Merge pull request #92866 from JoeAldinger/OCPBUGS-55471-4.17

[enteprise-4.17] OCPBUGS-55471:fixes OVN-K external IP docs

Author: JoeAldinger

modules/nw-networkpolicy-optimize-ovn.adoc

@@ -102,3 +102,42 @@ spec:
 ----
 +
 You can apply this optimization when only multiple selectors are expressed as one. In cases where selectors are based on different labels, it may not be possible to apply this optimization. In those cases, consider applying some new labels for network policy optimization specifically.
+
+[id="nw-networkpolicy-external-ip-ovn_{context}"]
+== NetworkPolicy CR and external IPs in OVN-Kubernetes
+
+In OVN-Kubernetes, the `NetworkPolicy` custom resource (CR) enforces strict isolation rules. If a service is exposed using an external IP, a network policy can block access from other namespaces unless explicitly configured to allow traffic.
+
+To allow access to external IPs across namespaces, create a `NetworkPolicy` CR that explicitly permits ingress from the required namespaces and ensures traffic is allowed to the designated service ports. Without allowing traffic to the required ports, access might still be restricted.
+
+.Example output
+[source,yaml]
+----
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    annotations:
+    name: <policy_name>
+    namespace: openshift-ingress
+  spec:
+    ingress:
+    - ports:
+      - port: 80
+        protocol: TCP
+    - ports:
+      - port: 443
+        protocol: TCP
+    - from:
+      - namespaceSelector:
+          matchLabels:
+          kubernetes.io/metadata.name: <my_namespace>
+    podSelector: {}
+    policyTypes:
+    - Ingress
+----
+where:
+
+`<policy_name>`:: Specifies your name for the policy.
+`<my_namespace>`:: Specifies the name of the namespace where the policy is deployed.
+
+For more details, see "About network policy".