feat: add documentation about required network policy for multitentan… (

#2432)

Co-authored-by: Max Leonov <mleonov@redhat.com>
Co-authored-by: David Kwon <dakwon@redhat.com>

modules/administration-guide/nav.adoc

@@ -54,6 +54,7 @@
 **** xref:monitoring-the-dev-workspace-operator.adoc[]
 **** xref:monitoring-che.adoc[]
 ** xref:configuring-networking.adoc[]
+*** xref:configuring-network-policies.adoc[]
 *** xref:configuring-che-hostname.adoc[]
 *** xref:importing-untrusted-tls-certificates.adoc[]
 *** xref:configuring-ingresses.adoc[]

modules/administration-guide/pages/configuring-network-policies.adoc

@@ -0,0 +1,47 @@
+:_content-type: CONCEPT
+:description: Configuring network policies
+:keywords: administration guide, configuring, namespace, network policy, network policies, multitenant isolation
+:navtitle: Configuring network policies
+:page-aliases: installation-guide:configuring-network-policies.adoc
+
+[id="configuring-networking-policies_{context}"]
+= Configuring network policies
+
+By default, all Pods in a {orch-name} cluster can communicate with each other even if they are in different namespaces.
+In the context of {prod-short}, this makes it possible for a workspace Pod in one user {orch-namespace} to send traffic to another workspace Pod in a different user {orch-namespace}.
+
+For security, multitenant isolation could be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}.
+However, Pods in the {prod-short} {orch-namespace} must be able to communicate with Pods in user {orch-namespace}s.
+
+For a cluster with network restrictions such as multitenant isolation already configured, you must apply the `allow-from-{prod-namespace}` NetworkPolicy to each user {orch-namespace}. The `allow-from-{prod-namespace}` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}.
+
+
+.`allow-from-{prod-namespace}.yaml`
+====
+[source,yaml,subs="+quotes,attributes"]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-from-{prod-namespace}
+spec:
+    ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+                kubernetes.io/metadata.name: {prod-namespace}   <1>
+    podSelector: {}   <2>
+    policyTypes:
+    - Ingress
+----
+====
+<1> The {prod-short} namespace. The default is `{prod-namespace}`.
+<2> The empty `podSelector` selects all Pods in the {orch-namespace}.
+
+.Additional resources
+
+* xref:configuring-namespace-provisioning.adoc[]
+
+* link:https://kubernetes.io/docs/concepts/security/multi-tenancy/#network-isolation[Network isolation]
+
+* link:https://docs.openshift.com/container-platform/{ocp4-ver}/networking/network_policy/multitenant-network-policy.html[Configuring multitenant isolation with network policy]

modules/administration-guide/pages/configuring-networking.adoc

@@ -7,6 +7,7 @@
 [id="configuring-networking_{context}"]
 = Configuring networking
 
+* xref:configuring-network-policies.adoc[]
 * xref:configuring-che-hostname.adoc[]
 * xref:importing-untrusted-tls-certificates.adoc[]
 * xref:configuring-ingresses.adoc[]