Adds egress netpol docs

Author: Steven Smith

_topic_maps/_topic_map.yml

@@ -1479,6 +1479,8 @@ Topics:
       File: default-network-policy
     - Name: Configuring multitenant isolation with network policy
       File: multitenant-network-policy
+    - Name: Configuring full multitenant isolation with network policy using ingress and egress
+      File: nw-networkpolicy-full-multitenant-isolation
   - Name: Audit logging for network security
     File: logging-network-security
   - Name: Egress Firewall

modules/nw-networkpolicy-allow-internet.adoc

@@ -0,0 +1,105 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-allow-internet_{context}"]
+= Creating an allow internet access network policy
+
+With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `internet-access` network policy. With this network policy, pods with the  `networking/allow-internet-access=true` label can receive network traffic.
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.
+
+.Procedure
+
+. Create the following `internet-access` network policy to allow pods with the `networking/allow-internet-access` label to receive traffic from outside sources. Save the YAML in the `internet-access.yaml` file:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: internet-access
+spec:
+  podSelector:
+    matchLabels:
+      networking/allow-internet-access: "true" <1>
+  policyTypes:
+  - Ingress
+  ingress:
+  - {}
+----
+<1> Apply this label to pods to enable the pod to receive traffic from outside sources.
+
+. Apply the network policy to the `project-a` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f internet-access.yaml -n project-a
+----
+
+. Apply the network policy to the `project-b` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f internet-access.yaml -n project-b
+----
+
+. Apply the `networking/allow-internet-access=true` label to pods that must receive outside traffic by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod busybox-pod networking/allow-internet-access=true -n project-a
+----
+
+.Verification
+
+. Obtain the IP addresses of pods in `project-a` by running the following command:
++
+[source,terminal]
+----
+$ oc get pod -n project-a -o wide
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME          READY   STATUS    RESTARTS   AGE     IP            NODE                           NOMINATED NODE   READINESS GATES
+busybox-pod   1/1     Running   0          4m9s    10.132.0.44   ip-10-0-143-210.ec2.internal   <none>           <none>
+test-pod      1/1     Running   0          3m47s   10.132.0.46   ip-10-0-143-210.ec2.internal   <none>           <none>
+----
+
+. Ensure that pods with the `networking/allow-internet-access=true` label can receive traffic by entering the following command. If you followed these instructions, the `busybox-pod` in `project-a` should be able to receive traffic. For example:
++
+[source,terminal]
+----
+$ oc exec -it test-pod -n project-b -- ping 10.132.0.44
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.44 (10.132.0.44): 56 data bytes
+64 bytes from 10.132.0.44: seq=0 ttl=42 time=1.137 ms
+64 bytes from 10.132.0.44: seq=1 ttl=42 time=0.672 ms
+----
+
+. Ensure that pods without the `networking/allow-internet-access=true` label cannot receive traffic by entering the following command. If you followed these instructions, `test-pod` in `project-a`, which has an IP address of `10.143.0.46`, should not be able to receive traffic. For example:
++
+[source,terminal]
+----
+$ oc exec -it busybox-pod -n project-a -- ping 10.132.0.46
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.46 (10.132.0.46): 56 data bytes
+--- 10.132.0.46 ping statistics ---
+3 packets transmitted, 0 packets received, 100% packet loss
+----

modules/nw-networkpolicy-configuring-internet-egress-pods.adoc

@@ -0,0 +1,75 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/creating-network-policy.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-configuring-internet-egress-pods_{context}"]
+= Configuring internet egress for pods
+
+With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace will need the able to reach external traffic. 
+
+The following procedure shows you how to designate labels to pods that require internet egress.
+
+.Prerequisites
+
+* You have created a network policy to deny all egress traffic.
+
+.Procedure
+
+. Create the following `internet-egress.yaml` file that both defines a network policy that allows traffic from pods with the matching label to access internet egress. For example:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: internet-egress
+spec:
+  podSelector:
+    matchLabels:
+      networking/allow-internet-egress: "true" <1>
+  egress:
+  - {}
+  policyTypes:
+  - Egress
+----
+
+. Apply the network policy to the `project-a` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f internet-egress.yaml -n project-a
+----
+
+. Apply the network policy to the `project-b` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f internet-egress.yaml -n project-b
+----
+
+. Apply the `networking/allow-internet-egress=true` label to pods that require egress by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod <pod_name> networking/allow-internet-egress=true -n project-a
+----
+
+.Verification
+
+* Check whether a labeled pod in a namespace where you applied the `internet-egress.yaml` network policy can resolve a DNS name by entering the following command:
++
+[source,terminal]
+----
+$ oc exec -it <pod_name> -n project-a -- nslookup google.com
+----
++
+.Example output
++
+[source,terminal]
+----
+...
+Name:	google.com
+Address: 142.250.125.102
+...
+----

