Add egress firewall docs for OVN-Kubernetes

- https://issues.redhat.com/browse/OSDOCS-976
2026-02-05 12:46:18 +01:00 · 2020-03-26 21:32:33 -04:00
parent e9e60afa11
commit 571078338b
14 changed files with 327 additions and 84 deletions
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -615,6 +615,8 @@ Topics:
    Distros: openshift-origin,openshift-enterprise,openshift-webscale
  - Name: Configuring an egress firewall for a project
    File: configuring-egress-firewall
+  - Name: Viewing an egress firewall for a project
+    File: viewing-egress-firewall
  - Name: Editing an egress firewall for a project
    File: editing-egress-firewall
  - Name: Removing an egress firewall from a project
@@ -640,6 +642,14 @@ Topics:
    File: migrate-from-openshift-sdn
  - Name: Rollback to the OpenShift SDN default CNI network provider
    File: rollback-to-openshift-sdn
+  - Name: Configuring an egress firewall for a project
+    File: configuring-egress-firewall
+  - Name: Viewing an egress firewall for a project
+    File: viewing-egress-firewall
+  - Name: Editing an egress firewall for a project
+    File: editing-egress-firewall
+  - Name: Removing an egress firewall from a project
+    File: removing-egress-firewall
  - Name: Enabling multicast for a project
    File: enabling-multicast
    Distros: openshift-origin,openshift-enterprise,openshift-webscale
--- a/modules/nw-egressnetworkpolicy-about.adoc
+++ b/modules/nw-egressnetworkpolicy-about.adoc
@@ -1,6 +1,16 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
+// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall.adoc
+
+ifeval::["{context}" == "ovn-configuring-egress-firewall"]
+:ovn:
+:kind: EgressFirewall
+endif::[]
+ifeval::["{context}" == "openshift-sdn-egress-firewall"]
+:openshift-sdn:
+:kind: EgressNetworkPolicy
+endif::[]

 [id="nw-egressnetworkpolicy-about_{context}"]
 = How an egress firewall works in a project
@@ -16,19 +26,31 @@ to internal hosts that are outside the {product-title} cluster.
 - A Pod cannot reach specified internal subnets or hosts outside the {product-title} cluster.
 - A Pod can connect to only specific external hosts.

-You configure an egress firewall policy by creating an EgressNetworkPolicy Custom Resource (CR) object and specifying an IP address range in CIDR format or by specifying a DNS name.
 For example, you can allow one project access to a specified IP range but deny the same access to a different project. Or you can restrict application developers from updating from Python pip mirrors, and force updates to come only from approved sources.

+You configure an egress firewall policy by creating an {kind} custom resource (CR) object. The egress firewall matches network traffic that meets any of the following criteria:
+
+- An IP address range in CIDR format
+ifdef::openshift-sdn[]
+- A DNS name that resolves to an IP address
+endif::openshift-sdn[]
+ifdef::ovn[]
+- A port number
+- A protocol that is one of the following protocols: TCP, UDP, and SCTP
+endif::ovn[]
+
+ifdef::openshift-sdn[]
 [IMPORTANT]
 ====
-You must have OpenShift SDN configured to use either the network policy or multitenant modes to configure egress firewall policy.
+You must have OpenShift SDN configured to use either the network policy or multitenant mode to configure an egress firewall.

-If you use network policy mode, egress policy is compatible with only one policy per namespace and will not work with projects that share a network, such as global projects.
+If you use network policy mode, an egress firewall is compatible with only one policy per namespace and will not work with projects that share a network, such as global projects.
 ====
+endif::openshift-sdn[]

 [WARNING]
 ====
-Egress firewall rules do not apply to traffic that goes through routers. Any user with permission to create a Route CR object can bypass egress network policy rules by creating a route that points to a forbidden destination.
+Egress firewall rules do not apply to traffic that goes through routers. Any user with permission to create a Route CR object can bypass egress firewall policy rules by creating a route that points to a forbidden destination.
 ====

 [id="limitations-of-an-egress-firewall_{context}"]
@@ -36,25 +58,28 @@ Egress firewall rules do not apply to traffic that goes through routers. Any use

 An egress firewall has the following limitations:

-* No project can have more than one EgressNetworkPolicy object.
+* No project can have more than one {kind} object.

