From c9736ab795796ed32553b080ecccf993f204e8da Mon Sep 17 00:00:00 2001 From: JoeAldinger Date: Tue, 12 Aug 2025 10:50:46 -0400 Subject: [PATCH] OSDOCS-13364:adds ovn-k conditional for egress firewall --- modules/nw-egressnetworkpolicy-about.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/nw-egressnetworkpolicy-about.adoc b/modules/nw-egressnetworkpolicy-about.adoc index af6af8d26e37..58aeb4d21928 100644 --- a/modules/nw-egressnetworkpolicy-about.adoc +++ b/modules/nw-egressnetworkpolicy-about.adoc @@ -42,7 +42,7 @@ You configure an egress firewall policy by creating an {kind} custom resource (C ifdef::ovn[] - A port number - A protocol that is one of the following protocols: TCP, UDP, and SCTP -endif::ovn[] + [IMPORTANT] ==== @@ -75,6 +75,7 @@ To find the IP address for your API servers, run `oc get ep kubernetes -n defaul For more information, see link:https://bugzilla.redhat.com/show_bug.cgi?id=1988324[BZ#1988324]. ==== +endif::ovn[] ifdef::openshift-sdn[] [IMPORTANT] 
@@ -120,7 +121,7 @@ ifdef::openshift-sdn[] - Projects merged by using the `oc adm pod-network join-projects` command cannot use an egress firewall in any of the joined projects. -* If you create a selectorless service and manually define endpoints or `EndpointSlices` that point to external IPs, traffic to the service IP might still be allowed, even if your `EgressNetworkPolicy` is configured to deny all egress traffic. This occurs because OpenShift SDN does not fully enforce egress network policies for these external endpoints. Consequently, this might result in unexpected access to external services. +* If you create a selectorless service and manually define endpoints or `EndpointSlices` that point to external IPs, traffic to the service IP might still be allowed, even if your `EgressNetworkPolicy` is configured to deny all egress traffic. This occurs because OpenShift SDN does not fully enforce egress network policies for these external endpoints. Consequently, this might result in unexpected access to external services. endif::openshift-sdn[] Violating any of these restrictions results in a broken egress firewall for the project. Consequently, all external network traffic is dropped, which can cause security risks for your organization.
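Review bot: In the first hunk, moving `endif::ovn[]` from directly after the SCTP protocol line to after the closing `====` of the API-server admonition makes everything in between (the "To find the IP address for your API servers, run `oc get ep kubernetes -n default`" guidance and the BZ#1988324 reference) OVN-Kubernetes only; please confirm that none of that admonition content also applies to OpenShift SDN, because after this change SDN builds lose it entirely, and double-check the lines not shown between the two hunk fragments for any other `ifdef`/`endif` so the `ifdef::ovn[]` opened at line 42 is still closed exactly once. The `-endif::ovn[]` line is replaced by a bare `+` line, so also verify that replacement line is genuinely empty rather than carrying trailing whitespace.

Review bot: The `-`/`+` pair for the selectorless-service bullet in the second hunk is textually identical in the visible diff, so it is a whitespace-only change (most likely trailing whitespace); either drop it from the patch if it was unintentional, or note the cleanup in the commit message so reviewers do not hunt for a wording change that is not there.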