OSDOCS-10112:nwt security restructring

_topic_maps/_topic_map.yml

@@ -1272,6 +1272,40 @@ Topics:
   File: networking-operators-overview
 - Name: Networking dashboards
   File: networking-dashboards
+- Name:  OpenShift network security
+  Dir: openshift_network_security
+  Distros: openshift-enterprise,openshift-origin
+  Topics:
+  - Name: About OVN-Kubernetes network policy
+    File: ovn-k-network-policy
+  - Name: AdminNetworkPolicy
+    File: ovn-k-anp
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-enterprise, openshift-origin
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Editing a network policy
+      File: editing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Defining a default network policy for projects
+      File: default-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
+  - Name: BaselineAdminNetworkPolicy
+    File: ovn-k-banp
+  - Name: Understanding the Ingress Node Firewall Operator
+    File: ingress-node-firewall-operator
+  - Name: Configuring an egress firewall for a project
+    File: configuring-egress-firewall-ovn
+  - Name: Configuring IPsec encryption
+    File: configuring-ipsec-ovn
 - Name: Understanding the Cluster Network Operator
   File: cluster-network-operator
   Distros: openshift-enterprise,openshift-origin
@@ -1283,9 +1317,6 @@ Topics:
   Distros: openshift-enterprise,openshift-origin
 - Name: Ingress sharding
   File: ingress-sharding
-- Name: Understanding the Ingress Node Firewall Operator
-  File: ingress-node-firewall-operator
-  Distros: openshift-enterprise,openshift-origin
 - Name: Configuring the Ingress Controller for manual DNS management
   File: ingress-controller-dnsmgt
   Distros: openshift-enterprise,openshift-origin
@@ -1339,23 +1370,6 @@ Topics:
     File: nw-creating-dns-records-on-infoblox
   - Name: Configuring the cluster-wide proxy on the External DNS Operator
     File: nw-configuring-cluster-wide-egress-proxy
-- Name: Network policy
-  Dir: network_policy
-  Topics:
-  - Name: About network policy
-    File: about-network-policy
-  - Name: Creating a network policy
-    File: creating-network-policy
-  - Name: Viewing a network policy
-    File: viewing-network-policy
-  - Name: Editing a network policy
-    File: editing-network-policy
-  - Name: Deleting a network policy
-    File: deleting-network-policy
-  - Name: Defining a default network policy for projects
-    File: default-network-policy
-  - Name: Configuring multitenant isolation with network policy
-    File: multitenant-network-policy
 - Name: CIDR range definitions
   File: cidr-range-definitions
 - Name: AWS Load Balancer Operator
@@ -1441,8 +1455,6 @@ Topics:
     File: ovn-kubernetes-architecture-assembly
   - Name: OVN-Kubernetes troubleshooting
     File: ovn-kubernetes-troubleshooting-sources
-  - Name: OVN-Kubernetes network policy
-    File: ovn-k-network-policy
   - Name: OVN-Kubernetes traffic tracing
     File: ovn-kubernetes-tracing-using-ovntrace
   - Name: Migrating from the OpenShift SDN network plugin
@@ -1453,12 +1465,8 @@ Topics:
     File: converting-to-dual-stack
   - Name: Logging for egress firewall and network policy rules
     File: logging-network-policy
-  - Name: Configuring IPsec encryption
-    File: configuring-ipsec-ovn
   - Name: Configure an external gateway on the default network
     File: configuring-secondary-external-gateway
-  - Name: Configuring an egress firewall for a project
-    File: configuring-egress-firewall-ovn
   - Name: Viewing an egress firewall for a project
     File: viewing-egress-firewall-ovn
   - Name: Editing an egress firewall for a project

_topic_maps/_topic_map_osd.yml

@@ -771,19 +771,26 @@ Topics:
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions
-- Name: Network policy
-  Dir: network_policy
+- Name: OpenShift network security
+  Dir: openshift_network_security
+  Distros: openshift-dedicated
   Topics:
-  - Name: About network policy
-    File: about-network-policy
-  - Name: Creating a network policy
-    File: creating-network-policy
-  - Name: Viewing a network policy
-    File: viewing-network-policy
-  - Name: Deleting a network policy
-    File: deleting-network-policy
-  - Name: Configuring multitenant isolation with network policy
-    File: multitenant-network-policy
+  - Name: About OVN-Kubernetes network policy
+    File: ovn-k-network-policy
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-dedicated
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
 - Name: Configuring Routes
   Dir: routes
   Topics:

_topic_maps/_topic_map_rosa.yml

@@ -997,19 +997,33 @@ Topics:
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions
-- Name: Network policy
-  Dir: network_policy
+- Name:  OpenShift network security
+  Dir: openshift_network_security
   Topics:
-  - Name: About network policy
-    File: about-network-policy
-  - Name: Creating a network policy
-    File: creating-network-policy
-  - Name: Viewing a network policy
-    File: viewing-network-policy
-  - Name: Deleting a network policy
-    File: deleting-network-policy
-  - Name: Configuring multitenant isolation with network policy
-    File: multitenant-network-policy
+  - Name: About OVN-Kubernetes network policy
+    File: ovn-k-network-policy
+  - Name: AdminNetworkPolicy
+    File: ovn-k-anp
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-rosa
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Editing a network policy
+      File: editing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Defining a default network policy for projects
+      File: default-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
+  - Name: BaselineAdminNetworkPolicy
+    File: ovn-k-banp
 - Name: OVN-Kubernetes network plugin
   Dir: ovn_kubernetes_network_provider
   Topics:

cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc

@@ -38,7 +38,7 @@ Visit the link:https://github.com/openshift-cs/managed-openshift/projects/2[ROSA
 Refer to the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-regions-az_rosa-service-definition[product regional availability] page for an up-to-date view of where ROSA is available.
 
