Merge pull request #77716 from tssurya/anp-fix-yamls

Fix AdminNetworkPolicy yamls

Author: JoeAldinger

modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc

@@ -31,9 +31,8 @@ spec:
     action: "Allow"
     from:
     - namespaces:
-        namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: monitoring
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
 # ...
 ----
 ====
@@ -64,9 +63,8 @@ spec:
     action: "Deny"
     from:
     - namespaces:
-        namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: monitoring
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
 # ...
 ----
 ====
@@ -99,9 +97,8 @@ spec:
     action: "Pass"
     from:
     - namespaces:
-        namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: monitoring
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
 # ...
 ----
 ====

modules/nw-ovn-k-adminnetwork-policy.adoc

@@ -14,7 +14,7 @@ An ANP allows administrators to specify the following:
 
 * A `priority` value that determines the order of its evaluation. The lower the value the higher the precedence.
 
-* A set of pods that consists of a set of namespaces or namespace.
+* A set of pods that consists of a set of namespaces or namespace on which the policy is applied.
 
 * A list of ingress rules to be applied for all ingress traffic towards the `subject`.
 
@@ -45,8 +45,8 @@ spec:
     from:
     - pods:
         namespaceSelector:
-            matchLabels:
-              custom-anp: tenant-1
+          matchLabels:
+            custom-anp: tenant-1
         podSelector:
           matchLabels:
             custom-anp: tenant-1 <6>
@@ -55,10 +55,9 @@ spec:
     action: "Pass"
     to:
     - pods:
-        namespaces:
-          namespaceSelector:
-            matchLabels:
-              custom-anp: tenant-1
+        namespaceSelector:
+          matchLabels:
+            custom-anp: tenant-1
         podSelector:
           matchLabels:
             custom-anp: tenant-1
@@ -68,6 +67,6 @@ spec:
 <3> Specify the namespace to apply the ANP resource.
 <4> ANP have both ingress and egress rules. ANP rules for `spec.ingress` field accepts values of `Pass`, `Deny`, and `Allow` for the `action` field.
 <5> Specify a name for the `ingress.name`.
-<6> Specify `podSelector.matchLabels` name of the pods to apply the ANP resource.
+<6> Specify `podSelector.matchLabels` to select pods within the namespaces selected by `namespaceSelector.matchLabels` as ingress peers.
 <7> ANPs have both ingress and egress rules. ANP rules for `spec.egress` field accepts values of `Pass`, `Deny`, and `Allow` for the `action` field.
 ====

modules/nw-ovn-k-baseline-adminnetwork-policy.adoc

@@ -42,10 +42,9 @@ spec:
     action: "Deny"
     from:
     - pods:
-        namespaces:
-          namespaceSelector:
-            matchLabels:
-              custom-banp: tenant-1 <5>
+        namespaceSelector:
+          matchLabels:
+            custom-banp: tenant-1 <5>
         podSelector:
           matchLabels:
             custom-banp: tenant-1 <6>
@@ -54,10 +53,9 @@ spec:
     action: "Allow"
     to:
     - pods:
-        namespaces:
-          namespaceSelector:
-            matchLabels:
-              custom-banp: tenant-1
+        namespaceSelector:
+          matchLabels:
+            custom-banp: tenant-1
         podSelector:
           matchLabels:
             custom-banp: tenant-1
@@ -95,9 +93,8 @@ spec:
     action: "Deny"
     from:
     - namespaces:
-        namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: monitoring
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
 # ...
 ----
 ====