modules/nw-networkpolicy-cross-namespace-communication.adoc

@@ -0,0 +1,108 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-networkpolicy-cross-namespace-communication_{context}"]
+= Creating a network policy for cross-namespace communication
+
+To allow pod-to-pod communication across namespaces, you must create a label for the primary namespace and add a `namespaceSelector` query and a `podSelector` query. 
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to all necessary namespaces.
+
+.Procedure
+
+. Create the following `allow-n1-a-to-n2-b` network policy to allow pods across namespaces to communicate with each other. With this YAML, pods in the `project-a` namespace can communicate with pods in the `project-b` namespace, so long as those namespaces are labeled `networking/namespace: n1` and `networking/namespace: n2`, respectively. Save the YAML in the `allow-n1-a-to-n2-b` file:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-n1-a-to-n2-b
+spec:
+  podSelector:
+    matchLabels:
+      app: receive-data  # this label goes on pods in project-b
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          networking/namespace: n1  # this label goes on the project-a namespace
+      podSelector:
+        matchLabels:
+          app: send-data  # this label goes on pods in project-a
+----
+
+. Apply the `allow-n1-a-to-n2-b` network policy to the `project-b` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f allow-n1-a-to-n2-b.yaml -n project-b
+----
+
+. Label the `project-a` namespace with the `networking/namespace=n1` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label namespace project-a networking/namespace=n1 --overwrite
+----
+
+. Label the `project-b` namespace with the `networking/namespace=n2` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label namespace project-b networking/namespace=n2 --overwrite
+----
+
+. If it is not already labeled, label the `busybox-pod` in `project-a` with the `send-data` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod busybox-pod app=send-data -n project-a
+----
+
+. If it is not already labeled, label the `test-pod` in `project-b` with the `receive-data` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod test-pod app=receive-data -n project-b --overwrite
+----
+
+.Verification
+
+. Obtain the IP addresses of pods in `project-b` by running the following command:
++
+[source,terminal]
+----
+$ oc get pod -n project-b -o wide
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME                READY   STATUS    RESTARTS   AGE     IP            NODE                           NOMINATED NODE   READINESS GATES
+busybox-pod         1/1     Running   0          47m     10.132.0.40   ip-10-0-132-137.ec2.internal   <none>           <none>
+test-pod            1/1     Running   0          47m     10.132.0.42   ip-10-0-132-137.ec2.internal   <none>           <none>
+----
+
+. Ensure that `busybox-pod` in `project-a`, labeled with `send-data`, can send data to `test-pod` in `project-b` by entering the following command:
++
+[source,terminal]
+----
+$ oc exec -it busybox-pod -n tenant-a -- ping 10.132.0.42
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.40 (10.132.0.40): 56 data bytes
+64 bytes from 10.132.0.40: seq=0 ttl=42 time=1.201 ms
+64 bytes from 10.132.0.40: seq=1 ttl=42 time=0.640 ms
+----

modules/nw-networkpolicy-deny-all-allowed.adoc

@@ -3,6 +3,7 @@
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 // * networking/network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
 
 :name: network
 :role: admin

modules/nw-networkpolicy-deny-all-egress-network-policy.adoc

@@ -0,0 +1,86 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/creating-network-policy.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-deny-all-egress-network-policy_{context}"]
+= Creating a default deny all egress network policy
+
+Use the following procedure to create a `default-deny-all` network policy that isolates all pods for egress. 
+
+[WARNING]
+====
+Without configuring a `NetworkPolicy` custom resource (CR) that allows traffic communication, the following policy might cause communication problems across your cluster.
+Creating a `default-deny-all` network policy that isolates pods for egress breaks pod-to-pod communication for ingress. This behavior is expected, and every connection allowed in the ingress direction must also allowlist connections in the egress direction. After creating a `default-deny-all` network policy, you should "Configure internet for egress pods" and "Enable pod-to-pod communication". 
+====
+
+.Prerequisites
+
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* You installed the OpenShift CLI (`oc`).
+* You are logged in to the cluster with a user with admin privileges.
+* You have configured an ingress network policy.
+* You have created at least two projects in your cluster.
+* You have created pods in your cluster.
+
+.Procedure
+
+. Create the following YAML that defines a `deny-by-default-egress` network policy to deny egress for all pods in the namespace. Save the YAML in the `deny-by-default-egress.yaml` file:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-by-default-egress
+spec:
+  podSelector: {}
+  egress:
+  - to:
+    ports:
+    - protocol: TCP
+      port: 53 <1>
+    - protocol: UDP
+      port: 53 <1>
+  policyTypes:
+  - Egress
+----
+<1> Allows connections to port `53` on any IP to facilitate DNS lookups. 
+
+. Apply the policy by entering the following command:
++
+[IMPORTANT]
+====
+Do not apply this network policy to the `kube-system` namespace, as it can break cluster functionality.
+====
++
+[source,terminal]
+----
+$ oc apply -f deny-by-default-egress.yaml -n project-a
+----
+
+. Because network policies are namespaced resources, you must create this network policy for each namespace. Apply the policy to other applicable namespaces by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f deny-by-default-egress.yaml -n project-b
+----
++
+With the application of the `deny-by-default-egress` network policy, pods in those namespaces are made incapable of egress traffic.
+
+.Verification
+
+* Test egress connection on a pod by entering the following command. If the network policy was successfully applied, then the pod is unable to reach the endpoint: 
++
+[source,terminal]
+----
+$ oc exec -it <example_pod> -n <namespace_b> -- nslookup google.com
+----
++
+.Example output
++
+[source,terminal]
+----
+;; connection timed out; no servers could be reached
+command terminated with exit code 1
+----