[OSDOCS-16840] PR 1 of 4 for ANP ADV audits#112297
Open
stevsmit wants to merge 1 commit into
Open
Conversation
openshift-ci
Bot
added
the
size/S
|
@stevsmit: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
stevsmit
added
the
merge-review-needed
stevsmit
changed the title
JoeAldinger
added
merge-review-in-progress
JoeAldinger
reviewed
May 27, 2026
Contributor
JoeAldinger
left a comment
JoeAldinger
left a comment
There was a problem hiding this comment.
/lgtm small suggestion
|
|
||
| Audit logging is enabled per `AdminNetworkPolicy` CR by annotating an ANP policy with the `k8s.ovn.org/acl-logging` key such as in the following example: | ||
| [role="_abstract"] | ||
| You can enable audit logging for individual `AdminNetworkPolicy` custom resources in {product-title} by annotating each policy with the `k8s.ovn.org/acl-logging` key. Use the resulting logs to verify how `allow`, `deny`, and `pass` rules affect traffic between namespaces. |
Contributor
There was a problem hiding this comment.
Suggested change
| You can enable audit logging for individual `AdminNetworkPolicy` custom resources in {product-title} by annotating each policy with the `k8s.ovn.org/acl-logging` key. Use the resulting logs to verify how `allow`, `deny`, and `pass` rules affect traffic between namespaces. | |
| You can enable audit logging for individual `AdminNetworkPolicy` custom resources in {product-title} by annotating each policy with the `k8s.ovn.org/acl-logging` key. Use the resulting logs to verify how `Allow`, `Deny`, and `Pass` rules affect traffic between namespaces. |
| You can enable audit logging for individual `AdminNetworkPolicy` custom resources in {product-title} by annotating each policy with the `k8s.ovn.org/acl-logging` key. Use the resulting logs to verify how `allow`, `deny`, and `pass` rules affect traffic between namespaces. | ||
|
|
||
| .Example of annotation for `AdminNetworkPolicy` CR | ||
| [%collapsible] |
Contributor
There was a problem hiding this comment.
I'd take these out if it were me.
|
|
||
| As a cluster administrator, you can enable audit logging for a namespace. | ||
| [role="_abstract"] | ||
| To enable egress firewall and network policy audit logging for a namespace in {product-title}, you can add the `k8s.ovn.org/acl-logging` annotation with the `oc annotate` command. You can also apply a namespace YAML file that sets `allow` and `deny` log severity levels. |
Contributor
There was a problem hiding this comment.
Suggested change
| To enable egress firewall and network policy audit logging for a namespace in {product-title}, you can add the `k8s.ovn.org/acl-logging` annotation with the `oc annotate` command. You can also apply a namespace YAML file that sets `allow` and `deny` log severity levels. | |
| To enable egress firewall and network policy audit logging for a namespace in {product-title}, you can add the `k8s.ovn.org/acl-logging` annotation with the `oc annotate` command. You can also apply a namespace YAML file that sets `Allow` and `Deny` log severity levels. |
| toc::[] | ||
|
|
||
| [role="_abstract"] | ||
| The OVN-Kubernetes network plugin uses Open Virtual Network (OVN) access control lists (ACLs) to manage `AdminNetworkPolicy`, `BaselineAdminNetworkPolicy`, `NetworkPolicy`, and `EgressFirewall` objects. Audit logging exposes `allow` and `deny` ACL events for `NetworkPolicy`, `EgressFirewall` and `BaselineAdminNetworkPolicy` custom resources (CR). Logging also exposes `allow`, `deny`, and `pass` ACL events for `AdminNetworkPolicy` (ANP) CR. |
Contributor
There was a problem hiding this comment.
Suggested change
| The OVN-Kubernetes network plugin uses Open Virtual Network (OVN) access control lists (ACLs) to manage `AdminNetworkPolicy`, `BaselineAdminNetworkPolicy`, `NetworkPolicy`, and `EgressFirewall` objects. Audit logging exposes `allow` and `deny` ACL events for `NetworkPolicy`, `EgressFirewall` and `BaselineAdminNetworkPolicy` custom resources (CR). Logging also exposes `allow`, `deny`, and `pass` ACL events for `AdminNetworkPolicy` (ANP) CR. | |
| The OVN-Kubernetes network plugin uses Open Virtual Network (OVN) access control lists (ACLs) to manage `AdminNetworkPolicy`, `BaselineAdminNetworkPolicy`, `NetworkPolicy`, and `EgressFirewall` objects. Audit logging exposes `Allow` and `Deny` ACL events for `NetworkPolicy`, `EgressFirewall` and `BaselineAdminNetworkPolicy` custom resources (CR). Logging also exposes `Allow`, `Deny`, and `Pass` ACL events for `AdminNetworkPolicy` (ANP) CR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Version(s):
4.20+
Issue:
https://redhat.atlassian.net/browse/OSDOCS-16840
Link to docs preview:
https://112297--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/network_security/logging-network-security.html
https://112297--ocpdocs-pr.netlify.app/openshift-rosa-hcp/latest/networking/network_security/logging-network-security.html
https://112297--ocpdocs-pr.netlify.app/openshift-rosa/latest/networking/network_security/logging-network-security.html
QE review:
Additional information: