From cf8399dc23256653c3555843d0334c5d4528cfee Mon Sep 17 00:00:00 2001 From: bobz965 Date: Sun, 7 Apr 2024 17:47:52 +0800 Subject: [PATCH] diff sg with port-security Signed-off-by: bobz965 --- docs/advance/security-group.en.md | 5 +++++ docs/advance/security-group.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/docs/advance/security-group.en.md b/docs/advance/security-group.en.md index 57ccdb908..508363685 100644 --- a/docs/advance/security-group.en.md +++ b/docs/advance/security-group.en.md @@ -31,6 +31,11 @@ The specific meaning of each field of the SecurityGroup can be found in the [Kub Pods bind security-groups by adding annotations, two annotations are used. +- port_security: source address verification. If this function is enabled, only packets with ip addresses assigned by kube-ovn ipam can be exported from the pod network adapter. After this function is disabled, any ip address can be exported +- security_groups: indicates a security group that contains a series of ACL rules + +> These two annotations are responsible for functions that are independent of each other. + ```yaml ovn.kubernetes.io/port_security: "true" ovn.kubernetes.io/security_groups: sg-example diff --git a/docs/advance/security-group.md b/docs/advance/security-group.md index 76a0a0835..fd92e0cb8 100644 --- a/docs/advance/security-group.md +++ b/docs/advance/security-group.md @@ -31,6 +31,11 @@ spec: Pod 通过添加 annotation 来绑定安全组,使用的 annotation 有两个: +- port_security: 源地址校验,如果开启,只能 kube-ovn ipam 分配到的 ip 地址的包可以从 pod 网卡出去,关闭后任意 ip 都可以。 +- security_groups: 安全组,包含一系列 ACL 规则。 + +> 这两个 annotation 负责的功能是互相独立的。 + ```yaml ovn.kubernetes.io/port_security: "true" ovn.kubernetes.io/security_groups: sg-example
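Review bot: in the first hunk (docs/advance/security-group.en.md) the new `port_security` bullet leaves the security point implicit and reads awkwardly; "only packets with ip addresses assigned by kube-ovn ipam can be exported from the pod network adapter" should state that the check is on the packet's source address, as the bullet's own label "source address verification" says, and the bullet is missing its final period and should use "IP"/"IPAM". Suggest `- port_security: source address verification. When enabled, only packets whose source IP is an address assigned by kube-ovn IPAM can leave the pod's network interface; when disabled, packets with any source IP can leave.` and `- security_groups: the security group to apply, which contains a set of ACL rules.` The blockquote "These two annotations are responsible for functions that are independent of each other." would be more useful if it spelled out the consequence: setting `security_groups` does not turn on source-address verification and setting `port_security` does not apply any ACL rules, so a pod that needs both must carry both annotations.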
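Review bot: in the second hunk (docs/advance/security-group.md) the sentence "只能 kube-ovn ipam 分配到的 ip 地址的包可以从 pod 网卡出去" doubles up 只能 and 可以 and does not say which address is checked, although the bullet is labelled 源地址校验; suggest "只有源 IP 为 kube-ovn ipam 分配的地址的包才能从 pod 网卡出去,关闭后任意源 IP 的包都可以出去". Mirroring the English file, the blockquote "这两个 annotation 负责的功能是互相独立的。" should say what that means for users: 设置 security_groups 不会开启源地址校验,设置 port_security 也不会应用 ACL 规则,两者都需要时必须同时设置两个 annotation。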