Conversation

@cbalan
Contributor

@cbalan cbalan commented Nov 24, 2025

Content Description

Preview Link

https://deploy-preview-1430--vcluster-docs-site.netlify.app/docs

Internal Reference

Closes DOC-978

@netlify /docs

@netlify

netlify bot commented Nov 24, 2025

Deploy Preview for vcluster-docs-site ready!

Built without sensitive environment variables

Latest commit: 43923f2
Latest deploy log: https://app.netlify.com/projects/vcluster-docs-site/deploys/693a9e2f0304e2000884ed77
Deploy Preview: https://deploy-preview-1430--vcluster-docs-site.netlify.app/docs


@cbalan cbalan force-pushed the doc-978-external-docs-for-custom-ingress-network-policy branch 2 times, most recently from c348b1b to 1bb15bf November 25, 2025 15:54
@cbalan cbalan marked this pull request as ready for review November 25, 2025 15:57
@cbalan cbalan requested a review from a team as a code owner November 25, 2025 15:57
@cbalan cbalan force-pushed the doc-978-external-docs-for-custom-ingress-network-policy branch 8 times, most recently from 73572c4 to b4203eb November 27, 2025 15:46
@cbalan cbalan force-pushed the doc-978-external-docs-for-custom-ingress-network-policy branch from b4203eb to 819c0d6 November 28, 2025 09:26
@cbalan cbalan force-pushed the doc-978-external-docs-for-custom-ingress-network-policy branch from 819c0d6 to 8e25500 December 1, 2025 10:22
@Piotr1215 Piotr1215 left a comment


Looks good! A few small suggestions. Could you please include a preview link in the PR description? It makes it easier for reviewers.

@cbalan cbalan force-pushed the doc-978-external-docs-for-custom-ingress-network-policy branch from 7a44f1f to e68a47f December 9, 2025 09:59
@cbalan cbalan requested a review from Piotr1215 December 10, 2025 09:14
@deniseschannon
Contributor

I didn't review the preview, but here are the general comments that @guowenatk and @Piotr1215 should be considering when reviewing this doc, based on the enablement session:

  1. Confirming whether the tenancy options for the feature are updated to reflect the new support.
  2. Making it clear that enabling this feature is about configuring how vCluster-deployed pods on the host cluster can interact with each other as well as with other pods on the host cluster. As reviewers who didn't develop the feature, this should be easy for you to understand.
  3. A callout that it's up to the user to confirm that the CNI on the host cluster supports network policies and has them enabled. This will not automatically enable anything.
  4. When this is disabled, what are the permissions that vCluster control plane/workload pods have? My assumption is that it follows whatever the permissions are for pods on the host cluster, which is typically all permissions, but it's good to be explicit about it.
  5. When this is enabled, what is the default network policy that is deployed on the virtual cluster? I need to see a YAML of the default resource that we're deploying, with comments about how changes to the resource on the host cluster will be overwritten based on the vcluster.yaml.


@Piotr1215 Piotr1215 left a comment


The network policy examples across different integration pages look good. A few suggestions to improve the main network-policy.mdx page - mainly around adding prerequisite info and showing what gets deployed by default.

Maybe to make the intro a bit more clear we could write something like:
Enabling this creates Kubernetes NetworkPolicy resources in the host namespace that control how vCluster pods (both control plane and workloads) communicate with each other and with other pods on the host cluster.

      # Depending on your use case, a more restrictive pod selector may be used.
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: my-host-namespace


Is this duplicate namespaceSelector intentional? It looks like it might be a copy-paste error.

Suggested change
kubernetes.io/metadata.name: my-host-namespace
ingress:
- from:
# Example allowing vcluster workload traffic from all pods in the my-host-namespace namespace.
# Depending on your use case, a more restrictive pod selector may be used.
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: my-host-namespace

Control outbound traffic with specific CIDR blocks:
#### Custom ingress and egress rules {#custom-rules}
Control inbound and outbound traffic with specific ports and IP addresses for vCluster control plane and workloads:


Should there be a prerequisite warning about CNI support? In the isolated workloads doc there's a warning that network policies require a CNI that supports NetworkPolicy enforcement - would be helpful to call that out here too.


What happens when this is disabled (the default)? It would help users to know that without network policies, vCluster pods can communicate freely with all pods on the host cluster.


Could you add a section showing the actual NetworkPolicy resources that get created when this is enabled? Users would benefit from seeing the default YAML (like vc-work-{name} and vc-cp-{name}) and knowing that these are managed by vCluster and manual changes on the host cluster will be overwritten.
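Two of the review points above (the possibly duplicated namespaceSelector, and what a pod's posture is when the feature is disabled and no NetworkPolicy selects it) can be checked mechanically. The following is an added example, not code from the vcluster docs or from this PR: a small checker for NetworkPolicy manifests loaded as Python dicts (the same shape as the YAML once indentation is restored). The policy names, the host namespace `my-host-namespace`, the pod label `app: vcluster-workload` and the CIDR are constructed for the example and are not vCluster's actual defaults; only matchLabels selectors are evaluated, which is an assumption of the example.

```python
# Added example (not code from the vcluster docs or this PR): a small checker
# for Kubernetes NetworkPolicy manifests loaded as Python dicts, covering two
# review points: duplicated peers in a rule, and what a pod's posture is when
# no policy selects it (Kubernetes then allows all traffic).
from __future__ import annotations

import json
from typing import Any

# Constructed sample policy. The namespace, pod label, policy name and CIDR are
# assumptions for this example; only the namespaceSelector snippet mirrors the
# docs excerpt quoted in the review.
SAMPLE_POLICY: dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "vc-work-example", "namespace": "my-host-namespace"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "vcluster-workload"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [
            {
                "from": [
                    {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "my-host-namespace"}}},
                    # Same peer repeated, as flagged in the review thread.
                    {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "my-host-namespace"}}},
                ]
            }
        ],
        "egress": [
            {"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}], "ports": [{"protocol": "TCP", "port": 443}]}
        ],
    },
}

# Constructed second sample: selects every pod and allows all ingress.
BROAD_POLICY: dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-all-ingress", "namespace": "my-host-namespace"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]},
}

_DIRECTIONS = (("ingress", "from"), ("egress", "to"))


def find_duplicate_peers(policy: dict) -> list[tuple[str, int, dict]]:
    """Peers that appear more than once inside a single ingress/egress rule.

    A repeated peer is accepted by the API server but is usually a copy-paste
    slip, so it is worth flagging before the manifest ships in docs."""
    dups = []
    spec = policy.get("spec", {})
    for direction, key in _DIRECTIONS:
        for i, rule in enumerate(spec.get(direction) or []):
            seen: set[str] = set()
            for peer in rule.get(key) or []:
                canon = json.dumps(peer, sort_keys=True)  # order-independent identity
                if canon in seen:
                    dups.append((direction, i, peer))
                seen.add(canon)
    return dups


def find_broad_rules(policy: dict) -> list[str]:
    """Human-readable findings for selectors that match more than intended."""
    findings = []
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) == {}:
        findings.append("podSelector is empty: the policy applies to every pod in the namespace")
    for direction, key in _DIRECTIONS:
        rules = spec.get(direction) or []
        if direction.capitalize() in spec.get("policyTypes", []) and not rules:
            findings.append(f"{direction}: listed in policyTypes with no rules, so all {direction} is denied")
        for i, rule in enumerate(rules):
            peers = rule.get(key)
            if not peers:  # a rule with no peers allows that direction from/to anywhere
                findings.append(f"{direction}[{i}]: no '{key}' peers, so {direction} is allowed from/to anywhere")
                continue
            for peer in peers:
                if peer.get("namespaceSelector") == {}:
                    findings.append(f"{direction}[{i}]: empty namespaceSelector matches every namespace")
                if peer.get("podSelector") == {} and "namespaceSelector" not in peer:
                    findings.append(f"{direction}[{i}]: empty podSelector matches every pod in the policy's namespace")
    return findings


def policies_selecting(policies: list[dict], pod_labels: dict[str, str], namespace: str) -> list[str]:
    """Names of policies in `namespace` whose podSelector.matchLabels match the pod
    (matchExpressions is not evaluated; an assumption of this example)."""
    names = []
    for p in policies:
        if p.get("metadata", {}).get("namespace") != namespace:
            continue
        wanted = p.get("spec", {}).get("podSelector", {}).get("matchLabels", {})
        if all(pod_labels.get(k) == v for k, v in wanted.items()):
            names.append(p["metadata"]["name"])
    return names


def effective_posture(policies: list[dict], pod_labels: dict[str, str], namespace: str) -> str | list[str]:
    """'allow-all' when no policy selects the pod (the Kubernetes default, i.e. the
    'disabled' case asked about above), otherwise the policies that now apply."""
    return policies_selecting(policies, pod_labels, namespace) or "allow-all"


if __name__ == "__main__":
    print("duplicates:", find_duplicate_peers(SAMPLE_POLICY))
    print("broad:", find_broad_rules(BROAD_POLICY))
    print("posture:", effective_posture([SAMPLE_POLICY], {"app": "other"}, "my-host-namespace"))
```

Run against a real manifest by loading it with a YAML parser into the same dict shape; the `allow-all` result is exactly the posture a pod has on the host cluster when the feature is off and no other host policy selects it.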
