Bump network-policy-api dependency to v0.1.5

Previously released version still contain go.mod dependency to
k8s.io/kubernetes, which should be removed.

In addition, there are following changes made in network-policy-api:
- sameLabels and notSameLabels are deprecated to make way for the
  future tenancy based API
- Peers are split into AdminNetworkPolicyIngress/EgressPeer since
  there will be a fqdn field added specifically for the egress peer
- Minor changes in terms of nesting of pod/ns selectors

Antrea implementation has been updated to reflect those changes.

Signed-off-by: Dyanngg <[email protected]>

ci/kind/test-netpol-v2-conformance-kind.sh

@@ -48,7 +48,7 @@ function quit {
   $TESTBED_CMD destroy kind
 }
 
-api_version="v0.1.0"
+api_version="v0.1.5"
 ipfamily="v4"
 feature_gates="AdminNetworkPolicy=true"
 setup_only=false
@@ -127,7 +127,9 @@ function setup_cluster {
 
 function run_test {
   # Install the network-policy-api CRDs in the kind cluster
-  kubectl apply -f https://github.com/kubernetes-sigs/network-policy-api/releases/download/"$api_version"/install.yaml
+  # TODO: Change the following yamls to the released install.yaml as soon as a release is cut for the latest API changes
+  kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/main/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/main/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
   echo "Generating Antrea manifest with args $manifest_args"
   $YML_CMD $manifest_args | kubectl apply -f -
 
@@ -141,8 +143,7 @@ function run_test {
   export KUBE_CONTAINER_RUNTIME_ENDPOINT=unix:///run/containerd/containerd.sock
   export KUBE_CONTAINER_RUNTIME_NAME=containerd
 
-  # TODO: use https://github.com/kubernetes-sigs/network-policy-api when conformance test config timeout and go dependency is fixed
-  git clone https://github.com/Dyanngg/network-policy-api.git
+  git clone https://github.com/kubernetes-sigs/network-policy-api
   pushd network-policy-api/conformance
   go mod download
   go test -v --debug=true -timeout=15m

go.mod

@@ -78,10 +78,10 @@ require (
 	k8s.io/kubectl v0.29.2
 	k8s.io/kubelet v0.29.2
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
-	sigs.k8s.io/controller-runtime v0.16.3
+	sigs.k8s.io/controller-runtime v0.17.0
 	sigs.k8s.io/mcs-api v0.1.0
-	sigs.k8s.io/network-policy-api v0.1.1
-	sigs.k8s.io/yaml v1.3.0
+	sigs.k8s.io/network-policy-api v0.1.5
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
@@ -124,7 +124,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
@@ -215,7 +215,7 @@ require (
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.25.0 // indirect
+	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
 	golang.org/x/oauth2 v0.18.0 // indirect
 	golang.org/x/term v0.20.0 // indirect

go.sum

@@ -104,8 +104,6 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.12 h1:YU9UHPukkCCnETHEExOptF/BxPv
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.12/go.mod h1:b53qpmhHk7mTL2J/tfG6f38neZiyBQSiNXGCuNKq4+4=
 github.com/aws/smithy-go v1.12.1 h1:yQRC55aXN/y1W10HgwHle01DRuV9Dpf31iGkotjt3Ag=
 github.com/aws/smithy-go v1.12.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
-github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -204,8 +202,8 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.0.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
-github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
-github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
+github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=
+github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
@@ -242,8 +240,8 @@ github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ4
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
-github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
-github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
 github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
 github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
@@ -795,8 +793,8 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
-go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1129,8 +1127,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 h1:TgtAeesdhpm2SGwkQasmbeqDo8th5wOBA5h/AjTKA4I=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y=
 sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A=
-sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4=
-sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
+sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s=
+sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
 sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
@@ -1141,13 +1139,13 @@ sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag=
 sigs.k8s.io/mcs-api v0.1.0 h1:edDbg0oRGfXw8TmZjKYep06LcJLv/qcYLidejnUp0PM=
 sigs.k8s.io/mcs-api v0.1.0/go.mod h1:gGiAryeFNB4GBsq2LBmVqSgKoobLxt+p7ii/WG5QYYw=
-sigs.k8s.io/network-policy-api v0.1.1 h1:KDW+AkvCCQI3h8yH8j0hurhvPLNtLeVvmZoqtMaG9ew=
-sigs.k8s.io/network-policy-api v0.1.1/go.mod h1:F7S5fsb7QEzlLjuMgTGfUT4LRHylRbx2xDDpHfJKKEs=
+sigs.k8s.io/network-policy-api v0.1.5 h1:xyS7VAaM9EfyB428oFk7WjWaCK6B129i+ILUF4C8l6E=
+sigs.k8s.io/network-policy-api v0.1.5/go.mod h1:D7Nkr43VLNd7iYryemnj8qf0N/WjBzTZDxYA+g4u1/Y=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

pkg/controller/networkpolicy/adminnetworkpolicy.go

@@ -137,59 +137,19 @@ func (n *NetworkPolicyController) deleteBANP(old interface{}) {
 	n.enqueueInternalNetworkPolicy(getBANPReference(banp))
 }
 
