Merge pull request #74006 from JoeAldinger/OSDOCS-10112

/lgtm merging OSDOCS-10112:nwt security restructring

Author: JoeAldinger

_topic_maps/_topic_map.yml

@@ -1273,6 +1273,40 @@ Topics:
   File: networking-operators-overview
 - Name: Networking dashboards
   File: networking-dashboards
+- Name:  OpenShift network security
+  Dir: openshift_network_security
+  Distros: openshift-enterprise,openshift-origin
+  Topics:
+  - Name: About OVN-Kubernetes network policy
+    File: ovn-k-network-policy
+  - Name: AdminNetworkPolicy
+    File: ovn-k-anp
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-enterprise, openshift-origin
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Editing a network policy
+      File: editing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Defining a default network policy for projects
+      File: default-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
+  - Name: BaselineAdminNetworkPolicy
+    File: ovn-k-banp
+  - Name: Understanding the Ingress Node Firewall Operator
+    File: ingress-node-firewall-operator
+  - Name: Configuring an egress firewall for a project
+    File: configuring-egress-firewall-ovn
+  - Name: Configuring IPsec encryption
+    File: configuring-ipsec-ovn
 - Name: Understanding the Cluster Network Operator
   File: cluster-network-operator
   Distros: openshift-enterprise,openshift-origin
@@ -1284,9 +1318,6 @@ Topics:
   Distros: openshift-enterprise,openshift-origin
 - Name: Ingress sharding
   File: ingress-sharding
-- Name: Understanding the Ingress Node Firewall Operator
-  File: ingress-node-firewall-operator
-  Distros: openshift-enterprise,openshift-origin
 - Name: Configuring the Ingress Controller for manual DNS management
   File: ingress-controller-dnsmgt
   Distros: openshift-enterprise,openshift-origin
@@ -1340,23 +1371,6 @@ Topics:
     File: nw-creating-dns-records-on-infoblox
   - Name: Configuring the cluster-wide proxy on the External DNS Operator
     File: nw-configuring-cluster-wide-egress-proxy
-- Name: Network policy
-  Dir: network_policy
-  Topics:
-  - Name: About network policy
-    File: about-network-policy
-  - Name: Creating a network policy
-    File: creating-network-policy
-  - Name: Viewing a network policy
-    File: viewing-network-policy
-  - Name: Editing a network policy
-    File: editing-network-policy
-  - Name: Deleting a network policy
-    File: deleting-network-policy
-  - Name: Defining a default network policy for projects
-    File: default-network-policy
-  - Name: Configuring multitenant isolation with network policy
-    File: multitenant-network-policy
 - Name: CIDR range definitions
   File: cidr-range-definitions
 - Name: AWS Load Balancer Operator
@@ -1442,8 +1456,6 @@ Topics:
     File: ovn-kubernetes-architecture-assembly
   - Name: OVN-Kubernetes troubleshooting
     File: ovn-kubernetes-troubleshooting-sources
-  - Name: OVN-Kubernetes network policy
-    File: ovn-k-network-policy
   - Name: OVN-Kubernetes traffic tracing
     File: ovn-kubernetes-tracing-using-ovntrace
   - Name: Migrating from the OpenShift SDN network plugin
@@ -1454,12 +1466,8 @@ Topics:
     File: converting-to-dual-stack
   - Name: Logging for egress firewall and network policy rules
     File: logging-network-policy
-  - Name: Configuring IPsec encryption
-    File: configuring-ipsec-ovn
   - Name: Configure an external gateway on the default network
     File: configuring-secondary-external-gateway
-  - Name: Configuring an egress firewall for a project
-    File: configuring-egress-firewall-ovn
   - Name: Viewing an egress firewall for a project
     File: viewing-egress-firewall-ovn
   - Name: Editing an egress firewall for a project

