From a386883ead7bedae6dd01b2dfdd5781ed3a83056 Mon Sep 17 00:00:00 2001 From: Jeanine-tw <76861242+Jeanine-tw@users.noreply.github.com> Date: Tue, 7 Nov 2023 17:52:59 +0800 Subject: [PATCH] doc: fix minor errors (#941) * doc: fix minor errors * update egresspolicy --- docs/concepts/Datapath.en.md | 153 ++++++++++++----------- docs/reference/EgressClusterInfo.en.md | 20 +-- docs/reference/EgressClusterInfo.zh.md | 20 +-- docs/reference/EgressClusterPolicy.en.md | 2 +- docs/reference/EgressClusterPolicy.zh.md | 2 +- docs/reference/EgressGateway.en.md | 34 ++--- docs/reference/EgressGateway.zh.md | 34 ++--- docs/reference/EgressPolicy.en.md | 25 ++-- docs/reference/EgressPolicy.zh.md | 25 ++-- docs/reference/EgressTunnel.en.md | 16 +-- docs/reference/EgressTunnel.zh.md | 16 +-- 11 files changed, 173 insertions(+), 174 deletions(-) diff --git a/docs/concepts/Datapath.en.md b/docs/concepts/Datapath.en.md index 85aff10f4..27d5445e4 100644 --- a/docs/concepts/Datapath.en.md +++ b/docs/concepts/Datapath.en.md 
@@ -4,146 +4,147 @@ Rules that need to take effect are categorized into three categories: all nodes, ## All nodes -1. Detailed tunnel requirements between nodes are not listed. +1. Detailed tunnel requirements between nodes are not listed. 2. Traffic matching the policy is retagged. This update occurs when a node becomes a gateway node for the first time or during node join, but it is not updated thereafter. - ```shell - iptables -t mangle -N EGRESSGATEWAY-RESET-MARK - iptables -t mangle -I FORWARD 1 -j EGRESSGATEWAY-RESET-MARK -m comment --comment "egress gateway: mark egress packet" + ```shell + iptables -t mangle -N EGRESSGATEWAY-RESET-MARK + iptables -t mangle -I FORWARD 1 -j EGRESSGATEWAY-RESET-MARK -m comment --comment "egress gateway: mark egress packet" - iptables -t mangle -A EGRESSGATEWAY-RESET-MARK \ - -m mark --mark $NODE_MARK/0x26000000 \ - -j MARK --set-mark 0x12000000 \ - -m comment --comment "egress gateway: change mark" - \ -m -comment "egress gateway: change mark + iptables -t mangle -A EGRESSGATEWAY-RESET-MARK \ + -m mark --mark $NODE_MARK/0x26000000 \ + -j MARK --set-mark 0x12000000 \ + -m comment --comment "egress gateway: change mark" + \ -m -comment "egress gateway: change mark + ``` 3. Preserve the labels for traffic matching the policy. Create them once without requiring updates. 
- ```shell - iptables -t filter -I FORWARD 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark" + ```shell + iptables -t filter -I FORWARD 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark" - iptables -t filter -I OUTPUT 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark" + iptables -t filter -I OUTPUT 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark" - iptables -t mangle -I POSTROUTING 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark" - ``` + iptables -t mangle -I POSTROUTING 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark" + ``` 4. Aggregate chains for tagging policy-matched traffic. Create them once without needing updates. - ```shell - iptables -t mangle -N EGRESSGATEWAY-MARK-REQUEST + ```shell + iptables -t mangle -N EGRESSGATEWAY-MARK-REQUEST - iptables -t mangle -I PREROUTING 1 -j EGRESSGATEWAY-MARK-REQUEST -m comment --comment "egress gateway: mark egress packet" - ``` + iptables -t mangle -I PREROUTING 1 -j EGRESSGATEWAY-MARK-REQUEST -m comment --comment "egress gateway: mark egress packet" + ``` 5. Aggregate chains that do not need to do SNAT rules. It is created directly once and does not need to be updated; - ```shell - iptables -t nat -N EGRESSGATEWAY-NO-SNAT + ```shell + iptables -t nat -N EGRESSGATEWAY-NO-SNAT - iptables -t nat -I POSTROUTING 1 -j EGRESSGATEWAY-NO-SNAT -m comment --comment "egress gateway: no snat" + iptables -t nat -I POSTROUTING 1 -j EGRESSGATEWAY-NO-SNAT -m comment --comment "egress gateway: no snat" - iptables -t nat -A EGRESSGATEWAY-NO-SNAT -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: no snat" - ``` + iptables -t nat -A EGRESSGATEWAY-NO-SNAT -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: no snat" + ``` 6. Aggregate chains that need to do SNAT rules. 
