Merge pull request #96118 from dfitzmau/OCPBUGS-49997-15

[enterprise-4.15] OCPBUGS-49997: Inhanced the info for the k8s.v1.cni.cncf.io/policy-fo…

Author: dfitzmau

modules/configuration-ovnk-multi-network-policy.adoc

@@ -26,7 +26,7 @@ a|
 
 |====
 
-For example, the following multi-network policy is valid only if the `subnets` field is defined in the additional network CNI configuration for the additional network named `blue2`:
+You can use the `k8s.v1.cni.cncf.io/policy-for` annotation on a `MultiNetworkPolicy` object to point to a `NetworkAttachmentDefinition` (NAD) custom resource (CR). The NAD CR defines the network to which the policy applies. The following example multi-network policy is valid only if the `subnets` field is defined in the secondary network CNI configuration for the secondary network named `blue2`:
 
 .Example multi-network policy that uses a pod selector
 [source,yaml]
@@ -36,7 +36,7 @@ kind: MultiNetworkPolicy
 metadata:
   name: allow-same-namespace
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: blue2
+    k8s.v1.cni.cncf.io/policy-for: blue2 <1>
 spec:
   podSelector:
   ingress:

modules/nw-multi-network-policy-differences.adoc

@@ -18,19 +18,21 @@ kind: MultiNetworkPolicy
 
 * You must use the `multi-networkpolicy` resource name when using the CLI to interact with multi-network policies. For example, you can view a multi-network policy object with the `oc get multi-networkpolicy <name>` command where `<name>` is the name of a multi-network policy.
 
-* You must specify an annotation with the name of the network attachment definition that defines the macvlan or SR-IOV additional network:
+* You can use the `k8s.v1.cni.cncf.io/policy-for` annotation on a `MultiNetworkPolicy` object to point to a `NetworkAttachmentDefinition` (NAD) custom resource (CR). The NAD CR defines the network to which the policy applies.
 +
+.Example multi-network policy that includes the `k8s.v1.cni.cncf.io/policy-for` annotation
 [source,yaml]
 ----
 apiVersion: k8s.cni.cncf.io/v1beta1
 kind: MultiNetworkPolicy
 metadata:
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 ----
 +
 --
 where:
 
+`<namespace_name>`:: Specifies the namespace name.
 `<network_name>`:: Specifies the name of a network attachment definition.
 --

modules/nw-networkpolicy-allow-application-all-namespaces.adoc

@@ -54,7 +54,7 @@ metadata:
   namespace: default
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:

modules/nw-networkpolicy-allow-application-particular-namespace.adoc

@@ -57,7 +57,7 @@ metadata:
   namespace: default
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:

modules/nw-networkpolicy-allow-external-clients.adoc

@@ -61,7 +61,7 @@ metadata:
   namespace: default
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   policyTypes:

modules/nw-networkpolicy-create-cli.adoc

@@ -104,7 +104,7 @@ metadata:
   name: allow-same-namespace
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:
@@ -139,7 +139,7 @@ metadata:
   name: allow-traffic-pod
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:
@@ -186,7 +186,7 @@ metadata:
   name: api-allow
 ifdef::multi[]
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <network_name>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
 endif::multi[]
 spec:
   podSelector:

modules/nw-networkpolicy-deny-all-allowed.adoc

@@ -48,7 +48,7 @@ metadata:
   name: deny-by-default
   namespace: default <1>
   annotations:
-    k8s.v1.cni.cncf.io/policy-for: <namespace_name>/<network_name> <2>
+    k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name> <2>
 spec:
   podSelector: {} <3>
   policyTypes: <4>
@@ -67,12 +67,12 @@ spec:
 endif::multi[]
 ----
 ifdef::multi[]
-<1> `namespace: default` deploys this policy to the `default` namespace.
-<2> `network_name`: specifies the name of a network attachment definition.
-<3> `podSelector:` is empty, this means it matches all the pods. Therefore, the policy applies to all pods in the default namespace.
-<4> `policyTypes:` a list of rule types that the `NetworkPolicy` relates to.
-<5> Specifies as `Ingress` only `policyType`.
-<6> There are no `ingress` rules specified. This causes incoming traffic to be dropped to all pods.
+<1> Specifies the namespace in which to deploy the policy. For example, the `my-project` namespace.
+<2> Specifies the name of namespace project followed by the network attachment definition name.
+<3> If this field is empty, the configuration matches all the pods. Therefore, the policy applies to all pods in the `my-project` namespace.
+<4> Specifies a list of rule types that the `NetworkPolicy` relates to.
+<5> Specifies `Ingress` only `policyTypes`.
+<6> Specifies `ingress` rules. If not specified, all incoming traffic is dropped to all pods.
 endif::multi[]
 ifndef::multi[]
 <1> `namespace: default` deploys this policy to the `default` namespace.