openshift · EricPonvelle · Sep 2, 2022 · Jul 26, 2022
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1039,7 +1039,7 @@ Topics:
     File: deleting-network-policy
   - Name: Defining a default network policy for projects
     File: default-network-policy
-  - Name: Configuring multitenant network policy
+  - Name: Configuring multitenant isolation with network policy
     File: multitenant-network-policy
 - Name: AWS Load Balancer Operator
   Dir: aws_load_balancer_operator

diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml
@@ -197,6 +197,19 @@ Topics:
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions
+- Name: Network policy
+  Dir: network_policy
+  Topics:
+  - Name: About network policy
+    File: about-network-policy
+  - Name: Creating a network policy
+    File: creating-network-policy
+  - Name: Viewing a network policy
+    File: viewing-network-policy
+  - Name: Deleting a network policy
+    File: deleting-network-policy
+  - Name: Configuring multitenant isolation with network policy
+    File: multitenant-network-policy
 ---
 Name: Applications
 Dir: applications

diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
@@ -301,6 +301,19 @@ Topics:
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions
+- Name: Network policy
+  Dir: network_policy
+  Topics:
+  - Name: About network policy
+    File: about-network-policy
+  - Name: Creating a network policy
+    File: creating-network-policy
+  - Name: Viewing a network policy
+    File: viewing-network-policy
+  - Name: Deleting a network policy
+    File: deleting-network-policy
+  - Name: Configuring multitenant isolation with network policy
+    File: multitenant-network-policy
 ---
 Name: Application development
 Dir: applications

diff --git a/modules/nw-networkpolicy-create.adoc → modules/nw-networkpolicy-create-cli.adoc b/modules/nw-networkpolicy-create.adoc → modules/nw-networkpolicy-create-cli.adoc
@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 //
+// * networking/multiple_networks/configuring-multi-network-policy.adoc
 // * networking/network_policy/creating-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
@@ -15,8 +16,8 @@ ifeval::["{context}" == "configuring-multi-network-policy"]
 endif::[]
 
 :_content-type: PROCEDURE
-[id="nw-networkpolicy-create_{context}"]
-= Creating a {name} policy
+[id="nw-networkpolicy-create-cli_{context}"]
+= Creating a {name} policy using the CLI
 
 To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a {name} policy.
 
@@ -80,16 +81,16 @@ spec:
   podSelector:
   ingress: []
 ----
-ifdef::multi[]
 +
+ifdef::multi[]
 --
 where
 
 `<network_name>`:: Specifies the name of a network attachment definition.
 --
 endif::multi[]
-+
 .Allow ingress from all pods in the same namespace
++
 [source,yaml]
 ----
 ifndef::multi[]