It is created directly once and does not need to be updated. - ```shell - iptables -t nat -N EGRESSGATEWAY-SNAT-EIP + ```shell + iptables -t nat -N EGRESSGATEWAY-SNAT-EIP - # Need to insert after rules that don't require SNAT to keep the chain at the top - iptables -t nat -I POSTROUTING 1 -j EGRESSGATEWAY-SNAT-EIP -m comment --comment "egress gateway: snat EIP" - ``` + # Need to insert after rules that don't require SNAT to keep the chain at the top + iptables -t nat -I POSTROUTING 1 -j EGRESSGATEWAY-SNAT-EIP -m comment --comment "egress gateway: snat EIP" + ``` 7. egress-ingore-cidr When the `destSubnet` field of the EgressGatewayPolicy is empty, the data plane will automatically match traffic outside the CIDR in the EgressClusterStatus CR and forward it to the Egress gateway. ```shell - IPSET_RULE_DEST_NAME=egress-ingore-cidr + IPSET_RULE_DEST_NAME=egress-ingore-cidr - ipset x $IPSET_RULE_DEST_NAME + ipset x $IPSET_RULE_DEST_NAME - ipset create $IPSET_RULE_DEST_NAME hash:net + ipset create $IPSET_RULE_DEST_NAME hash:net - ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32 - ``` + ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32 + ``` ## Non-Egress Gateway node Relative to EIP 1. ipsets for policy-matched source and destination IPs. - ```shell - IPSET_RULE_DEST_NAME=egress-dest-uuid + ```shell + IPSET_RULE_DEST_NAME=egress-dest-uuid - ipset x $IPSET_RULE_DEST_NAME + ipset x $IPSET_RULE_DEST_NAME - ipset create $IPSET_RULE_DEST_NAME hash:net + ipset create $IPSET_RULE_DEST_NAME hash:net - ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32 + ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32 - IPSET_RULE_SRC_NAME=egress-src-uuid + IPSET_RULE_SRC_NAME=egress-src-uuid - ipset x $IPSET_RULE_SRC_NAME + ipset x $IPSET_RULE_SRC_NAME - ipset create $IPSET_RULE_SRC_NAME hash:net + ipset create $IPSET_RULE_SRC_NAME hash:net - ipset add $IPSET_RULE_SRC_NAME 172.29.234.173/32 - ``` + ipset add $IPSET_RULE_SRC_NAME 172.29.234.173/32 + ``` 2. 
Tag policy-matched traffic to ensure it goes through the tunnel. The NODE_MARK value depends on the node where the corresponding EIP resides. - ```shell - iptables -A EGRESSGATEWAY-MARK-REQUEST -t mangle -m conntrack --ctdir ORIGINAL \ - -m set --match-set $IPSET_RULE_DEST_NAME dst \ - -m set --match-set $IPSET_RULE_SRC_NAME src \ - -j MARK --set-mark $NODE_MARK -m comment --comment "rule uuid: mark request packet" - ``` + ```shell + iptables -A EGRESSGATEWAY-MARK-REQUEST -t mangle -m conntrack --ctdir ORIGINAL \ + -m set --match-set $IPSET_RULE_DEST_NAME dst \ + -m set --match-set $IPSET_RULE_SRC_NAME src \ + -j MARK --set-mark $NODE_MARK -m comment --comment "rule uuid: mark request packet" + ``` 3. Policy routing rules - ```shell - ip rule add fwmark $NODE_MARK table $TABLE_NUM - ``` + ```shell + ip rule add fwmark $NODE_MARK table $TABLE_NUM + ``` 4. Adapt Weave to avoiding SNAT into IPs for Egress tunnels. Make a switch - ```shell - iptables -t nat -A EGRESSGATEWAY-NO-SNAT \ \ - -m set --match-set $IPSET_RULE_DEST_NAME dst \ - -m set --match-set $IPSET_RULE_SRC_NAME src \ - -j ACCEPT -m comment --comment "egress gateway: weave does not do SNAT" - ``` + ```shell + iptables -t nat -A EGRESSGATEWAY-NO-SNAT \ \ + -m set --match-set $IPSET_RULE_DEST_NAME dst \ + -m set --match-set $IPSET_RULE_SRC_NAME src \ + -j ACCEPT -m comment --comment "egress gateway: weave does not do SNAT" + ``` ## Egress Gateway Node Relative to EIP 1. ipsets for policy-matched source and destination IPs. 
