Adds egress netpol docs

_topic_maps/_topic_map.yml

@@ -1479,6 +1479,8 @@ Topics:
       File: default-network-policy
     - Name: Configuring multitenant isolation with network policy
       File: multitenant-network-policy
+    - Name: Configuring full multitenant isolation with ingress and egress network policies
+      File: nw-networkpolicy-full-multitenant-isolation
   - Name: Audit logging for network security
     File: logging-network-security
   - Name: Egress Firewall

modules/nw-networkpolicy-allow-application-all-namespaces.adoc

@@ -27,7 +27,7 @@ Follow this procedure to configure a policy that allows traffic from all pods in
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]

modules/nw-networkpolicy-allow-application-particular-namespace.adoc

@@ -30,7 +30,7 @@ Follow this procedure to configure a policy that allows traffic to a pod with th
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]

modules/nw-networkpolicy-allow-external-clients.adoc

@@ -34,7 +34,7 @@ Follow this procedure to configure a policy that allows external service from th
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]

modules/nw-networkpolicy-allow-internet.adoc

@@ -0,0 +1,107 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-allow-ingress_{context}"]
+= Creating an allow ingress access network policy
+
+With the `deny-by-default` network policy that denies both ingress and egress traffic in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the  `networking/allow-ingress-access=true` label can receive network traffic.
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to the necessary namespaces. The policy denies ingress traffic to pods in the project.
+
+.Procedure
+
+. Create the following `ingress-access` network policy to allow pods with the `networking/allow-ingress-access` label to receive traffic from outside sources. Save the YAML in the `ingress-access.yaml` file:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-access
+spec:
+  podSelector:
+    matchLabels:
+      networking/allow-ingress-access: "true" <1>
+  policyTypes:
+  - Ingress
+  ingress:
+  - {}
+----
+<1> Apply this label to pods to enable the pods to receive traffic from outside sources.
+
+. Apply the network policy to the `project-a` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f ingress-access.yaml -n project-a
+----
+
+. Apply the network policy to the `project-b` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f ingress-access.yaml -n project-b
+----
+
+. Apply the `networking/allow-ingress-access=true` label to pods that must receive outside traffic by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod busybox-pod-a networking/allow-ingress-access=true -n project-a
+----
++
+Repeat this step for all pods that must receive outside traffic.
+
+.Verification
+
+. Obtain the IP addresses of pods in `project-a` by running the following command:
++
+[source,terminal]
+----
+$ oc get pod -n project-a -o wide
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME            READY   STATUS    RESTARTS   AGE   IP            NODE                           NOMINATED NODE   READINESS GATES
+busybox-pod-a   1/1     Running   0          13m   10.132.0.38   ip-10-0-132-187.ec2.internal   <none>           <none>
+test-pod-a      1/1     Running   0          13m   10.132.0.40   ip-10-0-132-187.ec2.internal   <none>           <none>
+----
+
+. Ensure that pods with the `networking/allow-ingress-access=true` label can receive two ICMP packets by entering the following command. If you followed these instructions, the `busybox-pod-a` pod in `project-a` can receive traffic from another pod. For example:
++
+[source,terminal]
+----
+$ oc exec -it test-pod-b -n project-b -- ping -c 2 10.132.0.44
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.44 (10.132.0.44): 56 data bytes
+64 bytes from 10.132.0.44: seq=0 ttl=42 time=1.137 ms
+64 bytes from 10.132.0.44: seq=1 ttl=42 time=0.672 ms
+----
+
+. Ensure that pods without the `networking/allow-ingress-access=true` label cannot receive traffic by entering the following command. If you followed these instructions, the `test-pod-a` pod in `project-a` cannot receive traffic. For example:
++
+[source,terminal]
+----
+$ oc exec -it busybox-pod-a -n project-a -- ping -c 2 10.132.0.40
+----
++
+.Example output
++
+[source,terminal]
+----
+PING 10.132.0.40 (10.132.0.40): 56 data bytes
+--- 10.132.0.40 ping statistics ---
+3 packets transmitted, 0 packets received, 100% packet loss
+----

modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc

@@ -0,0 +1,173 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-networkpolicy-ingress-new-deployments_{context}"]
+= Creating a network policy for new projects
+
+After you have created a network policy that defines specific connections, new pods within a project are unable to communicate with existing pods in the same project, until the proper network policy has been applied to that pod. To address this behavior, you can create the following `allow-ingress-from-new` and `allow-ingress-to-new` network policies in a project, which allows new pods with the `networking/allow-all-connections=true` label to communicate with existing pods until more granular policies are created. 
+
+.Prerequisites
+
+* You have created the `deny-by-default` network policy and applied it to a project.
+
+.Procedure
+
+. Create a new project, for example, `project-c`, by running the following command:
++
+[source,terminal]
+----
+$ oc new-project project-c
+----
+
+. In the `project-c` namespace, create a new pod by running the following command:
++
+[source,terminal]
+----
+$ cat <<EOF | oc apply -f - -n project-c
+apiVersion: v1
+kind: Pod
+metadata:
+  name: busybox-pod
+  labels:
+    app: busybox
+spec:
+  containers:
+  - name: busybox
+    image: alpine:latest 
+    command: [ "sleep", "3600" ]
+    securityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - "ALL"
+      seccompProfile:
+        type: "RuntimeDefault"
+EOF
+----
+
+. In the `project-a` namespace:
+
+.. Create the following `allow-ingress-from-new` network policy, which allows pods in this project the ability to receive ingress from a new project:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-new
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          networking/allow-all-connections: "true"
+  podSelector: {}
+  policyTypes:
+  - Ingress
+----
+
+.. Apply the network policy by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f allow-ingress-from-new.yaml -n project-a
+----
+
+.. Create the following `allow-ingress-to-new` network policy, which allows pods in this project the ability to send ingress to a new project:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-new
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          networking/allow-all-connections: "true"
+  podSelector: {}
+  policyTypes:
+  - Ingress
+----
+
+.. Apply the network policy by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f allow-ingress-to-new.yaml -n project-a
+----
+
+.. Apply the `networking/allow-all-connections=true` to pods in `project-a` that you want to be able to communicate with pods in `project-c` by running the following command:
++
+[source,terminal]
+----
+$ oc label pod <pod_name> networking/allow-all-connections=true -n project-a
+----
+
+. In the `project-c` namespace:
+
+.. Create the following `allow-ingress-from-new` network policy, which allows pods in this project the ability to receive ingress from a new project:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-new
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          networking/allow-all-connections: "true"
+----
+
+.. Apply the network policy by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f allow-ingress-from-new.yaml -n project-c
+----
+
+.. Create the following `allow-ingress-to-new` network policy, which allows pods in this project the ability to send ingress to a new project:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-to-new
+spec:
+  podSelector:
+    matchLabels:
+      networking/allow-all-connections: "true"
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector: {}
+----
+
+.. Apply the network policy by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f allow-ingress-to-new.yaml -n project-c
+----
+
+.. Apply the `networking/allow-all-connections=true` to pods in `project-c` that you want to be able to communicate with pods in `project-a` by running the following command:
++
+[source,terminal]
+----
+$ oc label pod busybox-pod networking/allow-all-connections=true -n project-c
+----

modules/nw-networkpolicy-configuring-internet-egress-pods.adoc

@@ -0,0 +1,68 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-networkpolicy-configuring-external-egress-pods_{context}"]
+= Configuring external egress for pods
+
+With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external destinations. 
+
+The following procedure shows you how to designate labels to pods that require internet egress.
+
+.Prerequisites
+
+* You have created a network policy to deny all egress traffic.
+
+.Procedure
+
+. Create the following `internet-egress.yaml` file that both defines a network policy that allows traffic from pods with the matching label to access internet egress. For example:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: internet-egress
+spec:
+  podSelector:
+    matchLabels:
+      networking/allow-internet-egress: "true" <1>
+  egress:
+  - {}
+  policyTypes:
+  - Egress
+----
+
+. Apply the network policy to the `project-a` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f internet-egress.yaml -n project-a
+----
+
+. Apply the `networking/allow-internet-egress=true` label to pods that require egress by entering the following command:
++
+[source,terminal]
+----
+$ oc label pod busybox-pod-a networking/allow-internet-egress=true -n project-a
+----
+
+.Verification
+
+* Check whether a labeled pod in a namespace where you applied the `internet-egress.yaml` network policy can resolve a DNS name by entering the following command:
++
+[source,terminal]
+----
+$ oc exec -it busybox-pod-a -n project-a -- nslookup google.com
+----
++
+.Example output
++
+[source,terminal]
+----
+...
+Name:	google.com
+Address: 142.250.125.102
+...
+----

modules/nw-networkpolicy-create-cli.adoc

@@ -28,7 +28,7 @@ endif::multi,microshift[]
 
 .Prerequisites
 ifndef::microshift[]
-* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
+* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin.
 endif::microshift[]
 * You installed the OpenShift CLI (`oc`).
 ifndef::microshift[]