Merge pull request #49806 from JoeAldinger/OSDOCS-3908

OSDOCS-3908: enhances egressfirewall to include nodeSelector

Author: stevsmit

modules/nw-egressnetworkpolicy-about.adoc

@@ -46,11 +46,7 @@ endif::ovn[]
 
 [IMPORTANT]
 ====
-If your egress firewall includes a deny rule for `0.0.0.0/0`, access to your {product-title} API servers is blocked. You must include the IP address range that the API servers listen on in your egress firewall rules.
-
-ifdef::ovn[]
-If you use the OVN-Kubernetes network plugin, you must include the built-in join network `100.64.0.0/16` to allow access when using node ports together with an egress firewall. If you changed this join network during cluster installation, use the value that you specified instead of `100.64.0.0/16`.
-endif::ovn[]
+If your egress firewall includes a deny rule for `0.0.0.0/0`, access to your {product-title} API servers is blocked. You must either add allow rules for each IP address or use the `nodeSelector` type allow rule in your egress policy rules to connect to API servers.
 
 The following example illustrates the order of the egress firewall rules necessary to ensure API server access:
 

modules/nw-egressnetworkpolicy-object.adoc

@@ -49,7 +49,7 @@ endif::ovn[]
 [id="egressnetworkpolicy-rules_{context}"]
 == {kind} rules
 
-The following YAML describes an egress firewall rule object. The `egress` stanza expects an array of one or more objects.
+The following YAML describes an egress firewall rule object. The user can select either an IP address range in CIDR format, a domain name, or use the `nodeSelector` to allow or deny egress traffic. The `egress` stanza expects an array of one or more objects.
 
 // - OVN-Kubernetes does not support DNS
 // - OpenShift SDN does not support port and protocol specification
@@ -77,14 +77,16 @@ egress:
   to: <2>
     cidrSelector: <cidr> <3>
     dnsName: <dns_name> <4>
-  ports: <5>
+    nodeSelector: <label_name>: <label_value> <5>
+  ports: <6>
       ...
 ----
 <1> The type of rule. The value must be either `Allow` or `Deny`.
 <2> A stanza describing an egress traffic match rule that specifies the `cidrSelector` field or the `dnsName` field. You cannot use both fields in the same rule.
 <3> An IP address range in CIDR format.
 <4> A DNS domain name.
-<5> Optional: A stanza describing a collection of network ports and protocols for the rule.
+<5> Labels are key/value pairs that the user defines. Labels are attached to objects, such as pods. The `nodeSelector` allows for one or more node labels to be selected and attached to pods.
+<6> Optional: A stanza describing a collection of network ports and protocols for the rule.
 
 .Ports stanza
 [source,yaml]
@@ -143,6 +145,31 @@ spec:
       protocol: TCP
     - port: 443
 ----
+
+[id="configuringNodeSelector-example_{context}"]
+== Example nodeSelector for {kind}
+
+As a cluster administrator, you can allow or deny egress traffic to nodes in your cluster by specifying a label using `nodeSelector`. Labels can be applied to one or more nodes. The following is an example with the `region=east` label:
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: default
+spec:
+    egress:
+    - to:
+        nodeSelector:
+          matchLabels:
+            region: east
+      type: Allow
+----
+
+[TIP]
+====
+Instead of adding manual rules per node IP address, use node selectors to create a label that allows pods behind an egress firewall to access host network pods.
+====
 endif::ovn[]
 
 ifdef::kind[]