Adds egress netpol docs

Author: Steven Smith

_topic_maps/_topic_map.yml

@@ -1479,6 +1479,8 @@ Topics:
       File: default-network-policy
     - Name: Configuring multitenant isolation with network policy
       File: multitenant-network-policy
+    - Name: Configuring full multitenant isolation with network policy using ingress and egress
+      File: nw-networkpolicy-full-multitenant-isolation
   - Name: Audit logging for network security
     File: logging-network-security
   - Name: Egress Firewall

modules/nw-networkpolicy-allow-internet.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-allow-internet_{context}"]
+= Creating an allow internet access network policy
+
+With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from the internet. As a result, you should allow some pods to receive traffic from outside sources. To do this, you can create designated labels that are applied to the pods that you want to allow access from the internet, and then create network policies that target those labels. 
+
+The following procedure shows you how to create an internet access network policy that uses the `networking/allow-internet-access=true` label so that labeled pods receive traffic from outside sources.
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.
+
+.Procedure
+
+. Create the following `internet-access` network policy to allow pods with the `networking/allow-internet-access` label to receive traffic from outside sources. Save the YAML in the `internet-access.yaml` file:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: internet-access
+spec:
+  podSelector:
+    matchLabels:
+      networking/allow-internet-access: "true" <1>
+  policyTypes:
+  - Ingress
+  ingress:
+  - {}
+----
+<1> Apply this label to pods to enable the pod to receive traffic from outside sources.
+
+. Apply the network policy by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f internet-access.yaml -n <namespace>
+----
++
+.Example output
++
+[source,terminal]
+----
+networkpolicy.networking.k8s.io/internet-access created
+----
+
+. Repeat step two for all necessary namespaces.

modules/nw-networkpolicy-deny-all-allowed.adoc

@@ -3,6 +3,7 @@
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 // * networking/network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
 
 :name: network
 :role: admin

modules/nw-networkpolicy-multitenant-isolation-egress.adoc

@@ -0,0 +1,51 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/multitenant-network-policy.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-multitenant-isolation-egress_{context}"]
+= Configuring full multitenant isolation by using network policy
+
+By default, if no egress network policy is applied to a pod, the pod is not isolated for egress traffic. When a pod is not isolated for egress, it can send traffic freely to any destination.
+
+With an egress multitenant isolation network policy, cluster administrators can control outbound traffic from pods. When an egress network policy is applied to a pod, that pod becomes _isolated_ for egress, meaning that egress traffic is allowed only if it is permitted by at least one matching egress rule.
+
+Egress network policies help ensure that only authorized outbound traffic, such as communication with external services or specific namespaces, is allowed, depending on the configuration.
+
+[IMPORTANT]
+====
+* Before configuring an egress network policy, cluster administrators should first configure ingress network policies. Attempting to configure both at the same time can make it difficult to determine which network policy is blocking traffic.
+
+* Egress network policies are harder to effectively implement than ingress network policies. Restricting outbound traffic might lead to unexpected issues.
+====
+
+.Prerequisites
+
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* You installed the OpenShift CLI (`oc`).
+* You are logged in to the cluster as a user with `admin` privileges.
+* You have configured an ingress network policy. The procedure in this section shows you how to create a complementary egress network policy that mirrors the following ingress network policy. This network policy allows pod-to-pod communication.
++
+.Ingress pod-to-pod network policy
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-n1-a-to-n2-b
+  namespace: <namespace_b>
+spec:
+  podSelector:
+    matchLabels:
+      app: test  # this is the label on test-pod-tenant-b
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          networking/namespace: n1  # label on namespace tenant-a
+      podSelector:
+        matchLabels:
+          app: test-pod  # this is the label on test-pod in tenant-a
+----

modules/nw-networkpolicy-multitenant-isolation-ingress.adoc

@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/creating-network-policy.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="nw-networkpolicy-multitenant-isolation-ingress_{context}"]
+= Multitenant ingress network policies
+
+The following example shows you how to set up a multitenant ingress network policy. Configuring ingress network policies can help improve the security of your deployment by isolating pods from unauthorized incoming traffic.

