introducing security groups and subnet ACL priorities

Signed-off-by: zcq98 <[email protected]>
kubeovn · Aug 6, 2024 · 8aca4ec · 8aca4ec
1 parent 9d4e44e
commit 8aca4ec
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/docs/advance/security-group.en.md b/docs/advance/security-group.en.md
@@ -32,6 +32,11 @@ The specific meaning of each field of the SecurityGroup can be found in the [Kub
 Pods bind security-groups by adding annotations, two annotations are used.
 
 - port_security: source address verification. If this function is enabled, only packets with ip addresses assigned by kube-ovn ipam can be exported from the pod network adapter. After this function is disabled, any ip address can be exported
+
+- When configuring a security group, the `priority` value ranges from 1 to 200, with smaller values indicating higher priority. When implementing a security group through ACL, the security group's priority is mapped to the ACL priority. The specific mapping relationship is as follows:
+
+  ACL priority=2300−Security group priority，therefore, it is essential to distinguish between the priorities of security groups and subnet ACLs.
+
 - security_groups: indicates a security group that contains a series of ACL rules
 
 > These two annotations are responsible for functions that are independent of each other.

diff --git a/docs/advance/security-group.md b/docs/advance/security-group.md
@@ -44,7 +44,7 @@ Pod 通过添加 annotation 来绑定安全组，使用的 annotation 有两个
 ## 注意事项
 
 - 安全组最后是通过设置 ACL 规则来限制访问的，OVN 文档中提到，如果匹配到的两个 ACL 规则拥有相同的优先级，实际起作用的是哪个 ACL 是不确定的。因此设置安全组规则的时候，需要注意区分优先级。
-
+- 配置安全组时 priority 的取值范围为 1-200，值越小，安全组的优先级越高。通过 ACL 实现安全组时，会将安全组的优先级映射成 ACL 的优先级，具体映射关系如下：ACL优先级 = 2300 - 安全组优先级，因此需要注意区分安全组和子网 ACL 优先级。
 - 当添加安全组的时候，要清楚的知道是在添加什么限制。Kube-OVN 作为 CNI，创建 Pod 后会进行 Pod 到网关的连通性测试，如果访问不通网关，就会导致 Pod 一直处于 ContainerCreating 状态，无法顺利切换到 Running 状态。
 
 ## 实际测试