Merge pull request #75310 from JoeAldinger/OSDOCS-10396

OSDOCS-10396:ANP audit logging

Author: JoeAldinger

_topic_maps/_topic_map.yml

@@ -1280,10 +1280,16 @@ Topics:
   Dir: openshift_network_security
   Distros: openshift-enterprise,openshift-origin
   Topics:
-  - Name: About OVN-Kubernetes network policy
-    File: ovn-k-network-policy
-  - Name: AdminNetworkPolicy
-    File: ovn-k-anp
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
+  - Name: Admin network policy
+    Dir: AdminNetworkPolicy
+    Distros: openshift-enterprise, openshift-origin
+    Topics:
+    - Name: About AdminNetworkPolicy
+      File: ovn-k-anp
+    - Name: About BaselineAdminNetworkPolicy
+      File: ovn-k-banp
   - Name: Network policy
     Dir: network_policy
     Distros: openshift-enterprise, openshift-origin
@@ -1302,8 +1308,8 @@ Topics:
       File: default-network-policy
     - Name: Configuring multitenant isolation with network policy
       File: multitenant-network-policy
-  - Name: BaselineAdminNetworkPolicy
-    File: ovn-k-banp
+  - Name: Audit logging for network security
+    File: logging-network-security
   - Name: Understanding the Ingress Node Firewall Operator
     File: ingress-node-firewall-operator
   - Name: Egress Firewall
@@ -1479,8 +1485,6 @@ Topics:
     File: rollback-to-openshift-sdn
   - Name: Converting to IPv4/IPv6 dual stack networking
     File: converting-to-dual-stack
-  - Name: Logging for egress firewall and network policy rules
-    File: logging-network-policy
   - Name: Configure an external gateway on the default network
     File: configuring-secondary-external-gateway
   - Name: Configuring an egress IP address

_topic_maps/_topic_map_osd.yml

@@ -837,8 +837,8 @@ Topics:
   Dir: openshift_network_security
   Distros: openshift-dedicated
   Topics:
-  - Name: About OVN-Kubernetes network policy
-    File: ovn-k-network-policy
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
   - Name: Network policy
     Dir: network_policy
     Distros: openshift-dedicated

_topic_maps/_topic_map_rosa.yml

@@ -1060,10 +1060,16 @@ Topics:
 - Name:  OpenShift network security
   Dir: openshift_network_security
   Topics:
-  - Name: About OVN-Kubernetes network policy
-    File: ovn-k-network-policy
-  - Name: AdminNetworkPolicy
-    File: ovn-k-anp
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
+  - Name: Admin network policy
+    Dir: AdminNetworkPolicy
+    Distros: openshift-rosa
+    Topics:
+    - Name: About AdminNetworkPolicy
+      File: ovn-k-anp
+    - Name: About BaselineAdminNetworkPolicy
+      File: ovn-k-banp
   - Name: Network policy
     Dir: network_policy
     Distros: openshift-rosa
@@ -1082,8 +1088,6 @@ Topics:
       File: default-network-policy
     - Name: Configuring multitenant isolation with network policy
       File: multitenant-network-policy
-  - Name: BaselineAdminNetworkPolicy
-    File: ovn-k-banp
 - Name: OVN-Kubernetes network plugin
   Dir: ovn_kubernetes_network_provider
   Topics:

