diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 0941eda38c..5457f09291 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1272,6 +1272,40 @@ Topics: File: networking-operators-overview - Name: Networking dashboards File: networking-dashboards +- Name: OpenShift network security + Dir: openshift_network_security + Distros: openshift-enterprise,openshift-origin + Topics: + - Name: About OVN-Kubernetes network policy + File: ovn-k-network-policy + - Name: AdminNetworkPolicy + File: ovn-k-anp + - Name: Network policy + Dir: network_policy + Distros: openshift-enterprise, openshift-origin + Topics: + - Name: About network policy + File: about-network-policy + - Name: Creating a network policy + File: creating-network-policy + - Name: Viewing a network policy + File: viewing-network-policy + - Name: Editing a network policy + File: editing-network-policy + - Name: Deleting a network policy + File: deleting-network-policy + - Name: Defining a default network policy for projects + File: default-network-policy + - Name: Configuring multitenant isolation with network policy + File: multitenant-network-policy + - Name: BaselineAdminNetworkPolicy + File: ovn-k-banp + - Name: Understanding the Ingress Node Firewall Operator + File: ingress-node-firewall-operator + - Name: Configuring an egress firewall for a project + File: configuring-egress-firewall-ovn + - Name: Configuring IPsec encryption + File: configuring-ipsec-ovn - Name: Understanding the Cluster Network Operator File: cluster-network-operator Distros: openshift-enterprise,openshift-origin 
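Review bot: The nested `Network policy` group in this hunk is added with `Distros: openshift-enterprise, openshift-origin`, with a space after the comma, while its parent group and the surrounding entries use `openshift-enterprise,openshift-origin`. If the topic-map consumer splits the value on `,` without trimming, `openshift-origin` would not match and the network policy pages would drop out of that build, so I would write `Distros: openshift-enterprise,openshift-origin` here as well. The relocated `ingress-node-firewall-operator` entry also no longer carries its own `Distros` line and now depends on the parent group's value, which looks intended but is worth confirming with a build of both distros. This hunk moves that assembly under `openshift_network_security`, yet the new `modules/nw-infw-operator-installing-console.adoc` in this commit still lists `networking/ingress-node-firewall-operator.adoc` in its header comment.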
@@ -1283,9 +1317,6 @@ Topics: Distros: openshift-enterprise,openshift-origin - Name: Ingress sharding File: ingress-sharding -- Name: Understanding the Ingress Node Firewall Operator - File: ingress-node-firewall-operator - Distros: openshift-enterprise,openshift-origin - Name: Configuring the Ingress Controller for manual DNS management File: ingress-controller-dnsmgt Distros: openshift-enterprise,openshift-origin @@ -1339,23 +1370,6 @@ Topics: File: nw-creating-dns-records-on-infoblox - Name: Configuring the cluster-wide proxy on the External DNS Operator File: nw-configuring-cluster-wide-egress-proxy -- Name: Network policy - Dir: network_policy - Topics: - - Name: About network policy - File: about-network-policy - - Name: Creating a network policy - File: creating-network-policy - - Name: Viewing a network policy - File: viewing-network-policy - - Name: Editing a network policy - File: editing-network-policy - - Name: Deleting a network policy - File: deleting-network-policy - - Name: Defining a default network policy for projects - File: default-network-policy - - Name: Configuring multitenant isolation with network policy - File: multitenant-network-policy - Name: CIDR range definitions File: cidr-range-definitions - Name: AWS Load Balancer Operator @@ -1441,8 +1455,6 @@ Topics: File: ovn-kubernetes-architecture-assembly - Name: OVN-Kubernetes troubleshooting File: ovn-kubernetes-troubleshooting-sources - - Name: OVN-Kubernetes network policy - File: ovn-k-network-policy - Name: OVN-Kubernetes traffic tracing File: ovn-kubernetes-tracing-using-ovntrace - Name: Migrating from the OpenShift SDN network plugin 
@@ -1453,12 +1465,8 @@ Topics: File: converting-to-dual-stack - Name: Logging for egress firewall and network policy rules File: logging-network-policy - - Name: Configuring IPsec encryption - File: configuring-ipsec-ovn - Name: Configure an external gateway on the default network File: configuring-secondary-external-gateway - - Name: Configuring an egress firewall for a project - File: configuring-egress-firewall-ovn - Name: Viewing an egress firewall for a project File: viewing-egress-firewall-ovn - Name: Editing an egress firewall for a project diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml index 0ba179d6d1..cf11922e10 100644 --- a/_topic_maps/_topic_map_osd.yml +++ b/_topic_maps/_topic_map_osd.yml @@ -771,19 +771,26 @@ Topics: File: configuring-cluster-wide-proxy - Name: CIDR range definitions File: cidr-range-definitions -- Name: Network policy - Dir: network_policy +- Name: OpenShift network security + Dir: openshift_network_security + Distros: openshift-dedicated Topics: - - Name: About network policy - File: about-network-policy - - Name: Creating a network policy - File: creating-network-policy - - Name: Viewing a network policy - File: viewing-network-policy - - Name: Deleting a network policy - File: deleting-network-policy - - Name: Configuring multitenant isolation with network policy - File: multitenant-network-policy + - Name: About OVN-Kubernetes network policy + File: ovn-k-network-policy + - Name: Network policy + Dir: network_policy + Distros: openshift-dedicated + Topics: + - Name: About network policy + File: about-network-policy + - Name: Creating a network policy + File: creating-network-policy + - Name: Viewing a network policy + File: viewing-network-policy + - Name: Deleting a network policy + File: deleting-network-policy + - Name: Configuring multitenant isolation with network policy + File: multitenant-network-policy - Name: Configuring Routes Dir: routes Topics: 
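Review bot: `Distros` is placed differently in this map than in `_topic_map_rosa.yml`: here both the new `OpenShift network security` group and the nested `Network policy` group carry `Distros: openshift-dedicated`, while the ROSA hunk sets `Distros: openshift-rosa` only on the nested group and leaves the parent without one. The `Network policy` group this hunk replaces had no `Distros` key at all, so the key may be redundant in a per-distro map; either drop it from both levels or set it the same way in both files. If it is kept, the ROSA parent would need `Distros: openshift-rosa` to match.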
diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml index c0ea2c36d8..8a48a9b4ad 100644 --- a/_topic_maps/_topic_map_rosa.yml +++ b/_topic_maps/_topic_map_rosa.yml @@ -997,19 +997,33 @@ Topics: File: configuring-cluster-wide-proxy - Name: CIDR range definitions File: cidr-range-definitions -- Name: Network policy - Dir: network_policy +- Name: OpenShift network security + Dir: openshift_network_security Topics: - - Name: About network policy - File: about-network-policy - - Name: Creating a network policy - File: creating-network-policy - - Name: Viewing a network policy - File: viewing-network-policy - - Name: Deleting a network policy - File: deleting-network-policy - - Name: Configuring multitenant isolation with network policy - File: multitenant-network-policy + - Name: About OVN-Kubernetes network policy + File: ovn-k-network-policy + - Name: AdminNetworkPolicy + File: ovn-k-anp + - Name: Network policy + Dir: network_policy + Distros: openshift-rosa + Topics: + - Name: About network policy + File: about-network-policy + - Name: Creating a network policy + File: creating-network-policy + - Name: Viewing a network policy + File: viewing-network-policy + - Name: Editing a network policy + File: editing-network-policy + - Name: Deleting a network policy + File: deleting-network-policy + - Name: Defining a default network policy for projects + File: default-network-policy + - Name: Configuring multitenant isolation with network policy + File: multitenant-network-policy + - Name: BaselineAdminNetworkPolicy + File: ovn-k-banp - Name: OVN-Kubernetes network plugin Dir: ovn_kubernetes_network_provider Topics: diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc index 86401c0170..79dc36a55e 100644 
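Review bot: Four entries added to the ROSA list here (`editing-network-policy`, `default-network-policy`, `ovn-k-anp` and `ovn-k-banp`) were not in the ROSA `Network policy` group being replaced and are not added to the OSD map in this commit, so nothing visible shows that they build for ROSA. Each of those assemblies and the modules they include has to render for the ROSA distro, and the hunk gives no way to tell whether their distro conditionals were updated; a ROSA build would confirm it. It is also worth checking that the privileges those pages assume (presumably cluster-wide administrator rights for AdminNetworkPolicy and the default project policy) are ones a ROSA customer role actually holds, so the published procedures match the access model of the managed service.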
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc +++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc @@ -38,7 +38,7 @@ Visit the link:https://github.com/openshift-cs/managed-openshift/projects/2[ROSA Refer to the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-regions-az_rosa-service-definition[product regional availability] page for an up-to-date view of where ROSA is available. == Compliance certifications -ROSA is currently compliant with SOC-2 type 2, SOC 3, ISO-27001, ISO 27017, ISO 27018, HIPAA, GDPR, and PCI-DSS. We are also currently working towards FedRAMP High. +ROSA is currently compliant with SOC-2 type 2, SOC 3, ISO-27001, ISO 27017, ISO 27018, HIPAA, GDPR, and PCI-DSS. We are also currently working towards FedRAMP High. == Nodes === Worker nodes across multiple AWS regions 
@@ -92,11 +92,11 @@ Refer to the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-se == Notifications and communication Red Hat will provide notifications regarding new Red Hat and AWS features, updates, and scheduled maintenance through email and the {hybrid-console-second} service log. -== Open Service Broker for AWS (OBSA) +== Open Service Broker for AWS (OBSA) You can use OSBA with ROSA. However, the preferred method is the more recent link:https://github.com/aws-controllers-k8s/community[AWS Controller for Kubernetes]. See link:https://aws.amazon.com/partners/servicebroker/[Open Service Broker for AWS] for more information on OSBA. -== Offboarding -Customers can stop using ROSA at any time and move their applications to on-premise, a private cloud, or other cloud providers. Standard reserved instances (RI) policy applies for unused RI. +== Offboarding +Customers can stop using ROSA at any time and move their applications to on-premise, a private cloud, or other cloud providers. Standard reserved instances (RI) policy applies for unused RI. == Authentication ROSA supports the following authentication mechanisms: OpenID Connect (a profile of OAuth2), Google OAuth, GitHub OAuth, GitLab, and LDAP. 
@@ -155,7 +155,7 @@ ROSA allows multiple clusters to share the same VPC. The number of clusters on o ROSA uses the OpenShift OVN-Kubernetes default CNI network provider. == Cross-namespace networking -Cluster admins can customize, and deny, cross-namespace on a project basis using NetworkPolicy objects. Refer to xref:../../networking/network_policy/multitenant-network-policy.adoc[Configuring multitenant isolation with network policy] for more information. +Cluster admins can customize, and deny, cross-namespace on a project basis using NetworkPolicy objects. Refer to xref:../../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#nw-networkpolicy-multitenant-isolation_multitenant-network-policy[Configuring multitenant isolation with network policy] for more information. == Using Prometheus and Grafana You can use Prometheus and Grafana to monitor containers and manage capacity using OpenShift User Workload Monitoring. This is a check-box option in the {cluster-manager-url}. @@ -178,8 +178,8 @@ You can define a custom domain for your applications. See xref:../../application == ROSA domain certificates Red Hat infrastructure (Hive) manages certificate rotation for default application ingress. -== Disconnected environments -ROSA does not support an air-gapped, disconnected environment. The ROSA cluster must have egress to the internet to access our registry, S3, and send metrics. The service requires a number of egress endpoints. +== Disconnected environments +ROSA does not support an air-gapped, disconnected environment. The ROSA cluster must have egress to the internet to access our registry, S3, and send metrics. The service requires a number of egress endpoints. Ingress can be limited to a PrivateLink for Red Hat SREs and a VPN for customer access. //== Creating your first ROSA cluster diff --git a/getting_started/openshift-overview.adoc b/getting_started/openshift-overview.adoc index c0459142a2..41c30a3663 100644 
--- a/getting_started/openshift-overview.adoc +++ b/getting_started/openshift-overview.adoc @@ -91,7 +91,7 @@ of the {product-title} {product-version} control plane. See how {product-title} works in {product-title}. {product-title} supports multiple identity providers. * **xref:../networking/understanding-networking.adoc#understanding-networking[Manage networking]**: The cluster network in {product-title} is managed by the xref:../networking/cluster-network-operator.adoc#cluster-network-operator[Cluster Network Operator] (CNO). The CNO uses iptables rules in xref:../networking/openshift_sdn/configuring-kube-proxy.adoc#configuring-kube-proxy[kube-proxy] to direct traffic between nodes and pods running on those nodes. The Multus Container Network Interface adds the capability to attach xref:../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[multiple network interfaces] to a pod. Using -xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic. +xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic. * **xref:../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Manage storage]**: {product-title} allows cluster administrators to configure persistent storage. diff --git a/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc b/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc index 7da5144e0e..a6071cb46a 100644 --- a/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc +++ b/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc 
@@ -155,9 +155,9 @@ Review the following networking changes to consider when transitioning from {pro The default network isolation mode for {product-title} 3.11 was `ovs-subnet`, though users frequently switched to use `ovn-multitenant`. The default network isolation mode for {product-title} {product-version} is controlled by a network policy. -If your {product-title} 3.11 cluster used the `ovs-subnet` or `ovs-multitenant` mode, it is recommended to switch to a network policy for your {product-title} {product-version} cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that `ovs-multitenant` does. If you want to maintain the `ovs-multitenant` behavior while using a network policy in {product-title} {product-version}, follow the steps to xref:../networking/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[configure multitenant isolation using network policy]. +If your {product-title} 3.11 cluster used the `ovs-subnet` or `ovs-multitenant` mode, it is recommended to switch to a network policy for your {product-title} {product-version} cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that `ovs-multitenant` does. If you want to maintain the `ovs-multitenant` behavior while using a network policy in {product-title} {product-version}, follow the steps to xref:../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[configure multitenant isolation using network policy]. -For more information, see xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]. +For more information, see xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]. [discrete] ==== OVN-Kubernetes as the default networking plugin in Red Hat OpenShift Networking 
diff --git a/modules/nw-egressnetworkpolicy-about.adoc b/modules/nw-egressnetworkpolicy-about.adoc index 43d9d8d04d..b07f1a3f3f 100644 --- a/modules/nw-egressnetworkpolicy-about.adoc +++ b/modules/nw-egressnetworkpolicy-about.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/openshift_sdn/configuring-egress-firewall.adoc -// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc +// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc ifeval::["{context}" == "configuring-egress-firewall-ovn"] :ovn: diff --git a/modules/nw-egressnetworkpolicy-create.adoc b/modules/nw-egressnetworkpolicy-create.adoc index 16a0c745da..19e096940a 100644 --- a/modules/nw-egressnetworkpolicy-create.adoc +++ b/modules/nw-egressnetworkpolicy-create.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/openshift_sdn/configuring-egress-firewall.adoc -// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc +// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc ifeval::["{context}" == "openshift-sdn-egress-firewall"] :kind: EgressNetworkPolicy diff --git a/modules/nw-egressnetworkpolicy-object.adoc b/modules/nw-egressnetworkpolicy-object.adoc index 1f9c1ad153..58d65d46f6 100644 --- a/modules/nw-egressnetworkpolicy-object.adoc +++ b/modules/nw-egressnetworkpolicy-object.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/openshift_sdn/configuring-egress-firewall.adoc -// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc +// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc ifeval::["{context}" == "openshift-sdn-egress-firewall"] :kind: EgressNetworkPolicy diff --git a/modules/nw-egressnetworkpolicy-view.adoc b/modules/nw-egressnetworkpolicy-view.adoc index 2acd7f1f3c..1fc4c284bd 100644 
--- a/modules/nw-egressnetworkpolicy-view.adoc +++ b/modules/nw-egressnetworkpolicy-view.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/openshift_sdn/configuring-egress-firewall.adoc -// * networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc +// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc ifeval::["{context}" == "openshift-sdn-viewing-egress-firewall"] :kind: EgressNetworkPolicy diff --git a/modules/nw-infw-operator-installing.adoc b/modules/nw-infw-operator-installing-cli.adoc similarity index 57% rename from modules/nw-infw-operator-installing.adoc rename to modules/nw-infw-operator-installing-cli.adoc index 2bd22f6268..89abfeb5de 100644 --- a/modules/nw-infw-operator-installing.adoc +++ b/modules/nw-infw-operator-installing-cli.adoc 
@@ -95,57 +95,4 @@ $ oc get csv -n openshift-ingress-node-firewall ---- NAME DISPLAY VERSION REPLACES PHASE ingress-node-firewall.{product-version}.0-202211122336 Ingress Node Firewall Operator {product-version}.0-202211122336 ingress-node-firewall.{product-version}.0-202211102047 Succeeded ----- - -[id="install-operator-web-console_{context}"] -== Installing the Ingress Node Firewall Operator using the web console - -As a cluster administrator, you can install the Operator using the web console. - -.Prerequisites - -* You have installed the OpenShift CLI (`oc`). -* You have an account with administrator privileges. - -.Procedure - - -. Install the Ingress Node Firewall Operator: - -.. In the {product-title} web console, click *Operators* -> *OperatorHub*. - -.. Select *Ingress Node Firewall Operator* from the list of available Operators, and then click *Install*. - -.. On the *Install Operator* page, under *Installed Namespace*, select *Operator recommended Namespace*. - -.. Click *Install*. - -. Verify that the Ingress Node Firewall Operator is installed successfully: - -.. Navigate to the *Operators* -> *Installed Operators* page. - -.. Ensure that *Ingress Node Firewall Operator* is listed in the *openshift-ingress-node-firewall* project with a *Status* of *InstallSucceeded*. -+ -[NOTE] -==== -During installation an Operator might display a *Failed* status. -If the installation later succeeds with an *InstallSucceeded* message, you can ignore the *Failed* message. -==== - -+ -If the Operator does not have a *Status* of *InstallSucceeded*, troubleshoot using the following steps: - -+ -* Inspect the *Operator Subscriptions* and *Install Plans* tabs for any failures or errors under *Status*. -* Navigate to the *Workloads* -> *Pods* page and check the logs for pods in the `openshift-ingress-node-firewall` project. -* Check the namespace of the YAML file. 
If the annotation is missing, you can add the annotation `workload.openshift.io/allowed=management` to the Operator namespace with the following command: -+ -[source,terminal] ----- -$ oc annotate ns/openshift-ingress-node-firewall workload.openshift.io/allowed=management ----- -+ -[NOTE] -==== -For {sno} clusters, the `openshift-ingress-node-firewall` namespace requires the `workload.openshift.io/allowed=management` annotation. -==== +---- \ No newline at end of file diff --git a/modules/nw-infw-operator-installing-console.adoc b/modules/nw-infw-operator-installing-console.adoc new file mode 100644 index 0000000000..bac96889d0 --- /dev/null +++ b/modules/nw-infw-operator-installing-console.adoc 
@@ -0,0 +1,57 @@ +// Module included in the following assemblies: +// +// * networking/ingress-node-firewall-operator.adoc + +:_mod-docs-content-type: PROCEDURE +[id="install-operator-web-console_{context}"] +== Installing the Ingress Node Firewall Operator using the web console + +As a cluster administrator, you can install the Operator using the web console. + +.Prerequisites + +* You have installed the OpenShift CLI (`oc`). +* You have an account with administrator privileges. + +.Procedure + + +. Install the Ingress Node Firewall Operator: + +.. In the {product-title} web console, click *Operators* -> *OperatorHub*. + +.. Select *Ingress Node Firewall Operator* from the list of available Operators, and then click *Install*. + +.. On the *Install Operator* page, under *Installed Namespace*, select *Operator recommended Namespace*. + +.. Click *Install*. + +. Verify that the Ingress Node Firewall Operator is installed successfully: + +.. Navigate to the *Operators* -> *Installed Operators* page. + +.. Ensure that *Ingress Node Firewall Operator* is listed in the *openshift-ingress-node-firewall* project with a *Status* of *InstallSucceeded*. ++ +[NOTE] +==== +During installation an Operator might display a *Failed* status. +If the installation later succeeds with an *InstallSucceeded* message, you can ignore the *Failed* message. +==== + ++ +If the Operator does not have a *Status* of *InstallSucceeded*, troubleshoot using the following steps: + ++ +* Inspect the *Operator Subscriptions* and *Install Plans* tabs for any failures or errors under *Status*. +* Navigate to the *Workloads* -> *Pods* page and check the logs for pods in the `openshift-ingress-node-firewall` project. +* Check the namespace of the YAML file. 
If the annotation is missing, you can add the annotation `workload.openshift.io/allowed=management` to the Operator namespace with the following command: ++ +[source,terminal] +---- +$ oc annotate ns/openshift-ingress-node-firewall workload.openshift.io/allowed=management +---- ++ +[NOTE] +==== +For {sno} clusters, the `openshift-ingress-node-firewall` namespace requires the `workload.openshift.io/allowed=management` annotation. +==== diff --git a/modules/nw-networkpolicy-about.adoc b/modules/nw-networkpolicy-about.adoc index 9fd94366fa..bc679530b5 100644 --- a/modules/nw-networkpolicy-about.adoc +++ b/modules/nw-networkpolicy-about.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/about-network-policy.adoc +// * networking/openshift_network_security/network_policy/about-network-policy.adoc // * post_installation_configuration/network-configuration.adoc :_mod-docs-content-type: CONCEPT diff --git a/modules/nw-networkpolicy-allow-application-all-namespaces.adoc b/modules/nw-networkpolicy-allow-application-all-namespaces.adoc index 366ae5c227..b0a875fed9 100644 --- a/modules/nw-networkpolicy-allow-application-all-namespaces.adoc +++ b/modules/nw-networkpolicy-allow-application-all-namespaces.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/multiple_networks/configuring-multi-network-policy.adoc -// * networking/network_policy/creating-network-policy.adoc +// * networking/openshift_network_security/network_policy/creating-network-policy.adoc // * microshift_networking/microshift-creating-network-policy.adoc :name: network diff --git a/modules/nw-networkpolicy-allow-application-particular-namespace.adoc b/modules/nw-networkpolicy-allow-application-particular-namespace.adoc index 2038f45ea9..c03b795cb6 100644 --- a/modules/nw-networkpolicy-allow-application-particular-namespace.adoc +++ b/modules/nw-networkpolicy-allow-application-particular-namespace.adoc 
@@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/multiple_networks/configuring-multi-network-policy.adoc -// * networking/network_policy/creating-network-policy.adoc +// * networking/openshift_network_security/network_policy/creating-network-policy.adoc // * microshift_networking/microshift-creating-network-policy.adoc :name: network diff --git a/modules/nw-networkpolicy-allow-external-clients.adoc b/modules/nw-networkpolicy-allow-external-clients.adoc index c25fb177cf..c7ece7ae4c 100644 --- a/modules/nw-networkpolicy-allow-external-clients.adoc +++ b/modules/nw-networkpolicy-allow-external-clients.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/multiple_networks/configuring-multi-network-policy.adoc -// * networking/network_policy/creating-network-policy.adoc +// * networking/openshift_network_security/network_policy/creating-network-policy.adoc :name: network :role: admin diff --git a/modules/nw-networkpolicy-create-cli.adoc b/modules/nw-networkpolicy-create-cli.adoc index efb87b9999..15af96ffac 100644 --- a/modules/nw-networkpolicy-create-cli.adoc +++ b/modules/nw-networkpolicy-create-cli.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/multiple_networks/configuring-multi-network-policy.adoc -// * networking/network_policy/creating-network-policy.adoc +// * networking/openshift_network_security/network_policy/creating-network-policy.adoc // * post_installation_configuration/network-configuration.adoc // * microshift_networking/microshift-creating-network-policy.adoc diff --git a/modules/nw-networkpolicy-create-ocm.adoc b/modules/nw-networkpolicy-create-ocm.adoc index 3aeaeacb62..7a2d80ba74 100644 --- a/modules/nw-networkpolicy-create-ocm.adoc +++ b/modules/nw-networkpolicy-create-ocm.adoc 
@@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/creating-network-policy.adoc +// * networking/openshift_network_security/network_policy/creating-network-policy.adoc // * networking/multiple_networks/configuring-multi-network-policy.adoc // * post_installation_configuration/network-configuration.adoc diff --git a/modules/nw-networkpolicy-delete-cli.adoc b/modules/nw-networkpolicy-delete-cli.adoc index 502efd7683..29616754ff 100644 --- a/modules/nw-networkpolicy-delete-cli.adoc +++ b/modules/nw-networkpolicy-delete-cli.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/deleting-network-policy.adoc +// * networking/openshift_network_security/network_policy/deleting-network-policy.adoc // * networking/multiple_networks/configuring-multi-network-policy.adoc // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc diff --git a/modules/nw-networkpolicy-delete-ocm.adoc b/modules/nw-networkpolicy-delete-ocm.adoc index 47c9010389..1865920d7d 100644 --- a/modules/nw-networkpolicy-delete-ocm.adoc +++ b/modules/nw-networkpolicy-delete-ocm.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/deleting-network-policy.adoc +// * networking/openshift_network_security/network_policy/deleting-network-policy.adoc // * post_installation_configuration/network-configuration.adoc :_mod-docs-content-type: PROCEDURE diff --git a/modules/nw-networkpolicy-deny-all-allowed.adoc b/modules/nw-networkpolicy-deny-all-allowed.adoc index ebaff2f2fb..b0885d2fd6 100644 --- a/modules/nw-networkpolicy-deny-all-allowed.adoc +++ b/modules/nw-networkpolicy-deny-all-allowed.adoc 
@@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * networking/multiple_networks/configuring-multi-network-policy.adoc -// * networking/network_policy/creating-network-policy.adoc +// * networking/openshift_network_security/network_policy/creating-network-policy.adoc // * microshift_networking/microshift-creating-network-policy.adoc :name: network diff --git a/modules/nw-networkpolicy-edit.adoc b/modules/nw-networkpolicy-edit.adoc index 6450a5f639..08a983fb48 100644 --- a/modules/nw-networkpolicy-edit.adoc +++ b/modules/nw-networkpolicy-edit.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/editing-network-policy.adoc +// * networking/openshift_network_security/network_policy/editing-network-policy.adoc // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc :name: network diff --git a/modules/nw-networkpolicy-multitenant-isolation.adoc b/modules/nw-networkpolicy-multitenant-isolation.adoc index 1af29fdaf6..e11c2a9740 100644 --- a/modules/nw-networkpolicy-multitenant-isolation.adoc +++ b/modules/nw-networkpolicy-multitenant-isolation.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/multitenant-network-policy.adoc +// * networking/openshift_network_security/network_policy/multitenant-network-policy.adoc // * post_installation_configuration/network-configuration.adoc :_mod-docs-content-type: PROCEDURE diff --git a/modules/nw-networkpolicy-object.adoc b/modules/nw-networkpolicy-object.adoc index ca2f9f1d39..72770bcd35 100644 --- a/modules/nw-networkpolicy-object.adoc +++ b/modules/nw-networkpolicy-object.adoc 
@@ -1,8 +1,8 @@ // Module included in the following assemblies: // -// * networking/network_policy/creating-network-policy.adoc -// * networking/network_policy/viewing-network-policy.adoc -// * networking/network_policy/editing-network-policy.adoc +// * networking/openshift_network_security/network_policy/creating-network-policy.adoc +// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc +// * networking/openshift_network_security/network_policy/editing-network-policy.adoc // * post_installation_configuration/network-configuration.adoc // * microshift_networking/microshift-creating-network-policy.adoc // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc diff --git a/modules/nw-networkpolicy-optimize-ovn.adoc b/modules/nw-networkpolicy-optimize-ovn.adoc index 401531bcd4..a3d1bf72e5 100644 --- a/modules/nw-networkpolicy-optimize-ovn.adoc +++ b/modules/nw-networkpolicy-optimize-ovn.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/about-network-policy.adoc +// * networking/openshift_network_security/network_policy/about-network-policy.adoc [id="nw-networkpolicy-optimize-ovn_{context}"] = Optimizations for network policy with OVN-Kubernetes network plugin diff --git a/modules/nw-networkpolicy-optimize.adoc b/modules/nw-networkpolicy-optimize.adoc index 477809d9be..523887a3e1 100644 --- a/modules/nw-networkpolicy-optimize.adoc +++ b/modules/nw-networkpolicy-optimize.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/about-network-policy.adoc +// * networking/openshift_network_security/network_policy/about-network-policy.adoc [id="nw-networkpolicy-optimize-sdn_{context}"] = Optimizations for network policy with OpenShift SDN diff --git a/modules/nw-networkpolicy-project-defaults.adoc b/modules/nw-networkpolicy-project-defaults.adoc index ee005167c3..f7f3bac74d 100644 
--- a/modules/nw-networkpolicy-project-defaults.adoc +++ b/modules/nw-networkpolicy-project-defaults.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/default-network-policy.adoc +// * networking/openshift_network_security/network_policy/default-network-policy.adoc // * networking/configuring-networkpolicy.adoc // * post_installation_configuration/network-configuration.adoc diff --git a/modules/nw-networkpolicy-view-cli.adoc b/modules/nw-networkpolicy-view-cli.adoc index 7ac163b925..58678e2c25 100644 --- a/modules/nw-networkpolicy-view-cli.adoc +++ b/modules/nw-networkpolicy-view-cli.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/viewing-network-policy.adoc +// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc // * post_installation_configuration/network-configuration.adoc // * networking/multiple_networks/configuring-multi-network-policy.adoc diff --git a/modules/nw-networkpolicy-view-ocm.adoc b/modules/nw-networkpolicy-view-ocm.adoc index c34718e6a4..41a55920f5 100644 --- a/modules/nw-networkpolicy-view-ocm.adoc +++ b/modules/nw-networkpolicy-view-ocm.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/network_policy/viewing-network-policy.adoc +// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc // * post_installation_configuration/network-configuration.adoc :_mod-docs-content-type: PROCEDURE diff --git a/modules/nw-ovn-ipsec-certificates.adoc b/modules/nw-ovn-ipsec-certificates.adoc index 0775e46739..bab1738d49 100644 --- a/modules/nw-ovn-ipsec-certificates.adoc +++ b/modules/nw-ovn-ipsec-certificates.adoc 
@@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: CONCEPT [id="nw-ovn-ipsec-certificates_{context}"] diff --git a/modules/nw-ovn-ipsec-enable.adoc b/modules/nw-ovn-ipsec-enable.adoc index 49a8e3c4e9..67f4a7d3dd 100644 --- a/modules/nw-ovn-ipsec-enable.adoc +++ b/modules/nw-ovn-ipsec-enable.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: PROCEDURE [id="nw-ovn-ipsec-enable_{context}"] diff --git a/modules/nw-ovn-ipsec-encryption.adoc b/modules/nw-ovn-ipsec-encryption.adoc index d9c3b40b7b..4f906ef038 100644 --- a/modules/nw-ovn-ipsec-encryption.adoc +++ b/modules/nw-ovn-ipsec-encryption.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: CONCEPT [id="nw-ovn-ipsec-encryption_{context}"] diff --git a/modules/nw-ovn-ipsec-external.adoc b/modules/nw-ovn-ipsec-external.adoc index 216b596472..364d1d4aca 100644 --- a/modules/nw-ovn-ipsec-external.adoc +++ b/modules/nw-ovn-ipsec-external.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: CONCEPT [id="nw-ovn-ipsec-external_{context}"] diff --git a/modules/nw-ovn-ipsec-north-south-disable.adoc b/modules/nw-ovn-ipsec-north-south-disable.adoc index 76d19cc9df..6ecf439865 100644 --- a/modules/nw-ovn-ipsec-north-south-disable.adoc 
+++ b/modules/nw-ovn-ipsec-north-south-disable.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: PROCEDURE [id="nw-ovn-ipsec-north-south-disable_{context}"] diff --git a/modules/nw-ovn-ipsec-north-south-enable.adoc b/modules/nw-ovn-ipsec-north-south-enable.adoc index b9b16bf1c7..a5e49618d6 100644 --- a/modules/nw-ovn-ipsec-north-south-enable.adoc +++ b/modules/nw-ovn-ipsec-north-south-enable.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: PROCEDURE [id="nw-ovn-ipsec-north-south-enable_{context}"] diff --git a/modules/nw-ovn-ipsec-traffic.adoc b/modules/nw-ovn-ipsec-traffic.adoc index db7915d4b7..b40ea168ba 100644 --- a/modules/nw-ovn-ipsec-traffic.adoc +++ b/modules/nw-ovn-ipsec-traffic.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: CONCEPT [id="nw-ovn-ipsec-traffic_{context}"] diff --git a/modules/nw-ovn-k-adminnetwork-policy.adoc b/modules/nw-ovn-k-adminnetwork-policy.adoc index 2c94d31e4d..dc4708171b 100644 --- a/modules/nw-ovn-k-adminnetwork-policy.adoc +++ b/modules/nw-ovn-k-adminnetwork-policy.adoc 
@@ -20,11 +20,6 @@ An ANP allows administrators to specify the following: * A list of egress rules to be applied for all egress traffic from the `subject`. -[NOTE] -==== -The `AdminNetworkPolicy` resource is a `TechnologyPreviewNoUpgrade` feature that can be enabled on test clusters that are not in production. For more information on feature gates and `TechnologyPreviewNoUpgrade` features, see "Enabling features using feature gates" in the "Additional resources" of this section. -==== - [discrete] [id="adminnetworkpolicy-example_{context}"] == AdminNetworkPolicy example diff --git a/modules/nw-ovn-k-baseline-adminnetwork-policy.adoc b/modules/nw-ovn-k-baseline-adminnetwork-policy.adoc index d3f5e3a135..35bd841fb6 100644 --- a/modules/nw-ovn-k-baseline-adminnetwork-policy.adoc +++ b/modules/nw-ovn-k-baseline-adminnetwork-policy.adoc @@ -18,11 +18,6 @@ A BANP allows administrators to specify: * A list of egress rules to be applied for all egress traffic from the `subject`. -[NOTE] -==== -`BaselineAdminNetworkPolicy` is a `TechnologyPreviewNoUpgrade` feature that can be enabled on test clusters that are not in production. -==== - [discrete] [id="baselineddminnetworkpolicy-example_{context}"] == BaselineAdminNetworkPolicy example diff --git a/modules/nw-own-ipsec-modes.adoc b/modules/nw-own-ipsec-modes.adoc index 35a1c5c7b1..3ed7639a25 100644 --- a/modules/nw-own-ipsec-modes.adoc +++ b/modules/nw-own-ipsec-modes.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: CONCEPT [id="nw-ovn-ipsec-modes_{context}"] diff --git a/modules/nw-own-ipsec-required-ports.adoc b/modules/nw-own-ipsec-required-ports.adoc index 13bbaacc40..af426fbca0 100644 --- a/modules/nw-own-ipsec-required-ports.adoc +++ b/modules/nw-own-ipsec-required-ports.adoc 
@@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc +// * networking/openshift_network_security/configuring-ipsec-ovn.adoc :_mod-docs-content-type: CONCEPT [id="network-connectivity-requirements-ipsec_{context}"] diff --git a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc index 81fc0f14d4..3c8bac590d 100644 --- a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc +++ b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc @@ -57,12 +57,12 @@ include::modules/nw-ingress-sharding-route-configuration.adoc[leveloffset=+1] The Ingress Operator manages wildcard DNS. For more information, see the following: -* xref:../../networking/ingress-operator.adoc#configuring-ingress[Ingress Operator in {product-title}]. +* xref:../../networking/ingress-operator.adoc#configuring-ingress[Ingress Operator in {product-title}] -* xref:../../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[Installing a cluster on bare metal]. +* xref:../../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[Installing a cluster on bare metal] -* xref:../../installing/installing_vsphere/upi/installing-vsphere.adoc#installing-vsphere[Installing a cluster on vSphere]. +* xref:../../installing/installing_vsphere/upi/installing-vsphere.adoc#installing-vsphere[Installing a cluster on vSphere] -* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]. +* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy] endif::[] 
diff --git a/networking/multiple_networks/configuring-multi-network-policy.adoc b/networking/multiple_networks/configuring-multi-network-policy.adoc index ea87bbb438..b370feb516 100644 --- a/networking/multiple_networks/configuring-multi-network-policy.adoc +++ b/networking/multiple_networks/configuring-multi-network-policy.adoc @@ -43,7 +43,7 @@ include::modules/nw-networkpolicy-allow-application-particular-namespace.adoc[le [role="_additional-resources"] == Additional resources -* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy] +* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy] * xref:../../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[Understanding multiple networks] * xref:../../networking/multiple_networks/configuring-additional-network.adoc#nw-multus-macvlan-object_configuring-additional-network[Configuring a macvlan network] * xref:../../networking/hardware_networks/configuring-sriov-device.adoc#configuring-sriov-device[Configuring an SR-IOV network device] diff --git a/networking/networking-operators-overview.adoc b/networking/networking-operators-overview.adoc index 6db9ed9b81..55b449f165 100644 --- a/networking/networking-operators-overview.adoc +++ b/networking/networking-operators-overview.adoc 
@@ -26,7 +26,7 @@ The External DNS Operator deploys and manages ExternalDNS to provide the name re [id="ingress-node-firewall-operator-1"] == Ingress Node Firewall Operator -The Ingress Node Firewall Operator uses an extended Berkley Packet Filter (eBPF) and eXpress Data Path (XDP) plugin to process node firewall rules, update statistics and generate events for dropped traffic. The operator manages ingress node firewall resources, verifies firewall configuration, does not allow incorrectly configured rules that can prevent cluster access, and loads ingress node firewall XDP programs to the selected interfaces in the rule's object(s). For more information, see xref:../networking/ingress-node-firewall-operator.adoc#ingress-node-firewall-operator[Understanding the Ingress Node Firewall Operator] +The Ingress Node Firewall Operator uses an extended Berkley Packet Filter (eBPF) and eXpress Data Path (XDP) plugin to process node firewall rules, update statistics and generate events for dropped traffic. The operator manages ingress node firewall resources, verifies firewall configuration, does not allow incorrectly configured rules that can prevent cluster access, and loads ingress node firewall XDP programs to the selected interfaces in the rule's object(s). For more information, see xref:../networking/openshift_network_security/ingress-node-firewall-operator.adoc#ingress-node-firewall-operator[Understanding the Ingress Node Firewall Operator]. [id="network-observability-operator-overview-operator"] == Network Observability Operator diff --git a/networking/network_policy/_attributes b/networking/openshift_network_security/_attributes similarity index 100% rename from networking/network_policy/_attributes rename to networking/openshift_network_security/_attributes 
diff --git a/networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc b/networking/openshift_network_security/configuring-egress-firewall-ovn.adoc similarity index 100% rename from networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc rename to networking/openshift_network_security/configuring-egress-firewall-ovn.adoc diff --git a/networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc b/networking/openshift_network_security/configuring-ipsec-ovn.adoc similarity index 100% rename from networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc rename to networking/openshift_network_security/configuring-ipsec-ovn.adoc diff --git a/networking/network_policy/images b/networking/openshift_network_security/images similarity index 100% rename from networking/network_policy/images rename to networking/openshift_network_security/images diff --git a/networking/ingress-node-firewall-operator.adoc b/networking/openshift_network_security/ingress-node-firewall-operator.adoc similarity index 83% rename from networking/ingress-node-firewall-operator.adoc rename to networking/openshift_network_security/ingress-node-firewall-operator.adoc index fb33bad0b5..4237206b6b 100644 --- a/networking/ingress-node-firewall-operator.adoc +++ b/networking/openshift_network_security/ingress-node-firewall-operator.adoc @@ -10,7 +10,9 @@ The Ingress Node Firewall Operator allows administrators to manage firewall conf include::modules/nw-infw-operator-cr.adoc[leveloffset=+1] -include::modules/nw-infw-operator-installing.adoc[leveloffset=+1] +include::modules/nw-infw-operator-installing-cli.adoc[leveloffset=+1] + +include::modules/nw-infw-operator-installing-console.adoc[leveloffset=+1] include::modules/nw-infw-operator-deploying.adoc[leveloffset=+1] 
diff --git a/networking/network_policy/modules b/networking/openshift_network_security/modules
similarity index 100%
rename from networking/network_policy/modules
rename to networking/openshift_network_security/modules
diff --git a/networking/openshift_network_security/network_policy/_attributes b/networking/openshift_network_security/network_policy/_attributes
new file mode 120000
index 0000000000..20cc1dcb77
--- /dev/null
+++ b/networking/openshift_network_security/network_policy/_attributes
@@ -0,0 +1 @@
+../../_attributes/
\ No newline at end of file
diff --git a/networking/network_policy/about-network-policy.adoc b/networking/openshift_network_security/network_policy/about-network-policy.adoc
similarity index 52%
rename from networking/network_policy/about-network-policy.adoc
rename to networking/openshift_network_security/network_policy/about-network-policy.adoc
index 4e703277f7..c025688296 100644
--- a/networking/network_policy/about-network-policy.adoc
+++ b/networking/openshift_network_security/network_policy/about-network-policy.adoc
@@ -20,15 +20,15 @@ include::modules/nw-networkpolicy-optimize-ovn.adoc[leveloffset=+1] [id="about-network-policy-next-steps"] == Next steps -* xref:../../networking/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy] +* xref:../../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy] ifndef::openshift-rosa,openshift-dedicated[] -* Optional: xref:../../networking/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy] +* Optional: xref:../../../networking/openshift_network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for projects] [role="_additional-resources"] [id="about-network-policy-additional-resources"] == Additional resources -* xref:../../authentication/using-rbac.adoc#rbac-projects-namespaces_using-rbac[Projects and namespaces] -* xref:../../networking/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant network policy] -* xref:../../rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc#networkpolicy-networking-k8s-io-v1[NetworkPolicy API] +* xref:../../../authentication/using-rbac.adoc#rbac-projects-namespaces_using-rbac[Projects and namespaces] +* xref:../../../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant isolation with network policy] +* xref:../../../rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc#networkpolicy-networking-k8s-io-v1[NetworkPolicy API] endif::[] 
diff --git a/networking/network_policy/creating-network-policy.adoc b/networking/openshift_network_security/network_policy/creating-network-policy.adoc similarity index 81% rename from networking/network_policy/creating-network-policy.adoc rename to networking/openshift_network_security/network_policy/creating-network-policy.adoc index 18da83ed95..93cc1c69f4 100644 --- a/networking/network_policy/creating-network-policy.adoc +++ b/networking/openshift_network_security/network_policy/creating-network-policy.adoc @@ -31,6 +31,6 @@ ifndef::openshift-rosa,openshift-dedicated[] [role="_additional-resources"] == Additional resources -* xref:../../web_console/web-console.adoc#web-console[Accessing the web console] -* xref:../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging for egress firewall and network policy rules] +* xref:../../../web_console/web-console.adoc#web-console[Accessing the web console] +* xref:../../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging for egress firewall and network policy rules] endif::[] diff --git a/networking/network_policy/default-network-policy.adoc b/networking/openshift_network_security/network_policy/default-network-policy.adoc similarity index 100% rename from networking/network_policy/default-network-policy.adoc rename to networking/openshift_network_security/network_policy/default-network-policy.adoc diff --git a/networking/network_policy/deleting-network-policy.adoc b/networking/openshift_network_security/network_policy/deleting-network-policy.adoc similarity index 100% rename from networking/network_policy/deleting-network-policy.adoc rename to networking/openshift_network_security/network_policy/deleting-network-policy.adoc 
diff --git a/networking/network_policy/editing-network-policy.adoc b/networking/openshift_network_security/network_policy/editing-network-policy.adoc similarity index 77% rename from networking/network_policy/editing-network-policy.adoc rename to networking/openshift_network_security/network_policy/editing-network-policy.adoc index b1237fce53..fc4f98edd8 100644 --- a/networking/network_policy/editing-network-policy.adoc +++ b/networking/openshift_network_security/network_policy/editing-network-policy.adoc @@ -15,4 +15,4 @@ include::modules/nw-networkpolicy-object.adoc[leveloffset=+1] [role="_additional-resources"] [id="editing-network-policy-additional-resources"] == Additional resources -* xref:../../networking/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy] +* xref:../../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy] diff --git a/networking/openshift_network_security/network_policy/images b/networking/openshift_network_security/network_policy/images new file mode 120000 index 0000000000..847b03ed05 --- /dev/null +++ b/networking/openshift_network_security/network_policy/images @@ -0,0 +1 @@ +../../images/ \ No newline at end of file diff --git a/networking/openshift_network_security/network_policy/modules b/networking/openshift_network_security/network_policy/modules new file mode 120000 index 0000000000..36719b9de7 --- /dev/null +++ b/networking/openshift_network_security/network_policy/modules @@ -0,0 +1 @@ +../../modules/ \ No newline at end of file diff --git a/networking/network_policy/multitenant-network-policy.adoc b/networking/openshift_network_security/network_policy/multitenant-network-policy.adoc similarity index 75% rename from networking/network_policy/multitenant-network-policy.adoc rename to networking/openshift_network_security/network_policy/multitenant-network-policy.adoc index f5c81cc569..7a73489af4 100644 
--- a/networking/network_policy/multitenant-network-policy.adoc +++ b/networking/openshift_network_security/network_policy/multitenant-network-policy.adoc @@ -22,11 +22,11 @@ ifndef::openshift-rosa,openshift-dedicated[] [id="multitenant-network-policy-next-steps"] == Next steps -* xref:../../networking/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy] +* xref:../../../networking/openshift_network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for a project] [role="_additional-resources"] [id="multitenant-network-policy-additional-resources"] == Additional resources -* xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#nw-openshift-sdn-modes_about-openshift-sdn[OpenShift SDN network isolation modes] +* xref:../../../networking/openshift_sdn/about-openshift-sdn.adoc#nw-openshift-sdn-modes_about-openshift-sdn[OpenShift SDN network isolation modes] endif::[] \ No newline at end of file diff --git a/networking/network_policy/snippets b/networking/openshift_network_security/network_policy/snippets similarity index 100% rename from networking/network_policy/snippets rename to networking/openshift_network_security/network_policy/snippets diff --git a/networking/network_policy/viewing-network-policy.adoc b/networking/openshift_network_security/network_policy/viewing-network-policy.adoc similarity index 100% rename from networking/network_policy/viewing-network-policy.adoc rename to networking/openshift_network_security/network_policy/viewing-network-policy.adoc diff --git a/networking/openshift_network_security/ovn-k-anp.adoc b/networking/openshift_network_security/ovn-k-anp.adoc new file mode 100644 index 0000000000..80e4eb71a2 --- /dev/null +++ b/networking/openshift_network_security/ovn-k-anp.adoc 
@@ -0,0 +1,15 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-anp"]
+= OVN-Kubernetes AdminNetworkPolicy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-anp
+
+toc::[]
+
+include::modules/nw-ovn-k-adminnetwork-policy.adoc[leveloffset=+1]
+
+[discrete]
+.Additional resources
+* link:https://network-policy-api.sigs.k8s.io/[Network Policy API Working Group]
+
+include::modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc[leveloffset=+2]
diff --git a/networking/openshift_network_security/ovn-k-banp.adoc b/networking/openshift_network_security/ovn-k-banp.adoc
new file mode 100644
index 0000000000..a27b903b3b
--- /dev/null
+++ b/networking/openshift_network_security/ovn-k-banp.adoc
@@ -0,0 +1,9 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-banp"]
+= OVN-Kubernetes BaselineAdminNetworkPolicy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-banp
+
+toc::[]
+
+include::modules/nw-ovn-k-baseline-adminnetwork-policy.adoc[leveloffset=+1]
diff --git a/networking/openshift_network_security/ovn-k-network-policy.adoc b/networking/openshift_network_security/ovn-k-network-policy.adoc
new file mode 100644
index 0000000000..32a935b3c9
--- /dev/null
+++ b/networking/openshift_network_security/ovn-k-network-policy.adoc
@@ -0,0 +1,19 @@ +:_mod-docs-content-type: ASSEMBLY +[id="about-ovn-k-network-policy"] += About OVN-Kubernetes network policy +include::_attributes/common-attributes.adoc[] +:context: ovn-k-network-policy + +toc::[] + +Kubernetes offers two features that users can use to enforce network security. One feature that allows users to enforce network policy is the `NetworkPolicy` API that is designed mainly for application developers and namespace tenants to protect their namespaces by creating namespace-scoped policies. For more information, see xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#nw-networkpolicy-about_about-network-policy[About network policy]. + +The second feature is `AdminNetworkPolicy` which consists of two APIs: the `AdminNetworkPolicy` (ANP) API and the `BaselineAdminNetworkPolicy` (BANP) API. ANP and BANP are designed for cluster and network administrators to protect their entire cluster by creating cluster-scoped policies. Cluster administrators can use ANPs to enforce non-overridable policies that take precedence over `NetworkPolicy` objects. Administrators can use BANP to set up and enforce optional cluster-scoped network policy rules that are overridable by users using `NetworkPolicy` objects when necessary. When used together, ANP and BANP can create a multi-tenancy policy that administrators can use to secure their cluster. + +OVN-Kubernetes CNI in {product-title} implements these network policies using Access Control List (ACL) Tiers to evaluate and apply them. ACLs are evaluated in descending order from Tier 1 to Tier 3. + +Tier 1 evaluates `AdminNetworkPolicy` (ANP) objects. Tier 2 evaluates `NetworkPolicy` objects. Tier 3 evaluates `BaselineAdminNetworkPolicy` (BANP) objects. + +image::615_OpenShift_OVN-K_ACLs_0324.png[OVK-Kubernetes Access Control List (ACL)] + +When traffic matches an ANP rule, the rules in that ANP are evaluated first. 
When the match is an ANP `allow` or `deny` rule, any existing `NetworkPolicy` and `BaselineAdminNetworkPolicy` (BANP) objects in the cluster are skipped from evaluation. When the match is an ANP `pass` rule, then evaluation moves from tier 1 of the ACL to tier 2 where the `NetworkPolicy` policy is evaluated. \ No newline at end of file diff --git a/networking/openshift_network_security/snippets b/networking/openshift_network_security/snippets new file mode 120000 index 0000000000..5a3f5add14 --- /dev/null +++ b/networking/openshift_network_security/snippets @@ -0,0 +1 @@ +../../snippets/ \ No newline at end of file diff --git a/networking/openshift_sdn/migrate-to-openshift-sdn.adoc b/networking/openshift_sdn/migrate-to-openshift-sdn.adoc index 28835a451f..921a775ba6 100644 --- a/networking/openshift_sdn/migrate-to-openshift-sdn.adoc +++ b/networking/openshift_sdn/migrate-to-openshift-sdn.adoc @@ -21,7 +21,7 @@ include::modules/nw-ovn-kubernetes-rollback.adoc[leveloffset=+1] * xref:../../networking/cluster-network-operator.adoc#nw-operator-configuration-parameters-for-openshift-sdn_cluster-network-operator[Configuration parameters for the OpenShift SDN network plugin] * xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[Backing up etcd] -* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy] +* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy] * OpenShift SDN capabilities - xref:../../networking/openshift_sdn/assigning-egress-ips.adoc#assigning-egress-ips[Configuring egress IPs for a project] - xref:../../networking/openshift_sdn/configuring-egress-firewall.adoc#configuring-egress-firewall[Configuring an egress firewall for a project] 
diff --git a/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc b/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc index 941edb13b4..5689b1acb1 100644 --- a/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc +++ b/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc @@ -46,9 +46,9 @@ include::modules/nw-ovn-kubernetes-session-affinity.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources -* xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project] -* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy] +* xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project] +* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy] * xref:../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging network policy events] * xref:../../networking/ovn_kubernetes_network_provider/enabling-multicast.adoc#nw-ovn-kubernetes-enabling-multicast[Enabling multicast for a project] -* xref:../../networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn[Configuring IPsec encryption] +* xref:../../networking/openshift_network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn[Configuring IPsec encryption] * xref:../../rest_api/operator_apis/network-operator-openshift-io-v1.adoc#network-operator-openshift-io-v1[Network [operator.openshift.io/v1\]] diff --git a/networking/ovn_kubernetes_network_provider/logging-network-policy.adoc b/networking/ovn_kubernetes_network_provider/logging-network-policy.adoc index ba32774032..9004a7181f 100644 
--- a/networking/ovn_kubernetes_network_provider/logging-network-policy.adoc +++ b/networking/ovn_kubernetes_network_provider/logging-network-policy.adoc @@ -49,5 +49,5 @@ include::modules/nw-networkpolicy-audit-disable.adoc[leveloffset=+1] [role="_additional-resources"] == Additional resources -* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy] -* xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project] +* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy] +* xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project] diff --git a/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc b/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc index 8cfd1c7ef0..3ea0be4fd4 100644 --- a/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc +++ b/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc 
@@ -22,12 +22,12 @@ include::modules/nw-ovn-kubernetes-migration.adoc[leveloffset=+1]
 * link:https://access.redhat.com/labs/ocpnc/[Red Hat OpenShift Network Calculator]
 * xref:../../networking/cluster-network-operator.adoc#nw-operator-configuration-parameters-for-ovn-sdn_cluster-network-operator[Configuration parameters for the OVN-Kubernetes network plugin]
 * xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[Backing up etcd]
-* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/changing-cluster-network-mtu.adoc#nw-cluster-mtu-change_changing-cluster-network-mtu[Changing the cluster MTU]
 * xref:../../networking/changing-cluster-network-mtu.adoc#mtu-value-selection_changing-cluster-network-mtu[MTU value selection]
 * OVN-Kubernetes capabilities
 - xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[Configuring an egress IP address]
-- xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
+- xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
 - xref:../../networking/ovn_kubernetes_network_provider/enabling-multicast.adoc#nw-ovn-kubernetes-enabling-multicast[Enabling multicast for a project]
 * OpenShift SDN capabilities
 - xref:../../networking/openshift_sdn/assigning-egress-ips.adoc#assigning-egress-ips[Configuring egress IPs for a project]
diff --git a/networking/ovn_kubernetes_network_provider/ovn-k-network-policy.adoc b/networking/ovn_kubernetes_network_provider/ovn-k-network-policy.adoc
deleted file mode 100644
index d10c532adb..0000000000
--- a/networking/ovn_kubernetes_network_provider/ovn-k-network-policy.adoc
+++ /dev/null
@@ -1,39 +0,0 @@ -:_mod-docs-content-type: ASSEMBLY -[id="ovn-k-network-policy"] -= OVN-Kubernetes network policy -include::_attributes/common-attributes.adoc[] -:context: ovn-k-network-policy - -toc::[] - -:FeatureName: The `AdminNetworkPolicy` resource -include::snippets/technology-preview.adoc[] - -Kubernetes offers two features that users can use to enforce network security. One feature that allows users to enforce network policy is the `NetworkPolicy` API that is designed mainly for application developers and namespace tenants to protect their namespaces by creating namespace-scoped policies. For more information, see xref:../../networking/network_policy/about-network-policy.adoc#nw-networkpolicy-about_about-network-policy[About network policy]. - -The second feature is `AdminNetworkPolicy` which is comprised of two API: the `AdminNetworkPolicy` (ANP) API and the `BaselineAdminNetworkPolicy` (BANP) API. ANP and BANP are designed for cluster and network administrators to protect their entire cluster by creating cluster-scoped policies. Cluster administrators can use ANPs to enforce non-overridable policies that take precedence over `NetworkPolicy` objects. Administrators can use BANP to setup and enforce optional cluster-scoped network policy rules that are overridable by users using `NetworkPolicy` objects if need be. When used together ANP and BANP can create multi-tenancy policy that administrators can use to secure their cluster. - -OVN-Kubernetes CNI in {product-title} implements these network policies using Access Control List (ACLs) Tiers to evaluate and apply them. ACLs are evaluated in descending order from Tier 1 to Tier 3. - -Tier 1 evaluates `AdminNetworkPolicy` (ANP) objects. Tier 2 evaluates `NetworkPolicy` objects. Tier 3 evaluates `BaselineAdminNetworkPolicy` (BANP) objects. 
- -.OVK-Kubernetes Access Control List (ACL) - -image::615_OpenShift_OVN-K_ACLs_0324.png[OVN-Kubernetes Access Control List] - -If traffic matches an ANP rule, the rules in that ANP will be evaluated first. If the match is an ANP `allow` or `deny` rule, any existing `NetworkPolicies` and `BaselineAdminNetworkPolicy` (BANP) in the cluster will be intentionally skipped from evaluation. If the match is an ANP `pass` rule, then evaluation moves from tier 1 of the ACLs to tier 2 where the `NetworkPolicy` policy is evaluated. - -include::modules/nw-ovn-k-adminnetwork-policy.adoc[leveloffset=+1] - -[discrete] -.Additional resources -* xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling-features[Enabling features using feature gates] -* link:https://network-policy-api.sigs.k8s.io/[Network Policy API Working Group] - -include::modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc[leveloffset=+2] - -include::modules/nw-ovn-k-baseline-adminnetwork-policy.adoc[leveloffset=+1] - - - - diff --git a/networking/zero-trust-networking.adoc b/networking/zero-trust-networking.adoc index c5bdb643f2..8dd1302e3f 100644 --- a/networking/zero-trust-networking.adoc +++ b/networking/zero-trust-networking.adoc 
@@ -30,7 +30,7 @@ Ensure that all traffic on the wire is encrypted and the endpoints are identifia Leverage: -* {product-title}: With transparent xref:../networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn-pod-to-pod-ipsec[pod-to-pod IPsec], the source and destination of the traffic can be identified by the IP address. There is the capability for egress traffic to be xref:../networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.adoc#nw-ovn-ipsec-north-south-enable_configuring-ipsec-ovn[encrypted using IPsec]. By using the xref:../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[egress IP] feature, the source IP address of the traffic can be used to identify the source of the traffic inside the cluster. +* {product-title}: With transparent xref:../networking/openshift_network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn-pod-to-pod-ipsec[pod-to-pod IPsec], the source and destination of the traffic can be identified by the IP address. There is the capability for egress traffic to be xref:../networking/openshift_network_security/configuring-ipsec-ovn.adoc#nw-ovn-ipsec-north-south-enable_configuring-ipsec-ovn[encrypted using IPsec]. By using the xref:../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[egress IP] feature, the source IP address of the traffic can be used to identify the source of the traffic inside the cluster. * xref:../service_mesh/v2x/ossm-about.adoc#ossm-about[{SMProductName}]: Provides powerful xref:../service_mesh/v2x/ossm-security.adoc#ossm-security-mtls_ossm-security[mTLS capabilities] that can transparently augment traffic leaving a pod to provide authentication and encryption. 
* xref:../security/cert_manager_operator/index.adoc#cert-manager-operator-about[OpenShift cert-manager Operator]: Use custom resource definitions (CRDs) to request certificates that can be mounted for your programs to use for SSL/TLS protocols. @@ -53,7 +53,7 @@ It is critical to be able to control access to services based on the identity of Leverage: -* {product-title}: Can enforce isolation in the networking layer of the platform using the Kubernetes xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[`NetworkPolicy`] and xref:../networking/ovn_kubernetes_network_provider/ovn-k-network-policy.adoc#adminnetworkpolicy_ovn-k-network-policy[`AdminNetworkPolicy`] objects. +* {product-title}: Can enforce isolation in the networking layer of the platform using the Kubernetes xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[`NetworkPolicy`] and xref:../networking/openshift_network_security/ovn-k-anp.adoc#ovn-k-anp[`AdminNetworkPolicy`] objects. * xref:../service_mesh/v2x/ossm-about.adoc#ossm-about[{SMProductName}]: Sophisticated L4 and L7 xref:../service_mesh/v2x/ossm-security.adoc#ossm-security[control of traffic] using standard Istio objects and using mTLS to identify the source and destination of traffic and then apply policies based on that information. [id="zero-trust-transaction-level-verification"] diff --git a/observability/logging/cluster-logging-deploying.adoc b/observability/logging/cluster-logging-deploying.adoc index ac5b6c7239..0c8f3cd628 100644 --- a/observability/logging/cluster-logging-deploying.adoc +++ b/observability/logging/cluster-logging-deploying.adoc 
@@ -52,12 +52,15 @@ include::modules/cluster-logging-deploy-multitenant.adoc[leveloffset=+2] .Additional resources ifdef::openshift-enterprise,openshift-origin[] -* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy] +* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy] +* xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN default CNI network provider] +* xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes default Container Network Interface (CNI) network provider] +* xref:../../networking/openshift_network_security/ovn-k-network-policy.adoc#ovn-k-network-policy[About OVN-Kubernetes network policy] * xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN default CNI network provider] * xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes default Container Network Interface (CNI) network provider] endif::[] ifdef::openshift-rosa,openshift-dedicated[] -* link:https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html[About network policy] +* link:https://docs.openshift.com/container-platform/latest/networking/openshift_network_security/about-network-policy.html[About network policy] * link:https://docs.openshift.com/container-platform/latest/networking/openshift_sdn/about-openshift-sdn.html[About the OpenShift SDN default CNI network provider] * link:https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.html[About the OVN-Kubernetes default Container Network Interface (CNI) network provider] endif::[] 
diff --git a/observability/network_observability/network-observability-network-policy.adoc b/observability/network_observability/network-observability-network-policy.adoc index db71ea6045..04f4e4d5e7 100644 --- a/observability/network_observability/network-observability-network-policy.adoc +++ b/observability/network_observability/network-observability-network-policy.adoc @@ -13,4 +13,4 @@ include::modules/network-observability-sample-network-policy-YAML.adoc[leveloffs [role="_additional-resources"] .Additional resources -xref:../../networking/network_policy/creating-network-policy.adoc#nw-networkpolicy-object_creating-network-policy[Creating a network policy using the CLI] \ No newline at end of file +xref:../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#nw-networkpolicy-object_creating-network-policy[Creating a network policy using the CLI] \ No newline at end of file diff --git a/security/container_security/security-network.adoc b/security/container_security/security-network.adoc index d6d477de6a..4c786c0499 100644 --- a/security/container_security/security-network.adoc +++ b/security/container_security/security-network.adoc @@ -21,7 +21,7 @@ include::modules/security-network-policies.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources -* xref:../../networking/network_policy/about-network-policy.adoc#about-network-policy[About network policy] +* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy] // Multiple pod networks include::modules/security-network-multiple-pod.adoc[leveloffset=+1] diff --git a/welcome/index.adoc b/welcome/index.adoc index ad70a777f1..b655c1b466 100644 --- a/welcome/index.adoc +++ b/welcome/index.adoc 
@@ -252,7 +252,7 @@ Manage machines, provide services to users, and follow monitoring and logging re - **Manage xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[ingress], xref:../security/certificates/api-server.adoc#api-server-certificates[API server], and xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[service] certificates**: {product-title} creates certificates by default for the Ingress Operator, the API server, and for services needed by complex middleware applications that require encryption. You might need to change, add, or rotate these certificates. - **xref:../networking/understanding-networking.adoc#understanding-networking[Manage networking]**: The cluster network in {product-title} is managed by the xref:../networking/cluster-network-operator.adoc#cluster-network-operator[Cluster Network Operator] (CNO). The CNO uses `iptables` rules in xref:../networking/openshift_sdn/configuring-kube-proxy.adoc#configuring-kube-proxy[kube-proxy] to direct traffic between nodes and pods running on those nodes. The Multus Container Network Interface adds the capability to attach xref:../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[multiple network interfaces] to a pod. By using -xref:../networking/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic. +xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic. 
- **xref:../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Manage storage]**: With {product-title}, a cluster administrator can configure persistent storage by using xref:../storage/persistent_storage/persistent-storage-ocs.adoc#red-hat-openshift-data-foundation[Red Hat OpenShift Data Foundation],