Update rules for existing pods when new pods are added

Hello,

My use case is this:

I have a namespace named myns with a MultiNetworkPolicy that allows pods inside that namespace (and only those) to communicate with one another (both as an ingress & egress policy) using the mynet network attachment definition. The policy looks like this:

apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
name: mypolicy
namespace: myns
annotations:
k8s.v1.cni.cncf.io/policy-for: mynet
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: myns
    - podSelector: {}
egress:
- to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: myns
    - podSelector: {}

I then create a first pod (podA) in that namespace. I see rules are created allowing traffic in/out using podA's IP address. So far, so good.
However, when I add another pod (podB) to the namespace, I see rules are created for podB, allowing traffic from/to podA & podB (also good), but the rules for podA are never updated, meaning that traffic going from podA to podB is dropped (due to the lack of a corresponding egress rule in podA) and traffic from podB to podA is also dropped (due to the lack of a corresponding ingress rule for podA).

For comparison, I see that some CNI plugins (e.g. Weave Net) use the IP sets framework to handle that:

The iptables rules apply to IP sets (e.g. -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChPgUaGF_$}G;WdH~~TK)o src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j WEAVE-NPC-EGRESS-ACCEPT). The content of such a set is similar to the following extract from ipset list :
```
Name: weave-s_+ChPgUaGF_$}G;WdH~~TK)o
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 1238
References: 1
Number of entries: 6
Members:
10.11.12.20 comment "namespace: default, pod: prometheus-kube-state-metrics-6723ds345-63435d"
```
Pods are added/removed to/from the matching IP sets when they are created/updated/deleted.

Is there a similar mechanism in multi-networkpolicy-iptables / is there a way to update the rules for existing pods when new pods are added to a namespace ?

Best regards, François

k8snetworkplumbingwg / multi-networkpolicy-iptables

Update rules for existing pods when new pods are added #42