_topic_maps/_topic_map_osd.yml

@@ -771,19 +771,26 @@ Topics:
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions
-- Name: Network policy
-  Dir: network_policy
+- Name: OpenShift network security
+  Dir: openshift_network_security
+  Distros: openshift-dedicated
   Topics:
-  - Name: About network policy
-    File: about-network-policy
-  - Name: Creating a network policy
-    File: creating-network-policy
-  - Name: Viewing a network policy
-    File: viewing-network-policy
-  - Name: Deleting a network policy
-    File: deleting-network-policy
-  - Name: Configuring multitenant isolation with network policy
-    File: multitenant-network-policy
+  - Name: About OVN-Kubernetes network policy
+    File: ovn-k-network-policy
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-dedicated
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
 - Name: Configuring Routes
   Dir: routes
   Topics:

_topic_maps/_topic_map_rosa.yml

@@ -997,19 +997,33 @@ Topics:
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions
-- Name: Network policy
-  Dir: network_policy
+- Name:  OpenShift network security
+  Dir: openshift_network_security
   Topics:
-  - Name: About network policy
-    File: about-network-policy
-  - Name: Creating a network policy
-    File: creating-network-policy
-  - Name: Viewing a network policy
-    File: viewing-network-policy
-  - Name: Deleting a network policy
-    File: deleting-network-policy
-  - Name: Configuring multitenant isolation with network policy
-    File: multitenant-network-policy
+  - Name: About OVN-Kubernetes network policy
+    File: ovn-k-network-policy
+  - Name: AdminNetworkPolicy
+    File: ovn-k-anp
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-rosa
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Editing a network policy
+      File: editing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Defining a default network policy for projects
+      File: default-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
+  - Name: BaselineAdminNetworkPolicy
+    File: ovn-k-banp
 - Name: OVN-Kubernetes network plugin
   Dir: ovn_kubernetes_network_provider
   Topics:

cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc

@@ -38,7 +38,7 @@ Visit the link:https://github.com/openshift-cs/managed-openshift/projects/2[ROSA
 Refer to the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-regions-az_rosa-service-definition[product regional availability] page for an up-to-date view of where ROSA is available.
 
 == Compliance certifications
-ROSA is currently compliant with SOC-2 type 2, SOC 3, ISO-27001, ISO 27017, ISO 27018, HIPAA, GDPR, and PCI-DSS. We are also currently working towards FedRAMP High. 
+ROSA is currently compliant with SOC-2 type 2, SOC 3, ISO-27001, ISO 27017, ISO 27018, HIPAA, GDPR, and PCI-DSS. We are also currently working towards FedRAMP High.
 
 == Nodes
 === Worker nodes across multiple AWS regions
@@ -92,11 +92,11 @@ Refer to the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-se
 == Notifications and communication
 Red Hat will provide notifications regarding new Red Hat and AWS features, updates, and scheduled maintenance through email and the {hybrid-console-second} service log.
 
-== Open Service Broker for AWS (OBSA)  
+== Open Service Broker for AWS (OBSA)
 You can use OSBA with ROSA. However, the preferred method is the more recent link:https://github.com/aws-controllers-k8s/community[AWS Controller for Kubernetes]. See link:https://aws.amazon.com/partners/servicebroker/[Open Service Broker for AWS] for more information on OSBA.
 
-== Offboarding  
-Customers can stop using ROSA at any time and move their applications to on-premise, a private cloud, or other cloud providers. Standard reserved instances (RI) policy applies for unused RI.   
+== Offboarding
+Customers can stop using ROSA at any time and move their applications to on-premise, a private cloud, or other cloud providers. Standard reserved instances (RI) policy applies for unused RI.
 
 == Authentication
 ROSA supports the following authentication mechanisms: OpenID Connect (a profile of OAuth2), Google OAuth, GitHub OAuth, GitLab, and LDAP.
@@ -155,7 +155,7 @@ ROSA allows multiple clusters to share the same VPC. The number of clusters on o
 ROSA uses the OpenShift OVN-Kubernetes default CNI network provider.
 
