Address PR review comments from danwinship.

- Reword Accept action text per reviewer suggestion
- Replace "gress" with "each rule" in api-overview
- Fix formatting of "at the minimum", field references
- Document that Networks peer matches ICMP/ICMPv6 traffic

Prepared with the assistance of Claude Code.

Author: fasaxc

apis/v1alpha2/clusternetworkpolicy_types.go

@@ -190,9 +190,9 @@ type ClusterNetworkPolicyIngressRule struct {
 	// Action specifies the effect this rule will have on matching
 	// traffic. Currently, the following actions are supported:
 	//
-	// - Accept: Accepts the selected traffic, and ensures that response
-	//   traffic including "related" ICMP traffic is also allowed. No further
-	//   ingress ClusterNetworkPolicy or NetworkPolicy rules will be processed.
+	// - Accept: Accepts the selected traffic, including replies to that
+	//   traffic and related ICMP traffic. No further ingress
+	//   ClusterNetworkPolicy or NetworkPolicy rules will be processed.
 	//
 	//   Note: while Accept ensures traffic is accepted by
 	//   Kubernetes network policy, it is still possible that the
@@ -245,11 +245,11 @@ type ClusterNetworkPolicyEgressRule struct {
 	Name string `json:"name,omitempty"`
 
 	// Action specifies the effect this rule will have on matching
-	// traffic.  Currently the following actions are supported:
+	// traffic. Currently, the following actions are supported:
 	//
-	// - Accept: Accepts the selected traffic, and ensures that response
-	//   traffic including "related" ICMP traffic is also allowed. No further
-	//   egress ClusterNetworkPolicy or NetworkPolicy rules will be processed
+	// - Accept: Accepts the selected traffic, including replies to that
+	//   traffic and related ICMP traffic. No further egress
+	//   ClusterNetworkPolicy or NetworkPolicy rules will be processed
 	//   but any ingress rules at the destination do apply.
 	//
 	// - Deny: Drops the selected traffic. No further ClusterNetworkPolicy or
@@ -376,6 +376,11 @@ type ClusterNetworkPolicyEgressPeer struct {
 	// or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
 	// add a rule that Passes all pod traffic before the Networks rule.
 	//
+	// Networks matches both regular IP traffic and ICMP traffic to/from
+	// the specified CIDRs. For example, a Networks entry of "0.0.0.0/0"
+	// will match both IPv4 and ICMP traffic, while "0::/0" will match
+	// both IPv6 and ICMPv6 traffic.
+	//
 	// Each item in Networks should be provided in the CIDR format and should be
 	// IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
 	//

config/crd/experimental/policy.networking.k8s.io_clusternetworkpolicies.yaml

@@ -75,11 +75,11 @@ spec:
                     action:
                       description: |-
                         Action specifies the effect this rule will have on matching
-                        traffic.  Currently the following actions are supported:
+                        traffic. Currently, the following actions are supported:
 
-                        - Accept: Accepts the selected traffic, and ensures that response
-                          traffic including "related" ICMP traffic is also allowed. No further
-                          egress ClusterNetworkPolicy or NetworkPolicy rules will be processed
+                        - Accept: Accepts the selected traffic, including replies to that
+                          traffic and related ICMP traffic. No further egress
+                          ClusterNetworkPolicy or NetworkPolicy rules will be processed
                           but any ingress rules at the destination do apply.
 
                         - Deny: Drops the selected traffic. No further ClusterNetworkPolicy or
@@ -373,6 +373,11 @@ spec:
                               or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
                               add a rule that Passes all pod traffic before the Networks rule.
 
+                              Networks matches both regular IP traffic and ICMP traffic to/from
+                              the specified CIDRs. For example, a Networks entry of "0.0.0.0/0"
+                              will match both IPv4 and ICMP traffic, while "0::/0" will match
+                              both IPv6 and ICMPv6 traffic.
+
                               Each item in Networks should be provided in the CIDR format and should be
                               IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
 
@@ -590,9 +595,9 @@ spec:
                         Action specifies the effect this rule will have on matching
                         traffic. Currently, the following actions are supported:
 
-                        - Accept: Accepts the selected traffic, and ensures that response
-                          traffic including "related" ICMP traffic is also allowed. No further
-                          ingress ClusterNetworkPolicy or NetworkPolicy rules will be processed.
+                        - Accept: Accepts the selected traffic, including replies to that
+                          traffic and related ICMP traffic. No further ingress
+                          ClusterNetworkPolicy or NetworkPolicy rules will be processed.
 