modules/nw-anp-audit-logging-concept.adoc

@@ -0,0 +1,150 @@
+// Module included in the following assemblies:
+//
+// * networking/openshift_network_security/AdminNetworkPolicy/logging-anp-policy.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="nw-anp-audit-logging_{context}"]
+= AdminNetworkPolicy audit logging
+
+Audit logging is enabled per `AdminNetworkPolicy` CR by annotating an ANP policy with the `k8s.ovn.org/acl-logging` key such as in the following example:
+
+.Example of annotation for `AdminNetworkPolicy` CR
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  annotations:
+    k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "alert", "pass" : "warning" }'
+  name: anp-tenant-log
+spec:
+  priority: 5
+  subject:
+    namespaces:
+      matchLabels:
+        tenant: backend-storage # Selects all pods owned by storage tenant.
+  ingress:
+    - name: "allow-all-ingress-product-development-and-customer" # Product development and customer tenant ingress to backend storage.
+      action: "Allow"
+      from:
+      - pods:
+          namespaceSelector:
+            matchExpressions:
+            - key: tenant
+              operator: In
+              values:
+              - product-development
+              - customer
+          podSelector: {}
+    - name: "pass-all-ingress-product-security"
+      action: "Pass"
+      from:
+      - namespaces:
+          matchLabels:
+              tenant: product-security
+    - name: "deny-all-ingress" # Ingress to backend from all other pods in the cluster.
+      action: "Deny"
+      from:
+      - namespaces: {}
+  egress:
+    - name: "allow-all-egress-product-development"
+      action: "Allow"
+      to:
+      - pods:
+          namespaceSelector:
+            matchLabels:
+              tenant: product-development
+          podSelector: {}
+    - name: "pass-egress-product-security"
+      action: "Pass"
+      to:
+      - namespaces:
+           matchLabels:
+             tenant: product-security
+    - name: "deny-all-egress" # Egress from backend denied to all other pods.
+      action: "Deny"
+      to:
+      - namespaces: {}
+----
+====
+
+Logs are generated whenever a specific OVN ACL is hit and meets the action criteria set in your logging annotation. For example, an event in which any of the namespaces with the label `tenant: product-development` accesses the namespaces with the label `tenant: backend-storage`, a log is generated.
+
+
+[NOTE]
+====
+ACL logging is limited to 60 characters. If your ANP `name` field is long, the rest of the log will be truncated.
+====
+
+The following is a direction index for the examples log entries that follow:
+
+[cols=".^4,.^6a",options="header"]
+|====
+|Direction|Rule
+
+|Ingress
+|
+Rule0:: Allow from tenant `product-development` and `customer` to tenant `backend-storage`; Ingress0: `Allow`
+Rule1:: Pass from `product-security`to tenant `backend-storage`; Ingress1: `Pass`
+Rule2::	Deny ingress from all pods; Ingress2: `Deny`
+
+|Egress
+|
+Rule0:: Allow to `product-development`; Egress0: `Allow`
+Rule1:: Pass to `product-security`; Egress1: `Pass`
+Rule2:: Deny egress to all other pods; Egress2: `Deny`
+
+|====
+
+.Example ACL log entry for `Allow` action of the `AdminNetworkPolicy` named `anp-tenant-log` with `Ingress:0` and `Egress:0`
+
+[%collapsible]
+====
+[source,text]
+----
+2024-06-10T16:27:45.194Z|00052|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1a,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.26,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=57814,tp_dst=8080,tcp_flags=syn
+2024-06-10T16:28:23.130Z|00059|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:18,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.24,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=38620,tp_dst=8080,tcp_flags=ack
+2024-06-10T16:28:38.293Z|00069|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:0", verdict=allow, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:1a,nw_src=10.128.2.25,nw_dst=10.128.2.26,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=47566,tp_dst=8080,tcp_flags=fin|ack=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=55704,tp_dst=8080,tcp_flags=ack
+----
+====
+
+.Example ACL log entry for `Pass` action of the `AdminNetworkPolicy` named `anp-tenant-log` with `Ingress:1` and `Egress:1`
+
+[%collapsible]
+====
+[source,text]
+----
+2024-06-10T16:33:12.019Z|00075|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:1", verdict=pass, severity=warning, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1b,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.27,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=37394,tp_dst=8080,tcp_flags=ack
+2024-06-10T16:35:04.209Z|00081|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:1", verdict=pass, severity=warning, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:1b,nw_src=10.128.2.25,nw_dst=10.128.2.27,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=34018,tp_dst=8080,tcp_flags=ack
+----
+====
+
+.Example ACL log entry for `Deny` action of the `AdminNetworkPolicy` named `anp-tenant-log` with `Egress:2` and `Ingress2`
+
+[%collapsible]
+====
+[source,text]
+----
+2024-06-10T16:43:05.287Z|00087|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:2", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:18,nw_src=10.128.2.25,nw_dst=10.128.2.24,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=51598,tp_dst=8080,tcp_flags=syn
+2024-06-10T16:44:43.591Z|00090|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:2", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1c,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.28,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=33774,tp_dst=8080,tcp_flags=syn
+----
+====
+
+The following table describes ANP annotation:
+
+.Audit logging AdminNetworkPolicy annotation
+[cols=".^4,.^6a",options="header"]
+|====
+|Annotation|Value
+
+|`k8s.ovn.org/acl-logging`
+|
+You must specify at least one of `Allow`, `Deny`, or `Pass` to enable audit logging for a namespace.
+
+`Deny`:: Optional: Specify `alert`, `warning`, `notice`, `info`, or `debug`.
+`Allow`:: Optional: Specify `alert`, `warning`, `notice`, `info`, or `debug`.
+`Pass`:: Optional: Specify `alert`, `warning`, `notice`, `info`, or `debug`.
+|====
+

