topics-map-fix: renames nwt security

networking/network_security/AdminNetworkPolicy/_attributes

@@ -0,0 +1 @@
+../../_attributes/

networking/network_security/AdminNetworkPolicy/images

@@ -0,0 +1 @@
+../../images/

networking/network_security/AdminNetworkPolicy/modules

@@ -0,0 +1 @@
+../../modules/

networking/network_security/AdminNetworkPolicy/ovn-k-anp.adoc

@@ -0,0 +1,15 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-anp"]
+= OVN-Kubernetes AdminNetworkPolicy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-anp
+
+toc::[]
+
+include::modules/nw-ovn-k-adminnetwork-policy.adoc[leveloffset=+1]
+
+[discrete]
+.Additional resources
+* link:https://network-policy-api.sigs.k8s.io/[Network Policy API Working Group]
+
+include::modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc[leveloffset=+2]

networking/network_security/AdminNetworkPolicy/ovn-k-banp.adoc

@@ -0,0 +1,9 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-banp"]
+= OVN-Kubernetes BaselineAdminNetworkPolicy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-banp
+
+toc::[]
+
+include::modules/nw-ovn-k-baseline-adminnetwork-policy.adoc[leveloffset=+1]

networking/network_security/AdminNetworkPolicy/snippets

@@ -0,0 +1 @@
+../../snippets/

networking/network_security/_attributes

@@ -0,0 +1 @@
+../../_attributes/

networking/network_security/configuring-egress-firewall-ovn.adoc

@@ -0,0 +1,16 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="configuring-egress-firewall-ovn"]
+= Configuring an egress firewall for a project
+include::_attributes/common-attributes.adoc[]
+:context: configuring-egress-firewall-ovn
+
+toc::[]
+
+As a cluster administrator, you can create an egress firewall for a project that restricts egress traffic leaving your {product-title} cluster.
+
+include::modules/nw-egressnetworkpolicy-about.adoc[leveloffset=+1]
+
+include::modules/nw-coredns-egress-firewall.adoc[leveloffset=+3]
+
+include::modules/nw-egressnetworkpolicy-object.adoc[leveloffset=+1]
+include::modules/nw-egressnetworkpolicy-create.adoc[leveloffset=+1]

