openshift
diff --git a/‎_topic_map.yml‎
Lines changed: 2 additions & 0 deletions b/‎_topic_map.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎modules/nw-multi-network-policy-differences.adoc‎
Lines changed: 31 additions & 0 deletions b/‎modules/nw-multi-network-policy-differences.adoc‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎modules/nw-multi-network-policy-enable.adoc‎
Lines changed: 40 additions & 0 deletions b/‎modules/nw-multi-network-policy-enable.adoc‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎modules/nw-networkpolicy-create.adoc‎
Lines changed: 66 additions & 9 deletions b/‎modules/nw-networkpolicy-create.adoc‎
Lines changed: 66 additions & 9 deletions
diff --git a/‎modules/nw-networkpolicy-delete.adoc‎
Lines changed: 28 additions & 9 deletions b/‎modules/nw-networkpolicy-delete.adoc‎
Lines changed: 28 additions & 9 deletions
@@ -892,6 +892,8 @@ Topics:
     File: understanding-multiple-networks
   - Name: About virtual routing and forwarding
     File: about-virtual-routing-and-forwarding
+  - Name: Configuring multi-network policy
+    File: configuring-multi-network-policy
   - Name: Attaching a pod to an additional network
     File: attaching-pod
   - Name: Removing a pod from an additional network
 
@@ -0,0 +1,31 @@
+[id="nw-multi-network-policy-differences_{context}"]
+= Differences between multi-network policy and network policy
+
+Although the `MultiNetworkPolicy` API implements the `NetworkPolicy` API, there are several important differences:
+
+* You must use the `MultiNetworkPolicy` API:
++
+[source,yaml]
+----
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+----
+
+* You must use the `multi-networkpolicy` resource name when using the CLI to interact with multi-network policies. For example, you can view a multi-network policy object with the `oc get multi-networkpolicy <name>` command where `<name>` is the name of a multi-network policy.
+
+* You must specify an annotation with the name of the network attachment definition that defines the macvlan additional network:
++
+[source,yaml]
+----
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+metadata:
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: <network_name>
+----
++
+--
+where:
+
+`<network_name>`:: Specifies the name of a network attachment definition.
+--
@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * networking/multiple_networks/configuring-multi-network-policy.adoc
+
+[id="nw-multi-network-policy-enable_{context}"]
+= Enabling multi-network policy for the cluster
+
+As a cluster administrator, you can enable multi-network policy support on your cluster.
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in to the cluster with a user with `cluster-admin` privileges.
+
+.Procedure
+
+. Create the `multinetwork-enable-patch.yaml` file with the following YAML:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: Network
+metadata:
+  name: cluster
+spec:
+  useMultiNetworkPolicy: true
+----
+
+. Configure the cluster to enable multi-network policy:
++
+[source,terminal]
+----
+$ oc patch network.operator.openshift.io cluster --type=merge --patch-file=multinetwork-enable-patch.yaml
+----
++
+.Example output
+[source,text]
+----
+network.operator.openshift.io/cluster patched
+----
@@ -3,19 +3,28 @@
 // * networking/network_policy/creating-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
+:name: network
+:role: admin
 ifeval::[{product-version} >= 4.6]
 :ovn:
 endif::[]
+ifeval::["{context}" == "configuring-multi-network-policy"]
+:multi:
+:name: multi-network
+:role: cluster-admin
+endif::[]
 
 [id="nw-networkpolicy-create_{context}"]
-= Creating a network policy
+= Creating a {name} policy
 
-To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a network policy.
+To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a {name} policy.
 
+ifndef::multi[]
 [NOTE]
 ====
 If you log in with a user with the `cluster-admin` role, then you can create a network policy in any namespace in the cluster.
 ====
+endif::multi[]
 
 .Prerequisites
 
@@ -28,8 +37,11 @@ the OVN-Kubernetes network provider or the OpenShift SDN network provider with `
 endif::ovn[]
 This mode is the default for OpenShift SDN.
 * You installed the OpenShift CLI (`oc`).
-* You are logged in to the cluster with a user with `admin` privileges.
-* You are working in the namespace that the network policy applies to.
+* You are logged in to the cluster with a user with `{role}` privileges.
+* You are working in the namespace that the {name} policy applies to.
+ifndef::multi[]
+* Your cluster is using a cluster network provider that supports `NetworkPolicy` objects, such as the OpenShift SDN network provider with `mode: NetworkPolicy` set. This mode is the default for OpenShift SDN.
+endif::multi[]
 
 .Procedure
 
@@ -44,39 +56,74 @@ $ touch <policy_name>.yaml
 --
 where:
 