                           Note: while Accept ensures traffic is accepted by
                           Kubernetes network policy, it is still possible that the

config/crd/standard/policy.networking.k8s.io_clusternetworkpolicies.yaml

@@ -75,11 +75,11 @@ spec:
                     action:
                       description: |-
                         Action specifies the effect this rule will have on matching
-                        traffic.  Currently the following actions are supported:
+                        traffic. Currently, the following actions are supported:
 
-                        - Accept: Accepts the selected traffic, and ensures that response
-                          traffic including "related" ICMP traffic is also allowed. No further
-                          egress ClusterNetworkPolicy or NetworkPolicy rules will be processed
+                        - Accept: Accepts the selected traffic, including replies to that
+                          traffic and related ICMP traffic. No further egress
+                          ClusterNetworkPolicy or NetworkPolicy rules will be processed
                           but any ingress rules at the destination do apply.
 
                         - Deny: Drops the selected traffic. No further ClusterNetworkPolicy or
@@ -335,6 +335,11 @@ spec:
                               or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
                               add a rule that Passes all pod traffic before the Networks rule.
 
+                              Networks matches both regular IP traffic and ICMP traffic to/from
+                              the specified CIDRs. For example, a Networks entry of "0.0.0.0/0"
+                              will match both IPv4 and ICMP traffic, while "0::/0" will match
+                              both IPv6 and ICMPv6 traffic.
+
                               Each item in Networks should be provided in the CIDR format and should be
                               IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
 
@@ -492,9 +497,9 @@ spec:
                         Action specifies the effect this rule will have on matching
                         traffic. Currently, the following actions are supported:
 
-                        - Accept: Accepts the selected traffic, and ensures that response
-                          traffic including "related" ICMP traffic is also allowed. No further
-                          ingress ClusterNetworkPolicy or NetworkPolicy rules will be processed.
+                        - Accept: Accepts the selected traffic, including replies to that
+                          traffic and related ICMP traffic. No further ingress
+                          ClusterNetworkPolicy or NetworkPolicy rules will be processed.
 
                           Note: while Accept ensures traffic is accepted by
                           Kubernetes network policy, it is still possible that the

site-src/api-overview.md

@@ -78,11 +78,10 @@ traffic, ClusterNetworkPolicy will enable administrators to set `Pass`,
 be read as-is, i.e. there will not be any implicit isolation effects for the Pods
 selected by the ClusterNetworkPolicy, as opposed to implicit deny NetworkPolicy rules imply.
 
-- **Accept**: Accepts the selected traffic, and ensures that
-  response traffic including "related" ICMP traffic (e.g. ICMP
-  errors such as "destination unreachable" or "packet too big")
-  is also allowed. No further ClusterNetworkPolicy or
-  NetworkPolicy rules will be processed.
+- **Accept**: Accepts the selected traffic, including replies to that
+  traffic and related ICMP traffic (e.g. ICMP errors such as
+  "destination unreachable" or "packet too big"). No further
+  ClusterNetworkPolicy or NetworkPolicy rules will be processed.
 
 - **Deny**: Drops the selected traffic. No further
   ClusterNetworkPolicy or NetworkPolicy rules will be
@@ -121,10 +120,10 @@ before policies with higher priority values in the same tier.
 ### Rules 
 
 Each CNP should define at least one `Ingress` or `Egress` relevant in-cluster traffic flow
-along with the associated Action that should occur. In each `gress` rule the user
-should AT THE MINIMUM define an `Action`, and at least one `ClusterNetworkPolicyPeer`.
-Optionally the user may also define select `Protocols` to filter traffic on and also
-a name for each rule to make management and reporting easier for Admins.
+along with the associated Action that should occur. In each rule the user
+should *at the minimum* define an `Action`, and at least one peer (`To` or `From` entry).
+Optionally the user may also select `Protocols` to filter traffic on and also
+a `Name` for each rule to make management and reporting easier for Admins.
 
 The `Protocols` field supports protocol-specific matching for TCP, UDP, and SCTP
 (including destination port numbers, port ranges, and named ports).