From d34c2ae17e5d474a7645c139e3456ab9e18dcba3 Mon Sep 17 00:00:00 2001 From: dfitzmau Date: Thu, 23 Apr 2026 15:46:16 +0100 Subject: [PATCH] OSDOCS-18201: Added note about default NPs OCP includes in its namespaces --- modules/nw-networkpolicy-about.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nw-networkpolicy-about.adoc b/modules/nw-networkpolicy-about.adoc index 80d57f60ae04..92ec9c06a43a 100644 --- a/modules/nw-networkpolicy-about.adoc +++ b/modules/nw-networkpolicy-about.adoc @@ -8,6 +8,11 @@ By default, all pods in a project are accessible from other pods and network endpoints. To isolate one or more pods in a project, you can create `NetworkPolicy` objects in that project to indicate the allowed incoming connections. Project administrators can create and delete `NetworkPolicy` objects within their own project. +[IMPORTANT] +==== +From {product-title} 4.22, {product-title} now includes `NetworkPolicy` objects in its own namespaces by default. This inclusion improves overall security and better protects control plane components. Do not modify the `NetworkPolicy` objects that {product-title} includes in its own namespaces by default. +==== + If a pod is matched by selectors in one or more `NetworkPolicy` objects, then the pod will accept only connections that are allowed by at least one of those `NetworkPolicy` objects. A pod that is not selected by any `NetworkPolicy` objects is fully accessible. A network policy applies to only the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Stream Control Transmission Protocol (SCTP) protocols. Other protocols are not affected.
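Review bot: The added `[IMPORTANT]` block sits directly after the unchanged sentence "By default, all pods in a project are accessible from other pods and network endpoints", and the two now read as contradicting each other for the namespaces that {product-title} owns. Consider scoping that opening sentence to user-created projects, or stating in the admonition that pods selected by the default policies accept only the connections those policies allow. In the first added sentence, "From {product-title} 4.22" and "now" say the same thing and the attribute is repeated; "From {product-title} 4.22, `NetworkPolicy` objects are included by default in the namespaces that {product-title} owns" would be tighter. The final "Do not modify" sentence gives the reader no way to tell which objects or namespaces are meant and no stated consequence of changing them; a short pointer to how to recognise the default objects, and what happens if they are edited, would make the instruction actionable.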