networking/network_security/configuring-ipsec-ovn.adoc

@@ -0,0 +1,77 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="configuring-ipsec-ovn"]
+= Configuring IPsec encryption
+include::_attributes/common-attributes.adoc[]
+:context: configuring-ipsec-ovn
+
+toc::[]
+
+With IPsec enabled, you can encrypt both internal pod-to-pod cluster traffic between nodes and external traffic between pods and IPsec endpoints external to your cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in _Transport mode_.
+
+IPsec is disabled by default. It can be enabled either during or after installing the cluster. For information about cluster installation, see xref:../../installing/index.adoc#ocp-installation-overview[{product-title} installation overview].
+
+[IMPORTANT]
+====
+If your cluster uses link:https://www.redhat.com/en/topics/containers/what-are-hosted-control-planes[{hcp}] for Red Hat {product-title}, IPsec is not supported for IPsec encryption of either pod-to-pod or traffic to external hosts.
+====
+
+[NOTE]
+====
+IPsec on {ibm-cloud-name} supports only NAT-T. Using ESP is not supported.
+====
+
+Use the procedures in the following documentation to:
+
+* Enable and disable IPSec after cluster installation
+* Configure IPsec encryption for traffic between the cluster and external hosts
+* Verify that IPsec encrypts traffic between pods on different nodes
+
+include::modules/nw-own-ipsec-modes.adoc[leveloffset=+1]
+
+// Uses xrefs, so must be located here
+[id="{context}-prerequisites"]
+== Prerequisites
+
+For IPsec support for encrypting traffic to external hosts, ensure that the following prerequisites are met:
+
+* The OVN-Kubernetes network plugin must be configured in local gateway mode, where `ovnKubernetesConfig.gatewayConfig.routingViaHost=true`.
+* The NMState Operator is installed. This Operator is required for specifying the IPsec configuration. For more information, see xref:../../networking/k8s_nmstate/k8s-nmstate-about-the-k8s-nmstate-operator.adoc#k8s-nmstate-about-the-k8s-nmstate-operator[About the Kubernetes NMState Operator].
++
+--
+[NOTE]
+====
+The NMState Operator is supported on {gcp-first} only for configuring IPsec.
+====
+--
+* The Butane tool (`butane`) is installed. To install Butane, see xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-butane-install_installing-customizing[Installing Butane].
+
+These prerequisites are required to add certificates into the host NSS database and to configure IPsec to communicate with external hosts.
+
+include::modules/nw-own-ipsec-required-ports.adoc[leveloffset=+1]
+
+[id="{context}-pod-to-pod-ipsec"]
+== IPsec encryption for pod-to-pod traffic
+
+For IPsec encryption of pod-to-pod traffic, the following sections describe which specific pod-to-pod traffic is encrypted, what kind of encryption protocol is used, and how X.509 certificates are handled. These sections do not apply to IPsec encryption between the cluster and external hosts, which you must configure manually for your specific external network infrastructure.
+
+include::modules/nw-ovn-ipsec-traffic.adoc[leveloffset=+2]
+include::modules/nw-ovn-ipsec-encryption.adoc[leveloffset=+2]
+include::modules/nw-ovn-ipsec-certificates.adoc[leveloffset=+2]
+
+include::modules/nw-ovn-ipsec-external.adoc[leveloffset=+1]
+// Enable & then optionally configure IPsec for external hosts
+include::modules/nw-ovn-ipsec-enable.adoc[leveloffset=+1]
+include::modules/nw-ovn-ipsec-north-south-enable.adoc[leveloffset=+1]
+
+include::modules/nw-ovn-ipsec-north-south-disable.adoc[leveloffset=+1]
+include::modules/nw-ovn-ipsec-disable.adoc[leveloffset=+1]
+
+
+[id="{context}_additional-resources"]
+== Additional resources
+
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/configuring-a-vpn-with-ipsec_securing-networks#libreswan-as-an-ipsec-vpn-implementation_configuring-a-vpn-with-ipsec[Configuring a VPN with IPsec] in {op-system-base-full} 9
+* xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-butane-install_installing-customizing[Installing Butane]
+* xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes Container Network Interface (CNI) network plugin]
+* xref:../../networking/changing-cluster-network-mtu.adoc#changing-cluster-network-mtu[Changing the MTU for the cluster network]
+* xref:../../rest_api/operator_apis/network-operator-openshift-io-v1.adoc#network-operator-openshift-io-v1[Network [operator.openshift.io/v1\]] API

networking/network_security/egress_firewall/_attributes

@@ -0,0 +1 @@
+../../_attributes/

networking/network_security/egress_firewall/editing-egress-firewall-ovn.adoc

@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="editing-egress-firewall-ovn"]
+= Editing an egress firewall for a project
+include::_attributes/common-attributes.adoc[]
+:context: editing-egress-firewall-ovn
+
+toc::[]
+
+As a cluster administrator, you can modify network traffic rules for an existing egress firewall.
+
+include::modules/nw-egressnetworkpolicy-edit.adoc[leveloffset=+1]

networking/network_security/egress_firewall/images

@@ -0,0 +1 @@
+../../images/

networking/network_security/egress_firewall/modules

@@ -0,0 +1 @@
+../../modules/

networking/network_security/egress_firewall/removing-egress-firewall-ovn.adoc

@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="removing-egress-firewall-ovn"]
+= Removing an egress firewall from a project
+include::_attributes/common-attributes.adoc[]
+:context: removing-egress-firewall-ovn
+
+toc::[]
+
+As a cluster administrator, you can remove an egress firewall from a project to remove all restrictions on network traffic from the project that leaves the {product-title} cluster.
+
+include::modules/nw-egressnetworkpolicy-delete.adoc[leveloffset=+1]

