Adds egress netpol docs #92159

stevsmit · 2025-04-14T19:39:21Z

Version(s):

Issue:
https://issues.redhat.com/browse/OCPBUGS-54674

Link to docs preview:
https://92159--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation

QE review:

QE has approved this change.

Additional information:

ocpdocs-previewbot · 2025-04-14T19:58:13Z

🤖 Fri Apr 18 19:14:41 - Prow CI generated the docs preview:

https://92159--ocpdocs-pr.netlify.app/
https://92159--ocpdocs-pr.netlify.app/microshift/latest/microshift_networking/microshift_network_policy/microshift-creating-network-policy.html
https://92159--ocpdocs-pr.netlify.app/openshift-dedicated/latest/networking/network_security/network_policy/creating-network-policy.html
https://92159--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/multiple_networks/secondary_networks/configuring-multi-network-policy.html
https://92159--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/network_security/network_policy/creating-network-policy.html
https://92159--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.html
https://92159--ocpdocs-pr.netlify.app/openshift-rosa/latest/networking/network_security/network_policy/creating-network-policy.html

ocpdocs-vale-bot · 2025-04-17T20:00:54Z

modules/nw-networkpolicy-cross-namespace-communication.adoc

+
+.Procedure
+
+. Create the following `allow-n1-a-to-n2-b` network policy to allow pods across namespaces to communicate with each other. With this YAML, pods in the `project-a` namespace can communicate with pods in the `project-b` namespace, so long as those namespaces are labeled `networking/namespace: n1` and `networking/namespace: n2`, respectively. Save the YAML in the `allow-n1-a-to-n2-b` file:


🤖 [error] RedHat.TermsErrors: Use 'if' or 'when' rather than 'so long as'. For more information, see RedHat.TermsErrors.

openshift-ci · 2025-04-18T19:15:45Z

@stevsmit: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

bergerhoffer · 2025-06-16T18:53:54Z

The branch/enterprise-4.20 label has been added to this PR.

This is because your PR targets the main branch and is labeled for enterprise-4.19. And any PR going into main must also target the latest version branch (enterprise-4.20).

If the update in your PR does NOT apply to version 4.20 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.

asood-rh · 2025-06-16T21:06:49Z

modules/nw-networkpolicy-allow-internet.adoc

+  ingress:
+  - {}
+----
+<1> Apply this label to pods to enable the pod to receive traffic from outside sources.


Suggested change

<1> Apply this label to pods to enable the pod to receive traffic from outside sources.

<1> Apply this label to pods to enable the pods to receive traffic from outside sources.

asood-rh · 2025-06-17T12:54:30Z

modules/nw-networkpolicy-allow-internet.adoc

+
+[source,terminal]
+----
+$ oc exec -it test-pod-b -n project-b -- ping 10.132.0.44


Suggested change

$ oc exec -it test-pod-b -n project-b -- ping 10.132.0.44

$ oc exec -it test-pod-b -n project-b -- ping -c 2 10.132.0.44

You could just say send 2 ICMP packets

asood-rh · 2025-06-17T12:57:31Z

modules/nw-networkpolicy-allow-internet.adoc

+
+[source,terminal]
+----
+$ oc exec -it busybox-pod-a -n project-a -- ping 10.132.0.40


Suggested change

$ oc exec -it busybox-pod-a -n project-a -- ping 10.132.0.40

$ oc exec -it busybox-pod-a -n project-a -- ping -c 2 10.132.0.40

This would ensure user does not have to issue Ctl C to stop sending ICMP packets

asood-rh · 2025-06-17T13:16:18Z

modules/nw-networkpolicy-allow-internet.adoc

+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.


Suggested change

* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.

* You have created the `deny-by-default` network policy and applied it to the necessary namespaces. The policy denies ingress traffic to pods in the project.

asood-rh · 2025-06-17T15:23:30Z

modules/nw-policy-cluster-preparation.adoc

+
+.Prerequisites
+
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.


Suggested change

* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.

* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.

We do not have such a mode in OVNK clusters.

asood-rh · 2025-06-17T17:01:12Z

modules/nw-networkpolicy-allow-internet.adoc

+[id="nw-networkpolicy-allow-ingress_{context}"]
+= Creating an allow ingress access network policy
+
+With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the  `networking/allow-ingress-access=true` label can receive network traffic.


Suggested change

With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the `networking/allow-ingress-access=true` label can receive network traffic.

With the `deny-by-default` network policy, that denies both ingress and egress traffic, in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the `networking/allow-ingress-access=true` label can receive network traffic.

@stevsmit If it is both ingress or egress pod traffic, it has to be default deny ingress and egress.
If it is about ingress then it should just refer to incoming traffic.

asood-rh · 2025-06-17T17:08:21Z

modules/nw-networkpolicy-configuring-internet-egress-pods.adoc

+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-configuring-internet-egress-pods_{context}"]
+= Configuring internet egress for pods


Suggested change

= Configuring internet egress for pods

= Configuring external egress for pods

asood-rh · 2025-06-17T19:16:13Z

modules/nw-policy-default-deny-ingress.adoc

+
+[WARNING]
+====
+Without configuring a `NetworkPolicy` custom resource (CR) that allows traffic communication, the following policy might cause communication problems across your cluster.


Suggested change

Without configuring a `NetworkPolicy` custom resource (CR) that allows traffic communication, the following policy might cause communication problems across your cluster.

Without configuring a `NetworkPolicy` that allows traffic communication, the following policy might cause communication problems across your cluster.

