Merge pull request #52114 from JoeAldinger/OSDOCS-4072

OSDOCS-4072: adds ingress firewall node operator

Author: mburke5678

_topic_maps/_topic_map.yml

@@ -1026,6 +1026,9 @@ Topics:
 - Name: Understanding the Ingress Operator
   File: ingress-operator
   Distros: openshift-enterprise,openshift-origin
+- Name: Understanding the Ingress Node Firewall Operator
+  File: ingress-node-firewall-operator
+  Distros: openshift-enterprise,openshift-origin
 - Name: Configuring the Ingress Controller for manual DNS management
   File: ingress-controller-dnsmgt
   Distros: openshift-enterprise,openshift-origin

modules/nw-infw-operator-config-object.adoc

@@ -0,0 +1,70 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress-node-firewall-operator.adoc
+
+:_content-type: CONCEPT
+[id="nw-infw-operator-config-object_{context}"]
+== Ingress Node Firewall configuration object
+
+The fields for the Ingress Node Firewall configuration object are described in the following table:
+
+.Ingress Node Firewall Configuration object
+[cols=".^2,.^2,.^6a",options="header"]
+|====
+|Field|Type|Description
+
+|`metadata.name`
+|`string`
+|The name of the CR object. The name of the firewall rules object must be `ingressnodefirewallconfig`.
+
+|`metadata.namespace`
+|`string`
+|Namespace for the Ingress Firewall Operator CR object. The `IngressNodeFirewallConfig` CR must be created inside the `openshift-ingress-node-firewall` namespace.
+
+|`spec.nodeSelector`
+|`string`
+|
+A node selection constraint used to target nodes through specified node labels. For example:
+
+[source,yaml]
+----
+spec:
+  nodeSelector:
+    node-role.kubernetes.io/worker: ""
+----
+
+[NOTE]
+====
+One label used in `nodeSelector` must match a label on the nodes in order for the daemon set to start. For example, if the node labels `node-role.kubernetes.io/worker` and `node-type.kubernetes.io/vm` are applied to a node, then at least one label must be set using `nodeSelector` for the daemon set to start.
+====
+
+|====
+
+[NOTE]
+====
+The Operator consumes the CR and creates an ingress node firewall daemon set on all the nodes that match the `nodeSelector`.
+====
+
+[discrete]
+[id="nw-ingress-node-firewall-example-cr-2_{context}"]
+== Ingress Node Firewall Operator example configuration
+
+A complete Ingress Node Firewall Configuration is specified in the following example:
+
+.Example Ingress Node Firewall Configuration object
+[source,yaml]
+----
+apiVersion: ingressnodefirewall.openshift.io/v1alpha1
+kind: IngressNodeFirewallConfig
+metadata:
+  name: ingressnodefirewallconfig
+  namespace: openshift-ingress-node-firewall
+spec:
+  nodeSelector:
+    node-role.kubernetes.io/worker: ""
+----
+
+[NOTE]
+====
+The Operator consumes the CR and creates an ingress node firewall daemon set on all the nodes that match the `nodeSelector`.
+====

modules/nw-infw-operator-cr.adoc

@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress-node-firewall-operator.adoc
+
+:_content-type: CONCEPT
+[id="nw-infw-operator-cr_{context}"]
+= Ingress Node Firewall Operator
+
+The Ingress Node Firewall Operator provides ingress firewall rules at a node level by deploying the daemon set to nodes you specify and manage in the firewall configurations. To deploy the daemon set, you create an `IngressNodeFirewallConfig` custom resource (CR). The Operator applies the `IngressNodeFirewallConfig` CR to create ingress node firewall daemon set `daemon`, which run on all nodes that match the `nodeSelector`.
+
+You configure `rules` of the `IngressNodeFirewall` CR and apply them to clusters using the `nodeSelector` and setting values to "true".
+
+[IMPORTANT]
+====
+The Ingress Node Firewall Operator supports only stateless firewall rules.
+
+The maximum transmission units (MTU) parameter is 4Kb (kilobytes) in {product-title} {product-version}.
+
+Network interface controllers (NICs) that do not support native XDP drivers will run at a lower performance.
+====

modules/nw-infw-operator-deploying.adoc

@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress-node-firewall-operator.adoc
+
+:_content-type: PROCEDURE
+[id="nw-infw-operator-deploying_{context}"]
+= Deploying Ingress Node Firewall Operator
+
+.Prerequisite
+* The Ingress Node Firewall Operator is installed.
+
+.Procedure
+
+To delploy the Ingress Node Firewall Operator, create a `IngressNodeFirewallConfig` custom resource that will deploy the Operator's daemon set. You can deploy one or multiple `IngressNodeFirewall` CRDs to nodes by applying firewall rules.
+
+. Create the `IngressNodeFirewallConfig` inside the `openshift-ingress-node-firewall` namespace named `ingressnodefirewallconfig`.
+
+. Run the following command to deploy Ingress Node Firewall Operator rules:
++
+[source,terminal]
+----
+$ oc apply -f rule.yaml
+----

