Updates egress netpol docs

Steven Smith · Steven Smith · commit a7ea4d511167 · 2025-09-18T11:34:27.000-04:00
diff --git a/modules/nw-networkpolicy-allow-application-all-namespaces.adoc b/modules/nw-networkpolicy-allow-application-all-namespaces.adoc
@@ -27,7 +27,7 @@ Follow this procedure to configure a policy that allows traffic from all pods in
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]
diff --git a/modules/nw-networkpolicy-allow-application-particular-namespace.adoc b/modules/nw-networkpolicy-allow-application-particular-namespace.adoc
@@ -30,7 +30,7 @@ Follow this procedure to configure a policy that allows traffic to a pod with th
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]
diff --git a/modules/nw-networkpolicy-allow-external-clients.adoc b/modules/nw-networkpolicy-allow-external-clients.adoc
@@ -34,7 +34,7 @@ Follow this procedure to configure a policy that allows external service from th
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]
diff --git a/modules/nw-networkpolicy-allow-internet.adoc b/modules/nw-networkpolicy-allow-internet.adoc
@@ -6,11 +6,11 @@
 [id="nw-networkpolicy-allow-ingress_{context}"]
 = Creating an allow ingress access network policy
 
-With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the  `networking/allow-ingress-access=true` label can receive network traffic.
+With the `deny-by-default` network policy that denies both ingress and egress traffic in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the  `networking/allow-ingress-access=true` label can receive network traffic.
 
 .Prerequisites
 
-* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.
+* You have created the `deny-by-default` network policy and applied it to the necessary namespaces. The policy denies ingress traffic to pods in the project.
 
 .Procedure
 
@@ -31,7 +31,7 @@ spec:
   ingress:
   - {}
 ----
-<1> Apply this label to pods to enable the pod to receive traffic from outside sources.
+<1> Apply this label to pods to enable the pods to receive traffic from outside sources.
 
 . Apply the network policy to the `project-a` namespace by entering the following command:
 +
@@ -74,11 +74,11 @@ busybox-pod-a   1/1     Running   0          13m   10.132.0.38   ip-10-0-132-187
 test-pod-a      1/1     Running   0          13m   10.132.0.40   ip-10-0-132-187.ec2.internal   <none>           <none>
 ----
 
-. Ensure that pods with the `networking/allow-ingress-access=true` label can receive traffic by entering the following command. If you followed these instructions, the `busybox-pod-a` pod in `project-a` can receive traffic from another pod. For example:
+. Ensure that pods with the `networking/allow-ingress-access=true` label can receive two ICMP packets by entering the following command. If you followed these instructions, the `busybox-pod-a` pod in `project-a` can receive traffic from another pod. For example:
 +
 [source,terminal]
 ----
-$ oc exec -it test-pod-b -n project-b -- ping 10.132.0.44
+$ oc exec -it test-pod-b -n project-b -- ping -c 2 10.132.0.44
 ----
 +
 .Example output
@@ -94,7 +94,7 @@ PING 10.132.0.44 (10.132.0.44): 56 data bytes
 +
 [source,terminal]
 ----
-$ oc exec -it busybox-pod-a -n project-a -- ping 10.132.0.40
+$ oc exec -it busybox-pod-a -n project-a -- ping -c 2 10.132.0.40
 ----
 +
 .Example output
diff --git a/modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc b/modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc
@@ -59,14 +59,15 @@ kind: NetworkPolicy
 metadata:
   name: allow-ingress-from-new
 spec:
-  podSelector: {}
-  policyTypes:
-  - Ingress
   ingress:
   - from:
-    - podSelector:
+    - namespaceSelector: {}
+      podSelector:
         matchLabels:
           networking/allow-all-connections: "true"
+  podSelector: {}
+  policyTypes:
+  - Ingress
 ----
 
 .. Apply the network policy by entering the following command:
@@ -83,23 +84,24 @@ $ oc apply -f allow-ingress-from-new.yaml -n project-a
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-ingress-to-new
+  name: allow-ingress-from-new
 spec:
-  podSelector:
-    matchLabels:
-      networking/allow-all-connections: "true"
-  policyTypes:
-  - Ingress
   ingress:
   - from:
-    - podSelector: {}
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          networking/allow-all-connections: "true"
+  podSelector: {}
+  policyTypes:
+  - Ingress
 ----
 
 .. Apply the network policy by entering the following command:
 +
 [source,terminal]
 ----
-$ oc apply -f allow-ingress-tp-new.yaml -n project-a
+$ oc apply -f allow-ingress-to-new.yaml -n project-a
 ----
 
 .. Apply the `networking/allow-all-connections=true` to pods in `project-a` that you want to be able to communicate with pods in `project-c` by running the following command:
@@ -160,7 +162,7 @@ spec:
 +
 [source,terminal]
 ----
-$ oc apply -f allow-ingress-tp-new.yaml -n project-c
+$ oc apply -f allow-ingress-to-new.yaml -n project-c
 ----
 
 .. Apply the `networking/allow-all-connections=true` to pods in `project-c` that you want to be able to communicate with pods in `project-a` by running the following command:
diff --git a/modules/nw-networkpolicy-configuring-internet-egress-pods.adoc b/modules/nw-networkpolicy-configuring-internet-egress-pods.adoc
@@ -3,10 +3,10 @@
 // * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="nw-networkpolicy-configuring-internet-egress-pods_{context}"]
-= Configuring internet egress for pods
+[id="nw-networkpolicy-configuring-external-egress-pods_{context}"]
+= Configuring external egress for pods
 
-With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external traffic. 
+With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external destinations. 
 