 == Cross-namespace networking
-Cluster admins can customize, and deny, cross-namespace on a project basis using NetworkPolicy objects. Refer to xref:../../networking/network_policy/multitenant-network-policy.adoc[Configuring multitenant isolation with network policy] for more information.
+Cluster admins can customize, and deny, cross-namespace on a project basis using NetworkPolicy objects. Refer to xref:../../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#nw-networkpolicy-multitenant-isolation_multitenant-network-policy[Configuring multitenant isolation with network policy] for more information.
 
 == Using Prometheus and Grafana
 You can use Prometheus and Grafana to monitor containers and manage capacity using OpenShift User Workload Monitoring. This is a check-box option in the {cluster-manager-url}.
@@ -178,8 +178,8 @@ You can define a custom domain for your applications. See xref:../../application
 == ROSA domain certificates
 Red Hat infrastructure (Hive) manages certificate rotation for default application ingress.
 
-== Disconnected environments  
-ROSA does not support an air-gapped, disconnected environment. The ROSA cluster must have egress to the internet to access our registry, S3, and send metrics. The service requires a number of egress endpoints. 
+== Disconnected environments
+ROSA does not support an air-gapped, disconnected environment. The ROSA cluster must have egress to the internet to access our registry, S3, and send metrics. The service requires a number of egress endpoints.
 Ingress can be limited to a PrivateLink for Red Hat SREs and a VPN for customer access.
 
 //== Creating your first ROSA cluster

getting_started/openshift-overview.adoc

@@ -91,7 +91,7 @@ of the {product-title} {product-version} control plane. See how {product-title}
 works in {product-title}. {product-title} supports multiple identity providers.
 
 * **xref:../networking/understanding-networking.adoc#understanding-networking[Manage networking]**: The cluster network in {product-title} is managed by the xref:../networking/cluster-network-operator.adoc#cluster-network-operator[Cluster Network Operator] (CNO). The CNO uses iptables rules in xref:../networking/openshift_sdn/configuring-kube-proxy.adoc#configuring-kube-proxy[kube-proxy] to direct traffic between nodes and pods running on those nodes. The Multus Container Network Interface adds the capability to attach xref:../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[multiple network interfaces] to a pod. Using
-xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
+xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
 
 * **xref:../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Manage storage]**: {product-title} allows cluster administrators to configure persistent storage.
 

migrating_from_ocp_3_to_4/planning-migration-3-4.adoc

@@ -155,9 +155,9 @@ Review the following networking changes to consider when transitioning from {pro
 
 The default network isolation mode for {product-title} 3.11 was `ovs-subnet`, though users frequently switched to use `ovn-multitenant`. The default network isolation mode for {product-title} {product-version} is controlled by a network policy.
 
-If your {product-title} 3.11 cluster used the `ovs-subnet` or `ovs-multitenant` mode, it is recommended to switch to a network policy for your {product-title} {product-version} cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that `ovs-multitenant` does. If you want to maintain the `ovs-multitenant` behavior while using a network policy in {product-title} {product-version}, follow the steps to xref:../networking/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[configure multitenant isolation using network policy].
+If your {product-title} 3.11 cluster used the `ovs-subnet` or `ovs-multitenant` mode, it is recommended to switch to a network policy for your {product-title} {product-version} cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that `ovs-multitenant` does. If you want to maintain the `ovs-multitenant` behavior while using a network policy in {product-title} {product-version}, follow the steps to xref:../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[configure multitenant isolation using network policy].
 
-For more information, see xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy].
+For more information, see xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy].
 
 [discrete]
 ==== OVN-Kubernetes as the default networking plugin in Red Hat OpenShift Networking

modules/nw-egressnetworkpolicy-about.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc
+// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "configuring-egress-firewall-ovn"]
 :ovn:

modules/nw-egressnetworkpolicy-create.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc
+// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-egress-firewall"]
 :kind: EgressNetworkPolicy

modules/nw-egressnetworkpolicy-object.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc
+// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-egress-firewall"]
 :kind: EgressNetworkPolicy

modules/nw-egressnetworkpolicy-view.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc
+// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-viewing-egress-firewall"]
 :kind: EgressNetworkPolicy