-* A maximum of 1 EgressNetworkPolicy object with a maximum of 50 rules can be defined per project.
+* A maximum of one {Kind} object with a maximum of 50 rules can be defined per project.

-* The `default` project cannot use egress network policy.
+ifdef::openshift-sdn[]
+* The `default` project cannot use an egress firewall.

 * When using the OpenShift SDN default Container Network Interface (CNI) network provider in multitenant mode, the following limitations apply:

  - Global projects cannot use an egress firewall. You can make a project global by using the `oc adm pod-network make-projects-global` command.

  - Projects merged by using the `oc adm pod-network join-projects` command cannot use an egress firewall in any of the joined projects.
+endif::openshift-sdn[]

-Violating any of these restrictions results in broken egress network policy for the project, and may cause all external network traffic to be dropped.
+Violating any of these restrictions results in a broken egress firewall for the project, and may cause all external network traffic to be dropped.

 [id="policy-rule-order_{context}"]
-== Matching order for egress network policy rules
+== Matching order for egress firewall policy rules

-The egress network policy rules are evaluated in the order that they are defined, from first to last. The first rule that matches an egress connection from a Pod applies. Any subsequent rules are ignored for that connection.
+The egress firewall policy rules are evaluated in the order that they are defined, from first to last. The first rule that matches an egress connection from a Pod applies. Any subsequent rules are ignored for that connection.

+ifdef::openshift-sdn[]
 [id="domain-name-server-resolution_{context}"]
 == How Domain Name Server (DNS) resolution works

@@ -64,7 +89,7 @@ If you use DNS names in any of your egress firewall policy rules, proper resolut

 * The Pod must resolve the domain from the same local name servers when necessary. Otherwise the IP addresses for the domain known by the egress firewall controller and the Pod can be different. If the IP addresses for a host name differ, the egress firewall might not be enforced consistently.

-* Because the egress firewall controller and Pods asynchronously poll the same local name server, the Pod might obtain the updated IP address before the egress controller does, which causes a race condition. Due to this current limitation, domain name usage in EgressNetworkPolicy objects is only recommended for domains with infrequent IP address changes.
+* Because the egress firewall controller and Pods asynchronously poll the same local name server, the Pod might obtain the updated IP address before the egress controller does, which causes a race condition. Due to this current limitation, domain name usage in {kind} objects is only recommended for domains with infrequent IP address changes.

 [NOTE]
 ====
@@ -72,3 +97,14 @@ The egress firewall always allows Pods access to the external interface of the n

 If you use domain names in your egress firewall policy and your DNS resolution is not handled by a DNS server on the local node, then you must add egress firewall rules that allow access to your DNS server’s IP addresses. if you are using domain names in your Pods.
 ====
+endif::openshift-sdn[]
+
+ifdef::ovn[]
+:!ovn:
+endif::[]
+ifdef::openshift-sdn[]
+:!openshift-sdn:
+endif::[]
+ifdef::kind[]
+:!kind:
+endif::[]
--- a/modules/nw-egressnetworkpolicy-create.adoc
+++ b/modules/nw-egressnetworkpolicy-create.adoc
@@ -1,6 +1,18 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
+// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall.adoc
+
+ifeval::["{context}" == "openshift-sdn-egress-firewall"]
+:kind: EgressNetworkPolicy
+:obj: egressnetworkpolicy.network.openshift.io/v1
+:cni: OpenShift SDN
+endif::[]
+ifeval::["{context}" == "ovn-configuring-egress-firewall"]
+:kind: EgressFirewall
+:obj: egressfirewall.k8s.ovn.org/v1
+:cni: OVN-Kubernetes
+endif::[]