 == Compliance certifications
-ROSA is currently compliant with SOC-2 type 2, SOC 3, ISO-27001, ISO 27017, ISO 27018, HIPAA, GDPR, and PCI-DSS. We are also currently working towards FedRAMP High. 
+ROSA is currently compliant with SOC-2 type 2, SOC 3, ISO-27001, ISO 27017, ISO 27018, HIPAA, GDPR, and PCI-DSS. We are also currently working towards FedRAMP High.
 
 == Nodes
 === Worker nodes across multiple AWS regions
@@ -92,11 +92,11 @@ Refer to the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-se
 == Notifications and communication
 Red Hat will provide notifications regarding new Red Hat and AWS features, updates, and scheduled maintenance through email and the {hybrid-console-second} service log.
 
-== Open Service Broker for AWS (OBSA)  
+== Open Service Broker for AWS (OBSA)
 You can use OSBA with ROSA. However, the preferred method is the more recent link:https://github.com/aws-controllers-k8s/community[AWS Controller for Kubernetes]. See link:https://aws.amazon.com/partners/servicebroker/[Open Service Broker for AWS] for more information on OSBA.
 
-== Offboarding  
-Customers can stop using ROSA at any time and move their applications to on-premise, a private cloud, or other cloud providers. Standard reserved instances (RI) policy applies for unused RI.   
+== Offboarding
+Customers can stop using ROSA at any time and move their applications to on-premise, a private cloud, or other cloud providers. Standard reserved instances (RI) policy applies for unused RI.
 
 == Authentication
 ROSA supports the following authentication mechanisms: OpenID Connect (a profile of OAuth2), Google OAuth, GitHub OAuth, GitLab, and LDAP.
@@ -155,7 +155,7 @@ ROSA allows multiple clusters to share the same VPC. The number of clusters on o
 ROSA uses the OpenShift OVN-Kubernetes default CNI network provider.
 
 == Cross-namespace networking
-Cluster admins can customize, and deny, cross-namespace on a project basis using NetworkPolicy objects. Refer to xref:../../networking/network_policy/multitenant-network-policy.adoc[Configuring multitenant isolation with network policy] for more information.
+Cluster admins can customize, and deny, cross-namespace on a project basis using NetworkPolicy objects. Refer to xref:../../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#nw-networkpolicy-multitenant-isolation_multitenant-network-policy[Configuring multitenant isolation with network policy] for more information.
 
 == Using Prometheus and Grafana
 You can use Prometheus and Grafana to monitor containers and manage capacity using OpenShift User Workload Monitoring. This is a check-box option in the {cluster-manager-url}.
@@ -178,8 +178,8 @@ You can define a custom domain for your applications. See xref:../../application
 == ROSA domain certificates
 Red Hat infrastructure (Hive) manages certificate rotation for default application ingress.
 
-== Disconnected environments  
-ROSA does not support an air-gapped, disconnected environment. The ROSA cluster must have egress to the internet to access our registry, S3, and send metrics. The service requires a number of egress endpoints. 
+== Disconnected environments
+ROSA does not support an air-gapped, disconnected environment. The ROSA cluster must have egress to the internet to access our registry, S3, and send metrics. The service requires a number of egress endpoints.
 Ingress can be limited to a PrivateLink for Red Hat SREs and a VPN for customer access.
 
 //== Creating your first ROSA cluster

getting_started/openshift-overview.adoc

@@ -91,7 +91,7 @@ of the {product-title} {product-version} control plane. See how {product-title}
 works in {product-title}. {product-title} supports multiple identity providers.
 
 * **xref:../networking/understanding-networking.adoc#understanding-networking[Manage networking]**: The cluster network in {product-title} is managed by the xref:../networking/cluster-network-operator.adoc#cluster-network-operator[Cluster Network Operator] (CNO). The CNO uses iptables rules in xref:../networking/openshift_sdn/configuring-kube-proxy.adoc#configuring-kube-proxy[kube-proxy] to direct traffic between nodes and pods running on those nodes. The Multus Container Network Interface adds the capability to attach xref:../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[multiple network interfaces] to a pod. Using
-xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
+xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
 
 * **xref:../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Manage storage]**: {product-title} allows cluster administrators to configure persistent storage.
 

migrating_from_ocp_3_to_4/planning-migration-3-4.adoc

@@ -155,9 +155,9 @@ Review the following networking changes to consider when transitioning from {pro
 
 The default network isolation mode for {product-title} 3.11 was `ovs-subnet`, though users frequently switched to use `ovn-multitenant`. The default network isolation mode for {product-title} {product-version} is controlled by a network policy.
 