-// anpHasNamespaceLabelRule returns whether an AdminNetworkPolicy has rules defined by
-// advanced Namespace selection (sameLabels and notSameLabels)
-func anpHasNamespaceLabelRule(anp *v1alpha1.AdminNetworkPolicy) bool {
-	for _, ingress := range anp.Spec.Ingress {
-		for _, peer := range ingress.From {
-			if peer.Namespaces != nil && (len(peer.Namespaces.SameLabels) > 0 || len(peer.Namespaces.NotSameLabels) > 0) {
-				return true
-			}
-		}
-	}
-	for _, egress := range anp.Spec.Egress {
-		for _, peer := range egress.To {
-			if peer.Namespaces != nil && (len(peer.Namespaces.SameLabels) > 0 || len(peer.Namespaces.NotSameLabels) > 0) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// banpHasNamespaceLabelRule returns whether a BaselineAdminNetworkPolicy has rules defined by
-// advanced Namespace selection (sameLabels and notSameLabels)
-func banpHasNamespaceLabelRule(banp *v1alpha1.BaselineAdminNetworkPolicy) bool {
-	for _, ingress := range banp.Spec.Ingress {
-		for _, peer := range ingress.From {
-			if peer.Namespaces != nil && (len(peer.Namespaces.SameLabels) > 0 || len(peer.Namespaces.NotSameLabels) > 0) {
-				return true
-			}
-		}
-	}
-	for _, egress := range banp.Spec.Egress {
-		for _, peer := range egress.To {
-			if peer.Namespaces != nil && (len(peer.Namespaces.SameLabels) > 0 || len(peer.Namespaces.NotSameLabels) > 0) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
 // toAntreaServicesForPolicyCRD processes ports field for ANPs/BANPs and returns the translated
 // Antrea Services.
 func toAntreaServicesForPolicyCRD(npPorts []v1alpha1.AdminNetworkPolicyPort) []controlplane.Service {
 	var antreaServices []controlplane.Service
 	for _, npPort := range npPorts {
 		if npPort.PortNumber != nil {
-			port := intstr.FromInt(int(npPort.PortNumber.Port))
+			port := intstr.FromInt32(npPort.PortNumber.Port)
 			antreaServices = append(antreaServices, controlplane.Service{
 				Protocol: toAntreaProtocol(&npPort.PortNumber.Protocol),
 				Port:     &port,
 			})
 		} else if npPort.PortRange != nil {
-			portStart := intstr.FromInt(int(npPort.PortRange.Start))
+			portStart := intstr.FromInt32(npPort.PortRange.Start)
 			antreaServices = append(antreaServices, controlplane.Service{
 				Protocol: toAntreaProtocol(&npPort.PortRange.Protocol),
 				Port:     &portStart,
@@ -205,32 +165,32 @@ func toAntreaServicesForPolicyCRD(npPorts []v1alpha1.AdminNetworkPolicyPort) []c
 	return antreaServices
 }
 
