Adds egress netpol docs

Author: Steven Smith

_topic_maps/_topic_map.yml

@@ -1479,6 +1479,8 @@ Topics:
       File: default-network-policy
     - Name: Configuring multitenant isolation with network policy
       File: multitenant-network-policy
+    - Name: Configuring full multitenant isolation with network policy using ingress and egress
+      File: nw-networkpolicy-full-multitenant-isolation
   - Name: Audit logging for network security
     File: logging-network-security
   - Name: Egress Firewall

modules/nw-networkpolicy-allow-internet.adoc

@@ -0,0 +1,107 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-allow-ingress_{context}"]
+= Creating an allow ingress access network policy
+
+With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the  `networking/allow-ingress-access=true` label can receive network traffic.
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.
+
+.Procedure
+
+. Create the following `ingress-access` network policy to allow pods with the `networking/allow-ingress-access` label to receive traffic from outside sources. Save the YAML in the `ingress-access.yaml` file:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-access
+spec:
+  podSelector:
+    matchLabels:
+      networking/allow-ingress-access: "true" <1>
+  policyTypes:
+  - Ingress
+  ingress:
+  - {}
+----
+<1> Apply this label to pods to enable the pod to receive traffic from outside sources.
+
+. Apply the network policy to the `project-a` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f ingress-access.yaml -n project-a
+----
+
+. Apply the network policy to the `project-b` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f ingress-access.yaml -n project-b
+----
+
+. Apply the `networking/allow-ingress-access=true` label to pods that must receive outside traffic by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod busybox-pod-a networking/allow-ingress-access=true -n project-a
+----
++
+Repeat this step for all pods that must receive outside traffic.
+
+.Verification
+
+. Obtain the IP addresses of pods in `project-a` by running the following command:
++
+[source,terminal]
+----
+$ oc get pod -n project-a -o wide
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME            READY   STATUS    RESTARTS   AGE   IP            NODE                           NOMINATED NODE   READINESS GATES
+busybox-pod-a   1/1     Running   0          13m   10.132.0.38   ip-10-0-132-187.ec2.internal   <none>           <none>
+test-pod-a      1/1     Running   0          13m   10.132.0.40   ip-10-0-132-187.ec2.internal   <none>           <none>
+----
+
+. Ensure that pods with the `networking/allow-ingress-access=true` label can receive traffic by entering the following command. If you followed these instructions, the `busybox-pod-a` pod in `project-a` can receive traffic from another pod. For example:
++
+[source,terminal]
+----
+$ oc exec -it test-pod-b -n project-b -- ping 10.132.0.44
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.44 (10.132.0.44): 56 data bytes
+64 bytes from 10.132.0.44: seq=0 ttl=42 time=1.137 ms
+64 bytes from 10.132.0.44: seq=1 ttl=42 time=0.672 ms
+----
+
+. Ensure that pods without the `networking/allow-ingress-access=true` label cannot receive traffic by entering the following command. If you followed these instructions, the `test-pod-a` pod in `project-a` cannot receive traffic. For example:
++
+[source,terminal]
+----
+$ oc exec -it busybox-pod-a -n project-a -- ping 10.132.0.40
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.46 (10.132.0.46): 56 data bytes
+--- 10.132.0.46 ping statistics ---
+3 packets transmitted, 0 packets received, 100% packet loss
+----

modules/nw-networkpolicy-configuring-internet-egress-pods.adoc

@@ -0,0 +1,75 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/creating-network-policy.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-configuring-internet-egress-pods_{context}"]
+= Configuring internet egress for pods
+
+With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace will need the able to reach external traffic. 
+
+The following procedure shows you how to designate labels to pods that require internet egress.
+
+.Prerequisites
+
+* You have created a network policy to deny all egress traffic.
+
+.Procedure
+
+. Create the following `internet-egress.yaml` file that both defines a network policy that allows traffic from pods with the matching label to access internet egress. For example:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: internet-egress
+spec:
+  podSelector:
+    matchLabels:
+      networking/allow-internet-egress: "true" <1>
+  egress:
+  - {}
+  policyTypes:
+  - Egress
+----
+
+. Apply the network policy to the `project-a` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f internet-egress.yaml -n project-a
+----
+
+. Apply the network policy to the `project-b` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f internet-egress.yaml -n project-b
+----
+
+. Apply the `networking/allow-internet-egress=true` label to pods that require egress by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod <pod_name> networking/allow-internet-egress=true -n project-a
+----
+
+.Verification
+
+* Check whether a labeled pod in a namespace where you applied the `internet-egress.yaml` network policy can resolve a DNS name by entering the following command:
++
+[source,terminal]
+----
+$ oc exec -it <pod_name> -n project-a -- nslookup google.com
+----
++
+.Example output
++
+[source,terminal]
+----
+...
+Name:	google.com
+Address: 142.250.125.102
+...
+----

