TELCODOCS-405 updating multi-network policy to address SR-IOV support

Author: kquinn1204

images/292_OpenShift_Configuring_multi-network_policy_1122.png

@@ -13,7 +13,7 @@ kind: MultiNetworkPolicy
 
 * You must use the `multi-networkpolicy` resource name when using the CLI to interact with multi-network policies. For example, you can view a multi-network policy object with the `oc get multi-networkpolicy <name>` command where `<name>` is the name of a multi-network policy.
 
-* You must specify an annotation with the name of the network attachment definition that defines the macvlan additional network:
+* You must specify an annotation with the name of the network attachment definition that defines the macvlan or SR-IOV additional network:
 +
 [source,yaml]
 ----

images/292_OpenShift_Configuring_multiple-network_policy_1122.png

@@ -0,0 +1,148 @@
+// Module included in the following assemblies:
+//
+// * networking/multiple_networks/configuring-multi-network-policy.adoc
+:name: network
+:role: admin
+ifeval::[{product-version} >= 4.6]
+:ovn:
+endif::[]
+ifeval::["{context}" == "configuring-multi-network-policy"]
+:multi:
+:name: multi-network
+:role: cluster-admin
+endif::[]
+
+:_content-type: PROCEDURE
+[id="nw-networkpolicy-allow-traffic-from-all-applications_{context}"]
+= Creating a {name} policy allowing traffic to an application from all namespaces
+
+
+[NOTE]
+====
+If you log in with a user with the `cluster-admin` role, then you can create a network policy in any namespace in the cluster.
+====
+
+Follow this procedure to configure a policy that allows traffic from all pods in all namespaces to a particular application.
+
+.Prerequisites
+
+* Your cluster uses a cluster network provider that supports `NetworkPolicy` objects, such as
+ifndef::ovn[]
+the OpenShift SDN network provider with `mode: NetworkPolicy` set.
+endif::ovn[]
+ifdef::ovn[]
+the OVN-Kubernetes network provider or the OpenShift SDN network provider with `mode: NetworkPolicy` set.
+endif::ovn[]
+This mode is the default for OpenShift SDN.
+* You installed the OpenShift CLI (`oc`).
+* You are logged in to the cluster with a user with `{role}` privileges.
+* You are working in the namespace that the {name} policy applies to.
+
+.Procedure
+
+. Create a policy that allows traffic from all pods in all namespaces to a particular application. Save the YAML in the `web-allow-all-namespaces.yaml` file:
++
+[source,yaml]
+----
+ifndef::multi[]
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+endif::multi[]
+ifdef::multi[]
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+endif::multi[]
+metadata:
+  name: web-allow-all-namespaces
+  namespace: default
+ifdef::multi[]
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: <network_name>
+endif::multi[]
+spec:
+  podSelector:
+    matchLabels:
+      app: web <1>
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector: {} <2>
+----
+<1> Applies the policy only to `app:web` pods in default namespace.
+<2> Selects all pods in all namespaces.
++
+[NOTE]
+====
+By default, if you omit specifying a `namespaceSelector` it does not select any namespaces, which means the policy allows traffic only from the namespace the network policy is deployed to.
+====
+
+. Apply the policy by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f web-allow-all-namespaces.yaml
+----
++
+.Example output
+[source,terminal]
+----
+ifndef::multi[]
+networkpolicy.networking.k8s.io/web-allow-all-namespaces created
+endif::multi[]
+ifdef::multi[]
+multinetworkpolicy.k8s.cni.cncf.io/web-allow-all-namespaces created
+endif::multi[]
+----
+
+.Verification
+
+. Start a web service in the `default` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80
+----
+
+. Run the following command to deploy an `alpine` image in the `secondary` namespace and to start a shell:
++
+[source,terminal]
+----
+$ oc run test-$RANDOM --namespace=secondary --rm -i -t --image=alpine -- sh
+----
+
+. Run the following command in the shell and observe that the request is allowed:
++
+[source,terminal]
+----
+# wget -qO- --timeout=2 http://web.default
+----
++
+.Expected output
++
+[source,terminal]
+----
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+----