 [id="nw-networkpolicy-create_{context}"]
 = Creating an egress firewall policy object
@@ -9,41 +21,50 @@ As a cluster administrator, you can create an egress firewall policy object for

 [IMPORTANT]
 ====
-If the project already has an EgressNetworkPolicy object defined, you must edit the existing policy to make changes to the egress firewall rules.
+If the project already has an {kind} object defined, you must edit the existing policy to make changes to the egress firewall rules.
 ====

 .Prerequisites

-* A cluster that uses the OpenShift SDN default Container Network Interface (CNI) network provider plug-in.
+* A cluster that uses the {cni} default Container Network Interface (CNI) network provider plug-in.
 * Install the OpenShift CLI (`oc`).
 * You must log in to the cluster as a cluster administrator.

 .Procedure

 . Create a policy rule:
-.. Create a `<policy-name>.yaml` file where `<policy-name>` describes the egress
+.. Create a `<policy_name>.yaml` file where `<policy_name>` describes the egress
 policy rules.
 .. In the file you created, define an egress policy object.

-. Enter the following command to create the policy object:
+. Enter the following command to create the policy object. Replace `<policy_name>` with the name of the policy and `<project>` with the project that the rule applies to.
 +
 [source,terminal]
 ----
-$ oc create -f <policy-name>.yaml -n <project>
+$ oc create -f <policy_name>.yaml -n <project>
 ----
 +
-In the following example, a new EgressNetworkPolicy object is created in a
-project named `project1`:
+In the following example, a new {kind} object is created in a project named `project1`:
 +
 [source,terminal]
 ----
-$ oc create -f default-rules.yaml -n project1
+$ oc create -f default.yaml -n project1
 ----
 +
 .Example output
-[source,terminal]
+[source,terminal,subs="attributes"]
 ----
-egressnetworkpolicy.network.openshift.io/default-rules created
+{obj} created
 ----
-+
-. Optional: Save the `<policy-name>.yaml` so that you can make changes later.
+
+. Optional: Save the `<policy_name>.yaml` file so that you can make changes later.
+
+ifdef::kind[]
+:!kind:
+endif::[]
+ifdef::obj[]
+:!obj:
+endif::[]
+ifdef::cni[]
+:!cni:
+endif::[]
--- a/modules/nw-egressnetworkpolicy-delete.adoc
+++ b/modules/nw-egressnetworkpolicy-delete.adoc
@@ -1,33 +1,52 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift-sdn/removing-egress-firewall.adoc
+// * networking/ovn_kubernetes_network_provider/removing-egress-firewall.adoc
+
+ifeval::["{context}" == "openshift-sdn-egress-firewall"]
+:kind: EgressNetworkPolicy
+:res: egressnetworkpolicy
+:cni: OpenShift SDN
+endif::[]
+ifeval::["{context}" == "ovn-removing-egress-firewall"]
+:kind: EgressFirewall
+:res: egressfirewall
+:cni: OVN-Kubernetes
+endif::[]

 [id="nw-egressnetworkpolicy-delete_{context}"]
-
-= Removing an EgressNetworkPolicy object
+= Removing an {kind} object

 As a cluster administrator, you can remove an egress firewall from a project.

 .Prerequisites

-* A cluster using the OpenShift SDN network plug-in.
+* A cluster using the {cni} default Container Network Interface (CNI) network provider plug-in.
 * Install the OpenShift CLI (`oc`).
 * You must log in to the cluster as a cluster administrator.

