diff --git a/docs/advance/ovn-ipsec.en.md b/docs/advance/ovn-ipsec.en.md index c6192b275..658c9fe13 100644 --- a/docs/advance/ovn-ipsec.en.md +++ b/docs/advance/ovn-ipsec.en.md @@ -1,8 +1,8 @@ # Encrypt inter-node communication using IPsec -This function is supported after v1.10.11 and v1.11.4, and the kernel version is at least 3.10.0 or above. +This function is supported after v1.10.11 and v1.11.4, the kernel version is at least 3.10.0 or above, and UDP ports 500 and 4500 are available. -## start IPsec +## Start IPsec Copy the script from the Kube-OVN source code [ipsec.sh](https://raw.githubusercontent.com/kubeovn/kube-ovn/master/dist/images/ipsec.sh), execute the command as follows, the script will call ovs-pki to generate and distribute the certificate required for encryption: diff --git a/docs/advance/ovn-ipsec.md b/docs/advance/ovn-ipsec.md index 2e2b0b0ec..aabdbc343 100644 --- a/docs/advance/ovn-ipsec.md +++ b/docs/advance/ovn-ipsec.md @@ -1,6 +1,6 @@ # 使用 IPsec 加密节点间通信 -该功能从 v1.10.11 和 v1.11.4 后开始支持,kernel 版本至少是 3.10.0 以上。 +该功能从 v1.10.11 和 v1.11.4 后开始支持,kernel 版本至少是 3.10.0 以上,同时需要保证主机 UDP 500 和 4500 端口可用。 ## 启动 IPsec @@ -13,7 +13,7 @@ bash ipsec.sh init 执行完毕后,节点之间会协商一段时间建立 IPsec 隧道,经验值是十几秒到一分钟之间,可以通过如下命令来查看 IPsec 状态: ```bash -# sh ipsec.sh status +# bash ipsec.sh status Pod {ovs-ovn-d7hdt} ipsec status... Interface name: ovn-a4718e-0 v1 (CONFIGURED) Tunnel Type: geneve diff --git a/docs/guide/subnet.en.md b/docs/guide/subnet.en.md index b88548c68..5c2b13023 100644 --- a/docs/guide/subnet.en.md +++ b/docs/guide/subnet.en.md @@ -194,6 +194,8 @@ spec: ### Centralized Gateway +> Note: Pods under a centralized subnet cannot be accessed through `hostport` or a NodePort type Service with `externalTrafficPolicy: Local`. + ![](../static/centralized-gateway.png) If you want traffic within the Subnet to access the external network using a fixed IP for security operations such as auditing and whitelisting, 
diff --git a/docs/guide/subnet.md b/docs/guide/subnet.md index 9a5025fe7..9c5bb82f5 100644 --- a/docs/guide/subnet.md +++ b/docs/guide/subnet.md @@ -60,6 +60,8 @@ join 子网的 CIDR 请参考[修改 Join 子网](../ops/change-join-subnet.md) ### 查看 Join 子网 +> 注意:集中式子网下的 Pod 无法通过 `hostport`, 以及设置了 `externalTrafficPolicy: Local` 的 NodePort 类型 Service 进行访问, + 该子网默认名为 `join` 一般无需对该子网 CIDR 外的其他网络配置进行修改。 ```bash
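Review bot: the new requirement sentence in the first hunk of docs/advance/ovn-ipsec.en.md runs three conditions into one clause and does not say where the ports must be open. Suggest splitting it and being explicit, for example "This feature is supported from v1.10.11 and v1.11.4. It requires a kernel of at least 3.10.0, and UDP ports 500 and 4500 must be reachable between nodes on the host network." Naming what the ports carry (IKE on 500, IKE NAT traversal on 4500) would help readers write the right firewall rules, and "at least 3.10.0 or above" is redundant.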
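Review bot: only the Chinese page is touched by the `# sh ipsec.sh status` to `# bash ipsec.sh status` hunk in docs/advance/ovn-ipsec.md; the change itself is consistent with the `bash ipsec.sh init` shown in the surrounding context, so please check whether docs/advance/ovn-ipsec.en.md still shows the `sh` form and needs the same fix.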
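Review bot: the note added under `### Centralized Gateway` in docs/guide/subnet.en.md states the limitation without its cause; one sentence on why `hostport` and `externalTrafficPolicy: Local` NodePort access do not work for Pods in a centralized subnet would let readers judge whether it affects them. If the Kubernetes container field is meant, `hostport` should be written `hostPort` to match the field name.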
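Review bot: the Chinese note in docs/guide/subnet.md is inserted under `### 查看 Join 子网` (the Join subnet section), whereas its English counterpart in docs/guide/subnet.en.md sits under `### Centralized Gateway`; the note is about centralized subnets, so it should be moved to the centralized gateway section of the Chinese page. The sentence also ends with a comma (`进行访问,`) instead of a full stop, and the ASCII comma after `hostport` should be the fullwidth `,` used elsewhere in the line.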