-If your {product-title} 3.11 cluster used the `ovs-subnet` or `ovs-multitenant` mode, it is recommended to switch to a network policy for your {product-title} {product-version} cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that `ovs-multitenant` does. If you want to maintain the `ovs-multitenant` behavior while using a network policy in {product-title} {product-version}, follow the steps to xref:../networking/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[configure multitenant isolation using network policy].
+If your {product-title} 3.11 cluster used the `ovs-subnet` or `ovs-multitenant` mode, it is recommended to switch to a network policy for your {product-title} {product-version} cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that `ovs-multitenant` does. If you want to maintain the `ovs-multitenant` behavior while using a network policy in {product-title} {product-version}, follow the steps to xref:../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[configure multitenant isolation using network policy].
 
-For more information, see xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy].
+For more information, see xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy].
 
 [discrete]
 ==== OVN-Kubernetes as the default networking plugin in Red Hat OpenShift Networking

modules/nw-egressnetworkpolicy-about.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc
+// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "configuring-egress-firewall-ovn"]
 :ovn:

modules/nw-egressnetworkpolicy-create.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc
+// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-egress-firewall"]
 :kind: EgressNetworkPolicy

modules/nw-egressnetworkpolicy-object.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc
+// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-egress-firewall"]
 :kind: EgressNetworkPolicy

modules/nw-egressnetworkpolicy-view.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc
+// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-viewing-egress-firewall"]
 :kind: EgressNetworkPolicy

modules/nw-infw-operator-installing-cli.adoc

@@ -95,57 +95,4 @@ $ oc get csv -n openshift-ingress-node-firewall
 ----
 NAME                                        DISPLAY                          VERSION               REPLACES                                    PHASE
 ingress-node-firewall.{product-version}.0-202211122336   Ingress Node Firewall Operator   {product-version}.0-202211122336   ingress-node-firewall.{product-version}.0-202211102047   Succeeded
-----
-
-[id="install-operator-web-console_{context}"]
-== Installing the Ingress Node Firewall Operator using the web console
-
-As a cluster administrator, you can install the Operator using the web console.
-
-.Prerequisites
-
-* You have installed the OpenShift CLI (`oc`).
-* You have an account with administrator privileges.
-
-.Procedure
-
-
-. Install the Ingress Node Firewall Operator:
-
-.. In the {product-title} web console, click *Operators* -> *OperatorHub*.
-
-.. Select *Ingress Node Firewall Operator* from the list of available Operators, and then click *Install*.
-
-.. On the *Install Operator* page, under *Installed Namespace*, select *Operator recommended Namespace*.
-
-.. Click *Install*.
-
-. Verify that the Ingress Node Firewall Operator is installed successfully:
-
-.. Navigate to the *Operators* -> *Installed Operators* page.
-
-.. Ensure that *Ingress Node Firewall Operator* is listed in the *openshift-ingress-node-firewall* project with a *Status* of *InstallSucceeded*.
-+
-[NOTE]
-====
-During installation an Operator might display a *Failed* status.
-If the installation later succeeds with an *InstallSucceeded* message, you can ignore the *Failed* message.
-====
-
-+
-If the Operator does not have a *Status* of *InstallSucceeded*, troubleshoot using the following steps:
-
-+
-* Inspect the *Operator Subscriptions* and *Install Plans* tabs for any failures or errors under *Status*.
-* Navigate to the *Workloads* -> *Pods* page and check the logs for pods in the `openshift-ingress-node-firewall` project.
-* Check the namespace of the YAML file. If the annotation is missing, you can add the annotation `workload.openshift.io/allowed=management` to the Operator namespace with the following command:
-+
-[source,terminal]
-----
-$ oc annotate ns/openshift-ingress-node-firewall workload.openshift.io/allowed=management
-----
-+
-[NOTE]
-====
-For {sno} clusters, the `openshift-ingress-node-firewall` namespace requires the `workload.openshift.io/allowed=management` annotation.
-====
+----

modules/nw-infw-operator-installing-console.adoc

@@ -0,0 +1,57 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress-node-firewall-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="install-operator-web-console_{context}"]
+== Installing the Ingress Node Firewall Operator using the web console
+
+As a cluster administrator, you can install the Operator using the web console.
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+* You have an account with administrator privileges.
+
+.Procedure
+
+
+. Install the Ingress Node Firewall Operator:
+
+.. In the {product-title} web console, click *Operators* -> *OperatorHub*.
+
+.. Select *Ingress Node Firewall Operator* from the list of available Operators, and then click *Install*.
+
+.. On the *Install Operator* page, under *Installed Namespace*, select *Operator recommended Namespace*.
+
+.. Click *Install*.
+
+. Verify that the Ingress Node Firewall Operator is installed successfully:
+
+.. Navigate to the *Operators* -> *Installed Operators* page.
+
+.. Ensure that *Ingress Node Firewall Operator* is listed in the *openshift-ingress-node-firewall* project with a *Status* of *InstallSucceeded*.
++
+[NOTE]
+====
+During installation an Operator might display a *Failed* status.
+If the installation later succeeds with an *InstallSucceeded* message, you can ignore the *Failed* message.
+====
+
++
+If the Operator does not have a *Status* of *InstallSucceeded*, troubleshoot using the following steps:
+
++
+* Inspect the *Operator Subscriptions* and *Install Plans* tabs for any failures or errors under *Status*.
+* Navigate to the *Workloads* -> *Pods* page and check the logs for pods in the `openshift-ingress-node-firewall` project.
+* Check the namespace of the YAML file. If the annotation is missing, you can add the annotation `workload.openshift.io/allowed=management` to the Operator namespace with the following command:
++
+[source,terminal]
+----
+$ oc annotate ns/openshift-ingress-node-firewall workload.openshift.io/allowed=management
+----
++
+[NOTE]
+====
+For {sno} clusters, the `openshift-ingress-node-firewall` namespace requires the `workload.openshift.io/allowed=management` annotation.
+====

