Merge pull request #100718 from theashiot/OBSDOCS-1806

OBSDOCS-1806: Tailored Network Policies for Loki Operator

Author: briandooley

configuring/configuring-the-log-store.adoc

@@ -66,6 +66,19 @@ include::modules/loki-zone-aware-replication.adoc[leveloffset=+2]
 include::modules/loki-zone-fail-recovery.adoc[leveloffset=+2]
 include::modules/loki-rate-limit-errors.adoc[leveloffset=+2]
 
+[id="loki-network-policies-for-added-security_{context}"]
+== Loki network policies for added security
+
+{loki-op} can deploy and manage a set of network policies that restrict the communications to and from the Loki components to enhance security.
+
+include::modules/loki-network-policies.adoc[leveloffset=+2]
+
+include::modules/configuring-a-network-policy-for-loki.adoc[leveloffset=+2]
+
+include::modules/loki-networkpolicy-resources.adoc[leveloffset=+2]
+
+include::modules/integrating-loki-network-policy-with-external-systems.adoc[leveloffset=+2]
+
 //log based alerts
 [id="log-based-alerts_{context}"]
 == Log-based alerts for Loki

modules/configuring-a-network-policy-for-loki.adoc

@@ -0,0 +1,56 @@
+:_newdoc-version: 2.18.4
+:_template-generated: 2025-10-17
+:_mod-docs-content-type: PROCEDURE
+
+[id="configuring-a-network-policy-for-loki_{context}"]
+= Configuring a network policy for Loki
+
+Enable or disable the deployment of `NetworkPolicies` per LokiStack by setting the `networkPolicies` field. 
+
+.Prerequisites
+* You have administrator permissions.
+* You have installed the {oc-first}.
+* You have installed the {loki-op}.
+* You have created a `LokiStack` custom resource (CR).
+
+.Procedure
+. Update the `LokiStack` CR:
++
+[source,yaml]
+----
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki
+  namespace: openshift-logging
+spec:
+  size: 1x.small
+  storage:
+    schemas:
+    - version: v13
+      effectiveDate: "<yyyy>-<mm>-<dd>"
+    secret:
+      name: logging-loki-s3
+      type: s3
+  storageClassName: <storage_class_name>
+  tenants:
+    mode: openshift-logging
+  networkPolicies:
+    ruleSet: RestrictIngressEgress
+----
++
+You can set one of the following values for the `spec.networkPolicies.ruleSet` field:
++
+`None`::
+{loki-op} will not deploy any network policy.
+`RestrictIngressEgress`::
+{loki-op} will deploy a set of network policies that restrict the communications to and from the Loki components.
++
+If you do not define a `spec.networkPolicies.ruleSet` value, the platform and operator default values are inherited and full network access is allowed.
+
+. Apply the `LokiStack` CR object by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <filename>.yaml
+----

modules/integrating-loki-network-policy-with-external-systems.adoc

@@ -0,0 +1,52 @@
+:_newdoc-version: 2.18.4
+:_template-generated: 2025-10-17
+:_mod-docs-content-type: PROCEDURE
+
+[id="integrating-loki-network-policy-with-external-systems_{context}"]
+= Integrating Loki network policy with external systems
+
+To integrate Loki with external systems such as custom dashboards, or external alerting, create additional network policies.
+You can select specific components by using the label `app.kubernetes.io/component`.
+Always include the labels `app.kubernetes.io/name=lokistack` and `app.kubernetes.io/instance={name}` to avoid collision with other pods deployed in the namespace.
+
+.Prerequisites
+* You have administrator permissions.
+* You have installed the {oc-first}.
+* You have installed the {loki-op}.
+* You have created a `LokiStack` custom resource (CR).
+
+.Procedure
+. Create a network policy:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: <name>
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: lokistack
+      app.kubernetes.io/instance: <instance_name>
+      app.kubernetes.io/component: <loki_component>
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: <namespace_name>
+    ports:
+    - protocol: TCP
+      port: <port_number>
+----
++
+Replace <component_name> with the component you want to integrate with.
+
+. Apply the network policy:
++
+[source,terminal]
+----
+$ oc apply -f <file_name>.yaml
+----

modules/loki-network-policies.adoc

@@ -0,0 +1,15 @@
+:_newdoc-version: 2.18.4
+:_template-generated: 2025-10-17
+:_mod-docs-content-type: CONCEPT
+
+[id="loki-network-policies_{context}"]
+= Loki network policies
+
+You can enable the {loki-op} to automatically create a `NetworkPolicy` resource that implements a "default deny" security model with explicit allow rules for required communications. 
+Network policies provide network segmentation for your LokiStack deployment by controlling ingress and egress traffic between Loki components and external services.
+The network policies in {loki-op} are designed to be secure by default while maintaining compatibility across diverse environments.
+
+Network policies for Loki on {ocp-product-title} include the following additional integrations:
+
+* Monitoring: Automatic integration with the {ocp-product-title} monitoring stack.
+* DNS: Support for both standard and {ocp-product-title} DNS services (port 5353).

modules/loki-networkpolicy-resources.adoc

@@ -0,0 +1,53 @@
+:_newdoc-version: 2.18.4
+:_template-generated: 2025-10-17
+:_mod-docs-content-type: REFERENCE
+
+[id="loki-networkpolicy-resources_{context}"]
+= Loki NetworkPolicy resources
+
+When network policies are enabled, the {loki-op} creates several NetworkPolicy resources to secure different aspects of your `LokiStack` deployment.
+
+[cols="1,1,1"]
+|====
+|Policy name
+|Purpose
+|Components affected
+
+|{name}-default-deny
+|A baseline deny-all policy
+|All LokiStack pods
+
+|{name}-loki-allow
+|Inter-component communication allowed
+|All Loki components
+
+|{name}-loki-allow-metrics
+|Allow metric scraping on the prometheus endpoint
+|All Loki components
+
+
+|{name}-loki-allow-bucket-egress
+|Policy for object storage access
+|ingester, querier, index-gateway, compactor, ruler
+
+|{name}-loki-allow-gateway-ingress
+|Allow gateway access to Loki components
+|distributor, query-frontend, ruler
+
+|{name}-gateway-allow
+|Gateway external and monitoring access
+|LokiStack-gateway
+
+|{name}-gateway-allow-metrics
+|Allow metric scraping on the prometheus endpoint
+|LokiStack-gateway
+
+|{name}-ruler-allow-alert-egress
+|Allow ruler egress to AlertManager
+|ruler
+
+|{name}-loki-allow-query-frontend
+|Query frontend external access
+|query-frontend (OpenShift network mode)
+
+|====