Merge pull request #33202 from rolfedh/RHDEVDOCS-3053

neal-timpe · web-flow · commit e94380c231c2 · 2021-06-15T08:49:31.000-04:00
RHDEVDOCS-3053: Tracker for PR #33193, Fix missing label on OpenShift …
diff --git a/logging/cluster-logging-deploying.adoc b/logging/cluster-logging-deploying.adoc
@@ -24,26 +24,38 @@ The process for deploying OpenShift Logging to {product-title} involves:
 
 include::modules/cluster-logging-deploy-console.adoc[leveloffset=+1]
 
+.Additional resources
+
+* xref:../operators/admin/olm-adding-operators-to-cluster.adoc#olm-installing-operators-from-operatorhub_olm-adding-operators-to-a-cluster[Installing Operators from the OperatorHub]
+
 == Post-installation tasks
 
 If you plan to use Kibana, you must xref:#cluster-logging-visualizer-indices_cluster-logging-deploying[manually create your Kibana index patterns and visualizations] to explore and visualize data in Kibana.
 
+If your cluster network provider enforces network isolation, xref:#cluster-logging-deploy-multitenant_cluster-logging-deploying[allow network traffic between the projects that contain the OpenShift Logging operators].
+
+
 include::modules/cluster-logging-deploy-cli.adoc[leveloffset=+1]
 
 == Post-installation tasks
 
 If you plan to use Kibana, you must xref:#cluster-logging-visualizer-indices_cluster-logging-deploying[manually create your Kibana index patterns and visualizations] to explore and visualize data in Kibana.
 
+If your cluster network provider enforces network isolation, xref:#cluster-logging-deploy-multitenant_cluster-logging-deploying[allow network traffic between the projects that contain the OpenShift Logging operators].
+
 include::modules/cluster-logging-visualizer-indices.adoc[leveloffset=+2]
 
 include::modules/cluster-logging-deploy-multitenant.adoc[leveloffset=+2]
 
+.Additional resources
+
+* xref:../networking/network_policy/about-network-policy.adoc[About network policy]
+* xref:../networking/openshift_sdn/about-openshift-sdn.adoc[About the OpenShift SDN default CNI network provider]
+* xref:../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc[About the OVN-Kubernetes default Container Network Interface (CNI) network provider]
+
+
 // include::modules/cluster-logging-deploy-memory.adoc[leveloffset=+1]
 
 // include::modules/cluster-logging-deploy-certificates.adoc[leveloffset=+1]
 
 // include::modules/cluster-logging-deploy-label.adoc[leveloffset=+1]
-
-== Additional resources
-
-* For more information on installing Operators, see xref:../operators/admin/olm-adding-operators-to-cluster.adoc#olm-installing-operators-from-operatorhub_olm-adding-operators-to-a-cluster[Installing Operators from the OperatorHub].
diff --git a/modules/cluster-logging-deploy-multitenant.adoc b/modules/cluster-logging-deploy-multitenant.adoc
@@ -3,28 +3,43 @@
 // * logging/cluster-logging-deploying.adoc
 
 [id="cluster-logging-deploy-multitenant_{context}"]
-= Installing OpenShift Logging into a multitenant network
+= Allowing traffic between projects when network isolation is enabled
 
-If you are deploying OpenShift Logging into a cluster that uses multitenant isolation mode, projects are isolated from other projects. As a result, network traffic is not allowed between pods or services in different projects.
+Your cluster network provider might enforce network isolation. If so, you must allow network traffic between the projects that contain the operators deployed by OpenShift Logging.
 
-Because the OpenShift Elasticsearch Operator and the Red Hat OpenShift Logging Operator are installed in different projects, you must explicitly allow access between the  `openshift-operators-redhat` and `openshift-logging` projects. How you allow this access depends on how you configured multitenant isolation mode.
+Network isolation blocks network traffic between pods or services that are in different projects. OpenShift Logging installs the _OpenShift Elasticsearch Operator_ in the `openshift-operators-redhat` project and the _Red Hat OpenShift Logging Operator_ in the `openshift-logging` project. Therefore, you must allow traffic between these two projects.
 
-.Procedure
+{product-title} offers two supported choices for the default Container Network Interface (CNI) network provider, OpenShift SDN and OVN-Kubernetes. These two providers implement various network isolation policies.
 
-To allow traffic between the OpenShift Elasticsearch Operator and the Red Hat OpenShift Logging Operator, perform one of the following:
+OpenShift SDN has three modes:
 
-* If you configured multitenant isolation mode with the OpenShift SDN CNI plug-in set to the *Multitenant* mode, use the following command to join the two projects:
-+
-For example:
+network policy:: This is the default mode. If no policy is defined, it allows all traffic. However, if a user defines a policy, they typically start by denying all traffic and then adding exceptions. This process might break applications that are running in different projects. Therefore, explicitly configure the policy to allow traffic to egress from one logging-related project to the other.
+
+multitenant:: This mode enforces network isolation. You must join the two logging-related projects to allow traffic between them.
+
+subnet:: This mode allows all traffic. It does not enforce network isolation. No action is needed.
+
+OVN-Kubernetes always uses a *network policy*. Therefore, as with OpenShift SDN, you must configure the policy to allow traffic to egress from one logging-related project to the other.
+
+.Procedure
+
+* If you are using OpenShift SDN in *multitenant* mode, join the two projects. For example:
 +
 [source,terminal]
 ----
 $ oc adm pod-network join-projects --to=openshift-operators-redhat openshift-logging
 ----
 
-* If you configured multitenant isolation mode with the OpenShift SDN CNI plug-in set to the *NetworkPolicy* mode, create a network policy object in the `openshift-logging` namespace that allows ingress from the `openshift-operators-redhat` project to the `openshift-logging` project.
+* Otherwise, for OpenShift SDN in *network policy* mode and OVN-Kubernetes, perform the following actions:
+
+.. Set a label on the `openshift-operators-redhat` namespace. For example:
 +
-For example:
+[source,terminal]
+----
+$ oc label namespace openshift-operators-redhat project=openshift-operators-redhat
+----
+
+.. Create a network policy object in the `openshift-logging` namespace that allows ingress from the `openshift-operators-redhat` project to the `openshift-logging` project. For example:
 +
 [source,yaml]
 ----
@@ -39,4 +54,3 @@ spec:
           matchLabels:
             project: openshift-operators-redhat
 ----
-
diff --git a/modules/cnf-performing-end-to-end-tests-for-platform-verification.adoc b/modules/cnf-performing-end-to-end-tests-for-platform-verification.adoc
@@ -24,7 +24,7 @@ Validations include:
 * Having the SR-IOV Operator installed
 * Having the PTP Operator installed
 * Enabling the `contain-mount-namespace` mode via machine config
-* Using OVN kubernetes as the SDN
+* Using OVN-kubernetes as the cluster network provider
 
 Latency tests, a part of the CNF-test container, also require the same validations. For more information about running a latency test, see the Running the latency tests section.
 