modules/nw-networkpolicy-about.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/about-network-policy.adoc
+// * networking/openshift_network_security/network_policy/about-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
 :_mod-docs-content-type: CONCEPT

modules/nw-networkpolicy-allow-application-all-namespaces.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/network_policy/creating-network-policy.adoc
+// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 
 :name: network

modules/nw-networkpolicy-allow-application-particular-namespace.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/network_policy/creating-network-policy.adoc
+// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 
 :name: network

modules/nw-networkpolicy-allow-external-clients.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/network_policy/creating-network-policy.adoc
+// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
 
 :name: network
 :role: admin

modules/nw-networkpolicy-create-cli.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/network_policy/creating-network-policy.adoc
+// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 

modules/nw-networkpolicy-create-ocm.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/creating-network-policy.adoc
+// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 

modules/nw-networkpolicy-delete-cli.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/deleting-network-policy.adoc
+// * networking/openshift_network_security/network_policy/deleting-network-policy.adoc
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc
 

modules/nw-networkpolicy-delete-ocm.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/deleting-network-policy.adoc
+// * networking/openshift_network_security/network_policy/deleting-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
 :_mod-docs-content-type: PROCEDURE

modules/nw-networkpolicy-deny-all-allowed.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/network_policy/creating-network-policy.adoc
+// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 
 :name: network

modules/nw-networkpolicy-edit.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/editing-network-policy.adoc
+// * networking/openshift_network_security/network_policy/editing-network-policy.adoc
 // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc
 
 :name: network

modules/nw-networkpolicy-multitenant-isolation.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/multitenant-network-policy.adoc
+// * networking/openshift_network_security/network_policy/multitenant-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
 :_mod-docs-content-type: PROCEDURE

modules/nw-networkpolicy-object.adoc

@@ -1,8 +1,8 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/creating-network-policy.adoc
-// * networking/network_policy/viewing-network-policy.adoc
-// * networking/network_policy/editing-network-policy.adoc
+// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
+// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc
+// * networking/openshift_network_security/network_policy/editing-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc

modules/nw-networkpolicy-optimize-ovn.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/about-network-policy.adoc
+// * networking/openshift_network_security/network_policy/about-network-policy.adoc
 
 [id="nw-networkpolicy-optimize-ovn_{context}"]
 = Optimizations for network policy with OVN-Kubernetes network plugin

modules/nw-networkpolicy-optimize.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/about-network-policy.adoc
+// * networking/openshift_network_security/network_policy/about-network-policy.adoc
 
 [id="nw-networkpolicy-optimize-sdn_{context}"]
 = Optimizations for network policy with OpenShift SDN

modules/nw-networkpolicy-project-defaults.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/default-network-policy.adoc
+// * networking/openshift_network_security/network_policy/default-network-policy.adoc
 // * networking/configuring-networkpolicy.adoc
 // * post_installation_configuration/network-configuration.adoc
 

modules/nw-networkpolicy-view-cli.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/viewing-network-policy.adoc
+// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 

modules/nw-networkpolicy-view-ocm.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/network_policy/viewing-network-policy.adoc
+// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
 :_mod-docs-content-type: PROCEDURE

modules/nw-ovn-ipsec-certificates.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-certificates_{context}"]

modules/nw-ovn-ipsec-enable.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ovn-ipsec-enable_{context}"]

modules/nw-ovn-ipsec-encryption.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-encryption_{context}"]

modules/nw-ovn-ipsec-external.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-external_{context}"]

modules/nw-ovn-ipsec-north-south-disable.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ovn-ipsec-north-south-disable_{context}"]

modules/nw-ovn-ipsec-north-south-enable.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ovn-ipsec-north-south-enable_{context}"]

modules/nw-ovn-ipsec-traffic.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-traffic_{context}"]

modules/nw-ovn-k-adminnetwork-policy.adoc

@@ -20,11 +20,6 @@ An ANP allows administrators to specify the following:
 
 * A list of egress rules to be applied for all egress traffic from the `subject`.
 
-[NOTE]
-====
-The `AdminNetworkPolicy` resource is a `TechnologyPreviewNoUpgrade` feature that can be enabled on test clusters that are not in production. For more information on feature gates and `TechnologyPreviewNoUpgrade` features, see "Enabling features using feature gates" in the "Additional resources" of this section.
-====
-
 [discrete]
 [id="adminnetworkpolicy-example_{context}"]
 == AdminNetworkPolicy example

modules/nw-ovn-k-baseline-adminnetwork-policy.adoc

@@ -18,11 +18,6 @@ A BANP allows administrators to specify:
 
 * A list of egress rules to be applied for all egress traffic from the `subject`.
 
