{"results":[{"id":"acl-audit-log-annotation-key","text":"Audit logging for network policies is enabled via the `k8s.ovn.org/acl-logging` annotation on namespaces (for NetworkPolicy/EgressFirewall) or directly on ANP/BANP CRs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acl-audit-logging-ovn-kubernetes-only","text":"Network policy audit logging is only available with the OVN-Kubernetes network plugin.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"admin-networkpolicy-cluster-scoped-alpha","text":"AdminNetworkPolicy and BaselineAdminNetworkPolicy (`policy.networking.k8s.io/v1alpha1`) are cluster-scoped network policy resources","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"admin-policy-external-route-dynamic-hop-empty-attachment","text":"When `networkAttachmentName` is empty on a dynamic hop, the system assumes the pod uses HostNetwork and the node IP is used as the gateway","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"alertingrule-namespace-openshift-monitoring","text":"AlertingRule resources for Network Observability alerts must be created in the `openshift-monitoring` namespace","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-banp-api-group","text":"AdminNetworkPolicy and BaselineAdminNetworkPolicy use API group `policy.networking.k8s.io/v1alpha1`","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-cluster-scoped-networkpolicy-namespace-scoped","text":"AdminNetworkPolicy is cluster-scoped while NetworkPolicy is namespace-scoped","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-cluster-scoped-v1alpha1","text":"AdminNetworkPolicy (ANP) is a cluster-scoped resource using API version `policy.networking.k8s.io/v1alpha1`","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-evaluation-order-anp-np-banp","text":"Network policy evaluation order is: AdminNetworkPolicy (by priority) → NetworkPolicy → BaselineAdminNetworkPolicy","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-host-networked-pods-excluded","text":"Host-networked pods are excluded from ANP subject and peer selection","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-ingress-peers-namespaces-pods-only","text":"ANP ingress peers support only namespaces and pods; egress additionally supports nodes and networks (CIDR)","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-nodes-networks-egress-only","text":"AdminNetworkPolicy `nodes` and `networks` peer types are valid for egress rules only","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-pass-delegates-to-networkpolicy","text":"ANP Pass action delegates the traffic decision to namespace-scoped NetworkPolicy, then to BANP if no NetworkPolicy matches","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-priority-range-0-99","text":"AdminNetworkPolicy priority range is 0–99 (maximum 100 ANP policies); lower value = higher precedence","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-supports-pass-action","text":"AdminNetworkPolicy (ANP) supports three actions in audit logging: allow, deny, and pass; the `pass` action delegates evaluation to NetworkPolicy or BANP.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-three-actions-allow-deny-pass","text":"ANP rules support three actions: Allow (overrides NetworkPolicy denials), Deny (blocks traffic), and Pass (delegates to NetworkPolicy then BaselineAdminNetworkPolicy)","truth_value":"IN","justification_count":0,"dependent_count":1,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"any-platform-upi-installation","text":"OpenShift supports \"any platform\" (platform-agnostic) installation for infrastructure without a dedicated installation method, requiring the administrator to manually provision all infrastructure components (DNS, load balancers, compute, networking).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"assisted-installer-preflight-validation","text":"The Assisted Installer performs pre-flight host validation (CPU, memory, disk, networking) before allowing installation to proceed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-lb-default-classic","text":"On AWS, the Ingress load balancer type defaults to `Classic`; can be set to `NLB` for network load balancing","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-stack-hub-separate-from-azure","text":"Azure Stack Hub is a distinct installation target from standard Azure, with different API endpoints, available VM sizes, and networking constraints.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":384,"limit":20,"offset":0}