OCPBUGS-45841:clarifies overlapping ANP rules

Author: JoeAldinger

modules/nw-ovn-k-adminnetwork-policy.adoc

@@ -63,7 +63,7 @@ spec:
             custom-anp: tenant-1
 ----
 <1> Specify a name for your ANP.
-<2> The `spec.priority` field supports a maximum of 100 ANP in the values of 0-99 in a cluster. The lower the value the higher the precedence. Creating `AdminNetworkPolicy` with the same priority creates a nondeterministic outcome.
+<2> The `spec.priority` field supports a maximum of 100 ANPs in the range of values `0-99` in a cluster. The lower the value, the higher the precedence because the range is read in order from the lowest to highest value. Because there is no guarantee which policy takes precedence when ANPs are created at the same priority, set ANPs at different priorities so that precedence is deliberate.
 <3> Specify the namespace to apply the ANP resource.
 <4> ANP have both ingress and egress rules. ANP rules for `spec.ingress` field accepts values of `Pass`, `Deny`, and `Allow` for the `action` field.
 <5> Specify a name for the `ingress.name`.

modules/nw-ovn-k-anp-best-practices.adoc

@@ -9,7 +9,7 @@
 
 When building `AdminNetworkPolicy` (ANP) resources, you might consider the following when creating your policies:
 
-* Because there is no guarantee which policy will take precedence when overlapping ANP are created, you should create ANP at different priorities so that precedence is well defined.
+* You can create ANPs that have the same priority. If you do create two ANPs at the same priority, ensure that they do not apply overlapping rules to the same traffic. Only one rule per value is applied and there is no guarantee which rule is applied when there is more than one at the same priority value. Because there is no guarantee which policy takes precedence when overlapping ANPs are created, set ANPs at different priorities so that precedence is well defined.
 
 * Administrators must create ANP that apply to user namespaces not system namespaces.