-[NOTE]
-====
-`BaselineAdminNetworkPolicy` is a `TechnologyPreviewNoUpgrade` feature that can be enabled on test clusters that are not in production.
-====
-
 [discrete]
 [id="baselineddminnetworkpolicy-example_{context}"]
 == BaselineAdminNetworkPolicy example

modules/nw-own-ipsec-modes.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-modes_{context}"]

modules/nw-own-ipsec-required-ports.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc
+// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="network-connectivity-requirements-ipsec_{context}"]

networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc

@@ -57,12 +57,12 @@ include::modules/nw-ingress-sharding-route-configuration.adoc[leveloffset=+1]
 
 The Ingress Operator manages wildcard DNS. For more information, see the following:
 
-* xref:../../networking/ingress-operator.adoc#configuring-ingress[Ingress Operator in {product-title}].
+* xref:../../networking/ingress-operator.adoc#configuring-ingress[Ingress Operator in {product-title}]
 
-* xref:../../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[Installing a cluster on bare metal].
+* xref:../../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[Installing a cluster on bare metal]
 
-* xref:../../installing/installing_vsphere/upi/installing-vsphere.adoc#installing-vsphere[Installing a cluster on vSphere].
+* xref:../../installing/installing_vsphere/upi/installing-vsphere.adoc#installing-vsphere[Installing a cluster on vSphere]
 
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy].
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 
 endif::[]

networking/multiple_networks/configuring-multi-network-policy.adoc

@@ -43,7 +43,7 @@ include::modules/nw-networkpolicy-allow-application-particular-namespace.adoc[le
 [role="_additional-resources"]
 == Additional resources
 
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[Understanding multiple networks]
 * xref:../../networking/multiple_networks/configuring-additional-network.adoc#nw-multus-macvlan-object_configuring-additional-network[Configuring a macvlan network]
 * xref:../../networking/hardware_networks/configuring-sriov-device.adoc#configuring-sriov-device[Configuring an SR-IOV network device]

networking/networking-operators-overview.adoc

@@ -26,7 +26,7 @@ The External DNS Operator deploys and manages ExternalDNS to provide the name re
 
 [id="ingress-node-firewall-operator-1"]
 == Ingress Node Firewall Operator
-The Ingress Node Firewall Operator uses an extended Berkley Packet Filter (eBPF) and eXpress Data Path (XDP) plugin to process node firewall rules, update statistics and generate events for dropped traffic. The operator manages ingress node firewall resources, verifies firewall configuration, does not allow incorrectly configured rules that can prevent cluster access, and loads ingress node firewall XDP programs to the selected interfaces in the rule's object(s). For more information, see xref:../networking/ingress-node-firewall-operator.adoc#ingress-node-firewall-operator[Understanding the Ingress Node Firewall Operator]
+The Ingress Node Firewall Operator uses an extended Berkley Packet Filter (eBPF) and eXpress Data Path (XDP) plugin to process node firewall rules, update statistics and generate events for dropped traffic. The operator manages ingress node firewall resources, verifies firewall configuration, does not allow incorrectly configured rules that can prevent cluster access, and loads ingress node firewall XDP programs to the selected interfaces in the rule's object(s). For more information, see xref:../networking/openshift_network_security/ingress-node-firewall-operator.adoc#ingress-node-firewall-operator[Understanding the Ingress Node Firewall Operator].
 
 [id="network-observability-operator-overview-operator"]
 == Network Observability Operator

networking/openshift_network_security/ingress-node-firewall-operator.adoc

@@ -10,7 +10,9 @@ The Ingress Node Firewall Operator allows administrators to manage firewall conf
 
 include::modules/nw-infw-operator-cr.adoc[leveloffset=+1]
 
-include::modules/nw-infw-operator-installing.adoc[leveloffset=+1]
+include::modules/nw-infw-operator-installing-cli.adoc[leveloffset=+1]
+
+include::modules/nw-infw-operator-installing-console.adoc[leveloffset=+1]
 
 include::modules/nw-infw-operator-deploying.adoc[leveloffset=+1]
 

networking/openshift_network_security/network_policy/_attributes

@@ -0,0 +1 @@
+../../_attributes/

networking/openshift_network_security/network_policy/about-network-policy.adoc

@@ -20,15 +20,15 @@ include::modules/nw-networkpolicy-optimize-ovn.adoc[leveloffset=+1]
 [id="about-network-policy-next-steps"]
 == Next steps
 
-* xref:../../networking/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
+* xref:../../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
 ifndef::openshift-rosa,openshift-dedicated[]
-* Optional: xref:../../networking/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy]
+* Optional: xref:../../../networking/openshift_network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for projects]
 
 [role="_additional-resources"]
 [id="about-network-policy-additional-resources"]
 == Additional resources
 
-* xref:../../authentication/using-rbac.adoc#rbac-projects-namespaces_using-rbac[Projects and namespaces]
-* xref:../../networking/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant network policy]
-* xref:../../rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc#networkpolicy-networking-k8s-io-v1[NetworkPolicy API]
+* xref:../../../authentication/using-rbac.adoc#rbac-projects-namespaces_using-rbac[Projects and namespaces]
+* xref:../../../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant isolation with network policy]
+* xref:../../../rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc#networkpolicy-networking-k8s-io-v1[NetworkPolicy API]
 endif::[]

networking/openshift_network_security/network_policy/creating-network-policy.adoc

@@ -31,6 +31,6 @@ ifndef::openshift-rosa,openshift-dedicated[]
 [role="_additional-resources"]
 == Additional resources
 