 .Procedure

-To remove an egress network policy object for a project, complete the following steps:
-
-. Find the name of the EgressNetworkPolicy object for the project. Replace `<project>` with the name of the project.
+. Find the name of the {kind} object for the project. Replace `<project>` with the name of the project.
 +
-[source,terminal]
+[source,terminal,subs="attributes+"]
 ----
-$ oc get -n <project> egressnetworkpolicy
+$ oc get -n <project> {res}
 ----

-. Enter the following command to delete the EgressNetworkPolicy object. Replace `<project>` with the name of the project and `<name>` with the name of the object.
+. Enter the following command to delete the {kind} object. Replace `<project>` with the name of the project and `<name>` with the name of the object.
 +
-[source,terminal]
+[source,terminal,subs="attributes+"]
 ----
-$ oc delete -n <project> egressnetworkpolicy <name>
+$ oc delete -n <project> {res} <name>
 ----
+
+ifdef::kind[]
+:!kind:
+endif::[]
+ifdef::res[]
+:!res:
+endif::[]
+ifdef::cni[]
+:!cni:
+endif::[]
--- a/modules/nw-egressnetworkpolicy-edit.adoc
+++ b/modules/nw-egressnetworkpolicy-edit.adoc
@@ -1,45 +1,61 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift-sdn/editing-egress-firewall.adoc
+// * networking/openshift_sdn/editing-egress-firewall.adoc
+// * networking/ovn_kubernetes_network_provider/editing-egress-firewall.adoc
+
+ifeval::["{context}" == "openshift-sdn-egress-firewall"]
+:kind: EgressNetworkPolicy
+:res: egressnetworkpolicy
+:cni: OpenShift SDN
+endif::[]
+ifeval::["{context}" == "ovn-editing-egress-firewall"]
+:kind: EgressFirewall
+:res: egressfirewall
+:cni: OVN-Kubernetes
+endif::[]

 [id="nw-egressnetworkpolicy-edit_{context}"]
-
-= Editing an EgressNetworkPolicy object
+= Editing an {kind} object

 As a cluster administrator, you can update the egress firewall for a project.

 .Prerequisites

-* A cluster using the OpenShift SDN network plug-in.
+* A cluster using the {cni} default Container Network Interface (CNI) network provider plug-in.
 * Install the OpenShift CLI (`oc`).
 * You must log in to the cluster as a cluster administrator.

 .Procedure

-To edit an existing egress network policy object for a project, complete the following steps:
-
-. Find the name of the EgressNetworkPolicy object for the project. Replace `<project>` with the name of the project.
+. Find the name of the {kind} object for the project. Replace `<project>` with the name of the project.
 +
-[source,terminal]
+[source,terminal,subs="attributes+"]
 ----
-$ oc get -n <project> egressnetworkpolicy
+$ oc get -n <project> {res}
 ----

-. Optional: If you did not save a copy of the EgressNetworkPolicy object when you created the egress network firewall, enter the following command to create a copy.
+. Optional: If you did not save a copy of the {kind} object when you created the egress network firewall, enter the following command to create a copy.
 +
-[source,terminal]
+[source,terminal,subs="attributes+"]
 ----
-$ oc get -n <project> \ <1>
-  egressnetworkpolicy <name> \ <2>
-  -o yaml > <filename>.yaml <3>
+$ oc get -n <project> {res} <name> -o yaml > <filename>.yaml
 ----
-<1> Replace `<project>` with the name of the project
-<2> Replace `<name>` with the name of the object.
-<3> Replace `<filename>` with the name of the file to save the YAML.
+
+Replace `<project>` with the name of the project. Replace `<name>` with the name of the object. Replace `<filename>` with the name of the file to save the YAML to.

