental security construct in the Kubernetes ecosystem.
-- Making network policies more secure by making it impossible to "impersonate" a bespoke namespace.
-- Making network policy tenancy boundaries more declarative to use by *not* requiring developers to copy/duplicate namespace labels
+- Embrace the immutable nature of a namespace name as a fundamental security 
+construct in the Kubernetes ecosystem.
+- Making network policies more secure by making it impossible to "impersonate" 
+a bespoke namespace.
+- Making network policy tenancy boundaries more declarative to use by *not* 
+requiring developers to copy/duplicate namespace labels
 
-These two motivating factors are mostly self explanatory, but in the next section we outline concrete feedback in these areas.
+These three motivating factors are mostly self explanatory, but in the next 
+section we outline concrete feedback in these areas.
 
 ### Community feedback on the namespace.Name selector
 
-- In 2016, the argument for namespace as name selectors was first made... https://groups.google.com/g/kubernetes-sig-network/c/GzSGt-pxBYQ/m/Rbrxve-gGgAJ, based on the fact that labels can be retroactively added to namespaces pretty easily, even if your namespace isn't intended to be able to send traffic somewhere: 
+- In 2016, the argument for namespace as name selectors was first made in
+the [mailing list](https://groups.google.com/g/kubernetes-sig-network/c/GzSGt-pxBYQ/m/Rbrxve-gGgAJ), based on the fact that labels can be 
+retroactively added to namespaces pretty easily, even if your namespace isn't 
+intended to be able to send traffic somewhere: 
 
 ```
- we need to clarify how namespaces are matched. I'm pretty 
+we need to clarify how namespaces are matched. I'm pretty 
 uncomfortable with using labels here, since anyone can add labels at 
 any time to any namespace and thus send traffic to your pod if they 
 know the label you're using. If it were simply a namespace name, it's 
 much easier to specifically allow only namespaces you control since you 
 know your own namespace names. 
 ```
 
-- Another recent argument was made on the basis of targetting namespaces using names, rather then labels, on the basis of **sheer convenience**.
+- Another recent argument was made on the basis of targetting namespaces 
+using names, rather then labels, on the basis of **sheer convenience**.
 
 ```
-While matching things like pods etc by label is certainly worthwhile, when matching a namespace I suspect the majority of the time you only want to match a single namespace. It been great match against the name rather than just a label. I suspect most people don't think to add labels to the namespaces.
+While matching things like pods etc by label is certainly worthwhile, when 
+matching a namespace I suspect the majority of the time you only want to match 
+a single namespace. It been great match against the name rather than just a 
+label. I suspect most people don't think to add labels to the namespaces.
 ```
 
-The latter comment received 9 likes as a github issue - indiciating the general popularity of this as a request, and that correlates well to feedback we've seen in the broader community as well.
+The latter comment received 9 likes as a github issue - indiciating the 
+general popularity of this as a request, and that correlates well to feedback 
+we've seen in the broader community as well.
 
-We thus conclude that, even though targetting an object using its name is not normal in K8s, in the case of NetworkPolicies, the overwhelming need for universal, easy to define security boundaries, makes a strong case for amending the API to support a "special" selector for namespace names that is **independent** of labels.
+We thus conclude that, even though targetting an object using its name is not 
+normal in K8s, in the case of NetworkPolicies, the overwhelming need for 
+universal, easy to define security boundaries, makes a strong case for 
+amending the API to support a "special" selector for namespace names that is 
+**independent** of labels.
 
 ### Goals
 
-- Add a `namespace` option (which is additive to the current `matchLabels` selector).
-- Allow multiple `matchName` values, so that many namespaces can be allowed using the same field 
+- Add a `namespaceNames` option (which is additive to the current `matchLabels` selector).
+- Allow multiple `namespaceNames` values, so that many namespaces can be 
+allowed using the same field 
 
 ### Non-Goals
 
 - Support matching of wildcard namespaces
 - Changing the internal details of how namespaceSelector works with arbitrary syntax
-- Depending on more sophisticated features (like virtual labels) to accomplish this feature without changing the API (note that, if someone were
-to write a virtualLabels KEP, however, it might change the trajectory of this KEP, which is worth discussing)
+- Depending on more sophisticated features (like virtual labels) to accomplish 
+this feature without changing the API (note that, if someone were 
+to write a virtualLabels KEP, however, it might change the trajectory of this 
+KEP, which is worth discussing)
 
 ## Proposal
 
 In NetworkPolicy specification, inside `NetworkPolicyPeer` specify a new `namespaceNames` field.  
 
