Merge pull request #60520 from ShaunaDiaz/OSDOCS-5762

kelbrown20 · web-flow · commit 6f2130136feb · 2023-06-05T11:28:01.000-04:00
OSDOCS-5762: clarify firewalld use language
diff --git a/microshift_networking/microshift-firewall.adoc b/microshift_networking/microshift-firewall.adoc
@@ -8,11 +8,28 @@ toc::[]
 
 Firewalls are not required in {product-title}, but using a firewall can prevent undesired access to the {product-title} API.
 
-include::modules/microshift-firewall-config.adoc[leveloffset=+1]
+include::modules/microshift-firewall-about.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources"]
+.Additional resources
+
+* xref:../microshift_networking/microshift-firewall.adoc#microshift-firewall-req-settings_microshift-firewall[Required firewall settings]
+* xref:..//microshift_networking/microshift-firewall.adoc#microshift-firewall-allow-traffic_microshift-firewall[Allowing network traffic through the firewall]
+
 include::modules/microshift-firewalld-install.adoc[leveloffset=+1]
 include::modules/microshift-firewall-req-settings.adoc[leveloffset=+1]
 include::modules/microshift-firewall-opt-settings.adoc[leveloffset=+1]
 include::modules/microshift-firewall-allow-traffic.adoc[leveloffset=+1]
 include::modules/microshift-firewall-apply-settings.adoc[leveloffset=+1]
 include::modules/microshift-firewall-verify-settings.adoc[leveloffset=+1]
-include::modules/microshift-firewall-known-issue.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_microshift-using-a-firewall"]
+.Additional resources
+
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[RHEL: Using and configuring firewalld]
+
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters#viewing-the-current-status-and-settings-of-firewalld_using-and-configuring-firewalld[RHEL: Viewing the current status of firewalld]
+
+include::modules/microshift-firewall-known-issue.adoc[leveloffset=+1]
diff --git a/modules/microshift-firewall-about.adoc b/modules/microshift-firewall-about.adoc
@@ -0,0 +1,25 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-firewall.adoc
+
+:_content-type: CONCEPT
+[id="microshift-firewall-about_{context}"]
+= About network traffic through the firewall
+
+Firewalld is a networking service that runs in the background and responds to connection requests, creating a dynamic customizable host-based firewall. If you are using {op-system-ostree-first} with {product-title}, firewalld should already be installed and you just need to configure it. Details are provided in procedures that follow. Overall, you must explicitly allow the following OVN-Kubernetes traffic when the `firewalld` service is running:
+
+CNI pod to CNI pod::
+CNI pod to Host-Network pod
+Host-Network pod to Host-Network pod
+
+CNI pod::
+The Kubernetes pod that uses the CNI network
+
+Host-Network pod::
+The Kubernetes pod that uses host network
+You can configure the `firewalld` service by using the following procedures. In most cases, firewalld is part of {rhel} installations. If you do not have firewalld, you can install it with the simple procedure in this section.
+
+[IMPORTANT]
+====
+{product-title} pods must have access to the internal CoreDNS component and API servers.
+====
diff --git a/modules/microshift-firewall-allow-traffic.adoc b/modules/microshift-firewall-allow-traffic.adoc
@@ -3,7 +3,7 @@
 // * microshift_networking/microshift-firewall.adoc
 
 :_content-type: PROCEDURE
-[id="microshift-firewall-network-traffic_{context}"]
+[id="microshift-firewall-allow-traffic_{context}"]
 = Allowing network traffic through the firewall
 
 You can allow network traffic through the firewall by first configuring the IP address range with either default or custom values, and then allow internal traffic from pods through the network gateway by inserting the DNS server.
diff --git a/modules/microshift-firewall-config.adoc b/modules/microshift-firewall-config.adoc
diff --git a/modules/microshift-firewalld-install.adoc b/modules/microshift-firewalld-install.adoc
@@ -6,11 +6,19 @@
 [id="microshift-firewall-install_{context}"]
 = Installing the firewalld service
 
-Use the following procedure to install and run the `firewalld` service for {product-title}.
+If you are using {op-system-ostree}, firewalld should be installed. To use the service, you can simply configure it. The following procedure can be used if you do not have firewalld, but want to use it.
+
 
 .Procedure
 
-. To install the `firewalld` service, run the following command:
+. Optional: Check for firewalld on your system by running the following command:
++
+[source,terminal]
+----
+$ rpm -q firewalld
+----
+
+. If the `firewalld` service is not installed, run the following command:
 +
 [source,terminal]
 ----
@@ -23,3 +31,4 @@ $ sudo dnf install -y firewalld
 ----
 $ sudo systemctl enable firewalld --now
 ----
+