modules/nw-networkpolicy-pod-pod-communication.adoc

@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-networkpolicy-pod-pod-communication_{context}"]
+= Creating a pod-to-pod communication network policy
+
+After you have created the `deny-by-default` and `internet-access` network policies, you can create a network policy that allows pods to communicate with each other.
+
+The following chapters provides three different examples of network policies that allow for pod-to-pod communication. Choose the network policy that best suits your needs.
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to all necessary namespaces.
+* You have created an `internet-access` network policy and applied it to all necessary namespaces.
+
+.Procedure
+
+. Depending on your needs, create one of the following network policies to enable pod-to-pod communication:
++
+* Use the following `allow-same-namespace` YAML to allow all pods in the same namespace the ability to communicate with each other:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-same-namespace
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector: {}
+----
++
+* Advanced users who know exactly which pod-to-pod connections should be allowed in their application can explicitly allow each connection. For example, if you want pods in *Deployment A* to communicate with pods in *Deployment B*, use the following `allow-server-to-access` network policy reference to allow that connection. Note that you must update the pod's labels to match those defined in the following YAML:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-server-to-access
+spec:
+  podSelector:
+    matchLabels:
+      deployment-b-pod-label-1-key: deployment-b-pod-label-1-value
+      deployment-b-pod-label-2-key: deployment-b-pod-label-2-value
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          deployment-a-pod-label-1-key: deployment-a-pod-label-1-value
+          deployment-a-pod-label-2-key: deployment-a-pod-label-2-value
+----
++
+* To allow communication across namespaces, you can create a label for the source namespace and add a `namespaceSelector` query next to the `podSelector` query

modules/nw-networkpolicy-same-namespace-communication.adoc

@@ -0,0 +1,72 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-networkpolicy-same-namespace-communication_{context}"]
+= Creating a network policy for same namespace communication
+
+Advanced users who know exactly which pod-to-pod connections should be allowed in their application can explicitly allow each connection. The following `allow-server-to-access` network policy allows pods in *Deployment A* to communicate with pods in *Deployment B*, and shows you how to reference that connection.
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to all necessary namespaces.
+* You have created an `internet-access` network policy and applied it to all necessary namespaces.
+
+.Procedure
+
+. Create the following `allow-server-to-access` network policy to allow pods across deployments to communicate with each other. Save the YAML in the `allow-server-to-access` file:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-server-to-access
+spec:
+  podSelector: # target pods
+    matchLabels:
+      deployment-b-pod-label-1-key: deployment-b-pod-label-1-value
+      deployment-b-pod-label-2-key: deployment-b-pod-label-2-value
+  policyTypes:
+  - Ingress
+  ingress:
+  - from: # allow traffic from
+    - podSelector:
+        matchLabels:
+          deployment-a-pod-label-1-key: deployment-a-pod-label-1-value
+          deployment-a-pod-label-2-key: deployment-a-pod-label-2-value
+----
++
+[NOTE]
+====
+This network policy allows pods to communicate from *Deployment A* -> *Deployment B*, but not *Deployment B* -> *Deployment A*. To allow communication in reverse direction, a separate policy applied to *Deployment A's* pods would need created and applied.
+====
+
+. Label the pods in *Deployment B* with the `deployment-b-pod-label-1-key=deployment-b-pod-label-1-value` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod <deployment-b-pod-name> deployment-b-pod-label-1-key=deployment-b-pod-label-1-value
+----
+
+. Label the pods in *Deployment B* with the `deployment-b-pod-label-2-key=deployment-b-pod-label-2-value` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod <deployment-b-pod-name> deployment-b-pod-label-2-key=deployment-b-pod-label-2-value
+----
+
+. Label the pods in *Deployment A* with the `deployment-a-pod-label-1-key=deployment-a-pod-label-1-value` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod <deployment-a-pod-name> deployment-a-pod-label-1-key=deployment-a-pod-label-1-value
+----
+
+. Label the pods in *Deployment A* with the `deployment-a-pod-label-2-key=deployment-a-pod-label-2-value` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod <deployment-a-pod-name> deployment-a-pod-label-2-key=deployment-a-pod-label-2-value
+----

networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc

@@ -0,0 +1,25 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="nw-networkpolicy-full-multitenant-isolation"]
+= Configuring full multitenant isolation with network policy using ingress and egress
+include::_attributes/common-attributes.adoc[]
+:context: multitenant-network-policy
+
+toc::[]
+
+As a cluster administrator, you can configure ingress and egress network policies to enforce full multitenant isolation between project namespaces. This ensures that pods can only communicate with explicitly allowed services or destinations, which helps improve the security of your deployment.
+
+[NOTE]
+====
+Configuring network policies as described in this section provides network isolation similar to the multitenant mode of OpenShift SDN in previous versions of {product-title}.
+====
+
+
+//ingress
+include::modules/nw-networkpolicy-multitenant-isolation-ingress.adoc[leveloffset=+1]
+include::modules/nw-networkpolicy-deny-all-allowed.adoc[leveloffset=+2]
+include::modules/nw-networkpolicy-allow-internet.adoc[leveloffset=+2]
+include::modules/nw-networkpolicy-pod-pod-communication.adoc[leveloffset=+2]
+include::modules/nw-networkpolicy-same-namespace-communication.adoc[leveloffset=+3]
+
+//egress
+include::modules/nw-networkpolicy-multitenant-isolation-egress.adoc[leveloffset=+1]