From 99862354ec62736cb0403279627abe8fc73c711e Mon Sep 17 00:00:00 2001 From: JoeAldinger Date: Mon, 9 Dec 2024 09:38:59 -0500 Subject: [PATCH] OCPBUGS-45841:clarifies overlapping ANP rules --- modules/nw-ovn-k-adminnetwork-policy.adoc | 2 +- modules/nw-ovn-k-anp-best-practices.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nw-ovn-k-adminnetwork-policy.adoc b/modules/nw-ovn-k-adminnetwork-policy.adoc index 38c8036dce..7904649657 100644 --- a/modules/nw-ovn-k-adminnetwork-policy.adoc +++ b/modules/nw-ovn-k-adminnetwork-policy.adoc @@ -63,7 +63,7 @@ spec: custom-anp: tenant-1 ---- <1> Specify a name for your ANP. -<2> The `spec.priority` field supports a maximum of 100 ANP in the values of 0-99 in a cluster. The lower the value the higher the precedence. Creating `AdminNetworkPolicy` with the same priority creates a nondeterministic outcome. +<2> The `spec.priority` field supports a maximum of 100 ANPs in the range of values `0-99` in a cluster. The lower the value, the higher the precedence because the range is read in order from the lowest to highest value. Because there is no guarantee which policy takes precedence when ANPs are created at the same priority, set ANPs at different priorities so that precedence is deliberate. <3> Specify the namespace to apply the ANP resource. <4> ANP have both ingress and egress rules. ANP rules for `spec.ingress` field accepts values of `Pass`, `Deny`, and `Allow` for the `action` field. <5> Specify a name for the `ingress.name`. diff --git a/modules/nw-ovn-k-anp-best-practices.adoc b/modules/nw-ovn-k-anp-best-practices.adoc index b47d8d514f..92ae8a69e8 100644 --- a/modules/nw-ovn-k-anp-best-practices.adoc +++ b/modules/nw-ovn-k-anp-best-practices.adoc 
@@ -9,7 +9,7 @@ When building `AdminNetworkPolicy` (ANP) resources, you might consider the following when creating your policies: -* Because there is no guarantee which policy will take precedence when overlapping ANP are created, you should create ANP at different priorities so that precedence is well defined. +* You can create ANPs that have the same priority. If you do create two ANPs at the same priority, ensure that they do not apply overlapping rules to the same traffic. Only one rule per value is applied and there is no guarantee which rule is applied when there is more than one at the same priority value. Because there is no guarantee which policy takes precedence when overlapping ANPs are created, set ANPs at different priorities so that precedence is well defined. * Administrators must create ANP that apply to user namespaces not system namespaces.
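Review bot: In callout <2> of modules/nw-ovn-k-adminnetwork-policy.adoc, the new text only tells readers to set ANPs at different priorities, while the best-practices bullet changed in this same patch says same-priority ANPs are permitted as long as their rules do not overlap on the same traffic. Align the two so the guidance is consistent, for example by ending the callout with "or ensure that ANPs at the same priority do not apply overlapping rules to the same traffic". The clause "because the range is read in order from the lowest to highest value" does not say what reads the range; naming the evaluation order explicitly ("ANPs are evaluated in ascending priority order") would be clearer. As a style point, the unchanged callout <4> still uses "ANP" as a plural ("ANP have both ingress and egress rules") next to the new "ANPs" in <2>.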
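Review bot: In the rewritten first bullet of modules/nw-ovn-k-anp-best-practices.adoc, the "no guarantee" point is stated twice in consecutive sentences ("there is no guarantee which rule is applied ..." and "Because there is no guarantee which policy takes precedence ..."), and the second sentence recommends different priorities right after the first permits the same priority, so the bullet reads as contradicting itself. Suggest keeping one statement of the risk followed by one recommendation, for example "Prefer distinct priorities; if two ANPs share a priority, ensure that they do not apply overlapping rules to the same traffic". "Only one rule per value is applied" is ambiguous about what "value" refers to; "only one of the overlapping rules at a given priority is applied" would remove the doubt. The unchanged bullet that follows still reads "create ANP that apply", which is now inconsistent with "ANPs".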