update concept docs for NetworkPolicy

api/core/v1alpha1/networkpolicyrule_types.go

@@ -17,7 +17,7 @@ type NetworkPolicyRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// NetworkRef is the network the load balancer is assigned to.
+	// NetworkRef is the network to which network policy is applied.
 	NetworkRef LocalUIDReference `json:"networkRef"`
 	// Targets are the targets of the network policy.
 	Targets []TargetNetworkInterface `json:"targets,omitempty"`

docs/concepts/ironcore-integration.md

@@ -41,6 +41,21 @@ For its instances, the `apinet` `LoadBalancer` is created with a `template`
 that specifies instance anti-affinity to ensure instances are distributed
 cross-zone.
 
+### `NetworkPolicy`
+
+For a `networking.ironcore.dev/NetworkPolicy` a corresponding
+`core.apinet.ironcore.dev/NetworkPolicy` is created in the `apinet` cluster.
+The name of the `NetworkPolicy` in the `apinet` cluster is the `uid` of the
+`NetworkPolicy` in the `ironcore` cluster.
+The `NetworkPolicy` applies to `NetworkInterfaces` within a specific `Network`, filtered by the label specified in the `NetworkPolicy` spec.
+
+Based on the `PolicyTypes` (`egress` and/or `ingress`), rules can be specified to limit the traffic on the target object to and from various objects like `LoadBalancer`, `NetworkInterface` or `IPBlock` on certain `ports`.
+
+When a `NetworkPolicy` is applied, a `NetworkPolicyRule` object is created with the specified policy rules. `Metalnetlet` then reads the `NetworkPolicyRule` and enforces these policy (firewall) rules on the target `NetworkInterface`s.
+
+for example refer to [NetworkPolicy object](./objects.md#networkpolicy)
+
+
 ### `NATGateway`
 
 For a `networking.ironcore.dev/NATGateway` a corresponding

docs/concepts/objects.md

@@ -158,6 +158,51 @@ spec:
   template: {}
 ```
 
+### `NetworkPolicy`
+
+A `NetworkPolicy` limits traffic to and from NetworkInterfaces within a specific network. When a `NetworkPolicy` is applied, a `NetworkPolicyRule` object is created to contain the policy rules specified in the `NetworkPolicy`. 
+
+Then, `metalnetlet` translates these policy rules from the `NetworkPolicyRule` object and applies them to the `NetworkInterface`s.
+
+Example manifest
+```yaml
+apiVersion: core.apinet.ironcore.dev/v1alpha1
+kind: NetworkPolicy
+metadata:
+  namespace: default
+  name: my-networkpolicy
+spec:
+  networkRef:
+    name: my-network
+  networkInterfaceSelector:
+    matchLabels:
+      app: db
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 172.17.0.0/16
+    - objectSelector:
+        kind: NetworkInterface
+        matchLabels:
+    - objectSelector:
+        kind: LoadBalancer
+        matchLabels:
+          app: web
+    ports:
+    - protocol: TCP
+      port: 5432
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 10.0.0.0/24
+    ports:
+    - protocol: TCP
+      port: 8080
+```
+
 ## `NATGateway`
 
 A `NATGateway` allows NAT-ing external IPs to multiple target

gen/swagger.json

@@ -62071,7 +62071,7 @@
 					"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
 				},
 				"networkRef": {
-					"description": "NetworkRef is the network the load balancer is assigned to.",
+					"description": "NetworkRef is the network to which network policy is applied.",
 					"$ref": "#/definitions/com.github.ironcore-dev.ironcore-net.api.core.v1alpha1.LocalUIDReference"
 				},
 				"priority": {

gen/v3/apis__core.apinet.ironcore.dev__v1alpha1_openapi.json

@@ -23259,7 +23259,7 @@
 						]
 					},
 					"networkRef": {
-						"description": "NetworkRef is the network the load balancer is assigned to.",
+						"description": "NetworkRef is the network to which network policy is applied.",
 						"default": {},
 						"allOf": [
 							{