-* xref:../../web_console/web-console.adoc#web-console[Accessing the web console]
-* xref:../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging for egress firewall and network policy rules]
+* xref:../../../web_console/web-console.adoc#web-console[Accessing the web console]
+* xref:../../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging for egress firewall and network policy rules]
 endif::[]

networking/openshift_network_security/network_policy/editing-network-policy.adoc

@@ -15,4 +15,4 @@ include::modules/nw-networkpolicy-object.adoc[leveloffset=+1]
 [role="_additional-resources"]
 [id="editing-network-policy-additional-resources"]
 == Additional resources
-* xref:../../networking/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
+* xref:../../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]

networking/openshift_network_security/network_policy/images

@@ -0,0 +1 @@
+../../images/

networking/openshift_network_security/network_policy/modules

@@ -0,0 +1 @@
+../../modules/

networking/openshift_network_security/network_policy/multitenant-network-policy.adoc

@@ -22,11 +22,11 @@ ifndef::openshift-rosa,openshift-dedicated[]
 [id="multitenant-network-policy-next-steps"]
 == Next steps
 
-* xref:../../networking/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy]
+* xref:../../../networking/openshift_network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for a project]
 
 [role="_additional-resources"]
 [id="multitenant-network-policy-additional-resources"]
 == Additional resources
 
-* xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#nw-openshift-sdn-modes_about-openshift-sdn[OpenShift SDN network isolation modes]
+* xref:../../../networking/openshift_sdn/about-openshift-sdn.adoc#nw-openshift-sdn-modes_about-openshift-sdn[OpenShift SDN network isolation modes]
 endif::[]

networking/openshift_network_security/ovn-k-anp.adoc

@@ -0,0 +1,15 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-anp"]
+= OVN-Kubernetes AdminNetworkPolicy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-anp
+
+toc::[]
+
+include::modules/nw-ovn-k-adminnetwork-policy.adoc[leveloffset=+1]
+
+[discrete]
+.Additional resources
+* link:https://network-policy-api.sigs.k8s.io/[Network Policy API Working Group]
+
+include::modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc[leveloffset=+2]

networking/openshift_network_security/ovn-k-banp.adoc

@@ -0,0 +1,9 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-banp"]
+= OVN-Kubernetes BaselineAdminNetworkPolicy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-banp
+
+toc::[]
+
+include::modules/nw-ovn-k-baseline-adminnetwork-policy.adoc[leveloffset=+1]

networking/openshift_network_security/ovn-k-network-policy.adoc

@@ -0,0 +1,19 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="about-ovn-k-network-policy"]
+= About OVN-Kubernetes network policy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-network-policy
+
+toc::[]
+
+Kubernetes offers two features that users can use to enforce network security. One feature that allows users to enforce network policy is the `NetworkPolicy` API that is designed mainly for application developers and namespace tenants to protect their namespaces by creating namespace-scoped policies. For more information, see xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#nw-networkpolicy-about_about-network-policy[About network policy].
+
+The second feature is `AdminNetworkPolicy` which consists of two APIs: the `AdminNetworkPolicy` (ANP) API and the `BaselineAdminNetworkPolicy` (BANP) API. ANP and BANP are designed for cluster and network administrators to protect their entire cluster by creating cluster-scoped policies. Cluster administrators can use ANPs to enforce non-overridable policies that take precedence over `NetworkPolicy` objects. Administrators can use BANP to set up and enforce optional cluster-scoped network policy rules that are overridable by users using `NetworkPolicy` objects when necessary. When used together, ANP and BANP can create a multi-tenancy policy that administrators can use to secure their cluster.
+
+OVN-Kubernetes CNI in {product-title} implements these network policies using Access Control List (ACL) Tiers to evaluate and apply them. ACLs are evaluated in descending order from Tier 1 to Tier 3.
+
+Tier 1 evaluates `AdminNetworkPolicy` (ANP) objects. Tier 2 evaluates `NetworkPolicy` objects. Tier 3 evaluates `BaselineAdminNetworkPolicy` (BANP) objects.
+
+image::615_OpenShift_OVN-K_ACLs_0324.png[OVK-Kubernetes Access Control List (ACL)]
+
+When traffic matches an ANP rule, the rules in that ANP are evaluated first. When the match is an ANP `allow` or `deny` rule, any existing `NetworkPolicy` and `BaselineAdminNetworkPolicy` (BANP) objects in the cluster are skipped from evaluation. When the match is an ANP `pass` rule, then evaluation moves from tier 1 of the ACL to tier 2 where the `NetworkPolicy` policy is evaluated.

networking/openshift_network_security/snippets

@@ -0,0 +1 @@
+../../snippets/

networking/openshift_sdn/migrate-to-openshift-sdn.adoc

@@ -21,7 +21,7 @@ include::modules/nw-ovn-kubernetes-rollback.adoc[leveloffset=+1]
 
 * xref:../../networking/cluster-network-operator.adoc#nw-operator-configuration-parameters-for-openshift-sdn_cluster-network-operator[Configuration parameters for the OpenShift SDN network plugin]
 * xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[Backing up etcd]
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * OpenShift SDN capabilities
 - xref:../../networking/openshift_sdn/assigning-egress-ips.adoc#assigning-egress-ips[Configuring egress IPs for a project]
 - xref:../../networking/openshift_sdn/configuring-egress-firewall.adoc#configuring-egress-firewall[Configuring an egress firewall for a project]

networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc

@@ -46,9 +46,9 @@ include::modules/nw-ovn-kubernetes-session-affinity.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging network policy events]
 * xref:../../networking/ovn_kubernetes_network_provider/enabling-multicast.adoc#nw-ovn-kubernetes-enabling-multicast[Enabling multicast for a project]
-* xref:../../networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn[Configuring IPsec encryption]
+* xref:../../networking/openshift_network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn[Configuring IPsec encryption]
 * xref:../../rest_api/operator_apis/network-operator-openshift-io-v1.adoc#network-operator-openshift-io-v1[Network [operator.openshift.io/v1\]]

networking/ovn_kubernetes_network_provider/logging-network-policy.adoc

@@ -49,5 +49,5 @@ include::modules/nw-networkpolicy-audit-disable.adoc[leveloffset=+1]
 [role="_additional-resources"]
 == Additional resources
 