networking/network_security/egress_firewall/snippets

@@ -0,0 +1 @@
+../../snippets/

networking/network_security/egress_firewall/viewing-egress-firewall-ovn.adoc

@@ -0,0 +1,13 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="viewing-egress-firewall-ovn"]
+= Viewing an egress firewall for a project
+include::_attributes/common-attributes.adoc[]
+:context: viewing-egress-firewall-ovn
+
+toc::[]
+
+As a cluster administrator, you can list the names of any existing egress firewalls and view the traffic rules for a specific egress firewall.
+
+include::snippets/sdn-deprecation-statement.adoc[]
+
+include::modules/nw-egressnetworkpolicy-view.adoc[leveloffset=+1]

networking/network_security/images

@@ -0,0 +1 @@
+../../images/

networking/network_security/ingress-node-firewall-operator.adoc

@@ -0,0 +1,25 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ingress-node-firewall-operator"]
+= Ingress Node Firewall Operator in {product-title}
+include::_attributes/common-attributes.adoc[]
+:context: ingress-node-firewall-operator
+
+toc::[]
+
+The Ingress Node Firewall Operator allows administrators to manage firewall configurations at the node level.
+
+include::modules/nw-infw-operator-cr.adoc[leveloffset=+1]
+
+include::modules/nw-infw-operator-installing-cli.adoc[leveloffset=+1]
+
+include::modules/nw-infw-operator-installing-console.adoc[leveloffset=+1]
+
+include::modules/nw-infw-operator-deploying.adoc[leveloffset=+1]
+
+include::modules/nw-infw-operator-config-object.adoc[leveloffset=+1]
+
+include::modules/nw-infw-operator-rules-object.adoc[leveloffset=+2]
+
+include::modules/nw-infw-operator-viewing.adoc[leveloffset=+1]
+
+include::modules/nw-infw-operator-troubleshooting.adoc[leveloffset=+1]

networking/network_security/logging-network-security.adoc

@@ -0,0 +1,37 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="logging-network-security"]
+= Audit logging for network security
+include::_attributes/common-attributes.adoc[]
+:context: logging-network-security
+
+toc::[]
+
+The OVN-Kubernetes network plugin uses Open Virtual Network (OVN) access control lists (ACLs) to manage `AdminNetworkPolicy`, `BaselineAdminNetworkPolicy`, `NetworkPolicy`, and `EgressFirewall` objects. Audit logging exposes `allow` and `deny` ACL events for `NetworkPolicy`, `EgressFirewall` and `BaselineAdminNetworkPolicy` custom resources (CR). Logging also exposes `allow`, `deny`, and `pass` ACL events for `AdminNetworkPolicy` (ANP) CR.
+
+[NOTE]
+====
+Audit logging is available for only the xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes network plugin].
+====
+
+include::modules/nw-audit-configuration.adoc[leveloffset=+1]
+
+include::modules/nw-operator-cr.adoc[tag=policy-audit]
+
+include::modules/nw-networkpolicy-audit-concept.adoc[leveloffset=+1]
+
+include::modules/nw-anp-audit-logging-concept.adoc[leveloffset=+1]
+
+include::modules/nw-banp-audit-logging-concept.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-audit-configure.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-audit-enable.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-audit-disable.adoc[leveloffset=+1]
+
+[id="{context}-additional-resources"]
+[role="_additional-resources"]
+== Additional resources
+
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]

