Documentation improvement on action=Pass / priority and ANP vs ACNP

[jsalatiel]

According to the documentation, we have:

action: Each ingress or egress rule of a ClusterNetworkPolicy must have the action field set. As of now, the available actions are ["Allow", "Drop", "Reject", "Pass"]. ... A "Pass" rule, on the other hand, skips this packet for further ACNP rule evaluations (all ACNP rules that has lower priority than the current "Pass" rule will be skipped, except for the Baseline Tier rules), and delegates the decision to developer created namespaced NetworkPolicies. If no NetworkPolicy matches this traffic, then the Baseline Tier rules will still be matched against.

priority: The priority field determines the relative priority of the policy among all ClusterNetworkPolicies in the given cluster. This field is mandatory. A lower priority value indicates higher precedence. Priority values can range from 1.0 to 10000.0. Note: Policies with the same priorities will be enforced indeterministically.

Question 1 ) action: Pass appears also to be valid in ANP, not only ACNP. At least it is accepted in the yaml. So can I assume it is really a valid action for ANP?
Question 2) If I have one ANP with action: Pass and higher priority, will it SKIP further ACNP with lower priority? Or Pass is restricted to their own type? ( ACNP vs ANP )
Question 3) If one ANP has same priority as an ACNP ( and same tier ), will that be enforced indeterministically? Or ACNP will be enforced first ?

[Dyanngg]

Hi @jsalatiel, we already have a PR in flight addressing these, namely #3512.
To answer your questions though:

1. Pass is a valid action in ANP as well
2. It will skip further ACNP/ANPs with lower priorities
3. It will cause indeterministic behavior.

[jsalatiel]

Thanks