-1) One simple way to implement this feature is to modify the NetworkPolicyPeer object, like so.  Since this 
-doesn't involve modifying a go type (i.e. were not replacing a labelSelector with a different type, we expect it 
+1) One simple way to implement this feature is to modify the NetworkPolicyPeer 
+object, like so.  Since this doesn't involve modifying a go type (i.e. were 
+not replacing a labelSelector with a different type, we expect it 
 to be a cleaner implementation:
 
 ```
@@ -182,36 +155,40 @@ type NetworkPolicyPeer struct {
 
 ### User Stories (Optional)
 
-<!--
-Detail the things that people will be able to do if this KEP is implemented.
-Include as much detail as possible so that people can understand the "how" of
-the system. The goal here is to make this feel real for users without getting
-bogged down.
--->
-
 #### Story 1
 
-As an administrator i want to allow access from monitoring pods in kube-system namespace, into any pod in my cluster, as a fundamental policy. 
+As an administrator i want to allow access from monitoring pods in kube-system 
+namespace, into any pod in my cluster, as a fundamental policy. 
 
 #### Story 2
 
-As an user I want to "just add" a namespace to my allow list without having to manage the labels which might get added/removed over time from said namespace.
+As an user I want to "just add" a namespace to my allow list without having to 
+manage the labels which might get added/removed over time from said namespace.
 
 ### Notes/Constraints/Caveats (Optional)
 
 ### Risks and Mitigations
 
-- CNIs may **NOT** choose, initially to support this construct, and dilligent communication with CNI providers will be needed to make sure its widely adopted.
-- We need to make sure that hidden defaults don't break the meaning of existing policys, for example:
-  - if a namespcee name is retrieved by an api client which doesn't yet support it, the client doesnt crash (and the plugin doesnt crash, either).
-  - if a namespace name policy doesn't exist (is null), then the policy should behave identically to any policy made before this field was added, that is, 
-- Both "allow all" and "allow none" could be incorrectly interpretted incorrectly, so we need to make sure that plugins not implementing the feature don't get misled by the new data structure.
-
-the `NetworkPolicyPeer` should be as obvious as possible to interpret in a way that is compatible with the semantics of the v1 policy API **before** this feature was added to it.  
+- CNIs may **NOT** choose, initially to support this construct, and dilligent 
+communication with CNI providers will be needed to make sure its widely 
+adopted.
+- We need to make sure that hidden defaults don't break the meaning of 
+existing policys, for example:
+  - if a namespaece name is retrieved by an api client which doesn't yet 
+  support it, the client doesnt crash (and the plugin doesnt crash, either).
+  - if a namespace name policy doesn't exist (is null), then the policy should 
+  behave identically to any policy made before this field was added, that is, 
+- Both "allow all" and "allow none" could be incorrectly interpreted 
+incorrectly, so we need to make sure that plugins not implementing the feature 
+don't get misled by the new data structure.
+
+The `NetworkPolicyPeer` should be as obvious as possible to interpret in a way that is compatible with the semantics of the v1 policy API **before** this feature was added to it.  
 
 ## Design Details
 
-- Add a new selector to the network policy peer data structure which can switch between allowing a "matchName" or "matchLabels" implementation, supporting a policy that is expressed like this:
+- Add a new selector to the network policy peer data structure which can 
+switch between allowing a "namespaceNames" or "matchLabels" implementation, 
+supporting a policy that is expressed like this:
 
 - A list of conventional namespaces
 The "conventional namespaces" will look like so:
@@ -226,42 +203,53 @@ spec:
       app: mysql
   ingress:
   - from:
-      matchName:
+      namespaceNames:
       -  my-frontend
 ```
 
 ### Test Plan
 
-We will add tests for this new api semantic into the exting test/e2e/ network policy test suites in upstream which cover both of these scenarios, using the validation framework outlined in https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/20200204-NetworkPolicy-verification-rearchitecture.md#motivation.
+We will add tests for this new api semantic into the exting test/e2e/ network 
+policy test suites in upstream which cover both of these scenarios, using the 
+validation framework outlined in https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/20200204-NetworkPolicy-verification-rearchitecture.md#motivation.
 