networking/network_security/modules

@@ -0,0 +1 @@
+../../modules/

networking/network_security/network-policy-apis.adoc

@@ -0,0 +1,21 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="network-policy-apis"]
+= Understanding network policy APIs
+include::_attributes/common-attributes.adoc[]
+:context: network-policy-apis
+
+toc::[]
+
+Kubernetes offers two features that users can use to enforce network security. One feature that allows users to enforce network policy is the `NetworkPolicy` API that is designed mainly for application developers and namespace tenants to protect their namespaces by creating namespace-scoped policies.
+
+The second feature is `AdminNetworkPolicy` which consists of two APIs: the `AdminNetworkPolicy` (ANP) API and the `BaselineAdminNetworkPolicy` (BANP) API. ANP and BANP are designed for cluster and network administrators to protect their entire cluster by creating cluster-scoped policies. Cluster administrators can use ANPs to enforce non-overridable policies that take precedence over `NetworkPolicy` objects. Administrators can use BANP to set up and enforce optional cluster-scoped network policy rules that are overridable by users using `NetworkPolicy` objects when necessary. When used together, ANP, BANP, and network policy can achieve full multi-tenant isolation that administrators can use to secure their cluster.
+
+OVN-Kubernetes CNI in {product-title} implements these network policies using Access Control List (ACL) Tiers to evaluate and apply them. ACLs are evaluated in descending order from Tier 1 to Tier 3.
+
+Tier 1 evaluates `AdminNetworkPolicy` (ANP) objects. Tier 2 evaluates `NetworkPolicy` objects. Tier 3 evaluates `BaselineAdminNetworkPolicy` (BANP) objects.
+
+image::615_OpenShift_OVN-K_ACLs_0324.png[OVK-Kubernetes Access Control List (ACL)]
+
+ANPs are evaluated first. When the match is an ANP `allow` or `deny` rule, any existing `NetworkPolicy` and `BaselineAdminNetworkPolicy` (BANP) objects in the cluster are skipped from evaluation. When the match is an ANP `pass` rule, then evaluation moves from tier 1 of the ACL to tier 2 where the `NetworkPolicy` policy is evaluated. If no `NetworkPolicy` matches the traffic then evaluation moves from tier 2 ACLs to tier 3 ACLs where BANP is evaluated.
+
+include::modules/nw-anp-np-reference.adoc[leveloffset=+1]

networking/network_security/network_policy/_attributes

@@ -0,0 +1 @@
+../../_attributes/

networking/network_security/network_policy/about-network-policy.adoc

@@ -0,0 +1,34 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="about-network-policy"]
+= About network policy
+include::_attributes/common-attributes.adoc[]
+ifdef::openshift-dedicated,openshift-rosa[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+endif::openshift-dedicated,openshift-rosa[]
+:context: about-network-policy
+
+toc::[]
+
+As a cluster administrator, you can define network policies that restrict traffic to pods in your cluster.
+
+include::modules/nw-networkpolicy-about.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-optimize.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-optimize-ovn.adoc[leveloffset=+1]
+
+[id="about-network-policy-next-steps"]
+== Next steps
+
+* xref:../../../networking/network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
+ifndef::openshift-rosa,openshift-dedicated[]
+* Optional: xref:../../../networking/network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for projects]
+
+[role="_additional-resources"]
+[id="about-network-policy-additional-resources"]
+== Additional resources
+
+* xref:../../../authentication/using-rbac.adoc#rbac-projects-namespaces_using-rbac[Projects and namespaces]
+* xref:../../../networking/network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant isolation with network policy]
+* xref:../../../rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc#networkpolicy-networking-k8s-io-v1[NetworkPolicy API]
+endif::[]

networking/network_security/network_policy/creating-network-policy.adoc

@@ -0,0 +1,36 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="creating-network-policy"]
+= Creating a network policy
+include::_attributes/common-attributes.adoc[]
+ifdef::openshift-dedicated,openshift-rosa[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+endif::openshift-dedicated,openshift-rosa[]
+:context: creating-network-policy
+
+toc::[]
+
+As a user with the `admin` role, you can create a network policy for a namespace.
+
+include::modules/nw-networkpolicy-object.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-create-cli.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-deny-all-allowed.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-allow-external-clients.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-allow-application-all-namespaces.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-allow-application-particular-namespace.adoc[leveloffset=+1]
+
+ifdef::openshift-rosa,openshift-dedicated[]
+include::modules/nw-networkpolicy-create-ocm.adoc[leveloffset=+1]
+endif::[]
+
+ifndef::openshift-rosa,openshift-dedicated[]
+[role="_additional-resources"]
+== Additional resources
+
+* xref:../../../web_console/web-console.adoc#web-console[Accessing the web console]
+* xref:../../../networking/network_security/logging-network-security.adoc#logging-network-security[Logging for egress firewall and network policy rules]
+endif::[]