-// splitPolicyPeersByScope splits the ANP/BANP peers in the rule by whether the peer is cluster scoped
-// or per-namespace scoped. Per-namespace peers are those whose defined by sameLabels and
-// notSameLabels.
-func splitPolicyPeerByScope(peers []v1alpha1.AdminNetworkPolicyPeer) ([]v1alpha1.AdminNetworkPolicyPeer, []v1alpha1.AdminNetworkPolicyPeer) {
-	var clusterPeers, perNSLabelPeers []v1alpha1.AdminNetworkPolicyPeer
+// toAntreaIngressPeerForPolicyCRD processes AdminNetworkPolicyIngressPeers and yield Antrea NetworkPolicyPeers.
+func (n *NetworkPolicyController) toAntreaIngressPeerForPolicyCRD(peers []v1alpha1.AdminNetworkPolicyIngressPeer) (*controlplane.NetworkPolicyPeer, []*antreatypes.AddressGroup) {
+	var addressGroups []*antreatypes.AddressGroup
 	for _, peer := range peers {
-		if peer.Pods != nil && peer.Pods.Namespaces.NamespaceSelector != nil {
-			clusterPeers = append(clusterPeers, peer)
-		} else if peer.Namespaces != nil && peer.Namespaces.NamespaceSelector != nil {
-			clusterPeers = append(clusterPeers, peer)
-		} else {
-			perNSLabelPeers = append(perNSLabelPeers, peer)
+		if peer.Pods != nil {
+			addressGroup := n.createAddressGroup("", &peer.Pods.PodSelector, &peer.Pods.NamespaceSelector, nil, nil)
+			addressGroups = append(addressGroups, addressGroup)
+		} else if peer.Namespaces != nil {
+			addressGroup := n.createAddressGroup("", nil, peer.Namespaces, nil, nil)
+			addressGroups = append(addressGroups, addressGroup)
 		}
 	}
-	return clusterPeers, perNSLabelPeers
+	return &controlplane.NetworkPolicyPeer{
+		AddressGroups: getAddressGroupNames(addressGroups),
+	}, addressGroups
 }
 
-// toAntreaPeerForPolicyCRD processes AdminNetworkPolicyPeers and yield Antrea NetworkPolicyPeers.
-func (n *NetworkPolicyController) toAntreaPeerForPolicyCRD(peers []v1alpha1.AdminNetworkPolicyPeer) (*controlplane.NetworkPolicyPeer, []*antreatypes.AddressGroup) {
+// toAntreaEgressPeerForPolicyCRD processes AdminNetworkPolicyEgressPeers and yield Antrea NetworkPolicyPeers.
+func (n *NetworkPolicyController) toAntreaEgressPeerForPolicyCRD(peers []v1alpha1.AdminNetworkPolicyEgressPeer) (*controlplane.NetworkPolicyPeer, []*antreatypes.AddressGroup) {
 	var addressGroups []*antreatypes.AddressGroup
 	for _, peer := range peers {
 		if peer.Pods != nil {
-			addressGroup := n.createAddressGroup("", &peer.Pods.PodSelector, peer.Pods.Namespaces.NamespaceSelector, nil, nil)
+			addressGroup := n.createAddressGroup("", &peer.Pods.PodSelector, &peer.Pods.NamespaceSelector, nil, nil)
 			addressGroups = append(addressGroups, addressGroup)
 		} else if peer.Namespaces != nil {
-			addressGroup := n.createAddressGroup("", nil, peer.Namespaces.NamespaceSelector, nil, nil)
+			addressGroup := n.createAddressGroup("", nil, peer.Namespaces, nil, nil)
 			addressGroups = append(addressGroups, addressGroup)
 		}
 	}
@@ -265,7 +225,8 @@ func banpActionToCRDAction(action v1alpha1.BaselineAdminNetworkPolicyRuleAction)
 }
 
 func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminNetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) {
-	appliedToPerRule := anpHasNamespaceLabelRule(anp)
+	// AdminNetworkPolicy tenant rules are not yet available in the API
+	appliedToPerRule := false
 	appliedToGroups := map[string]*antreatypes.AppliedToGroup{}
 	addressGroups := map[string]*antreatypes.AddressGroup{}
 	var rules []controlplane.NetworkPolicyRule
@@ -275,9 +236,8 @@ func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminN
 		if anpIngressRule.Ports != nil {
 			services = toAntreaServicesForPolicyCRD(*anpIngressRule.Ports)
 		}
-		clusterPeers, _ := splitPolicyPeerByScope(anpIngressRule.From)
-		if len(clusterPeers) > 0 {
-			peer, ags := n.toAntreaPeerForPolicyCRD(clusterPeers)
+		if len(anpIngressRule.From) > 0 {
+			peer, ags := n.toAntreaIngressPeerForPolicyCRD(anpIngressRule.From)
 			rule := controlplane.NetworkPolicyRule{
 				Direction: controlplane.DirectionIn,
 				From:      *peer,
@@ -289,16 +249,14 @@ func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminN
 			rules = append(rules, rule)
 			addressGroups = mergeAddressGroups(addressGroups, ags...)
 		}
-		//TODO: implement SameLabels and NotSameLabels for per NS label ingress peers
 	}
 	for idx, anpEgressRule := range anp.Spec.Egress {
 		var services []controlplane.Service
 		if anpEgressRule.Ports != nil {
 			services = toAntreaServicesForPolicyCRD(*anpEgressRule.Ports)
 		}
-		clusterPeers, _ := splitPolicyPeerByScope(anpEgressRule.To)
-		if len(clusterPeers) > 0 {
-			peer, ags := n.toAntreaPeerForPolicyCRD(clusterPeers)
+		if len(anpEgressRule.To) > 0 {
+			peer, ags := n.toAntreaEgressPeerForPolicyCRD(anpEgressRule.To)
 			rule := controlplane.NetworkPolicyRule{
 				Direction: controlplane.DirectionOut,
 				To:        *peer,
@@ -310,12 +268,9 @@ func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminN
 			rules = append(rules, rule)
 			addressGroups = mergeAddressGroups(addressGroups, ags...)
 		}
-		//TODO: implement SameLabels and NotSameLabels for per NS label egress peers
 	}
 	priority := float64(anp.Spec.Priority)
-	if !appliedToPerRule {
-		appliedToGroups = mergeAppliedToGroups(appliedToGroups, n.processClusterSubject(anp.Spec.Subject)...)
-	}
+	appliedToGroups = mergeAppliedToGroups(appliedToGroups, n.processClusterSubject(anp.Spec.Subject)...)
 	internalNetworkPolicy := &antreatypes.NetworkPolicy{
 		Name:       internalNetworkPolicyKeyFunc(anp),
 		Generation: anp.Generation,
@@ -335,7 +290,8 @@ func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminN
 }
 
