Bug 1565778

Summary: [DOCS] egress documentation is focused around multi-tenant
Product: OpenShift Container Platform
Reporter: Ruchika K <rkharwar>
Component: Documentation
Assignee: brice <bfallonf>
Status: CLOSED CURRENTRELEASE
QA Contact: Meng Bo <bmeng>
Severity: unspecified
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 3.9.0
CC: aos-bugs, bbennett, jokerman, mmccomas, rkharwar, rpenta
Last Closed: 2018-07-19 04:14:13 UTC
Type: Bug

Description Ruchika K 2018-04-10 18:56:49 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.9/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress

Section Number and Name: 
The documentation focuses on the multitenant plugin. With the network policy plugin now fully supported and being the popular choice as per the community, it is not clear whether egress policies need the multitenant plugin ONLY or whether they will also work with the network policy plugin.

Describe the issue: 
Customers are confused about what the caveats are and how to pick out what is relevant if they use the network policy plugin.

Suggestions for improvement: 
If lines could be added on how things would differ if the network policy plugin is used, it would make things much clearer.

Additional information:

Comment 2 Ben Bennett 2018-06-20 10:55:10 UTC
Ravi: Does the egress firewall work with all three of our SDN plugins?  Thanks.

Comment 3 Ravi Sankar 2018-06-21 16:02:59 UTC
Yes, egress network policy is compatible with all three SDN plugins. Keep in mind that the networkpolicy plugin provides granular isolation (namespace or pod selector). Currently egress network policy can only be applied at the namespace level, with some caveats: only one egress np per namespace is allowed, namespaces that share a network with other namespaces are not allowed, and global namespaces are not allowed.

Comment 4 Ravi Sankar 2018-06-21 16:34:38 UTC
Correction to my previous comment; I gave a contradictory statement: egress np is compatible with all 3 SDN plugins but global namespaces are not allowed. The subnet network plugin only has global namespaces.

So the correct answer: egress network policy is compatible with 2 SDN plugins: multitenant and networkpolicy plugins.
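The caveats from comments 3 and 4 can be checked before a policy is rolled out. The following is an added example, not part of the original thread or of the OpenShift code base: the function name and the sample cluster state are constructed, and it assumes openshift-sdn's NetNamespace data (`netname`, `netid`), where joined namespaces share a NetID and NetID 0 marks a global namespace.

```python
from collections import Counter

# Plugins named in comment 4 as compatible (openshift-sdn plugin identifiers).
SUPPORTED_PLUGINS = {
    "redhat/openshift-ovs-multitenant",
    "redhat/openshift-ovs-networkpolicy",
}
GLOBAL_NETID = 0  # assumption: NetID 0 marks a global namespace


def egress_policy_problems(plugin, netnamespaces, policy_namespaces):
    """Return {namespace: [reasons]} for every namespace where an
    EgressNetworkPolicy violates the caveats from comments 3 and 4.

    netnamespaces: list of {"netname", "netid"} dicts (NetNamespace objects)
    policy_namespaces: namespace of each existing EgressNetworkPolicy
    """
    netid_of = {n["netname"]: n["netid"] for n in netnamespaces}
    sharers = Counter(netid_of.values())   # how many namespaces use each NetID
    policies = Counter(policy_namespaces)  # how many policies per namespace
    problems = {}
    for ns, count in sorted(policies.items()):
        reasons = []
        if plugin not in SUPPORTED_PLUGINS:
            reasons.append("plugin does not support egress network policy")
        netid = netid_of.get(ns)
        if netid is None:
            reasons.append("no NetNamespace found")
        elif netid == GLOBAL_NETID:
            reasons.append("global namespace")
        elif sharers[netid] > 1:
            reasons.append("shares its network with another namespace")
        if count > 1:
            reasons.append("more than one policy in namespace")
        if reasons:
            problems[ns] = reasons
    return problems


# Constructed sample: 'default' is global, 'team-a' and 'team-b' were joined.
SAMPLE_NETNAMESPACES = [
    {"netname": "default", "netid": 0},
    {"netname": "team-a", "netid": 4211},
    {"netname": "team-b", "netid": 4211},
    {"netname": "payments", "netid": 9137},
]
SAMPLE_POLICIES = ["default", "team-a", "payments", "payments"]
```

An empty result means every namespace that carries a policy meets all of the caveats listed in the thread.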

Comment 5 brice 2018-06-26 04:31:19 UTC
Thanks, Ben, Rajat

I've created a PR for this:

https://github.com/openshift/openshift-docs/pull/10421

Most of the caveats Rajat mentions are already there in an admonition, so I extended on that with the rest of the info.

Ruchika, can I verify that the information you're requesting is in the PR? I don't think we should write the docs as though network policy is the one the reader will be using, because it is not yet the default. Once that happens, then I'd agree the docs would need a rewrite.

Comment 6 brice 2018-06-28 01:52:14 UTC
Hmm, looks like Ruchika's account has shut down. I think the information needed is there, so I'll move forward with this BZ, but if anyone watching has thoughts on the PR, please let me know.

Comment 7 openshift-github-bot 2018-06-29 00:59:51 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/dd15654b7c12b619bf0d16bd105e2f3fddeb9066
Merge pull request #10421 from bfallonf/egressnetwork_1565778

Bug 1565778 Added caveats about egress policy and networkpolicy plugin

Comment 9 Red Hat Bugzilla 2023-09-14 04:26:36 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days