Merge pull request #96121 from dfitzmau/OCPBUGS-49997-12

dfitzmau · web-flow · commit 3af39e17fe24 · 2025-07-15T17:18:31.000+01:00
[enterprise-4.12] OCPBUGS-49997: Inhanced the info for the k8s.v1.cni.cncf.io/policy-fo…
diff --git a/modules/nw-multi-network-policy-differences.adoc b/modules/nw-multi-network-policy-differences.adoc
@@ -13,19 +13,21 @@ kind: MultiNetworkPolicy
 
 * You must use the `multi-networkpolicy` resource name when using the CLI to interact with multi-network policies. For example, you can view a multi-network policy object with the `oc get multi-networkpolicy <name>` command where `<name>` is the name of a multi-network policy.
 
-* You must specify an annotation with the name of the network attachment definition that defines the macvlan or SR-IOV additional network:
+* You can use the `k8s.v1.cni.cncf.io/policy-for` annotation on a `MultiNetworkPolicy` object to point to a `NetworkAttachmentDefinition` (NAD) custom resource (CR). The NAD CR defines the network to which the policy applies.
 +
+.Example multi-network policy that includes the `k8s.v1.cni.cncf.io/policy-for` annotation
 [source,yaml]
 ----
 apiVersion: k8s.cni.cncf.io/v1beta1
 kind: MultiNetworkPolicy
 metadata:
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 ----
 +
 --
 where:
 
+`<namespace_name>`:: Specifies the namespace name.
 `<network_name>`:: Specifies the name of a network attachment definition.
 --
diff --git a/modules/nw-networkpolicy-allow-application-all-namespaces.adoc b/modules/nw-networkpolicy-allow-application-all-namespaces.adoc
@@ -57,7 +57,7 @@ metadata:
   namespace: default
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:
diff --git a/modules/nw-networkpolicy-allow-application-particular-namespace.adoc b/modules/nw-networkpolicy-allow-application-particular-namespace.adoc
@@ -59,7 +59,7 @@ metadata:
   namespace: default
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:
diff --git a/modules/nw-networkpolicy-allow-external-clients.adoc b/modules/nw-networkpolicy-allow-external-clients.adoc
@@ -58,7 +58,7 @@ metadata:
   namespace: default
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   policyTypes:
diff --git a/modules/nw-networkpolicy-create-cli.adoc b/modules/nw-networkpolicy-create-cli.adoc
@@ -108,7 +108,7 @@ metadata:
   name: allow-same-namespace
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:
@@ -143,7 +143,7 @@ metadata:
   name: allow-traffic-pod
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:
@@ -190,7 +190,7 @@ metadata:
   name: api-allow
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:
diff --git a/modules/nw-networkpolicy-deny-all-allowed.adoc b/modules/nw-networkpolicy-deny-all-allowed.adoc
@@ -50,7 +50,7 @@ metadata:
   name: deny-by-default
   namespace: default <1>
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name> <2>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name> <2>
 spec:
   podSelector: {} <3>
   ingress: [] <4>