- ```shell - IPSET_RULE_DEST_NAME=egress-dest-uuid + ```shell + IPSET_RULE_DEST_NAME=egress-dest-uuid - ipset x $IPSET_RULE_DEST_NAME + ipset x $IPSET_RULE_DEST_NAME - ipset create $IPSET_RULE_DEST_NAME hash:net + ipset create $IPSET_RULE_DEST_NAME hash:net - ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32 + ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32 - IPSET_RULE_SRC_NAME=egress-src-uuid + IPSET_RULE_SRC_NAME=egress-src-uuid - ipset x $IPSET_RULE_SRC_NAME + ipset x $IPSET_RULE_SRC_NAME - ipset create $IPSET_RULE_SRC_NAME hash:net + ipset create $IPSET_RULE_SRC_NAME hash:net - ipset add $IPSET_RULE_SRC_NAME 172.29.234.173/32 - ``` + ipset add $IPSET_RULE_SRC_NAME 172.29.234.173/32 + ``` 2. Apply SNAT to policy-matched traffic during egress. Keep this rule updated in real-time. - ```shell - iptables -t nat -A EGRESSGATEWAY-SNAT-EIP \ - -m set --match-set $IPSET_RULE_SRC_NAME src \ - -m set --match-set $IPSET_RULE_DST_NAME dst \ - -j SNAT --to-source $EIP - ðŸñ'ðŸñ'ðŸñ'ðŸñ'ðŸñ'ñ + ```shell + iptables -t nat -A EGRESSGATEWAY-SNAT-EIP \ + -m set --match-set $IPSET_RULE_SRC_NAME src \ + -m set --match-set $IPSET_RULE_DST_NAME dst \ + -j SNAT --to-source $EIP + ðŸñ'ðŸñ'ðŸñ'ðŸñ'ðŸñ'ñ ``` ## Others 
@@ -152,5 +153,5 @@ Rules that need to take effect are categorized into three categories: all nodes, 2. TABLE_NUM: - * Since each host can have [0, 255] routing tables (where 0, 253, 254, and 255 are already used by the system), exceeding the maximum number of tables will result in the inability to calculate routes for nodes, leading to node disconnection. Additionally, table names must match the table ID, and if there is no match, the kernel will assign a random name. To be on the safe side, the number of controlled tables (represented by variable n with a default value of 100) is limited, which also serves as the upper limit for gateway nodes. - * TABLE_NUM algorithm: users can set a starting value (represented by variable s with a default value of 3000), and the range of table names will be [s, (s+n)]. Users need to ensure that the table names within this range are not occupied. Start with a randomly selected value from [s, (s+n)] and increment it circularly until an unused table name for the current node is obtained. If none is found, an error is reported. + * Since each host can have [0, 255] routing tables (where 0, 253, 254, and 255 are already used by the system), exceeding the maximum number of tables will result in the inability to calculate routes for nodes, leading to node disconnection. Additionally, table names must match the table ID, and if there is no match, the kernel will assign a random name. To be on the safe side, the number of controlled tables (represented by variable n with a default value of 100) is limited, which also serves as the upper limit for gateway nodes. + * TABLE_NUM algorithm: users can set a starting value (represented by variable s with a default value of 3000), and the range of table names will be [s, (s+n)]. Users need to ensure that the table names within this range are not occupied. Start with a randomly selected value from [s, (s+n)] and increment it circularly until an unused table name for the current node is obtained. 