diff --git a/modules/nw-networkpolicy-create-ocm.adoc b/modules/nw-networkpolicy-create-ocm.adoc
@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+//
+// * networking/network_policy/creating-network-policy.adoc
+// * post_installation_configuration/network-configuration.adoc
+
+:_content-type: PROCEDURE
+[id="nw-networkpolicy-create-ocm_{context}"]
+= Creating a network policy using {cluster-manager}
+
+To define granular rules describing the ingress or egress network traffic allowed for namespaces in your cluster, you can create a network policy.
+
+.Prerequisites
+
+* You logged in to {cluster-manager-url}.
+* You created an {product-title} cluster.
+* You configured an identity provider for your cluster.
+* You added your user account to the configured identity provider.
+* You created a project within your {product-title} cluster.
+
+.Procedure
+
+. From {cluster-manager-url}, click on the cluster you want to access.
+
+. Click *Open console* to navigate to the OpenShift web console.
+
+. Click on your identity provider and provide your credentials to log in to the cluster.
+
+. From the administrator perspective, under *Networking*, click *NetworkPolicies*.
+
+. Click *Create NetworkPolicy*.
+
+. Provide a name for the policy in the *Policy name* field.
+
+. Optional: You can provide the label and selector for a specific pod if this policy applies only to one or more specific pods. If you do not select a specific pod, then this policy will be applicable to all pods on the cluster.
+
+. Optional: You can block all ingress and egress traffic by using the *Deny all ingress traffic* or *Deny all egress traffic* checkboxes. 
+
+. You can also add any combination of ingress and egress rules, allowing you to specify the port, namespace, or IP blocks you want to approve.
+
+. Add ingress rules to your policy:
+
+.. Select *Add ingress rule* to configure a new rule. This action creates a new *Ingress rule* row with an *Add allowed source* drop-down menu that enables you to specify how you want to limit inbound traffic. The drop-down menu offers three options to limit your ingress traffic:
++
+*** *Allow pods from the same namespace* limits traffic to pods within the same namespace. You can specify the pods in a namespace, but leaving this option blank allows all of the traffic from pods in the namespace.
+
+*** *Allow pods from inside the cluster* limits traffic to pods within the same cluster as the policy. You can specify namespaces and pods from which you want to allow inbound traffic. Leaving this option blank allows inbound traffic from all namespaces and pods within this cluster.
+
+*** *Allow peers by IP block* limits traffic from a specified Classless Inter-Domain Routing (CIDR) IP block. You can block certain IPs with the exceptions option. Leaving the CIDR field blank allows all inbound traffic from all external sources.
+
+.. You can restrict all of your inbound traffic to a port. If you do not add any ports then all ports are accessible to traffic.
+
+. Add egress rules to your network policy:
+
+.. Select *Add egress rule* to configure a new rule. This action creates a new *Egress rule* row with an *Add allowed destination*"* drop-down menu that enables you to specify how you want to limit outbound traffic. The drop-down menu offers three options to limit your egress traffic:
++
+*** *Allow pods from the same namespace* limits outbound traffic to pods within the same namespace. You can specify the pods in a namespace, but leaving this option blank allows all of the traffic from pods in the namespace.
+
+*** *Allow pods from inside the cluster* limits traffic to pods within the same cluster as the policy. You can specify namespaces and pods from which you want to allow outbound traffic. Leaving this option blank allows outbound traffic from all namespaces and pods within this cluster.
+
+*** *Allow peers by IP block* limits traffic from a specified CIDR IP block. You can block certain IPs with the exceptions option. Leaving the CIDR field blank allows all outbound traffic from all external sources.
+
+.. You can restrict all of your outbound traffic to a port. If you do not add any ports then all ports are accessible to traffic.
diff --git a/modules/nw-networkpolicy-delete.adoc → modules/nw-networkpolicy-delete-cli.adoc b/modules/nw-networkpolicy-delete.adoc → modules/nw-networkpolicy-delete-cli.adoc
@@ -15,8 +15,8 @@ ifeval::["{context}" == "configuring-multi-network-policy"]
 endif::[]
 
 :_content-type: PROCEDURE
-[id="nw-networkpolicy-delete_{context}"]
-= Deleting a {name} policy
+[id="nw-networkpolicy-delete-cli_{context}"]
+= Deleting a {name} policy using the CLI
 
 You can delete a {name} policy in a namespace.
 

diff --git a/modules/nw-networkpolicy-delete-ocm.adoc b/modules/nw-networkpolicy-delete-ocm.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * networking/network_policy/deleting-network-policy.adoc
+// * post_installation_configuration/network-configuration.adoc
+
+:_content-type: PROCEDURE
+[id="nw-networkpolicy-delete-ocm_{context}"]
+= Deleting a network policy using {cluster-manager}
+
+You can delete a network policy in a namespace.
+
+.Prerequisites
+
+* You logged in to {cluster-manager-url}.
+* You created an {product-title} cluster.
+* You configured an identity provider for your cluster.
+* You added your user account to the configured identity provider.
+
+.Procedure
+
+. From the *Administrator* perspective in the {cluster-manager} web console, under *Networking*, click *NetworkPolicies*.
+
+. Use one of the following methods for deleting your network policy:
+
+** Delete the policy from the *Network Policies* table:
+.. From the *Network Policies* table, select the stack menu on the row of the network policy you want to delete and then, click *Delete NetworkPolicy*.
+
+** Delete the policy using the *Actions* drop-down menu from the individual network policy details:
+.. Click on *Actions* drop-down menu for your network policy.
+.. Select *Delete NetworkPolicy* from the menu.
diff --git a/modules/nw-networkpolicy-view.adoc → modules/nw-networkpolicy-view-cli.adoc b/modules/nw-networkpolicy-view.adoc → modules/nw-networkpolicy-view-cli.adoc
@@ -12,8 +12,8 @@ ifeval::["{context}" == "configuring-multi-network-policy"]
 endif::[]
 
