diff --git a/modules/nw-networkpolicy-about.adoc b/modules/nw-networkpolicy-about.adoc index 4256a49872..267e8ff189 100644 --- a/modules/nw-networkpolicy-about.adoc +++ b/modules/nw-networkpolicy-about.adoc @@ -11,7 +11,7 @@ In {product-title} {product-version}, OpenShift SDN supports using network polic [NOTE] ==== -IPBlock is supported by network policy with limitations for OpenShift SDN; itsupports IPBlock without except clauses. If you create a policy with an IPBlock section including an except clause, the SDN pods log generates warnings and the entire IPBlock section of that policy is ignored. +IPBlock is supported by network policy with limitations for OpenShift SDN; it supports IPBlock without except clauses. If you create a policy with an IPBlock section that includes an except clause, the SDN pods log warnings and the entire IPBlock section of that policy is ignored. ==== [WARNING] @@ -42,7 +42,12 @@ spec: * Only allow connections from the {product-title} Ingress Controller: + -To make a project allow only connections from the {product-title} Ingress Controller, add the following `NetworkPolicy` object: +To make a project allow only connections from the {product-title} Ingress Controller, add the following `NetworkPolicy` object. ++ +[IMPORTANT] +==== +For the OVN-Kubernetes network provider plug-in, when the Ingress Controller is configured to use the `HostNetwork` endpoint publishing strategy, there is no supported way to apply network policy so that ingress traffic is allowed and all other traffic is denied. +==== + [source,yaml] ---- 
@@ -64,7 +69,7 @@ spec: If the Ingress Controller is configured with `endpointPublishingStrategy: HostNetwork`, then the Ingress Controller pod runs on the host network. When running on the host network, the traffic from the Ingress Controller is assigned the `netid:0` Virtual Network ID (VNID). The `netid` for the namespace that is associated with the Ingress Operator is different, so the `matchLabel` in the `allow-from-openshift-ingress` network policy does not match traffic from the `default` Ingress Controller. -Because the `default` namespace is assigned the `netid:0` VNID, you can allow traffic from the `default` Ingress Controller by labeling your `default` namespace with `network.openshift.io/policy-group: ingress`. +With OpenShift SDN, the `default` namespace is assigned the `netid:0` VNID and you can allow traffic from the `default` Ingress Controller by labeling your `default` namespace with `network.openshift.io/policy-group: ingress`. * Only accept connections from pods within a project: + diff --git a/modules/nw-networkpolicy-multitenant-isolation.adoc b/modules/nw-networkpolicy-multitenant-isolation.adoc index b5559f6455..38fb652a9c 100644 --- a/modules/nw-networkpolicy-multitenant-isolation.adoc +++ b/modules/nw-networkpolicy-multitenant-isolation.adoc @@ -19,7 +19,12 @@ project namespaces. .Procedure . Create the following `NetworkPolicy` objects: -.. A policy named `allow-from-openshift-ingress`: +.. A policy named `allow-from-openshift-ingress`. ++ +[IMPORTANT] +==== +For the OVN-Kubernetes network provider plug-in, when the Ingress Controller is configured to use the `HostNetwork` endpoint publishing strategy, there is no supported way to apply network policy so that ingress traffic is allowed and all other traffic is denied. +==== + [source,terminal] ----
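Review bot: in the IPBlock note (nw-networkpolicy-about.adoc, hunk at line 11) the reworded sentence still states the restriction twice: "IPBlock is supported by network policy with limitations for OpenShift SDN; it supports IPBlock without except clauses." One statement is enough, for example "OpenShift SDN supports IPBlock in network policy only without `except` clauses.", with `except` marked as a literal because it is a field name. The "itsupports" fix and the change from "the SDN pods log generates warnings" to "the SDN pods log warnings" read correctly.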
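Review bot: the new IMPORTANT admonition in the Ingress Controller bullet (nw-networkpolicy-about.adoc, hunk at line 42) says there is no supported way under OVN-Kubernetes with `HostNetwork` to allow ingress and deny everything else, but it does not say what that means for the `allow-from-openshift-ingress` policy shown directly after it, which is exactly the policy a reader applies to get that result. Add one sentence on the outcome in that configuration (and a pointer to the alternative, if the docs have one) so nobody applies the policy believing it isolates the project. The same admonition is also added verbatim in nw-networkpolicy-multitenant-isolation.adoc; put it in a shared include or attribute so the two copies cannot drift.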
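Review bot: in the hunk at line 64 of nw-networkpolicy-about.adoc the qualifier "With OpenShift SDN" is added only to the second paragraph, while the unchanged paragraph before it still presents the `netid:0` VNID assignment for a `HostNetwork` Ingress Controller without any qualifier, so the two paragraphs now disagree about whether the behaviour is general or SDN-specific, and the IMPORTANT admonition added earlier in the same file says OVN-Kubernetes behaves differently. Qualify the first paragraph the same way (for example "With OpenShift SDN, if the Ingress Controller is configured with `endpointPublishingStrategy: HostNetwork`, ..."). Also add a comma before "and" in "is assigned the `netid:0` VNID and you can allow traffic", since it joins two independent clauses.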
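Review bot: the hunk at line 19 of nw-networkpolicy-multitenant-isolation.adoc inserts the OVN-Kubernetes `HostNetwork` admonition into the middle of a numbered procedure, between "Create the following `NetworkPolicy` objects:" and the first policy, without telling the reader whether to continue with the remaining steps in that configuration; the admonition describes exactly the allow-ingress, deny-everything-else pattern this procedure sets up. State the expected outcome (or the alternative) rather than only that it is unsupported, and since the text is identical to the copy in nw-networkpolicy-about.adoc, source both from a single include. The colon-to-period change on "A policy named `allow-from-openshift-ingress`." is correct now that an admonition sits between the step and its listing.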