networking/network_security/network_policy/default-network-policy.adoc

@@ -0,0 +1,15 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="default-network-policy"]
+= Defining a default network policy for projects
+include::_attributes/common-attributes.adoc[]
+:context: default-network-policy
+
+toc::[]
+
+As a cluster administrator, you can modify the new project template to
+automatically include network policies when you create a new project.
+If you do not yet have a customized template for new projects, you must first create one.
+
+include::modules/modifying-template-for-new-projects.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-project-defaults.adoc[leveloffset=+1]

networking/network_security/network_policy/deleting-network-policy.adoc

@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="deleting-network-policy"]
+= Deleting a network policy
+include::_attributes/common-attributes.adoc[]
+ifdef::openshift-dedicated,openshift-rosa[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+endif::openshift-dedicated,openshift-rosa[]
+:context: deleting-network-policy
+
+toc::[]
+
+As a user with the `admin` role, you can delete a network policy from a namespace.
+
+include::modules/nw-networkpolicy-delete-cli.adoc[leveloffset=+1]
+ifdef::openshift-dedicated,openshift-rosa[]
+include::modules/nw-networkpolicy-delete-ocm.adoc[leveloffset=+1]
+endif::[]

networking/network_security/network_policy/editing-network-policy.adoc

@@ -0,0 +1,18 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="editing-network-policy"]
+= Editing a network policy
+include::_attributes/common-attributes.adoc[]
+:context: editing-network-policy
+
+toc::[]
+
+As a user with the `admin` role, you can edit an existing network policy for a namespace.
+
+include::modules/nw-networkpolicy-edit.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-object.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="editing-network-policy-additional-resources"]
+== Additional resources
+* xref:../../../networking/network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]

networking/network_security/network_policy/images

@@ -0,0 +1 @@
+../../images/

networking/network_security/network_policy/modules

@@ -0,0 +1 @@
+../../modules/

networking/network_security/network_policy/multitenant-network-policy.adoc

@@ -0,0 +1,32 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="multitenant-network-policy"]
+= Configuring multitenant isolation with network policy
+include::_attributes/common-attributes.adoc[]
+ifdef::openshift-dedicated,openshift-rosa[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+endif::openshift-dedicated,openshift-rosa[]
+:context: multitenant-network-policy
+
+toc::[]
+
+As a cluster administrator, you can configure your network policies to provide multitenant network isolation.
+
+[NOTE]
+====
+If you are using the OpenShift SDN network plugin, configuring network policies as described in this section provides network isolation similar to multitenant mode but with network policy mode set.
+====
+
+include::modules/nw-networkpolicy-multitenant-isolation.adoc[leveloffset=+1]
+
+ifndef::openshift-rosa,openshift-dedicated[]
+[id="multitenant-network-policy-next-steps"]
+== Next steps
+
+* xref:../../../networking/network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for a project]
+
+[role="_additional-resources"]
+[id="multitenant-network-policy-additional-resources"]
+== Additional resources
+
+* xref:../../../networking/openshift_sdn/about-openshift-sdn.adoc#nw-openshift-sdn-modes_about-openshift-sdn[OpenShift SDN network isolation modes]
+endif::[]

networking/network_security/network_policy/snippets

@@ -0,0 +1 @@
+../../snippets/

networking/network_security/network_policy/viewing-network-policy.adoc

@@ -0,0 +1,20 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="viewing-network-policy"]
+= Viewing a network policy
+include::_attributes/common-attributes.adoc[]
+ifdef::openshift-dedicated,openshift-rosa[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+endif::openshift-dedicated,openshift-rosa[]
+:context: viewing-network-policy
+
+toc::[]
+
+As a user with the `admin` role, you can view a network policy for a namespace.
+
+include::modules/nw-networkpolicy-object.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-view-cli.adoc[leveloffset=+1]
+
+ifdef::openshift-dedicated,openshift-rosa[]
+include::modules/nw-networkpolicy-view-ocm.adoc[leveloffset=+1]
+endif::[]

networking/network_security/snippets

@@ -0,0 +1 @@
+../../snippets/