 The following procedure shows you how to designate labels to pods that require internet egress.
 
@@ -41,13 +41,6 @@ spec:
 $ oc apply -f internet-egress.yaml -n project-a
 ----
 
-. Apply the network policy to the `project-b` namespace by entering the following command:
-+
-[source,terminal]
-----
-$ oc apply -f internet-egress.yaml -n project-b
-----
-
 . Apply the `networking/allow-internet-egress=true` label to pods that require egress by entering the following command:
 +
 [source,terminal]
@@ -61,7 +54,7 @@ $ oc label pod busybox-pod-a networking/allow-internet-egress=true -n project-a
 +
 [source,terminal]
 ----
-$ oc exec -it <pod_name> -n project-a -- nslookup google.com
+$ oc exec -it busybox-pod-a -n project-a -- nslookup google.com
 ----
 +
 .Example output
diff --git a/modules/nw-networkpolicy-create-cli.adoc b/modules/nw-networkpolicy-create-cli.adoc
@@ -28,7 +28,7 @@ endif::multi,microshift[]
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]
diff --git a/modules/nw-networkpolicy-cross-namespace-communication.adoc b/modules/nw-networkpolicy-cross-namespace-communication.adoc
@@ -52,21 +52,21 @@ $ oc apply -f allow-n1-a-to-n2-b.yaml -n project-b
 +
 [source,terminal]
 ----
-$ oc label namespace project-a networking/namespace=n1 --overwrite
+$ oc label namespace project-a networking/namespace=n1
 ----
 
 . Label the `project-b` namespace with the `networking/namespace=n2` label by entering the following command:
 +
 [source,terminal]
 ----
-$ oc label namespace project-b networking/namespace=n2 --overwrite
+$ oc label namespace project-b networking/namespace=n2
 ----
 
 . If it is not already labeled, label the `busybox-pod` in `project-a` with the `send-data` label by entering the following command:
 +
 [source,terminal]
 ----
-$ oc label pod busybox-pod-a app=send-data -n project-a
+$ oc label pod busybox-pod-a app=send-data -n project-a --overwrite
 ----
 
 . If it is not already labeled, label the `test-pod` in `project-b` with the `receive-data` label by entering the following command:
diff --git a/modules/nw-networkpolicy-delete-cli.adoc b/modules/nw-networkpolicy-delete-cli.adoc
@@ -27,7 +27,7 @@ endif::multi,microshift[]
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]
diff --git a/modules/nw-networkpolicy-deny-all-allowed.adoc b/modules/nw-networkpolicy-deny-all-allowed.adoc
@@ -21,12 +21,12 @@ This policy blocks all cross-pod networking other than network traffic allowed b
 
 [WARNING]
 ====
-Without configuring a `NetworkPolicy` custom resource (CR) that allows traffic communication, the following policy might cause communication problems across your cluster.
+Without configuring a network policy that allows traffic communication, the following policy might cause communication problems across your cluster.
 ====
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]
diff --git a/modules/nw-networkpolicy-deny-all-egress-network-policy.adoc b/modules/nw-networkpolicy-deny-all-egress-network-policy.adoc
@@ -10,13 +10,13 @@ Use the following procedure to create a `default-deny-all` network policy that i
 
 [WARNING]
 ====
-Without configuring a `NetworkPolicy` custom resource (CR) that allows traffic communication, the following policy might cause communication problems across your cluster.
+Without configuring a network policy that allows traffic communication, the following policy might cause communication problems across your cluster.
 Creating a `default-deny-all` network policy that isolates pods for egress breaks pod-to-pod communication for ingress. This behavior is expected, and every connection allowed in the ingress direction must also allowlist connections in the egress direction. After creating a `default-deny-all` network policy, you should "Configure internet for egress pods" and "Enable pod-to-pod communication". 
 ====
 
 .Prerequisites
 
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 * You installed the OpenShift CLI (`oc`).
 * You are logged in to the cluster with a user with admin privileges.
 * You have configured an ingress network policy.
@@ -84,7 +84,7 @@ $ oc exec -it test-pod-b -n project-b -- nslookup google.com
 ;; connection timed out; no servers could be reached
 ----
 
