From 6d162327cced0b575a952bc07c933c6d6f9fcbc9 Mon Sep 17 00:00:00 2001
From: dfitzmau
Date: Tue, 24 Jun 2025 12:00:05 +0100
Subject: [PATCH] OCPBUGS-49997: Inhanced the info for the k8s.v1.cni.cncf.io/policy-for annotation
---
modules/configuration-ovnk-multi-network-policy.adoc | 4 ++--
modules/nw-multi-network-policy-differences.adoc | 6 ++++--
.../nw-networkpolicy-allow-application-all-namespaces.adoc | 2 +-
...etworkpolicy-allow-application-particular-namespace.adoc | 2 +-
modules/nw-networkpolicy-allow-external-clients.adoc | 2 +-
modules/nw-networkpolicy-create-cli.adoc | 6 +++---
modules/nw-networkpolicy-deny-all-allowed.adoc | 4 ++--
7 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/modules/configuration-ovnk-multi-network-policy.adoc b/modules/configuration-ovnk-multi-network-policy.adoc
index 8456d923a315..6db5fda17257 100644
--- a/modules/configuration-ovnk-multi-network-policy.adoc
+++ b/modules/configuration-ovnk-multi-network-policy.adoc
@@ -26,7 +26,7 @@ a| |==== -For example, the following multi-network policy is valid only if the `subnets` field is defined in the additional network CNI configuration for the additional network named `blue2`: +You can use the `k8s.v1.cni.cncf.io/policy-for` annotation on a `MultiNetworkPolicy` object to point to a `NetworkAttachmentDefinition` (NAD) custom resource (CR). The NAD CR defines the network to which the policy applies. The following example multi-network policy is valid only if the `subnets` field is defined in the secondary network CNI configuration for the secondary network named `blue2`: .Example multi-network policy that uses a pod selector [source,yaml]
@@ -36,7 +36,7 @@ kind: MultiNetworkPolicy metadata: name: allow-same-namespace annotations: - k8s.v1.cni.cncf.io/policy-for: blue2 + k8s.v1.cni.cncf.io/policy-for: blue2 <1> spec: podSelector: ingress:
diff --git a/modules/nw-multi-network-policy-differences.adoc b/modules/nw-multi-network-policy-differences.adoc
index 6acf8c31643d..3300980cdc34 100644
--- a/modules/nw-multi-network-policy-differences.adoc
+++ b/modules/nw-multi-network-policy-differences.adoc
@@ -18,19 +18,21 @@ kind: MultiNetworkPolicy * You must use the `multi-networkpolicy` resource name when using the CLI to interact with multi-network policies. For example, you can view a multi-network policy object with the `oc get multi-networkpolicy ` command where `` is the name of a multi-network policy. -* You must specify an annotation with the name of the network attachment definition that defines the macvlan or SR-IOV additional network: +* You can use the `k8s.v1.cni.cncf.io/policy-for` annotation on a `MultiNetworkPolicy` object to point to a `NetworkAttachmentDefinition` (NAD) custom resource (CR). The NAD CR defines the network to which the policy applies. + +.Example multi-network policy that includes the `k8s.v1.cni.cncf.io/policy-for` annotation [source,yaml] ---- apiVersion: k8s.cni.cncf.io/v1beta1 kind: MultiNetworkPolicy metadata: annotations: - k8s.v1.cni.cncf.io/policy-for: + k8s.v1.cni.cncf.io/policy-for:/ ---- + -- where: +``:: Specifies the namespace name. ``:: Specifies the name of a network attachment definition. --
diff --git a/modules/nw-networkpolicy-allow-application-all-namespaces.adoc b/modules/nw-networkpolicy-allow-application-all-namespaces.adoc
index c8ea67e9850d..8ce5efbde425 100644
--- a/modules/nw-networkpolicy-allow-application-all-namespaces.adoc
+++ b/modules/nw-networkpolicy-allow-application-all-namespaces.adoc
@@ -54,7 +54,7 @@ metadata: namespace: default ifdef::multi[] annotations: - k8s.v1.cni.cncf.io/policy-for: + k8s.v1.cni.cncf.io/policy-for:/ endif::multi[] spec: podSelector:
diff --git a/modules/nw-networkpolicy-allow-application-particular-namespace.adoc b/modules/nw-networkpolicy-allow-application-particular-namespace.adoc
index a4daf44f7af9..4f8044808289 100644
--- a/modules/nw-networkpolicy-allow-application-particular-namespace.adoc
+++ b/modules/nw-networkpolicy-allow-application-particular-namespace.adoc
@@ -57,7 +57,7 @@ metadata: namespace: default ifdef::multi[] annotations: - k8s.v1.cni.cncf.io/policy-for: + k8s.v1.cni.cncf.io/policy-for:/ endif::multi[] spec: podSelector:
diff --git a/modules/nw-networkpolicy-allow-external-clients.adoc b/modules/nw-networkpolicy-allow-external-clients.adoc
index de385744401d..1fe4aedffaa3 100644
--- a/modules/nw-networkpolicy-allow-external-clients.adoc
+++ b/modules/nw-networkpolicy-allow-external-clients.adoc
@@ -61,7 +61,7 @@ metadata: namespace: default ifdef::multi[] annotations: - k8s.v1.cni.cncf.io/policy-for: + k8s.v1.cni.cncf.io/policy-for:/ endif::multi[] spec: policyTypes:
diff --git a/modules/nw-networkpolicy-create-cli.adoc b/modules/nw-networkpolicy-create-cli.adoc
index 5883e5b9d165..83d4dd9f5c8d 100644
--- a/modules/nw-networkpolicy-create-cli.adoc
+++ b/modules/nw-networkpolicy-create-cli.adoc
@@ -104,7 +104,7 @@ metadata: name: allow-same-namespace ifdef::multi[] annotations: - k8s.v1.cni.cncf.io/policy-for: + k8s.v1.cni.cncf.io/policy-for:/ endif::multi[] spec: podSelector:
@@ -139,7 +139,7 @@ metadata: name: allow-traffic-pod ifdef::multi[] annotations: - k8s.v1.cni.cncf.io/policy-for: + k8s.v1.cni.cncf.io/policy-for:/ endif::multi[] spec: podSelector:
@@ -186,7 +186,7 @@ metadata: name: api-allow ifdef::multi[] annotations: - k8s.v1.cni.cncf.io/policy-for: + k8s.v1.cni.cncf.io/policy-for:/ endif::multi[] spec: podSelector:
diff --git a/modules/nw-networkpolicy-deny-all-allowed.adoc b/modules/nw-networkpolicy-deny-all-allowed.adoc
index a276c64e12b5..21b2be01e7e5 100644
--- a/modules/nw-networkpolicy-deny-all-allowed.adoc
+++ b/modules/nw-networkpolicy-deny-all-allowed.adoc
@@ -46,7 +46,7 @@ metadata: name: deny-by-default namespace: my-project <1> annotations: - k8s.v1.cni.cncf.io/policy-for: / <2> + k8s.v1.cni.cncf.io/policy-for:/ <2> spec: podSelector: {} <3> policyTypes: <4>
@@ -66,7 +66,7 @@ endif::multi[] ---- ifdef::multi[] <1> Specifies the namespace in which to deploy the policy. For example, the `my-project` namespace. -<2> Specifies the name of a network attachment definition. +<2> Specifies the name of namespace project followed by the network attachment definition name. <3> If this field is empty, the configuration matches all the pods. Therefore, the policy applies to all pods in the `my-project` namespace. <4> Specifies a list of rule types that the `NetworkPolicy` relates to. <5> Specifies `Ingress` only `policyTypes`.