install/0000_00_cluster-version-operator_02_networkpolicy: Add inclusion annotations

Somehow we'd missed these in 07c6b5c (OTA-1521: Add a default-deny
network policy for CVO namespace, 2025-05-27, #1198), so the policy
had not been getting applied to any clusters [1].

While I'm at it, I've also shifted the YAML comments into a
kubernetes.io/description annotation, as we do for most of our
manifests, so the purpose and implementation notes are available to
curious cluster-admins the same as they're available to CVO devs.

[1]: https://issues.redhat.com/browse/OCPBUGS-77762

Author: wking

install/0000_00_cluster-version-operator_02_networkpolicy.yaml

@@ -1,14 +1,16 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  # This NetworkPolicy is used to deny all ingress and egress traffic by default in this namespace,
-  # serving as a baseline. At the moment no other Network Policy should be needed:
-  # - CVO is a host-networked Pod, so it is not affected by network policies
-  # - Bare `version` Pods spawned by CVO do not require any network communication
   name: default-deny
   namespace: openshift-cluster-version
+  annotations:
+    kubernetes.io/description: |
+      This NetworkPolicy is used to deny all ingress and egress traffic by default in this namespace, matching all Pods, and serving as a baseline. At the moment no other Network Policy should be needed:
+      - The cluster-version operator (CVO) is a host-networked Pod, so it is not affected by network policies.
+      - Bare `version-...` Pods spawned by CVO do not require any network communication.
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
 spec:
-  # Match all pods in the namespace
   podSelector: {}
   policyTypes:
   - Ingress