modules/nw-multi-network-policy-differences.adoc

@@ -0,0 +1,198 @@
+// Module included in the following assemblies:
+//
+// * networking/multiple_networks/configuring-multi-network-policy.adoc
+:name: network
+:role: admin
+ifeval::[{product-version} >= 4.6]
+:ovn:
+endif::[]
+ifeval::["{context}" == "configuring-multi-network-policy"]
+:multi:
+:name: multi-network
+:role: cluster-admin
+endif::[]
+
+:_content-type: PROCEDURE
+[id="nw-networkpolicy-allow-traffic-from-a-namespace_{context}"]
+= Creating a {name} policy allowing traffic to an application from a namespace
+
+[NOTE]
+====
+If you log in with a user with the `cluster-admin` role, then you can create a network policy in any namespace in the cluster.
+====
+
+Follow this procedure to configure a policy that allows traffic to a pod with the label `app=web` from a particular namespace. You might want to do this to:
+
+* Restrict traffic to a production database only to namespaces where production workloads are deployed.
+* Enable monitoring tools deployed to a particular namespace to scrape metrics from the current namespace.
+
+.Prerequisites
+
+* Your cluster uses a cluster network provider that supports `NetworkPolicy` objects, such as
+ifndef::ovn[]
+the OpenShift SDN network provider with `mode: NetworkPolicy` set.
+endif::ovn[]
+ifdef::ovn[]
+the OVN-Kubernetes network provider or the OpenShift SDN network provider with `mode: NetworkPolicy` set.
+endif::ovn[]
+This mode is the default for OpenShift SDN.
+* You installed the OpenShift CLI (`oc`).
+* You are logged in to the cluster with a user with `{role}` privileges.
+* You are working in the namespace that the {name} policy applies to.
+
+.Procedure
+
+. Create a policy that allows traffic from all pods in a particular namespaces with a label `purpose=production`. Save the YAML in the `web-allow-prod.yaml` file:
++
+[source,yaml]
+----
+ifndef::multi[]
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+endif::multi[]
+ifdef::multi[]
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+endif::multi[]
+metadata:
+  name: web-allow-prod
+  namespace: default
+ifdef::multi[]
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: <network_name>
+endif::multi[]
+spec:
+  podSelector:
+    matchLabels:
+      app: web <1>
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          purpose: production <2>
+----
+<1> Applies the policy only to `app:web` pods in the default namespace.
+<2> Restricts traffic to only pods in namespaces that have the label `purpose=production`.
+
+. Apply the policy by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f web-allow-prod.yaml
+----
++
+.Example output
+[source,terminal]
+----
+ifndef::multi[]
+networkpolicy.networking.k8s.io/web-allow-prod created
+endif::multi[]
+ifdef::multi[]
+multinetworkpolicy.k8s.cni.cncf.io/web-allow-prod created
+endif::multi[]
+----
+
+.Verification
+
+. Start a web service in the `default` namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80
+----
+
+. Run the following command to create the `prod` namespace:
++
+[source,terminal]
+----
+$ oc create namespace prod
+----
+
+. Run the following command to label the `prod` namespace:
++
+[source,terminal]
+----
+$ oc label namespace/prod purpose=production
+----
+
+. Run the following command to create the `dev` namespace:
++
+[source,terminal]
+----
+$ oc create namespace dev
+----
+
+. Run the following command to label the `dev` namespace:
++
+[source,terminal]
+----
+$ oc label namespace/dev purpose=testing
+----
+
+. Run the following command to deploy an `alpine` image in the `dev` namespace and to start a shell:
++
+[source,terminal]
+----
+$ oc run test-$RANDOM --namespace=dev --rm -i -t --image=alpine -- sh
+----
+
+. Run the following command in the shell and observe that the request is blocked:
++
+[source,terminal]
+----
+# wget -qO- --timeout=2 http://web.default
+----
++
+.Expected output
++
+[source,terminal]
+----
+wget: download timed out
+----
+
+. Run the following command to deploy an `alpine` image in the `prod` namespace and start a shell:
++
+[source,terminal]
+----
+$ oc run test-$RANDOM --namespace=prod --rm -i -t --image=alpine -- sh
+----
+
+. Run the following command in the shell and observe that the request is allowed:
++
+[source,terminal]
+----
+# wget -qO- --timeout=2 http://web.default
+----
++
+.Expected output
++
+[source,terminal]
+----
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+----
+
+