 :_content-type: PROCEDURE
-[id="nw-networkpolicy-view_{context}"]
-= Viewing {name} policies
+[id="nw-networkpolicy-view-cli_{context}"]
+= Viewing {name} policies using the CLI
 
 You can examine the {name} policies in a namespace.
 

diff --git a/modules/nw-networkpolicy-view-ocm.adoc b/modules/nw-networkpolicy-view-ocm.adoc
@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * networking/network_policy/viewing-network-policy.adoc
+// * post_installation_configuration/network-configuration.adoc
+
+:_content-type: PROCEDURE
+[id="nw-networkpolicy-view-ocm_{context}"]
+= Viewing network policies using {cluster-manager}
+
+You can view the configuration details of your network policy in {cluster-manager-first}.
+
+.Prerequisites
+
+* You logged in to {cluster-manager-url}.
+* You created an {product-title} cluster.
+* You configured an identity provider for your cluster.
+* You added your user account to the configured identity provider.
+* You created a network policy.
+
+.Procedure
+
+. From the *Administrator* perspective in the {cluster-manager} web console, under *Networking*, click *NetworkPolicies*.
+. Select the desired network policy to view.
+. In the *Network Policy* details page, you can view all of the associated ingress and egress rules.
+. Select *YAML* on the network policy details to view the policy configuration in YAML format.
+ifdef::openshift-rosa,openshift-dedicated[]
++
+[NOTE]
+====
+You can only view the details of these policies. You cannot edit these policies.
+====
+endif::[]
diff --git a/networking/multiple_networks/configuring-multi-network-policy.adoc b/networking/multiple_networks/configuring-multi-network-policy.adoc
@@ -27,10 +27,10 @@ As a cluster administrator, you can create, edit, view, and delete multi-network
 
 * You have enabled multi-network policy support for your cluster.
 
-include::modules/nw-networkpolicy-create.adoc[leveloffset=+2]
+include::modules/nw-networkpolicy-create-cli.adoc[leveloffset=+2]
 include::modules/nw-networkpolicy-edit.adoc[leveloffset=+2]
-include::modules/nw-networkpolicy-view.adoc[leveloffset=+2]
-include::modules/nw-networkpolicy-delete.adoc[leveloffset=+2]
+include::modules/nw-networkpolicy-view-cli.adoc[leveloffset=+2]
+include::modules/nw-networkpolicy-delete-cli.adoc[leveloffset=+2]
 
 [id="{context}_additional-resources"]
 [role="_additional-resources"]

diff --git a/networking/network_policy/about-network-policy.adoc b/networking/network_policy/about-network-policy.adoc
@@ -2,6 +2,8 @@
 [id="about-network-policy"]
 = About network policy
 include::_attributes/common-attributes.adoc[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+
 :context: about-network-policy
 
 toc::[]
@@ -16,6 +18,7 @@ include::modules/nw-networkpolicy-optimize.adoc[leveloffset=+1]
 == Next steps
 
 * xref:../../networking/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
+ifndef::openshift-rosa,openshift-dedicated[]
 * Optional: xref:../../networking/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy]
 
 [role="_additional-resources"]
@@ -25,3 +28,4 @@ include::modules/nw-networkpolicy-optimize.adoc[leveloffset=+1]
 * xref:../../authentication/using-rbac.adoc#rbac-projects-namespaces_using-rbac[Projects and namespaces]
 * xref:../../networking/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant network policy]
 * xref:../../rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc#networkpolicy-networking-k8s-io-v1[NetworkPolicy API]
+endif::[]
diff --git a/networking/network_policy/creating-network-policy.adoc b/networking/network_policy/creating-network-policy.adoc
@@ -2,17 +2,24 @@
 [id="creating-network-policy"]
 = Creating a network policy
 include::_attributes/common-attributes.adoc[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
 :context: creating-network-policy
 
 toc::[]
 
 As a user with the `admin` role, you can create a network policy for a namespace.
 