(B)ANP would be custom resouce, network policy is API.

asood-rh · 2025-06-17T20:50:56Z

modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc

+
+[source,terminal]
+----
+$ oc apply -f allow-ingress-tp-new.yaml -n project-a


Suggested change

$ oc apply -f allow-ingress-tp-new.yaml -n project-a

$ oc apply -f allow-ingress-to-new.yaml -n project-a

asood-rh · 2025-06-17T20:51:21Z

modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc

+
+[source,terminal]
+----
+$ oc apply -f allow-ingress-tp-new.yaml -n project-c


Suggested change

$ oc apply -f allow-ingress-tp-new.yaml -n project-c

$ oc apply -f allow-ingress-to-new.yaml -n project-c

asood-rh · 2025-06-17T20:54:23Z

modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc

+    - podSelector:
+        matchLabels:
+          networking/allow-all-connections: "true"
+----


If the intent is to allow the ingress from new project-c then the policy needs to be as below in project-a

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-ingress-from-new spec: ingress: - from: - namespaceSelector: {} podSelector: matchLabels: networking/allow-all-connections: "true" podSelector: {} policyTypes: - Ingress

asood-rh · 2025-06-17T20:57:21Z

modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc

+  ingress:
+  - from:
+    - podSelector: {}
+----


Same as above for cross project ingress traffic

asood-rh · 2025-06-17T21:23:25Z

modules/nw-networkpolicy-configuring-internet-egress-pods.adoc

+[id="nw-networkpolicy-configuring-internet-egress-pods_{context}"]
+= Configuring internet egress for pods
+
+With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external traffic. 


Suggested change

With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external traffic.

With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external destinations.

asood-rh · 2025-06-17T21:25:42Z

modules/nw-networkpolicy-configuring-internet-egress-pods.adoc

+$ oc apply -f internet-egress.yaml -n project-a
+----
+
+. Apply the network policy to the `project-b` namespace by entering the following command:


Do not need to add policy in project-b when demonstrating egress to external destination. Makes sense if egress to another namespace needs to be demonstrated

asood-rh · 2025-06-17T21:36:27Z

modules/nw-networkpolicy-configuring-internet-egress-pods.adoc

+
+[source,terminal]
+----
+$ oc exec -it <pod_name> -n project-a -- nslookup google.com


Suggested change

$ oc exec -it <pod_name> -n project-a -- nslookup google.com

$ oc exec -it busybox-pod-a -n project-a -- nslookup google.com

As the pod was labelled in previous step.
$ oc exec -it test-pod-a -n project-a -- nslookup google.com can be used to demonstrate egress traffic does not work if the pod does not have a required label.

asood-rh · 2025-06-18T01:23:51Z

modules/nw-networkpolicy-deny-all-egress-network-policy.adoc

+
+[WARNING]
+====
+Without configuring a `NetworkPolicy` custom resource (CR) that allows traffic communication, the following policy might cause communication problems across your cluster.


Suggested change

Without configuring a `NetworkPolicy` custom resource (CR) that allows traffic communication, the following policy might cause communication problems across your cluster.

Without configuring a `NetworkPolicy` that allows traffic communication, the following policy might cause communication problems across your cluster.

asood-rh · 2025-06-18T01:28:12Z

modules/nw-networkpolicy-deny-all-egress-network-policy.adoc

+
+.Prerequisites
+
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.


Suggested change

* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.

* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.

The plugin is deprecated so should not mention it in latest documentation. The OVN-Kubernetes plugin does not have the mentioned mode.

asood-rh · 2025-06-18T01:39:26Z

modules/nw-networkpolicy-deny-all-egress-network-policy.adoc

+;; connection timed out; no servers could be reached
+----
+
+. Test ingress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for ingress, pods should not longer be able to communicate.


Suggested change

. Test ingress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for ingress, pods should not longer be able to communicate.

. Test ingress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for egress, pods should not longer be able to communicate.

asood-rh · 2025-06-18T01:48:31Z

modules/nw-policy-default-deny-ingress.adoc

+
+.Prerequisites
+
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.


Suggested change

* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.

* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.

asood-rh · 2025-06-18T01:57:17Z

modules/nw-networkpolicy-same-namespace-communication.adoc

+[id="nw-networkpolicy-same-namespace-communication_{context}"]
+= Creating a network policy for same namespace communication
+
+With the `deny-by-default` network policy in place, a second option to enable communication is to create a network policy that allows for same namespace communication using the following `allow-same-namespace` network policy.


Suggested change

With the `deny-by-default` network policy in place, a second option to enable communication is to create a network policy that allows for same namespace communication using the following `allow-same-namespace` network policy.

With the `deny-by-default` network policy in place, a second option to enable pod to pod communication within namespace is to create a network policy that allows for same namespace communication using the following `allow-same-namespace` network policy.

asood-rh · 2025-06-18T02:22:37Z

modules/nw-networkpolicy-cross-namespace-communication.adoc

+
+[source,terminal]
+----
+$ oc label namespace project-a networking/namespace=n1 --overwrite


Suggested change

$ oc label namespace project-a networking/namespace=n1 --overwrite

$ oc label namespace project-a networking/namespace=n1

--overwrite is not needed as the label does not exist on the namespace

asood-rh · 2025-06-18T02:22:51Z

modules/nw-networkpolicy-cross-namespace-communication.adoc

+
+[source,terminal]
+----
+$ oc label namespace project-b networking/namespace=n2 --overwrite


Suggested change

$ oc label namespace project-b networking/namespace=n2 --overwrite

$ oc label namespace project-b networking/namespace=n2

asood-rh · 2025-06-18T02:24:39Z

modules/nw-networkpolicy-cross-namespace-communication.adoc

+
+[source,terminal]
+----
+$ oc label pod busybox-pod-a app=send-data -n project-a


Suggested change

$ oc label pod busybox-pod-a app=send-data -n project-a

$ oc label pod busybox-pod-a app=send-data -n project-a --overwrite

asood-rh · 2025-06-18T02:37:05Z