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
-* xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]

networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc

@@ -22,12 +22,12 @@ include::modules/nw-ovn-kubernetes-migration.adoc[leveloffset=+1]
 * link:https://access.redhat.com/labs/ocpnc/[Red Hat OpenShift Network Calculator]
 * xref:../../networking/cluster-network-operator.adoc#nw-operator-configuration-parameters-for-ovn-sdn_cluster-network-operator[Configuration parameters for the OVN-Kubernetes network plugin]
 * xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[Backing up etcd]
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/changing-cluster-network-mtu.adoc#nw-cluster-mtu-change_changing-cluster-network-mtu[Changing the cluster MTU]
 * xref:../../networking/changing-cluster-network-mtu.adoc#mtu-value-selection_changing-cluster-network-mtu[MTU value selection]
 * OVN-Kubernetes capabilities
 - xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[Configuring an egress IP address]
-- xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
+- xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
 - xref:../../networking/ovn_kubernetes_network_provider/enabling-multicast.adoc#nw-ovn-kubernetes-enabling-multicast[Enabling multicast for a project]
 * OpenShift SDN capabilities
 - xref:../../networking/openshift_sdn/assigning-egress-ips.adoc#assigning-egress-ips[Configuring egress IPs for a project]

networking/ovn_kubernetes_network_provider/ovn-k-network-policy.adoc

@@ -1,39 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="ovn-k-network-policy"]
-= OVN-Kubernetes network policy
-include::_attributes/common-attributes.adoc[]
-:context: ovn-k-network-policy
-
-toc::[]
-
-:FeatureName: The `AdminNetworkPolicy` resource
-include::snippets/technology-preview.adoc[]
-
-Kubernetes offers two features that users can use to enforce network security. One feature that allows users to enforce network policy is the `NetworkPolicy` API that is designed mainly for application developers and namespace tenants to protect their namespaces by creating namespace-scoped policies. For more information, see xref:../../networking/network_policy/about-network-policy.adoc#nw-networkpolicy-about_about-network-policy[About network policy].
-
-The second feature is `AdminNetworkPolicy` which is comprised of two API: the `AdminNetworkPolicy` (ANP) API and the `BaselineAdminNetworkPolicy` (BANP) API. ANP and BANP are designed for cluster and network administrators to protect their entire cluster by creating cluster-scoped policies. Cluster administrators can use ANPs to enforce non-overridable policies that take precedence over `NetworkPolicy` objects. Administrators can use BANP to setup and enforce optional cluster-scoped network policy rules that are overridable by users using `NetworkPolicy` objects if need be. When used together ANP and BANP can create multi-tenancy policy that administrators can use to secure their cluster.
-
-OVN-Kubernetes CNI in {product-title} implements these network policies using Access Control List (ACLs) Tiers to evaluate and apply them. ACLs are evaluated in descending order from Tier 1 to Tier 3.
-
-Tier 1 evaluates `AdminNetworkPolicy` (ANP) objects. Tier 2 evaluates `NetworkPolicy` objects. Tier 3 evaluates `BaselineAdminNetworkPolicy` (BANP) objects.
-
-.OVK-Kubernetes Access Control List (ACL)
-
-image::615_OpenShift_OVN-K_ACLs_0324.png[OVN-Kubernetes Access Control List]
-
-If traffic matches an ANP rule, the rules in that ANP will be evaluated first. If the match is an ANP `allow` or `deny` rule, any existing `NetworkPolicies` and `BaselineAdminNetworkPolicy` (BANP) in the cluster will be intentionally skipped from evaluation. If the match is an ANP `pass` rule, then evaluation moves from tier 1 of the ACLs to tier 2 where the `NetworkPolicy` policy is evaluated.
-
-include::modules/nw-ovn-k-adminnetwork-policy.adoc[leveloffset=+1]
-
-[discrete]
-.Additional resources
-* xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling-features[Enabling features using feature gates]
-* link:https://network-policy-api.sigs.k8s.io/[Network Policy API Working Group]
-
-include::modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc[leveloffset=+2]
-
-include::modules/nw-ovn-k-baseline-adminnetwork-policy.adoc[leveloffset=+1]
-
-
-
-

networking/zero-trust-networking.adoc

@@ -30,7 +30,7 @@ Ensure that all traffic on the wire is encrypted and the endpoints are identifia
 
 Leverage:
 