-. Test ingress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for ingress, pods should not longer be able to communicate.
+. Test ingress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for egress, pods should not longer be able to communicate.
 +
 [source,terminal]
 ----
diff --git a/modules/nw-networkpolicy-edit.adoc b/modules/nw-networkpolicy-edit.adoc
@@ -26,7 +26,7 @@ endif::multi,microshift[]
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]
diff --git a/modules/nw-networkpolicy-enable-pod-pod-communication-egress.adoc b/modules/nw-networkpolicy-enable-pod-pod-communication-egress.adoc
@@ -6,7 +6,7 @@
 [id="nw-networkpolicy-enable-pod-pod-communication-egress_{context}"]
 = Enabling pod-to-pod communication
 
-After creating a `default-deny-all` network policy that isolates pods for egress, pod-to-pod communication is broken for ingress. To re-establish ingress communication for pods, you must create a complementary egress network policy that _mirrors_ the network policy that allowed for ingress pod-to-pod communication across namespaces.
+After creating a egress `default-deny-all` network policy that isolates pods for egress, pod-to-pod communication is broken for ingress in the other namespace. To re-establish ingress communication for pods, you must create a complementary egress network policy that _mirrors_ the network policy that allowed for ingress pod-to-pod communication across namespaces.
 
 The following procedure shows you how to create a complementary egress network policy named `egress-allow-n1-a-to-n2-b`. The `egress-allow-n1-a-to-n2-b` network policy mirrors the the `allow-n1-a-to-n2-b` network policy that was created in "Creating a network policy for cross-namespace communication" and is applied to the opposite namespace that the `allow-n1-a-to-n2-b` network policy was applied to. Mirroring the `allow-n1-a-to-n2-b` network policy requires you to adjust the following fields of that network policy:
 
@@ -16,7 +16,7 @@ The following procedure shows you how to create a complementary egress network p
 
 .Prerequisites 
 
-* You have created the following `allow-n1-a-to-n2-b` ingress network policy:
+* You have created the following `allow-n1-a-to-n2-b` ingress network policy in the `project-b` namespace:
 +
 [source,yaml]
 ----
@@ -34,7 +34,7 @@ spec:
   - from:
     - namespaceSelector:
         matchLabels:
-          networking/namespace:
+          networking/namespace: n1
       podSelector:
         matchLabels:
           app: send-data
@@ -49,7 +49,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-n1-a-to-n2-b-egress
+  name: egress-allow-n1-a-to-n2-b
 spec:
   podSelector:
     matchLabels:
@@ -70,7 +70,7 @@ spec:
 +
 [source,terminal]
 ----
-$ oc apply -f allow-n1-a-to-n2-b-egress.yaml -n project-a
+$ oc apply -f egress-allow-n1-a-to-n2-b.yaml -n project-a
 ----
 
 .Verification
@@ -79,7 +79,7 @@ $ oc apply -f allow-n1-a-to-n2-b-egress.yaml -n project-a
 +
 [source,terminal]
 ----
-$ oc get pod -n project-a -o wide
+$ oc get pod -n project-b -o wide
 ----
 +
 .Example output
diff --git a/modules/nw-networkpolicy-multitenant-isolation.adoc b/modules/nw-networkpolicy-multitenant-isolation.adoc
@@ -11,7 +11,7 @@ project namespaces.
 
 .Prerequisites
 
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 * You installed the OpenShift CLI (`oc`).
 * You are logged in to the cluster with a user with `admin` privileges.
 
diff --git a/modules/nw-networkpolicy-same-namespace-communication.adoc b/modules/nw-networkpolicy-same-namespace-communication.adoc
@@ -6,7 +6,7 @@
 [id="nw-networkpolicy-same-namespace-communication_{context}"]
 = Creating a network policy for same namespace communication
 
-With the `deny-by-default` network policy in place, a second option to enable communication is to create a network policy that allows for same namespace communication using the following `allow-same-namespace` network policy.
+With the `deny-by-default` network policy in place, a second option to enable pod to pod communication within namespace is to create a network policy that allows for same namespace communication using the following `allow-same-namespace` network policy.
 
 .Prerequisites
 
diff --git a/modules/nw-policy-cluster-preparation.adoc b/modules/nw-policy-cluster-preparation.adoc
@@ -12,7 +12,7 @@ The following procedure creates the projects and pods that are used throughout t
 
 .Prerequisites
 
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 * You have installed the OpenShift CLI (`oc`).
 * You are logged in as a user with cluster admin privileges.
 
diff --git a/modules/nw-policy-default-deny-ingress.adoc b/modules/nw-policy-default-deny-ingress.adoc
@@ -10,12 +10,12 @@ The following `default-deny-all` network policy blocks all cross-pod networking
 
 [WARNING]
 ====
-Without configuring a `NetworkPolicy` custom resource (CR) that allows traffic communication, the following policy might cause communication problems across your cluster.
+Without configuring a network policy that allows traffic communication, the following policy might cause communication problems across your cluster.
 ====
 
 .Prerequisites
 
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 * You have installed the OpenShift CLI (`oc`).
 * You are logged in as a user with cluster admin privileges.
 * You have created at least two namespaces. The following examples use `project-a` and `project-b` namespaces.
