Adds egress netpol docs

[stevsmit]

Version(s):

Issue:
https://issues.redhat.com/browse/OCPBUGS-54674

Link to docs preview:
https://92159--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation

QE review:

• QE has approved this change.

Additional information:

[ocpdocs-previewbot]

🤖 Thu Sep 18 16:15:49 - Prow CI generated the docs preview:
https://92159--ocpdocs-pr.netlify.app
Complete list of updated preview URLs: artifacts/updated_preview_urls.txt

[bergerhoffer]

The branch/enterprise-4.20 label has been added to this PR.

This is because your PR targets the main branch and is labeled for enterprise-4.19. And any PR going into main must also target the latest version branch (enterprise-4.20).

If the update in your PR does NOT apply to version 4.20 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.

[stevsmit]

/remove-lifecycle stale

[openshift-ci]

@stevsmit: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[asood-rh]

To simplify the example, please get rid of project-b

[asood-rh]

Suggested change

	$ oc exec -it test-pod-b -n project-b -- ping -c 2 10.132.0.44
	$ oc exec -it test-pod-a -n project-a -- ping -c 2 10.132.0.38

[asood-rh]

Suggested change

	PING 10.132.0.44 (10.132.0.44): 56 data bytes
	PING 10.132.0.38 (10.132.0.38): 56 data bytes

[asood-rh]

Suggested change

	64 bytes from 10.132.0.44: seq=0 ttl=42 time=1.137 ms
	64 bytes from 10.132.0.38: seq=0 ttl=42 time=1.137 ms

[asood-rh]

Suggested change

	64 bytes from 10.132.0.44: seq=1 ttl=42 time=0.672 ms
	64 bytes from 10.132.0.38: seq=1 ttl=42 time=0.672 ms

[asood-rh]

Suggested change

	$ oc new-project project-c
	oc new-project project-c

[asood-rh]

This nit makes cut and paste easier

[asood-rh]

Suggested change

	$ cat <<EOF | oc apply -f - -n project-c
	cat <<EOF | oc apply -f - -n project-c

[asood-rh]

I believe this one should be

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-new
spec:
  podSelector:
    matchLabels:
      networking/allow-all-connections: "true"
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}

[asood-rh]

Suggested change

	$ oc apply -f allow-n1-a-to-n2-b.yaml -n project-b
	oc apply -f allow-n1-a-to-n2-b.yaml -n project-b

[asood-rh]

This policy is allow egress to dns.

[asood-rh]

Policy YAML that works

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-openshift-dns
spec:
  egress:
  - ports:
    - port: 5353
      protocol: TCP
    - port: 5353
      protocol: UDP
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
  podSelector: {}
  policyTypes:
  - Egress

[asood-rh]

Suggested change

	$ oc apply -f default-deny-all-egress.yaml -n project-a
	$ oc apply -f allow-egress-to-openshift-dns -n project-a

[asood-rh]

Suggested change

	<1> Allows connections to port `53` on any IP to facilitate DNS lookups.
	<1> Allows connections to port `5353` on any IP to facilitate DNS lookups.

[asood-rh]

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
 

[asood-rh]

Suggested change

	Do not apply this network policy to the `kube-system` namespace, as it can break cluster functionality.
	Do not apply default-deny-all-egress network policy to the `kube-system` namespace, as it can break cluster functionality.

[asood-rh]

Suggested change

	With the application of the `default-deny-all-egress` network policy, pods in those namespaces cannot receive external traffic.
	With the application of the `default-deny-all-egress` network policy, pods in those namespaces cannot send external traffic.

[asood-rh]

Suggested change

	. Test ingress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for egress, pods should not longer be able to communicate.
	. Test egress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for egress, pods should not longer be able to communicate.

[bergerhoffer]

The branch/enterprise-4.21 label has been added to this PR.

This is because your PR targets the main branch and is labeled for enterprise-4.20. And any PR going into main must also target the latest version branch (enterprise-4.21).

If the update in your PR does NOT apply to version 4.21 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[bergerhoffer]

The branch/enterprise-4.22 label has been added to this PR.

This is because your PR targets the main branch and is labeled for enterprise-4.21. And any PR going into main must also target the latest version branch (enterprise-4.22).

If the update in your PR does NOT apply to version 4.22 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.