 ### Graduation Criteria
 
-All new field introductions need gates for at least one release, thus, we would add this feature gate in alpha, so we must use
-feature gates idiomatically to implement this change.  
+All new field introductions need gates for at least one release, thus, we 
+would add this feature gate in alpha, so we must use feature gates 
+idiomatically to implement this change.  
 
 Gone are the days of changing the API with reckless abandon.
 
 #### Alpha 
 - Communicate CNI providers about the new field.
-- Add validation tests in API which confirm several positive / negative scenarios in the test matrix for when this field is present/absent
-- All new field introductions need gates for at least one release, thus, we would add this feature gate in alpha. 
+- Add validation tests in API which confirm several positive / negative 
+scenarios in the test matrix for when this field is present/absent
+- All new field introductions need gates for at least one release, thus, we 
+would add this feature gate in alpha. 
 
 
 #### Beta
 - The name selector has been supported for at least 1 minor release.
-- Four commonly used NetworkPolicy (or CNI providers) implement the new field, with generally positive feedback on its usage.
+- Four commonly used NetworkPolicy (or CNI providers) implement the new field, 
+with generally positive feedback on its usage.
 - Feature Gate is enabled by Default.
 
 #### GA Graduation
 
-- At least **four** NetworkPolicy providers (or CNI providers) support the The name selector field.
+- At least **four** NetworkPolicy providers (or CNI providers) support the The 
+name selector field.
 - The name selector has been enabled by default for at least 1 minor release.
 
 ### Upgrade / Downgrade Strategy
 
-If upgraded no impact should happen as this is a new matching option and not colliding with old ones.  There will potentially be some golang magic required to convert objects at the type level to be flexible enough to support different inputs, but this will use the K8s API Translation layer.
+If upgraded no impact should happen as this is a new matching option and not 
+colliding with old ones.  There will potentially be some golang magic required 
+to convert objects at the type level to be flexible enough to support 
+different inputs, but this will use the K8s API Translation layer.
 
-If downgraded the CNI wont be able to look into the new field, as this does not exists and network policies using this field will stop working.
+If downgraded the CNI wont be able to look into the new field, as this does 
+not exists and network policies using this field will stop working.
 
 ### Version Skew Strategy
 
@@ -285,7 +273,8 @@ _This section must be completed when targeting alpha to a release._
   Yes, but CNIs relying on the new field wont recognize it anymore
 
 * **What happens if we reenable the feature if it was previously rolled back?**
-  Nothing. Just need to check if the data is persisted in ``etcd`` after the feature is disabled and reenabled or if the data is missed
+  Nothing. Just need to check if the data is persisted in ``etcd`` after the 
+  feature is disabled and reenabled or if the data is missed
 
 * **Are there any tests for feature enablement/disablement?**
 
@@ -311,18 +300,7 @@ the health of the service?**
 _This section must be completed when targeting beta graduation to a release._
 
 * **Does this feature depend on any specific services running in the cluster?**
-  Think about both cluster-level services (e.g. metrics-server) as well
-  as node-level agents (e.g. specific version of CRI). Focus on external or
-  optional services that are needed. For example, if this feature depends on
-  a cloud provider API, or upon an external software-defined storage or network
-  control plane.
-
-  For each of these, fill in the following—thinking about running existing user workloads
-  and creating new ones, as well as about cluster-level services (e.g. DNS):
-  - [Dependency name]
-    - Usage description:
-      - Impact of its outage on the feature:
-      - Impact of its degraded performance or high-error rates on the feature:
+ No
 
 ## Implementation History