-* {product-title}: With transparent xref:../networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn-pod-to-pod-ipsec[pod-to-pod IPsec], the source and destination of the traffic can be identified by the IP address. There is the capability for egress traffic to be xref:../networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc#nw-ovn-ipsec-north-south-enable_configuring-ipsec-ovn[encrypted using IPsec]. By using the xref:../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[egress IP] feature, the source IP address of the traffic can be used to identify the source of the traffic inside the cluster.
+* {product-title}: With transparent xref:../networking/openshift_network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn-pod-to-pod-ipsec[pod-to-pod IPsec], the source and destination of the traffic can be identified by the IP address. There is the capability for egress traffic to be xref:../networking/openshift_network_security/configuring-ipsec-ovn.adoc#nw-ovn-ipsec-north-south-enable_configuring-ipsec-ovn[encrypted using IPsec]. By using the xref:../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[egress IP] feature, the source IP address of the traffic can be used to identify the source of the traffic inside the cluster.
 * xref:../service_mesh/v2x/ossm-about.adoc#ossm-about[{SMProductName}]: Provides powerful xref:../service_mesh/v2x/ossm-security.adoc#ossm-security-mtls_ossm-security[mTLS capabilities] that can transparently augment traffic leaving a pod to provide authentication and encryption.
 * xref:../security/cert_manager_operator/index.adoc#cert-manager-operator-about[OpenShift cert-manager Operator]: Use custom resource definitions (CRDs) to request certificates that can be mounted for your programs to use for SSL/TLS protocols.
 
@@ -53,7 +53,7 @@ It is critical to be able to control access to services based on the identity of
 
 Leverage:
 
-* {product-title}: Can enforce isolation in the networking layer of the platform using the Kubernetes xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[`NetworkPolicy`] and xref:../networking/ovn_kubernetes_network_provider/ovn-k-network-policy.adoc#adminnetworkpolicy_ovn-k-network-policy[`AdminNetworkPolicy`] objects.
+* {product-title}: Can enforce isolation in the networking layer of the platform using the Kubernetes xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[`NetworkPolicy`] and xref:../networking/openshift_network_security/ovn-k-anp.adoc#ovn-k-anp[`AdminNetworkPolicy`] objects.
 * xref:../service_mesh/v2x/ossm-about.adoc#ossm-about[{SMProductName}]: Sophisticated L4 and L7 xref:../service_mesh/v2x/ossm-security.adoc#ossm-security[control of traffic] using standard Istio objects and using mTLS to identify the source and destination of traffic and then apply policies based on that information.
 
 [id="zero-trust-transaction-level-verification"]

observability/logging/cluster-logging-deploying.adoc

@@ -52,12 +52,15 @@ include::modules/cluster-logging-deploy-multitenant.adoc[leveloffset=+2]
 .Additional resources
 
 ifdef::openshift-enterprise,openshift-origin[]
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN default CNI network provider]
+* xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes default Container Network Interface (CNI) network provider]
+* xref:../../networking/openshift_network_security/ovn-k-network-policy.adoc#ovn-k-network-policy[About OVN-Kubernetes network policy]
 * xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN default CNI network provider]
 * xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes default Container Network Interface (CNI) network provider]
 endif::[]
 ifdef::openshift-rosa,openshift-dedicated[]
-* link:https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html[About network policy]
+* link:https://docs.openshift.com/container-platform/latest/networking/openshift_network_security/about-network-policy.html[About network policy]
 * link:https://docs.openshift.com/container-platform/latest/networking/openshift_sdn/about-openshift-sdn.html[About the OpenShift SDN default CNI network provider]
 * link:https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.html[About the OVN-Kubernetes default Container Network Interface (CNI) network provider]
 endif::[]

observability/network_observability/network-observability-network-policy.adoc

@@ -13,4 +13,4 @@ include::modules/network-observability-sample-network-policy-YAML.adoc[leveloffs
 
 [role="_additional-resources"]
 .Additional resources
-xref:../../networking/network_policy/creating-network-policy.adoc#nw-networkpolicy-object_creating-network-policy[Creating a network policy using the CLI]
+xref:../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#nw-networkpolicy-object_creating-network-policy[Creating a network policy using the CLI]

security/container_security/security-network.adoc

@@ -21,7 +21,7 @@ include::modules/security-network-policies.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 
 // Multiple pod networks
 include::modules/security-network-multiple-pod.adoc[leveloffset=+1]

welcome/index.adoc

@@ -252,7 +252,7 @@ Manage machines, provide services to users, and follow monitoring and logging re
 - **Manage xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[ingress], xref:../security/certificates/api-server.adoc#api-server-certificates[API server], and xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[service] certificates**: {product-title} creates certificates by default for the Ingress Operator, the API server, and for services needed by complex middleware applications that require encryption. You might need to change, add, or rotate these certificates.
 
 - **xref:../networking/understanding-networking.adoc#understanding-networking[Manage networking]**: The cluster network in {product-title} is managed by the xref:../networking/cluster-network-operator.adoc#cluster-network-operator[Cluster Network Operator] (CNO). The CNO uses `iptables` rules in xref:../networking/openshift_sdn/configuring-kube-proxy.adoc#configuring-kube-proxy[kube-proxy] to direct traffic between nodes and pods running on those nodes. The Multus Container Network Interface adds the capability to attach xref:../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[multiple network interfaces] to a pod. By using
-xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
+xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
 
 - **xref:../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Manage storage]**: With {product-title}, a cluster administrator can configure persistent storage by using
 xref:../storage/persistent_storage/persistent-storage-ocs.adoc#red-hat-openshift-data-foundation[Red Hat OpenShift Data Foundation],