-include::modules/nw-networkpolicy-create.adoc[leveloffset=+1]
-
 include::modules/nw-networkpolicy-object.adoc[leveloffset=+1]
 
+include::modules/nw-networkpolicy-create-cli.adoc[leveloffset=+1]
+
+ifdef::openshift-rosa,openshift-dedicated[]
+include::modules/nw-networkpolicy-create-ocm.adoc[leveloffset=+1]
+endif::[]
+
+ifndef::openshift-rosa,openshift-dedicated[]
 [role="_additional-resources"]
 == Additional resources
 
 * xref:../../web_console/web-console.adoc#web-console[Accessing the web console]
+endif::[]
diff --git a/networking/network_policy/deleting-network-policy.adoc b/networking/network_policy/deleting-network-policy.adoc
@@ -2,10 +2,14 @@
 [id="deleting-network-policy"]
 = Deleting a network policy
 include::_attributes/common-attributes.adoc[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
 :context: deleting-network-policy
 
 toc::[]
 
 As a user with the `admin` role, you can delete a network policy from a namespace.
 
-include::modules/nw-networkpolicy-delete.adoc[leveloffset=+1]
+include::modules/nw-networkpolicy-delete-cli.adoc[leveloffset=+1]
+ifdef::openshift-dedicated,openshift-rosa[]
+include::modules/nw-networkpolicy-delete-ocm.adoc[leveloffset=+1]
+endif::[]
diff --git a/networking/network_policy/multitenant-network-policy.adoc b/networking/network_policy/multitenant-network-policy.adoc
@@ -2,6 +2,7 @@
 [id="multitenant-network-policy"]
 = Configuring multitenant isolation with network policy
 include::_attributes/common-attributes.adoc[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
 :context: multitenant-network-policy
 
 toc::[]
@@ -15,6 +16,7 @@ If you are using the OpenShift SDN cluster network provider, configuring network
 
 include::modules/nw-networkpolicy-multitenant-isolation.adoc[leveloffset=+1]
 
+ifndef::openshift-rosa,openshift-dedicated[]
 [id="multitenant-network-policy-next-steps"]
 == Next steps
 
@@ -25,3 +27,4 @@ include::modules/nw-networkpolicy-multitenant-isolation.adoc[leveloffset=+1]
 == Additional resources
 
 * xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#nw-openshift-sdn-modes_about-openshift-sdn[OpenShift SDN network isolation modes]
+endif::[]
diff --git a/networking/network_policy/viewing-network-policy.adoc b/networking/network_policy/viewing-network-policy.adoc
@@ -2,12 +2,17 @@
 [id="viewing-network-policy"]
 = Viewing a network policy
 include::_attributes/common-attributes.adoc[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
 :context: viewing-network-policy
 
 toc::[]
 
 As a user with the `admin` role, you can view a network policy for a namespace.
 
-include::modules/nw-networkpolicy-view.adoc[leveloffset=+1]
-
 include::modules/nw-networkpolicy-object.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-view-cli.adoc[leveloffset=+1]
+
+ifdef::openshift-dedicated,openshift-rosa[]
+include::modules/nw-networkpolicy-view-ocm.adoc[leveloffset=+1]
+endif::[]
diff --git a/post_installation_configuration/network-configuration.adoc b/post_installation_configuration/network-configuration.adoc
@@ -80,7 +80,7 @@ As a cluster administrator or project administrator, you can configure network p
 
 include::modules/nw-networkpolicy-about.adoc[leveloffset=+2]
 include::modules/nw-networkpolicy-object.adoc[leveloffset=+2]
-include::modules/nw-networkpolicy-create.adoc[leveloffset=+2]
+include::modules/nw-networkpolicy-create-cli.adoc[leveloffset=+2]
 include::modules/nw-networkpolicy-multitenant-isolation.adoc[leveloffset=+2]
 
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]