-`<policy_name>`:: Specifies the network policy file name.
+`<policy_name>`:: Specifies the {name} policy file name.
 --
 
-.. Define a network policy in the file that you just created, such as in the following examples:
+.. Define a {name} policy in the file that you just created, such as in the following examples:
 +
 .Deny ingress from all pods in all namespaces
 [source,yaml]
 ----
+ifndef::multi[]
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
+endif::multi[]
+ifdef::multi[]
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+endif::multi[]
 metadata:
   name: deny-by-default
+ifdef::multi[]
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: <network_name>
+endif::multi[]
 spec:
   podSelector:
   ingress: []
 ----
+ifdef::multi[]
++
+--
+where
+
+`<network_name>`:: Specifies the name of a network attachment definition.
+--
+endif::multi[]
 +
 .Allow ingress from all pods in the same namespace
 [source,yaml]
 ----
+ifndef::multi[]
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
+endif::multi[]
+ifdef::multi[]
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+endif::multi[]
 metadata:
   name: allow-same-namespace
+ifdef::multi[]
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: <network_name>
+endif::multi[]
 spec:
   podSelector:
   ingress:
   - from:
     - podSelector: {}
 ----
+ifdef::multi[]
++
+--
+where
 
+`<network_name>`:: Specifies the name of a network attachment definition.
+--
+endif::multi[]
 
-. To create the network policy object, enter the following command:
+. To create the {name} policy object, enter the following command:
 +
 [source,terminal]
 ----
@@ -86,16 +133,26 @@ $ oc apply -f <policy_name>.yaml -n <namespace>
 --
 where:
 
-`<policy_name>`:: Specifies the network policy file name.
+`<policy_name>`:: Specifies the {name} policy file name.
 `<namespace>`:: Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
 --
 +
 .Example output
 [source,terminal]
 ----
-networkpolicy "default-deny" created
+ifndef::multi[]
+networkpolicy.networking.k8s.io/default-deny created
+endif::multi[]
+ifdef::multi[]
+multinetworkpolicy.k8s.cni.cncf.io/default-deny created
+endif::multi[]
 ----
 
 ifdef::ovn[]
 :!ovn:
 endif::ovn[]
+ifdef::multi[]
+:!multi:
+endif::multi[]
+:!name:
+:!role:
@@ -3,19 +3,28 @@
 // * networking/network_policy/deleting-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
+:name: network
+:role: admin
 ifeval::[{product-version} >= 4.6]
 :ovn:
 endif::[]
+ifeval::["{context}" == "configuring-multi-network-policy"]
+:multi:
+:name: multi-network
+:role: cluster-admin
+endif::[]
 
 [id="nw-networkpolicy-delete_{context}"]
-= Deleting a network policy
+= Deleting a {name} policy
 
-You can delete a network policy in a namespace.
+You can delete a {name} policy in a namespace.
 
+ifndef::multi[]
 [NOTE]
 ====
 If you log in with a user with the `cluster-admin` role, then you can delete any network policy in the cluster.
 ====
+endif::multi[]
 
 .Prerequisites
 
@@ -28,31 +37,41 @@ the OVN-Kubernetes network provider or the OpenShift SDN network provider with `
 endif::ovn[]
 This mode is the default for OpenShift SDN.
 * You installed the OpenShift CLI (`oc`).
-* You are logged in to the cluster with a user with `admin` privileges.
-* You are working in the namespace where the network policy exists.
+* You are logged in to the cluster with a user with `{role}` privileges.
+* You are working in the namespace where the {name} policy exists.
 
 .Procedure
 
-* To delete a `NetworkPolicy` object, enter the following command:
+* To delete a {name} policy object, enter the following command:
 +
-[source,terminal]
+[source,terminal,subs="attributes+"]
 ----
-$ oc delete networkpolicy <policy_name> -n <namespace>
+$ oc delete {name}policy <policy_name> -n <namespace>
 ----
 +
 --
 where:
 
-`<policy_name>`:: Specifies the name of the network policy.
+`<policy_name>`:: Specifies the name of the {name} policy.
 `<namespace>`:: Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
 --
 +
 .Example output
 [source,text]
 ----
-networkpolicy.networking.k8s.io/allow-same-namespace deleted
+ifndef::multi[]
+networkpolicy.networking.k8s.io/default-deny deleted
+endif::multi[]
+ifdef::multi[]
+multinetworkpolicy.k8s.cni.cncf.io/default-deny deleted
+endif::multi[]
 ----
 
 ifdef::ovn[]
 :!ovn:
 endif::ovn[]
+ifdef::multi[]
+:!multi:
+endif::multi[]
+:!name:
+:!role: