Feature Request
Resolution: Unresolved
Major
Product / Portfolio Work
1. Proposed title of this feature request
Make BaselineAdminNetworkPolicies able to define rules related to pods in the same namespace
2. What is the nature and description of the request?
If a BaselineAdminNetworkPolicy is in place, the user must have an additional NetworkPolicy in each and every namespace to allow communication between pods of the same namespace. This is because, in spec.ingress.from.pods, both the namespaceSelector and podSelector fields are mandatory, and there is no way to express "same namespace" in the namespaceSelector.
As it is quite typical to allow pods in the same namespace to talk to each other, the user would like to be able to enforce this via BaselineAdminNetworkPolicy. Requiring separate NetworkPolicy objects to be created to allow pod communication within the same namespace is not acceptable, as it defeats the very purpose of BaselineAdminNetworkPolicy: not needing to create large numbers of identical NetworkPolicy objects, one per namespace.
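The following manifests are an added illustration of the gap described above, not objects taken from the issue or from OVN-Kubernetes: a baseline that denies all ingress, a commented-out `pods` peer showing why "same namespace" cannot be expressed there, and the per-namespace NetworkPolicy workaround the request wants to retire. The label key/value and the namespace name are assumptions.

```yaml
# Added illustration. A cluster-wide baseline that denies all ingress to pods in
# labelled namespaces unless a namespace-scoped NetworkPolicy allows it.
apiVersion: policy.networking.k8s.io/v1alpha1
kind: BaselineAdminNetworkPolicy
metadata:
  name: default                 # BANP is a singleton and must be named "default"
spec:
  subject:
    namespaces:
      matchLabels:
        policy.example.com/baseline: restricted   # assumed label
  ingress:
  - name: deny-all-ingress
    action: Deny
    from:
    - namespaces: {}            # all namespaces, including the pod's own
  # A pods peer must carry both selectors, and there is no value for
  # namespaceSelector that means "the same namespace as the subject pod":
  # - pods:
  #     namespaceSelector: {}   # mandatory; {} means every namespace, not "mine"
  #     podSelector: {}
---
# Workaround: one of these per namespace, which is what the request wants to avoid.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: app-team-a         # assumed namespace; repeated in every namespace
spec:
  podSelector: {}               # selects every pod in the namespace
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}           # a from.podSelector with no namespaceSelector means
                                # "pods in this same namespace", the construct BANP lacks
```

Because NetworkPolicy is evaluated before BaselineAdminNetworkPolicy, the per-namespace allow takes effect and the baseline Deny only applies to traffic no NetworkPolicy has decided.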
3. Why does the customer need this? (List the business requirements here)
The customer needs to apply a set of non-trivial firewall rules to all of their application projects. BANPs fit that purpose, except for allowing pod traffic inside each namespace. Keeping one NetworkPolicy per namespace to work around this is not a suitable long-term solution, due to the increased operational complexity and the higher risk of hitting an OVN-Kubernetes scale issue.
4. List any affected packages or components.
OVN-Kubernetes