diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index cbf4b45104bb..a62878fb07f4 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1039,7 +1039,7 @@ Topics: File: deleting-network-policy - Name: Defining a default network policy for projects File: default-network-policy - - Name: Configuring multitenant network policy + - Name: Configuring multitenant isolation with network policy File: multitenant-network-policy - Name: AWS Load Balancer Operator Dir: aws_load_balancer_operator diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml index 4a0e5e0f52a0..07a20dc0af58 100644 --- a/_topic_maps/_topic_map_osd.yml +++ b/_topic_maps/_topic_map_osd.yml @@ -197,6 +197,19 @@ Topics: File: configuring-cluster-wide-proxy - Name: CIDR range definitions File: cidr-range-definitions +- Name: Network policy + Dir: network_policy + Topics: + - Name: About network policy + File: about-network-policy + - Name: Creating a network policy + File: creating-network-policy + - Name: Viewing a network policy + File: viewing-network-policy + - Name: Deleting a network policy + File: deleting-network-policy + - Name: Configuring multitenant isolation with network policy + File: multitenant-network-policy --- Name: Applications Dir: applications diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml index f7d658579046..8bca8a8d2a0f 100644 --- a/_topic_maps/_topic_map_rosa.yml +++ b/_topic_maps/_topic_map_rosa.yml 
@@ -301,6 +301,19 @@ Topics: File: configuring-cluster-wide-proxy - Name: CIDR range definitions File: cidr-range-definitions +- Name: Network policy + Dir: network_policy + Topics: + - Name: About network policy + File: about-network-policy + - Name: Creating a network policy + File: creating-network-policy + - Name: Viewing a network policy + File: viewing-network-policy + - Name: Deleting a network policy + File: deleting-network-policy + - Name: Configuring multitenant isolation with network policy + File: multitenant-network-policy --- Name: Application development Dir: applications diff --git a/modules/nw-networkpolicy-create.adoc b/modules/nw-networkpolicy-create-cli.adoc similarity index 95% rename from modules/nw-networkpolicy-create.adoc rename to modules/nw-networkpolicy-create-cli.adoc index fa41c9b09241..d4b25fe6f36f 100644 --- a/modules/nw-networkpolicy-create.adoc +++ b/modules/nw-networkpolicy-create-cli.adoc @@ -1,5 +1,6 @@ // Module included in the following assemblies: // +// * networking/multiple_networks/configuring-multi-network-policy.adoc // * networking/network_policy/creating-network-policy.adoc // * post_installation_configuration/network-configuration.adoc @@ -15,8 +16,8 @@ ifeval::["{context}" == "configuring-multi-network-policy"] endif::[] :_content-type: PROCEDURE -[id="nw-networkpolicy-create_{context}"] -= Creating a {name} policy +[id="nw-networkpolicy-create-cli_{context}"] += Creating a {name} policy using the CLI To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a {name} policy. @@ -80,16 +81,16 @@ spec: podSelector: ingress: [] ---- -ifdef::multi[] + +ifdef::multi[] -- where ``:: Specifies the name of a network attachment definition. -- endif::multi[] -+ .Allow ingress from all pods in the same namespace ++ [source,yaml] ---- ifndef::multi[] 
diff --git a/modules/nw-networkpolicy-create-ocm.adoc b/modules/nw-networkpolicy-create-ocm.adoc
new file mode 100644
index 000000000000..ada7415a1bcd
--- /dev/null
+++ b/modules/nw-networkpolicy-create-ocm.adoc
@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+//
+// * networking/network_policy/creating-network-policy.adoc
+// * post_installation_configuration/network-configuration.adoc
+
+:_content-type: PROCEDURE
+[id="nw-networkpolicy-create-ocm_{context}"]
+= Creating a network policy using {cluster-manager}
+
+To define granular rules describing the ingress or egress network traffic allowed for namespaces in your cluster, you can create a network policy.
+
+.Prerequisites
+
+* You logged in to {cluster-manager-url}.
+* You created an {product-title} cluster.
+* You configured an identity provider for your cluster.
+* You added your user account to the configured identity provider.
+* You created a project within your {product-title} cluster.
+
+.Procedure
+
+. From {cluster-manager-url}, click on the cluster you want to access.
+
+. Click *Open console* to navigate to the OpenShift web console.
+
+. Click on your identity provider and provide your credentials to log in to the cluster.
+
+. From the administrator perspective, under *Networking*, click *NetworkPolicies*.
+
+. Click *Create NetworkPolicy*.
+
+. Provide a name for the policy in the *Policy name* field.
+
+. Optional: You can provide the label and selector for a specific pod if this policy applies only to one or more specific pods. If you do not select a specific pod, then this policy will be applicable to all pods on the cluster.
+
+. Optional: You can block all ingress and egress traffic by using the *Deny all ingress traffic* or *Deny all egress traffic* checkboxes.
+
+. You can also add any combination of ingress and egress rules, allowing you to specify the port, namespace, or IP blocks you want to approve.
+
+. Add ingress rules to your policy:
+
+.. Select *Add ingress rule* to configure a new rule. This action creates a new *Ingress rule* row with an *Add allowed source* drop-down menu that enables you to specify how you want to limit inbound traffic. The drop-down menu offers three options to limit your ingress traffic:
++
+*** *Allow pods from the same namespace* limits traffic to pods within the same namespace. You can specify the pods in a namespace, but leaving this option blank allows all of the traffic from pods in the namespace.
+
+*** *Allow pods from inside the cluster* limits traffic to pods within the same cluster as the policy. You can specify namespaces and pods from which you want to allow inbound traffic. Leaving this option blank allows inbound traffic from all namespaces and pods within this cluster.
+
+*** *Allow peers by IP block* limits traffic from a specified Classless Inter-Domain Routing (CIDR) IP block. You can block certain IPs with the exceptions option. Leaving the CIDR field blank allows all inbound traffic from all external sources.
+
+.. You can restrict all of your inbound traffic to a port. If you do not add any ports then all ports are accessible to traffic.
+
+. Add egress rules to your network policy:
+
+.. Select *Add egress rule* to configure a new rule. This action creates a new *Egress rule* row with an *Add allowed destination*"* drop-down menu that enables you to specify how you want to limit outbound traffic. The drop-down menu offers three options to limit your egress traffic:
++
+*** *Allow pods from the same namespace* limits outbound traffic to pods within the same namespace. You can specify the pods in a namespace, but leaving this option blank allows all of the traffic from pods in the namespace.
+
+*** *Allow pods from inside the cluster* limits traffic to pods within the same cluster as the policy. You can specify namespaces and pods from which you want to allow outbound traffic. Leaving this option blank allows outbound traffic from all namespaces and pods within this cluster.
+
+*** *Allow peers by IP block* limits traffic from a specified CIDR IP block. You can block certain IPs with the exceptions option. Leaving the CIDR field blank allows all outbound traffic from all external sources.
+
+.. You can restrict all of your outbound traffic to a port. If you do not add any ports then all ports are accessible to traffic.
\ No newline at end of file
diff --git a/modules/nw-networkpolicy-delete.adoc b/modules/nw-networkpolicy-delete-cli.adoc
similarity index 96%
rename from modules/nw-networkpolicy-delete.adoc
rename to modules/nw-networkpolicy-delete-cli.adoc
index d954ffd09d29..21fb14c7d734 100644
--- a/modules/nw-networkpolicy-delete.adoc
+++ b/modules/nw-networkpolicy-delete-cli.adoc
@@ -15,8 +15,8 @@ ifeval::["{context}" == "configuring-multi-network-policy"]
 endif::[] :_content-type: PROCEDURE -[id="nw-networkpolicy-delete_{context}"] -= Deleting a {name} policy +[id="nw-networkpolicy-delete-cli_{context}"] += Deleting a {name} policy using the CLI You can delete a {name} policy in a namespace.
diff --git a/modules/nw-networkpolicy-delete-ocm.adoc b/modules/nw-networkpolicy-delete-ocm.adoc
new file mode 100644
index 000000000000..f38af5d7523c
--- /dev/null
+++ b/modules/nw-networkpolicy-delete-ocm.adoc
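Review bot: The scope statement in the pod-selector step of the new nw-networkpolicy-create-ocm.adoc module is wrong: a NetworkPolicy is namespaced, and leaving the pod selector empty applies the policy to every pod in the policy's own namespace, not "to all pods on the cluster" — the assembly that includes this module says in this same commit that the policy is created "for a namespace". Suggest `If you do not select a specific pod, then this policy applies to all pods in the namespace where it is created.` Two smaller defects sit in the same hunk: the egress step has a stray `"*` after the bold term (`*Add allowed destination*"*`), and the egress *Allow peers by IP block* option describes traffic "from" a CIDR block where outbound traffic goes "to" the block. The claim that leaving the CIDR field blank "allows all inbound traffic from all external sources" describes console behaviour that cannot be confirmed from this hunk and is worth verifying before publishing, since it tells readers what an under-specified rule permits.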
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * networking/network_policy/deleting-network-policy.adoc
+// * post_installation_configuration/network-configuration.adoc
+
+:_content-type: PROCEDURE
+[id="nw-networkpolicy-delete-ocm_{context}"]
+= Deleting a network policy using {cluster-manager}
+
+You can delete a network policy in a namespace.
+
+.Prerequisites
+
+* You logged in to {cluster-manager-url}.
+* You created an {product-title} cluster.
+* You configured an identity provider for your cluster.
+* You added your user account to the configured identity provider.
+
+.Procedure
+
+. From the *Administrator* perspective in the {cluster-manager} web console, under *Networking*, click *NetworkPolicies*.
+
+. Use one of the following methods for deleting your network policy:
+
+** Delete the policy from the *Network Policies* table:
+.. From the *Network Policies* table, select the stack menu on the row of the network policy you want to delete and then, click *Delete NetworkPolicy*.
+
+** Delete the policy using the *Actions* drop-down menu from the individual network policy details:
+.. Click on *Actions* drop-down menu for your network policy.
+.. Select *Delete NetworkPolicy* from the menu.
\ No newline at end of file
diff --git a/modules/nw-networkpolicy-view.adoc b/modules/nw-networkpolicy-view-cli.adoc
similarity index 96%
rename from modules/nw-networkpolicy-view.adoc
rename to modules/nw-networkpolicy-view-cli.adoc
index 352eeb790e3b..49c5ab312f29 100644
--- a/modules/nw-networkpolicy-view.adoc
+++ b/modules/nw-networkpolicy-view-cli.adoc
@@ -12,8 +12,8 @@ ifeval::["{context}" == "configuring-multi-network-policy"]
 endif::[] :_content-type: PROCEDURE -[id="nw-networkpolicy-view_{context}"] -= Viewing {name} policies +[id="nw-networkpolicy-view-cli_{context}"] += Viewing {name} policies using the CLI You can examine the {name} policies in a namespace.
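Review bot: The first procedure step in the new nw-networkpolicy-delete-ocm.adoc module places the *Administrator* perspective "in the {cluster-manager} web console", but the companion create module in this commit reaches that perspective by clicking *Open console* from {cluster-manager-url} to open the OpenShift web console, which is where *Networking* → *NetworkPolicies* is found; the two consoles are different UIs and naming the wrong one will send readers to a page that does not exist. The same wording appears in the first step of nw-networkpolicy-view-ocm.adoc. Suggest `From {cluster-manager-url}, open the cluster's OpenShift web console and, from the *Administrator* perspective, under *Networking*, click *NetworkPolicies*.` or a short pointer back to the login steps of the create module. The delete prerequisites also omit `* You created a network policy.`, which the view module lists.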
diff --git a/modules/nw-networkpolicy-view-ocm.adoc b/modules/nw-networkpolicy-view-ocm.adoc
new file mode 100644
index 000000000000..cf86706fd5cb
--- /dev/null
+++ b/modules/nw-networkpolicy-view-ocm.adoc
@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * networking/network_policy/viewing-network-policy.adoc
+// * post_installation_configuration/network-configuration.adoc
+
+:_content-type: PROCEDURE
+[id="nw-networkpolicy-view-ocm_{context}"]
+= Viewing network policies using {cluster-manager}
+
+You can view the configuration details of your network policy in {cluster-manager-first}.
+
+.Prerequisites
+
+* You logged in to {cluster-manager-url}.
+* You created an {product-title} cluster.
+* You configured an identity provider for your cluster.
+* You added your user account to the configured identity provider.
+* You created a network policy.
+
+.Procedure
+
+. From the *Administrator* perspective in the {cluster-manager} web console, under *Networking*, click *NetworkPolicies*.
+. Select the desired network policy to view.
+. In the *Network Policy* details page, you can view all of the associated ingress and egress rules.
+. Select *YAML* on the network policy details to view the policy configuration in YAML format.
+ifdef::openshift-rosa,openshift-dedicated[]
++
+[NOTE]
+====
+You can only view the details of these policies. You cannot edit these policies.
+====
+endif::[]
\ No newline at end of file
diff --git a/networking/multiple_networks/configuring-multi-network-policy.adoc b/networking/multiple_networks/configuring-multi-network-policy.adoc
index d799ec94c8e1..3961e3499164 100644
--- a/networking/multiple_networks/configuring-multi-network-policy.adoc
+++ b/networking/multiple_networks/configuring-multi-network-policy.adoc
@@ -27,10 +27,10 @@ As a cluster administrator, you can create, edit, view, and delete multi-network * You have enabled multi-network policy support for your cluster. -include::modules/nw-networkpolicy-create.adoc[leveloffset=+2] +include::modules/nw-networkpolicy-create-cli.adoc[leveloffset=+2] include::modules/nw-networkpolicy-edit.adoc[leveloffset=+2] -include::modules/nw-networkpolicy-view.adoc[leveloffset=+2] -include::modules/nw-networkpolicy-delete.adoc[leveloffset=+2] +include::modules/nw-networkpolicy-view-cli.adoc[leveloffset=+2] +include::modules/nw-networkpolicy-delete-cli.adoc[leveloffset=+2] [id="{context}_additional-resources"] [role="_additional-resources"] diff --git a/networking/network_policy/about-network-policy.adoc b/networking/network_policy/about-network-policy.adoc index 2afd169cb711..df201d49519c 100644 --- a/networking/network_policy/about-network-policy.adoc +++ b/networking/network_policy/about-network-policy.adoc @@ -2,6 +2,8 @@ [id="about-network-policy"] = About network policy include::_attributes/common-attributes.adoc[] +include::_attributes/attributes-openshift-dedicated.adoc[] + :context: about-network-policy toc::[] @@ -16,6 +18,7 @@ include::modules/nw-networkpolicy-optimize.adoc[leveloffset=+1] == Next steps * xref:../../networking/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy] +ifndef::openshift-rosa,openshift-dedicated[] * Optional: xref:../../networking/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy] [role="_additional-resources"] 
@@ -25,3 +28,4 @@ include::modules/nw-networkpolicy-optimize.adoc[leveloffset=+1] * xref:../../authentication/using-rbac.adoc#rbac-projects-namespaces_using-rbac[Projects and namespaces] * xref:../../networking/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant network policy] * xref:../../rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc#networkpolicy-networking-k8s-io-v1[NetworkPolicy API] +endif::[] \ No newline at end of file diff --git a/networking/network_policy/creating-network-policy.adoc b/networking/network_policy/creating-network-policy.adoc index 4167cfe8a292..e2d725e91d25 100644 --- a/networking/network_policy/creating-network-policy.adoc +++ b/networking/network_policy/creating-network-policy.adoc @@ -2,17 +2,24 @@ [id="creating-network-policy"] = Creating a network policy include::_attributes/common-attributes.adoc[] +include::_attributes/attributes-openshift-dedicated.adoc[] :context: creating-network-policy toc::[] As a user with the `admin` role, you can create a network policy for a namespace. -include::modules/nw-networkpolicy-create.adoc[leveloffset=+1] - include::modules/nw-networkpolicy-object.adoc[leveloffset=+1] +include::modules/nw-networkpolicy-create-cli.adoc[leveloffset=+1] + +ifdef::openshift-rosa,openshift-dedicated[] +include::modules/nw-networkpolicy-create-ocm.adoc[leveloffset=+1] +endif::[] + +ifndef::openshift-rosa,openshift-dedicated[] [role="_additional-resources"] == Additional resources * xref:../../web_console/web-console.adoc#web-console[Accessing the web console] +endif::[] diff --git a/networking/network_policy/deleting-network-policy.adoc b/networking/network_policy/deleting-network-policy.adoc index 3a110af3aa75..aec16d738763 100644 --- a/networking/network_policy/deleting-network-policy.adoc +++ b/networking/network_policy/deleting-network-policy.adoc 
@@ -2,10 +2,14 @@ [id="deleting-network-policy"] = Deleting a network policy include::_attributes/common-attributes.adoc[] +include::_attributes/attributes-openshift-dedicated.adoc[] :context: deleting-network-policy toc::[] As a user with the `admin` role, you can delete a network policy from a namespace. -include::modules/nw-networkpolicy-delete.adoc[leveloffset=+1] +include::modules/nw-networkpolicy-delete-cli.adoc[leveloffset=+1] +ifdef::openshift-dedicated,openshift-rosa[] +include::modules/nw-networkpolicy-delete-ocm.adoc[leveloffset=+1] +endif::[] \ No newline at end of file diff --git a/networking/network_policy/multitenant-network-policy.adoc b/networking/network_policy/multitenant-network-policy.adoc index fc4ecf74dcf3..b3757aa7f9e6 100644 --- a/networking/network_policy/multitenant-network-policy.adoc +++ b/networking/network_policy/multitenant-network-policy.adoc @@ -2,6 +2,7 @@ [id="multitenant-network-policy"] = Configuring multitenant isolation with network policy include::_attributes/common-attributes.adoc[] +include::_attributes/attributes-openshift-dedicated.adoc[] :context: multitenant-network-policy toc::[] @@ -15,6 +16,7 @@ If you are using the OpenShift SDN cluster network provider, configuring network include::modules/nw-networkpolicy-multitenant-isolation.adoc[leveloffset=+1] +ifndef::openshift-rosa,openshift-dedicated[] [id="multitenant-network-policy-next-steps"] == Next steps @@ -25,3 +27,4 @@ include::modules/nw-networkpolicy-multitenant-isolation.adoc[leveloffset=+1] == Additional resources * xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#nw-openshift-sdn-modes_about-openshift-sdn[OpenShift SDN network isolation modes] +endif::[] \ No newline at end of file diff --git a/networking/network_policy/viewing-network-policy.adoc b/networking/network_policy/viewing-network-policy.adoc index ef5a1d51ce5a..a11d443dec17 100644 --- a/networking/network_policy/viewing-network-policy.adoc 
+++ b/networking/network_policy/viewing-network-policy.adoc @@ -2,12 +2,17 @@ [id="viewing-network-policy"] = Viewing a network policy include::_attributes/common-attributes.adoc[] +include::_attributes/attributes-openshift-dedicated.adoc[] :context: viewing-network-policy toc::[] As a user with the `admin` role, you can view a network policy for a namespace. -include::modules/nw-networkpolicy-view.adoc[leveloffset=+1] - include::modules/nw-networkpolicy-object.adoc[leveloffset=+1] + +include::modules/nw-networkpolicy-view-cli.adoc[leveloffset=+1] + +ifdef::openshift-dedicated,openshift-rosa[] +include::modules/nw-networkpolicy-view-ocm.adoc[leveloffset=+1] +endif::[] \ No newline at end of file diff --git a/post_installation_configuration/network-configuration.adoc b/post_installation_configuration/network-configuration.adoc index c0d693fa951f..aa74e695e284 100644 --- a/post_installation_configuration/network-configuration.adoc +++ b/post_installation_configuration/network-configuration.adoc @@ -80,7 +80,7 @@ As a cluster administrator or project administrator, you can configure network p include::modules/nw-networkpolicy-about.adoc[leveloffset=+2] include::modules/nw-networkpolicy-object.adoc[leveloffset=+2] -include::modules/nw-networkpolicy-create.adoc[leveloffset=+2] +include::modules/nw-networkpolicy-create-cli.adoc[leveloffset=+2] include::modules/nw-networkpolicy-multitenant-isolation.adoc[leveloffset=+2] ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]