modules/nw-anp-np-reference.adoc

@@ -0,0 +1,67 @@
+// Module included in the following assemblies:
+//
+// * networking/openshift_network_security/logging-network-security.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-anp-differences-networkpolicy_{context}"]
+= Key differences between AdminNetworkPolicy and NetworkPolicy custom resources
+
+The following table explains key differences between the cluster scoped `AdminNetworkPolicy` API and the namespace scoped `NetworkPolicy` API.
+
+[cols="1,1,1"]
+|===
+|Policy elements | AdminNetworkPolicy | NetworkPolicy
+
+|Applicable user
+|Cluster administrator or equivalent
+|Namespace owners
+
+|Scope
+|Cluster
+|Namespaced
+
+|Drop traffic
+|Supported with an explicit `Deny` action set as a rule.
+|Supported via implicit `Deny` isolation at policy creation time.
+
+|Delegate traffic
+|Supported with an `Pass` action set as a rule.
+|Not applicable
+
+|Allow traffic
+|Supported with an explicit `Allow` action set as a rule.
+|The default action for all rules is to allow.
+
+|Rule precedence within the policy
+|Depends on the order in which they appear within an ANP. The higher the rule's position the higher the precedence.
+|Rules are additive
+
+|Policy precedence
+|Among ANPs the `priority` field sets the order for evaluation. The lower the priority number higher the policy precedence.
+|There is no policy ordering between policies.
+
+|Feature precedence
+|Evaluated first via tier 1 ACL and BANP is evaluated last via tier 3 ACL.
+|Enforced after ANP and before BANP, they are evaluated in tier 2 of the ACL.
+
+|Matching pod selection
+|Can apply different rules across namespaces.
+|Can apply different rules across pods in single namespace.
+
+|Cluster egress traffic
+|Supported via `nodes` and `networks` peers
+|Supported through `ipBlock` field along with accepted CIDR syntax.
+
+|Cluster ingress traffic
+|Not supported
+|Not supported
+
+|Fully qualified domain names (FQDN) peer support
+|Not supported
+|Not supported
+
+|Namespace selectors
+|Supports advanced selection of Namespaces with the use of `namespaces.matchLabels` field
+|Supports label based namespace selection with the use of `namespaceSelector` field
+
+|===

modules/nw-audit-configuration.adoc

@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// * networking/openshift_network_security/logging-network-security.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-policy-audit-configuration-{context}"]
+= Audit configuration
+
+The configuration for audit logging is specified as part of the OVN-Kubernetes cluster network provider configuration. The following YAML illustrates the default values for the audit logging:
+
+.Audit logging configuration
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: Network
+metadata:
+  name: cluster
+spec:
+  defaultNetwork:
+    ovnKubernetesConfig:
+      policyAuditConfig:
+        destination: "null"
+        maxFileSize: 50
+        rateLimit: 20
+        syslogFacility: local0
+----
+
+The following table describes the configuration fields for audit logging.