add limitation of centralized gateway subnet (#144)

Signed-off-by: oilbeater <[email protected]>

Author: oilbeater

docs/advance/ovn-ipsec.en.md

@@ -1,8 +1,8 @@
 # Encrypt inter-node communication using IPsec
 
-This function is supported after v1.10.11 and v1.11.4, and the kernel version is at least 3.10.0 or above.
+This function is supported after v1.10.11 and v1.11.4, the kernel version is at least 3.10.0 or above, and UDP ports 500 and 4500 are available.
 
-## start IPsec
+## Start IPsec
 
 Copy the script from the Kube-OVN source code [ipsec.sh](https://raw.githubusercontent.com/kubeovn/kube-ovn/master/dist/images/ipsec.sh), execute the command as follows, the script will call ovs-pki to generate and distribute the certificate required for encryption:
 

docs/advance/ovn-ipsec.md

@@ -1,6 +1,6 @@
 # 使用 IPsec 加密节点间通信
 
-该功能从 v1.10.11 和 v1.11.4 后开始支持，kernel 版本至少是 3.10.0 以上。
+该功能从 v1.10.11 和 v1.11.4 后开始支持，kernel 版本至少是 3.10.0 以上，同时需要保证主机 UDP 500 和 4500 端口可用。
 
 ## 启动 IPsec
 
@@ -13,7 +13,7 @@ bash ipsec.sh init
 执行完毕后，节点之间会协商一段时间建立 IPsec 隧道，经验值是十几秒到一分钟之间，可以通过如下命令来查看 IPsec 状态：
 
 ```bash
-# sh ipsec.sh status
+# bash ipsec.sh status
  Pod {ovs-ovn-d7hdt} ipsec status...
 Interface name: ovn-a4718e-0 v1 (CONFIGURED)
   Tunnel Type:    geneve

docs/guide/subnet.en.md

@@ -194,6 +194,8 @@ spec:
 
 ### Centralized Gateway
 
+> Note: Pods under a centralized subnet cannot be accessed through `hostport` or a NodePort type Service with `externalTrafficPolicy: Local`.
+
 ![](../static/centralized-gateway.png)
 
 If you want traffic within the Subnet to access the external network using a fixed IP for security operations such as auditing and whitelisting,

docs/guide/subnet.md

@@ -60,6 +60,8 @@ join 子网的 CIDR 请参考[修改 Join 子网](../ops/change-join-subnet.md)
 
 ### 查看 Join 子网
 
+> 注意：集中式子网下的 Pod 无法通过 `hostport`, 以及设置了 `externalTrafficPolicy: Local` 的 NodePort 类型 Service 进行访问，
+
 该子网默认名为 `join` 一般无需对该子网 CIDR 外的其他网络配置进行修改。
 
 ```bash