From ca07a69d71ecaa5bc1a2bd61f08111a00c0b6b59 Mon Sep 17 00:00:00 2001 From: Gwynne Monahan Date: Mon, 29 Sep 2025 11:10:07 -0500 Subject: [PATCH] OSDOCS-16177 [NETOBSERV] Update network policy content --- ...network-observability-deploy-network-policy.adoc | 13 ++++++++----- .../network-observability-network-policy.adoc | 4 +--- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/modules/network-observability-deploy-network-policy.adoc b/modules/network-observability-deploy-network-policy.adoc index 6b4b03a81f..2e75daef35 100644 --- a/modules/network-observability-deploy-network-policy.adoc +++ b/modules/network-observability-deploy-network-policy.adoc 
@@ -5,11 +5,14 @@ :_mod-docs-content-type: PROCEDURE [id="network-observability-deploy-network-policy_{context}"] -= Configuring an ingress network policy by using the FlowCollector custom resource += Configuring network policy by using the FlowCollector custom resource -You can configure the `FlowCollector` custom resource (CR) to deploy an ingress network policy for network observability by setting the `spec.NetworkPolicy.enable` specification to `true`. By default, the specification is `false`. +[role="_abstract"] +You can set up ingress and egress network policies to control pod traffic. This enhances security and collects only the network flow data you need. This reduces noise, supports compliance, and improves visibility into network communication. -If you have installed Loki, Kafka or any exporter in a different namespace that also has a network policy, you must ensure that the Network Observability components can communicate with them. Consider the following about your setup: +You can configure the `FlowCollector` custom resource (CR) to deploy an egress and ingress network policy for network observability. By default, the `spec.NetworkPolicy.enable` specification is set to `true`. + +If you have installed Loki, Kafka or any exporter in a different namespace that also has a network policy, you must ensure that the network observability components can communicate with them. Consider the following about your setup: * Connection to Loki (as defined in the `FlowCollector` CR `spec.loki` parameter) * Connection to Kafka (as defined in the `FlowCollector` CR `spec.kafka` parameter) @@ -33,9 +36,9 @@ metadata: spec: namespace: netobserv networkPolicy: - enable: true <1> + enable: true <1> additionalNamespaces: ["openshift-console", "openshift-monitoring"] <2> # ... ---- -<1> By default, the `enable` value is `false`. +<1> By default, the `enable` value is `true`. <2> Default values are `["openshift-console", "openshift-monitoring"]`. 
diff --git a/observability/network_observability/network-observability-network-policy.adoc b/observability/network_observability/network-observability-network-policy.adoc index 07e8c39769..cbbfa54ad3 100644 --- a/observability/network_observability/network-observability-network-policy.adoc +++ b/observability/network_observability/network-observability-network-policy.adoc @@ -7,12 +7,10 @@ include::_attributes/common-attributes.adoc[] toc::[] -As a user with the `admin` role, you can create a network policy for the `netobserv` namespace to secure inbound access to the Network Observability Operator. +As a user with the `admin` role, you can create a network policy for the `netobserv` namespace to secure inbound and outbound access to the Network Observability Operator. include::modules/network-observability-deploy-network-policy.adoc[leveloffset=+1] -include::modules/network-observability-create-network-policy.adoc[leveloffset=+1] - [role="_additional-resources"] .Additional resources * xref:../../networking/network_security/network_policy/creating-network-policy.adoc#nw-networkpolicy-object_creating-network-policy[Creating a network policy using the CLI] \ No newline at end of file
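Review bot: In the first hunk of modules/network-observability-deploy-network-policy.adoc, the added sentence names the field `spec.NetworkPolicy.enable`, but the YAML example in the same module writes the key as `networkPolicy` under `spec`. Use `spec.networkPolicy.enable` so the path matches what a reader types. The rewrite also drops the only statement of how to change the setting: now that the default is `true`, say that setting it to `false` turns the policy off. In the new abstract, "collects only the network flow data you need" attributes data selection to a network policy, while the rest of the module describes the policy only as controlling which components can communicate. Reword or drop that claim, and split the two consecutive "This ..." sentences so each has a clear subject.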
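Review bot: In the second hunk of modules/network-observability-deploy-network-policy.adoc (the `FlowCollector` YAML example), callout <1> now says the default is `true` while the example still sets `enable: true`, and callout <2> says the `additionalNamespaces` list shown is also the default, so the example as written configures nothing beyond the defaults. Either say so in the callouts or show a non-default value, for example a placeholder namespace added to the list. The changed `enable: true <1>` line appears to differ only in whitespace, so check that it is still indented under `networkPolicy:` at the same level as `additionalNamespaces`.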
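Review bot: In the hunk for observability/network_observability/network-observability-network-policy.adoc, the line `include::modules/network-observability-create-network-policy.adoc[leveloffset=+1]` is removed, but the diffstat lists only two changed files, so that module stays in the repository. Confirm whether another assembly still includes it, and delete it in this patch if not. The intro still says the user "can create a network policy for the `netobserv` namespace" although the one remaining module configures the policy through the `FlowCollector` CR, so check that wording and the remaining "Creating a network policy using the CLI" link against the removed procedure. The file also still ends without a trailing newline.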