-. Enter the following command to replace the EgressNetworkPolicy object. Replace `<filename>` with the name of the file containing the updated EgressNetworkPolicy object.
+. After making changes to the policy rules, enter the following command to replace the {kind} object. Replace `<filename>` with the name of the file containing the updated {kind} object.
 +
 [source,terminal]
 ----
 $ oc replace -f <filename>.yaml
 ----
+
+ifdef::kind[]
+:!kind:
+endif::[]
+ifdef::res[]
+:!res:
+endif::[]
+ifdef::cni[]
+:!cni:
+endif::[]
--- a/modules/nw-egressnetworkpolicy-object.adoc
+++ b/modules/nw-egressnetworkpolicy-object.adoc
@@ -1,70 +1,164 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
+// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall.adoc
+
+ifeval::["{context}" == "openshift-sdn-egress-firewall"]
+:kind: EgressNetworkPolicy
+:api: network.openshift.io/v1
+:openshift-sdn:
+endif::[]
+ifeval::["{context}" == "ovn-configuring-egress-firewall"]
+:kind: EgressFirewall
+:api: k8s.ovn.org/v1
+:ovn:
+endif::[]

 [id="nw-egressnetworkpolicy-object_{context}"]
-= EgressNetworkPolicy custom resource (CR) object
+= {kind} custom resource (CR) object

-The following YAML describes an EgressNetworkPolicy CR object:
+You can define one or more rules for an egress firewall. A rule is either an `Allow` rule or a `Deny` rule, with a specification for the traffic that the rule applies to.

-[source,yaml]
+The following YAML describes an {kind} CR object:
+
+.{kind} object
+[source,yaml,subs="attributes+"]
 ----
-apiVersion: network.openshift.io/v1
-kind: EgressNetworkPolicy
+apiVersion: {api}
+kind: {kind}
 metadata:
+ifdef::openshift-sdn[]
  name: <name> <1>
+endif::openshift-sdn[]
+ifdef::ovn[]
+  name: <name> <1>
+endif::ovn[]
 spec:
  egress: <2>
    ...
 ----
-<1> Specify a `name` for your egress firewall policy.
+ifdef::openshift-sdn[]
+<1> A name for your egress firewall policy.
+endif::openshift-sdn[]
+ifdef::ovn[]
+<1> The name for the object must be `default`.
+endif::ovn[]

-<2> Specify a collection of one or more egress network policy rules as described in the following section.
+<2> A collection of one or more egress network policy rules as described in the following section.

 [id="egressnetworkpolicy-rules_{context}"]
-== EgressNetworkPolicy rules
+== {kind} rules

-The following YAML describes an egress firewall rule object. The `egress` key expects an array of one or more objects.
+The following YAML describes an egress firewall rule object. The `egress` stanza expects an array of one or more objects.

+// - OVN-Kubernetes does not support DNS
+// - OpenShift SDN does not support port and protocol specification
+
+.Egress policy rule stanza
+ifdef::openshift-sdn[]
 [source,yaml]
 ----
 egress:
 - type: <type> <1>
  to: <2>
    cidrSelector: <cidr> <3>
-    dnsName: <dns-name> <4>
+    dnsName: <dns_name> <4>
 ----
-<1> Specify the type of rule. The value must be either `Allow` or `Deny`.
+<1> The type of rule. The value must be either `Allow` or `Deny`.

-<2> Specify a value for either the `cidrSelector` key or the `dnsName` key for the rule. You cannot use both keys in a rule.
+<2> A stanza describing an egress traffic match rule. A value for either the `cidrSelector` field or the `dnsName` field for the rule. You cannot use both fields in the same rule.

-<3> Specify an IP address range in CIDR format.
+<3> An IP address range in CIDR format.

-<4> Specify a domain name.
+<4> A domain name.
+endif::openshift-sdn[]
+ifdef::ovn[]
+[source,yaml]
+----
+egress:
+- type: <type> <1>
+  to: <2>
+    cidrSelector: <cidr> <3>
+    ports: <4>
+      ...
+----
+<1> The type of rule. The value must be either `Allow` or `Deny`.
+
+<2> A stanza describing an egress traffic match rule.
+
+<3> An IP address range in CIDR format.
+
+<4> Optional: A stanza describing a collection of network ports and protocols for the rule.
+
+.Ports stanza
+[source,yaml]
+----
+ports:
+- port: <port> <1>
+  protocol: <protocol> <2>
+----
+<1> Optional: A network port, such as `80` or `443`.
+
+<2> Optional: A network protocol. If specified, the value must be either `TCP`, `UDP`, or `SCTP`. If not specified, the rule matches all TCP, UDP, and SCTP traffic.
+endif::ovn[]

