clusterlink-net / clusterlink

A Gateway for connecting application services in different domains, networks, and cloud infrastructures
https://clusterlink.net

Explore options for controlling policy and workload associations #32

Open elevran opened 1 year ago

elevran commented 1 year ago

Explore how to better control who can set policies on workloads. In k8s the network policy selects Pods within the same namespace only. With ClusterLink the policies can have arbitrary from and to fields.

In addition, some users may want to create the notion of "buckets/containers" for policies and workloads and then ensure that the scope of influence is only within the same bucket/container. For example, one could envisage the use of a "network segment" as the container of everything else. We can then have special rules within the same "segment" and rules for governing cross-segment access. Everything (policies, workloads) is defined at the segment level. A segment can be (e.g., in k8s) a set of namespaces, or (e.g., in a VPC) subnets.

zivnevo commented 5 months ago

Currently, for a given connection, all PrivilegedAccessPolicies are considered, and only AccessPolicies in the namespace of the relevant Import/Export are considered.

@elevran, do you think more investment is required in this direction? Should we leave coarser bucketing to a future management app?
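A small Python model of the scoping rule described in the comment above, added here as an illustration and not ClusterLink's own code: the policy fields, the allow/deny precedence and the sample policies are constructed assumptions, only the scoping rule (all PrivilegedAccessPolicies, plus AccessPolicies in the Import/Export namespace) comes from the comment.

```python
"""Toy model of policy scoping: cluster-wide privileged policies always apply,
namespaced AccessPolicies apply only to connections of their own namespace.
The data model below is hypothetical, not ClusterLink's CRD schema."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Policy:
    kind: str                          # "PrivilegedAccessPolicy" or "AccessPolicy"
    action: str                        # "allow" or "deny"
    namespace: Optional[str] = None    # None for cluster-wide privileged policies
    match: Dict[str, str] = field(default_factory=dict)  # labels the source must carry


@dataclass
class Connection:
    import_namespace: str    # namespace of the Import/Export the connection targets
    src_labels: Dict[str, str]


def applicable(policies: List[Policy], conn: Connection) -> List[Policy]:
    """The scoping rule from the comment: every privileged policy is considered,
    but an AccessPolicy only if it lives in the Import/Export namespace."""
    return [p for p in policies
            if p.kind == "PrivilegedAccessPolicy" or p.namespace == conn.import_namespace]


def matches(p: Policy, conn: Connection) -> bool:
    return all(conn.src_labels.get(k) == v for k, v in p.match.items())


def decide(policies: List[Policy], conn: Connection) -> str:
    """Simplified decision (an assumption, not the project's documented precedence):
    any matching deny wins over allow; with no matching policy the connection is denied."""
    hits = [p for p in applicable(policies, conn) if matches(p, conn)]
    if any(p.action == "deny" for p in hits):
        return "deny"
    return "allow" if any(p.action == "allow" for p in hits) else "deny"


# Constructed sample: team-a's allow must not open team-b's imports to the same
# workload, while the privileged deny on env=dev applies in every namespace.
POLICIES = [
    Policy("AccessPolicy", "allow", "team-a", {"app": "frontend"}),
    Policy("AccessPolicy", "allow", "team-b", {"app": "backend"}),
    Policy("PrivilegedAccessPolicy", "deny", None, {"env": "dev"}),
]

if __name__ == "__main__":
    for ns, labels in [("team-a", {"app": "frontend", "env": "prod"}),
                       ("team-b", {"app": "frontend", "env": "prod"}),
                       ("team-a", {"app": "frontend", "env": "dev"})]:
        print(ns, labels, "->", decide(POLICIES, Connection(ns, labels)))
```

The second case is the point of the scoping rule: an allow written in team-a's namespace is simply not considered for a connection targeting team-b's import, so it is denied by default.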