modules/nw-infw-operator-installing.adoc

@@ -0,0 +1,151 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress-node-firewall-operator.adoc
+
+:_content-type: PROCEDURE
+[id="installing-infw-operator_{context}"]
+= Installing the Ingress Node Firewall Operator
+
+As a cluster administrator, you can install the Ingress Node Firewall Operator by using the {product-title} CLI or the web console.
+
+[id="install-operator-cli_{context}"]
+== Installing the Ingress Node Firewall Operator using the CLI
+
+As a cluster administrator, you can install the Operator using the CLI.
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+* You have an account with administrator privileges.
+
+.Procedure
+
+. To create the `openshift-ingress-node-firewall` namespace, enter the following command:
++
+[source,terminal]
+----
+$ cat << EOF| oc create -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: v1.24
+  name: openshift-ingress-node-firewall
+EOF
+----
+
+. To create an `OperatorGroup` CR, enter the following command:
++
+[source,terminal]
+----
+$ cat << EOF| oc create -f -
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: ingress-node-firewall-operators
+  namespace: openshift-ingress-node-firewall
+EOF
+----
+
+. Subscribe to the Ingress Node Firewall Operator.
+
+.. To create a `Subscription` CR for the Ingress Node Firewall Operator, enter the following command:
++
+[source,terminal]
+----
+$ cat << EOF| oc create -f -
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: ingress-node-firewall-sub
+  namespace: openshift-ingress-node-firewall
+spec:
+  name: ingress-node-firewall
+  channel: stable
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+EOF
+----
+
+. To verify that the Operator is installed, enter the following command:
++
+[source,terminal]
+----
+$ oc get ip -n openshift-ingress-node-firewall
+----
++
+.Example output
+[source,terminal]
+----
+NAME            CSV                                         APPROVAL    APPROVED
+install-5cvnz   ingress-node-firewall.4.12.0-202211122336   Automatic   true
+----
+
+. To verify the version of the Operator, enter the following command:
+
++
+[source,terminal]
+----
+$ oc get csv -n openshift-ingress-node-firewall
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                        DISPLAY                          VERSION               REPLACES                                    PHASE
+ingress-node-firewall.4.12.0-202211122336   Ingress Node Firewall Operator   4.12.0-202211122336   ingress-node-firewall.4.12.0-202211102047   Succeeded
+----
+
+[id="install-operator-web-console_{context}"]
+== Installing the Ingress Node Firewall Operator using the web console
+
+As a cluster administrator, you can install the Operator using the web console.
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+* You have an account with administrator privileges.
+
+.Procedure
+
+
+. Install the Ingress Node Firewall Operator:
+
+.. In the {product-title} web console, click *Operators* -> *OperatorHub*.
+
+.. Select *Ingress Node Firewall Operator* from the list of available Operators, and then click *Install*.
+
+.. On the *Install Operator* page, under *Installed Namespace*, select *Operator recommended Namespace*.
+
+.. Click *Install*.
+
+. Verify that the Ingress Node Firewall Operator is installed successfully:
+
+.. Navigate to the *Operators* -> *Installed Operators* page.
+
+.. Ensure that *Ingress Node Firewall Operator* is listed in the *openshift-ingress-node-firewall* project with a *Status* of *InstallSucceeded*.
++
+[NOTE]
+====
+During installation an Operator might display a *Failed* status.
+If the installation later succeeds with an *InstallSucceeded* message, you can ignore the *Failed* message.
+====
+
++
+If the Operator does not have a *Status* of *InstallSucceeded*, troubleshoot using the following steps:
+
++
+* Inspect the *Operator Subscriptions* and *Install Plans* tabs for any failures or errors under *Status*.
+* Navigate to the *Workloads* -> *Pods* page and check the logs for pods in the `openshift-ingress-node-firewall` project.
+* Check the namespace of the YAML file. If the annotation is missing, you can add the annotation `workload.openshift.io/allowed=management` to the Operator namespace with the following command:
++
+[source,terminal]
+----
+$ oc annotate ns/openshift-ingress-node-firewall workload.openshift.io/allowed=management
+----
++
+[NOTE]
+====
+For {sno} clusters, the `openshift-ingress-node-firewall` namespace requires the `workload.openshift.io/allowed=management` annotation.
+====