 [id="egressnetworkpolicy-example_{context}"]
-== Example EgressNetworkPolicy CR object
+== Example {kind} CR objects

 The following example defines several egress firewall policy rules:

-[source,yaml]
+[source,yaml,subs="attributes+"]
 ----
-apiVersion: network.openshift.io/v1
-kind: EgressNetworkPolicy
+apiVersion: {api}
+kind: {kind}
 metadata:
-  name: default-rules <1>
+  name: default
 spec:
-  egress: <2>
+  egress: <1>
  - type: Allow
    to:
      cidrSelector: 1.2.3.0/24
+ifdef::openshift-sdn[]
  - type: Allow
    to:
      dnsName: www.example.com
+endif::openshift-sdn[]
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
 ----
-<1> The name for the policy object.
+<1> A collection of egress firewall policy rule objects.

-<2> A collection of egress firewall policy rule objects.
+ifdef::ovn[]
+The following example defines a policy rule that denies traffic to the host at the `172.16.1.1` IP address, if the traffic is using either the TCP protocol and destination port `80` or any protocol and destination port `443`.
+
+[source,yaml,subs="attributes+"]
+----
+apiVersion: {api}
+kind: {kind}
+metadata:
+  name: default
+spec:
+  egress:
+  - type: Deny
+    to:
+      cidrSelector: 172.16.1.1
+      ports:
+      - port: 80
+        protocol: TCP
+      - port: 443
+----
+endif::ovn[]
+
+ifdef::kind[]
+:!kind:
+endif::[]
+ifdef::api[]
+:!api:
+endif::[]
+ifdef::ovn[]
+:!ovn:
+endif::[]
+ifdef::openshift-sdn[]
+:!openshift-sdn:
+endif::[]
--- a/networking/openshift_sdn/configuring-egress-firewall.adoc
+++ b/networking/openshift_sdn/configuring-egress-firewall.adoc
@@ -1,14 +1,12 @@
 [id="configuring-egress-firewall"]
-= Configuring an egress firewall to control access to external IP addresses
+= Configuring an egress firewall for a project
 include::modules/common-attributes.adoc[]
-:context: configuring-an-egress-firewall
+:context: openshift-sdn-egress-firewall

 toc::[]

-As a cluster administrator, you can create an egress firewall for a project that will restrict egress traffic leaving your {product-title} cluster.
+As a cluster administrator, you can create an egress firewall for a project that restricts egress traffic leaving your {product-title} cluster.

 include::modules/nw-egressnetworkpolicy-about.adoc[leveloffset=+1]
-
 include::modules/nw-egressnetworkpolicy-object.adoc[leveloffset=+1]
-
 include::modules/nw-egressnetworkpolicy-create.adoc[leveloffset=+1]
--- a/networking/openshift_sdn/editing-egress-firewall.adoc
+++ b/networking/openshift_sdn/editing-egress-firewall.adoc
@@ -1,12 +1,10 @@
 [id="editing-egress-firewall"]
 = Editing an egress firewall for a project
 include::modules/common-attributes.adoc[]
-:context: editing-egress-network-policy
+:context: openshift-sdn-egress-firewall

 toc::[]

 As a cluster administrator, you can modify network traffic rules for an existing egress firewall.

 include::modules/nw-egressnetworkpolicy-edit.adoc[leveloffset=+1]
-
-include::modules/nw-egressnetworkpolicy-object.adoc[leveloffset=+1]
--- a/networking/openshift_sdn/removing-egress-firewall.adoc
+++ b/networking/openshift_sdn/removing-egress-firewall.adoc
@@ -1,11 +1,10 @@
 [id="removing-egress-firewall"]
 = Removing an egress firewall from a project
 include::modules/common-attributes.adoc[]
-:context: removing-egress-network-policy
+:context: openshift-sdn-egress-firewall

 toc::[]