 func (n *NetworkPolicyController) processBaselineAdminNetworkPolicy(banp *v1alpha1.BaselineAdminNetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) {
-	appliedToPerRule := banpHasNamespaceLabelRule(banp)
+	// BaselineAdminNetworkPolicy tenant rules are not yet available in the API
+	appliedToPerRule := false
 	appliedToGroups := map[string]*antreatypes.AppliedToGroup{}
 	addressGroups := map[string]*antreatypes.AddressGroup{}
 	var rules []controlplane.NetworkPolicyRule
@@ -345,9 +301,8 @@ func (n *NetworkPolicyController) processBaselineAdminNetworkPolicy(banp *v1alph
 		if banpIngressRule.Ports != nil {
 			services = toAntreaServicesForPolicyCRD(*banpIngressRule.Ports)
 		}
-		clusterPeers, _ := splitPolicyPeerByScope(banpIngressRule.From)
-		if len(clusterPeers) > 0 {
-			peer, ags := n.toAntreaPeerForPolicyCRD(clusterPeers)
+		if len(banpIngressRule.From) > 0 {
+			peer, ags := n.toAntreaIngressPeerForPolicyCRD(banpIngressRule.From)
 			rule := controlplane.NetworkPolicyRule{
 				Direction: controlplane.DirectionIn,
 				From:      *peer,
@@ -359,16 +314,14 @@ func (n *NetworkPolicyController) processBaselineAdminNetworkPolicy(banp *v1alph
 			rules = append(rules, rule)
 			addressGroups = mergeAddressGroups(addressGroups, ags...)
 		}
-		//TODO: implement SameLabels and NotSameLabels for per NS label ingress peers
 	}
 	for idx, banpEgressRule := range banp.Spec.Egress {
 		var services []controlplane.Service
 		if banpEgressRule.Ports != nil {
 			services = toAntreaServicesForPolicyCRD(*banpEgressRule.Ports)
 		}
-		clusterPeers, _ := splitPolicyPeerByScope(banpEgressRule.To)
-		if len(clusterPeers) > 0 {
-			peer, ags := n.toAntreaPeerForPolicyCRD(clusterPeers)
+		if len(banpEgressRule.To) > 0 {
+			peer, ags := n.toAntreaEgressPeerForPolicyCRD(banpEgressRule.To)
 			rule := controlplane.NetworkPolicyRule{
 				Direction: controlplane.DirectionOut,
 				To:        *peer,
@@ -380,11 +333,8 @@ func (n *NetworkPolicyController) processBaselineAdminNetworkPolicy(banp *v1alph
 			rules = append(rules, rule)
 			addressGroups = mergeAddressGroups(addressGroups, ags...)
 		}
-		//TODO: implement SameLabels and NotSameLabels for per NS label egress peers
-	}
-	if !appliedToPerRule {
-		appliedToGroups = mergeAppliedToGroups(appliedToGroups, n.processClusterSubject(banp.Spec.Subject)...)
 	}
+	appliedToGroups = mergeAppliedToGroups(appliedToGroups, n.processClusterSubject(banp.Spec.Subject)...)
 	internalNetworkPolicy := &antreatypes.NetworkPolicy{
 		Name:       internalNetworkPolicyKeyFunc(banp),
 		Generation: banp.Generation,