modules/nw-networkpolicy-cross-namespace-communication.adoc

@@ -0,0 +1,127 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-networkpolicy-cross-namespace-communication_{context}"]
+= Creating a network policy for cross-namespace communication
+
+To allow pod-to-pod communication across namespaces, you must create a label for the primary namespace and add a `namespaceSelector` query and a `podSelector` query. 
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to all necessary namespaces.
+
+.Procedure
+
+. Create the following `allow-n1-a-to-n2-b` network policy to allow pods across namespaces to communicate with each other. With this YAML, pods in the `project-a` that are labeled with `send-data` can communicate with pods in the `project-b` namespace that are labeled with `receive-data`. The namespaces must also be labeled to allow for communication. Save the YAML in the `allow-n1-a-to-n2-b` file:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-n1-a-to-n2-b
+spec:
+  podSelector:
+    matchLabels:
+      app: receive-data <1>
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          networking/namespace: n1 <2>
+      podSelector:
+        matchLabels:
+          app: send-data  <3>
+----
+<1> Apply the `app: receive-data` label to pods in the `project-b` namespace.
+<2> Apply the `n1` label to the `project-a` namespace.
+<3> Apply the `app: send-data` label to pods in the `project-a` namespace.
+
+. Apply the `allow-n1-a-to-n2-b` network policy to the `project-b` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f allow-n1-a-to-n2-b.yaml -n project-b
+----
+
+. Label the `project-a` namespace with the `networking/namespace=n1` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label namespace project-a networking/namespace=n1 --overwrite
+----
+
+. Label the `project-b` namespace with the `networking/namespace=n2` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label namespace project-b networking/namespace=n2 --overwrite
+----
+
+. If it is not already labeled, label the `busybox-pod` in `project-a` with the `send-data` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod busybox-pod app=send-data -n project-a
+----
+
+. If it is not already labeled, label the `test-pod` in `project-b` with the `receive-data` label by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod test-pod app=receive-data -n project-b --overwrite
+----
+
+.Verification
+
+. Obtain the IP addresses of pods in `project-b` by running the following command:
++
+[source,terminal]
+----
+$ oc get pod -n project-b -o wide
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME            READY   STATUS    RESTARTS   AGE   IP            NODE                           NOMINATED NODE   READINESS GATES
+busybox-pod-b   1/1     Running   0          51m   10.132.0.39   ip-10-0-132-187.ec2.internal   <none>           <none>
+test-pod-b      1/1     Running   0          51m   10.132.0.41   ip-10-0-132-187.ec2.internal   <none>           <none>
+----
+
+. Ensure that the `busybox-pod-a` pod in the  `project-a` namespace can send data to the `test-pod-b` pod in the `project-b` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc exec -it busybox-pod -n project-a -- ping 10.132.0.42
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.40 (10.132.0.40): 56 data bytes
+64 bytes from 10.132.0.40: seq=0 ttl=42 time=1.201 ms
+64 bytes from 10.132.0.40: seq=1 ttl=42 time=0.640 ms
+----
+
+. Ensure that unlabeled pods cannot send and receive data by entering the following command. In this example, because the `test-pod-a` pod is not labeled with `send-data`, it cannot send data to the `test-pod-b` pod, even though that pod has the `receive-data` label.
++
+[source,terminal]
+----
+$ oc exec -it test-pod-a -n project-a -- ping 10.132.0.41
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.41 (10.132.0.41): 56 data bytes
+--- 10.132.0.41 ping statistics ---
+2 packets transmitted, 0 packets received, 100% packet loss
+----

modules/nw-networkpolicy-deny-all-allowed.adoc

@@ -3,6 +3,7 @@
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 // * networking/network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
 
 :name: network
 :role: admin