 As a cluster administrator, you can remove an egress firewall from a project to remove all restrictions on network traffic from the project that leaves the {product-title} cluster.

 include::modules/nw-egressnetworkpolicy-delete.adoc[leveloffset=+1]
-
--- a/networking/openshift_sdn/viewing-egress-firewall.adoc
+++ b/networking/openshift_sdn/viewing-egress-firewall.adoc
@@ -0,0 +1,10 @@
+[id="openshift-sdn-viewing-egress-firewall"]
+= Editing an egress firewall for a project
+include::modules/common-attributes.adoc[]
+:context: openshift-sdn-viewing-egress-firewall
+
+toc::[]
+
+As a cluster administrator, you can modify network traffic rules for an existing egress firewall.
+
+include::modules/nw-egressnetworkpolicy-view.adoc[leveloffset=+1]
--- a/networking/ovn_kubernetes_network_provider/configuring-egress-firewall.adoc
+++ b/networking/ovn_kubernetes_network_provider/configuring-egress-firewall.adoc
@@ -0,0 +1,12 @@
+[id="ovn-configuring-egress-firewall"]
+= Configuring an egress firewall for a project
+include::modules/common-attributes.adoc[]
+:context: ovn-configuring-egress-firewall
+
+toc::[]
+
+As a cluster administrator, you can create an egress firewall for a project that restricts egress traffic leaving your {product-title} cluster.
+
+include::modules/nw-egressnetworkpolicy-about.adoc[leveloffset=+1]
+include::modules/nw-egressnetworkpolicy-object.adoc[leveloffset=+1]
+include::modules/nw-egressnetworkpolicy-create.adoc[leveloffset=+1]
--- a/networking/ovn_kubernetes_network_provider/editing-egress-firewall.adoc
+++ b/networking/ovn_kubernetes_network_provider/editing-egress-firewall.adoc
@@ -0,0 +1,10 @@
+[id="ovn-editing-egress-firewall"]
+= Editing an egress firewall for a project
+include::modules/common-attributes.adoc[]
+:context: ovn-editing-egress-firewall
+
+toc::[]
+
+As a cluster administrator, you can modify network traffic rules for an existing egress firewall.
+
+include::modules/nw-egressnetworkpolicy-edit.adoc[leveloffset=+1]
--- a/networking/ovn_kubernetes_network_provider/removing-egress-firewall.adoc
+++ b/networking/ovn_kubernetes_network_provider/removing-egress-firewall.adoc
@@ -0,0 +1,10 @@
+[id="ovn-removing-egress-firewall"]
+= Removing an egress firewall from a project
+include::modules/common-attributes.adoc[]
+:context: ovn-removing-egress-firewall
+
+toc::[]
+
+As a cluster administrator, you can remove an egress firewall from a project to remove all restrictions on network traffic from the project that leaves the {product-title} cluster.
+
+include::modules/nw-egressnetworkpolicy-delete.adoc[leveloffset=+1]
--- a/networking/ovn_kubernetes_network_provider/viewing-egress-firewall.adoc
+++ b/networking/ovn_kubernetes_network_provider/viewing-egress-firewall.adoc
@@ -0,0 +1,10 @@
+[id="ovn-viewing-egress-firewall"]
+= Viewing an egress firewall for a project
+include::modules/common-attributes.adoc[]
+:context: ovn-viewing-egress-firewall
+
+toc::[]
+
+As a cluster administrator, you can list the names of any existing egress firewalls and view the traffic rules for a specific egress firewall.
+
+include::modules/nw-egressnetworkpolicy-view.adoc[leveloffset=+1]