If none is found, an error is reported. diff --git a/docs/reference/EgressClusterInfo.en.md b/docs/reference/EgressClusterInfo.en.md index dcfa183fd..999240c22 100644 --- a/docs/reference/EgressClusterInfo.en.md +++ b/docs/reference/EgressClusterInfo.en.md @@ -4,23 +4,23 @@ The EgressClusterInfo CRD introduces the Egress Ignore CIDR feature to simplify apiVersion: egressgateway.spidernet.io/v1beta1 kind: EgressClusterInfo metadata: - name: default # 1 + name: default # (1) spec: autoDetect: - clusterIP: true # 2 - nodeIP: true # 3 - podCidrMode: auto # 4 - extraCidr: # 5 + clusterIP: true # (2) + nodeIP: true # (3) + podCidrMode: auto # (4) + extraCidr: # (5) - 10.10.10.1 status: - clusterIP: # 6 + clusterIP: # (6) ipv4: - 172.41.0.0/16 ipv6: - fd41::/108 - extraCidr: # 7 + extraCidr: # (7) - 10.10.10.1 - nodeIP: # 8 + nodeIP: # (8) egressgateway-control-plane: ipv4: - 172.18.0.3 @@ -36,7 +36,7 @@ status: - 172.18.0.4 ipv6: - fc00:f853:ccd:e793::4 - podCIDR: # 9 + podCIDR: # (9) default-ipv4-ippool: ipv4: - 172.40.0.0/16 @@ -46,7 +46,7 @@ status: test-ippool: ipv4: - 177.70.0.0/16 - podCidrMode: calico # 10 + podCidrMode: calico # (10) ``` 1. The name is `default`.Only one can be created by the system maintenance; diff --git a/docs/reference/EgressClusterInfo.zh.md b/docs/reference/EgressClusterInfo.zh.md index 3dc2c5c60..c519fa910 100644 --- a/docs/reference/EgressClusterInfo.zh.md +++ b/docs/reference/EgressClusterInfo.zh.md 
@@ -4,23 +4,23 @@ EgressClusterInfo CRD 为了简化 Egress 策略的配置,引入 Egress Ignore apiVersion: egressgateway.spidernet.io/v1beta1 kind: EgressClusterInfo metadata: - name: default # 1 + name: default # (1) spec: autoDetect: - clusterIP: true # 2 - nodeIP: true # 3 - podCidrMode: auto # 4 - extraCidr: # 5 + clusterIP: true # (2) + nodeIP: true # (3) + podCidrMode: auto # (4) + extraCidr: # (5) - 10.10.10.1 status: - clusterIP: # 6 + clusterIP: # (6) ipv4: - 172.41.0.0/16 ipv6: - fd41::/108 - extraCidr: # 7 + extraCidr: # (7) - 10.10.10.1 - nodeIP: # 8 + nodeIP: # (8) egressgateway-control-plane: ipv4: - 172.18.0.3 @@ -36,7 +36,7 @@ status: - 172.18.0.4 ipv6: - fc00:f853:ccd:e793::4 - podCIDR: # 9 + podCIDR: # (9) default-ipv4-ippool: ipv4: - 172.40.0.0/16 @@ -46,7 +46,7 @@ status: test-ippool: ipv4: - 177.70.0.0/16 - podCidrMode: calico # 10 + podCidrMode: calico # (10) ``` 1. 名称为 `default`,由系统维护只能创建一个; diff --git a/docs/reference/EgressClusterPolicy.en.md b/docs/reference/EgressClusterPolicy.en.md index 626340cbf..e5a82e8ad 100644 --- a/docs/reference/EgressClusterPolicy.en.md +++ b/docs/reference/EgressClusterPolicy.en.md @@ -19,7 +19,7 @@ spec: podSubnet: - "172.29.16.0/24" - 'fd00:1/126' - namespaceSelector: # 1 + namespaceSelector: # (1) matchLabels: app: "shopping" destSubnet: diff --git a/docs/reference/EgressClusterPolicy.zh.md b/docs/reference/EgressClusterPolicy.zh.md index e03b2746b..ea2d7b9d5 100644 --- a/docs/reference/EgressClusterPolicy.zh.md +++ b/docs/reference/EgressClusterPolicy.zh.md @@ -19,7 +19,7 @@ spec: podSubnet: - "172.29.16.0/24" - 'fd00:1/126' - namespaceSelector: # 1 + namespaceSelector: # (1) matchLabels: app: "shopping" destSubnet: diff --git a/docs/reference/EgressGateway.en.md b/docs/reference/EgressGateway.en.md index 3ab77bba7..3b632ecb9 100644 --- a/docs/reference/EgressGateway.en.md +++ b/docs/reference/EgressGateway.en.md 
@@ -6,30 +6,30 @@ kind: EgressGateway metadata: name: "eg1" spec: - ippools: # 1 - ipv4: # 2 + ippools: # (1) + ipv4: # (2) - "10.6.1.55" - "10.6.1.60-10.6.1.65" - "10.6.1.70/28" - ipv6: # 3 + ipv6: # (3) - "" - ipv4DefaultEIP: "" # 4 - ipv6DefaultEIP: "" # 5 - nodeSelector: # 6 - selector: # 7 + ipv4DefaultEIP: "" # (4) + ipv6DefaultEIP: "" # (5) + nodeSelector: # (6) + selector: # (7) matchLabels: egress: "true" - policy: "doing" # 8 + policy: "doing" # (8) status: - nodeList: # 9 - - name: "node1" # 10 - status: "Ready" # 11 - epis: # 12 - - ipv4: "10.6.1.55" # 13 - ipv6: "fd00::55" # 14 - policies: # 15 - - name: "app" # 16 - namespace: "default" # 17 + nodeList: # (9) + - name: "node1" # (10) + status: "Ready" # (11) + epis: # (12) + - ipv4: "10.6.1.55" # (13) + ipv6: "fd00::55" # (14) + policies: # (15) + - name: "app" # (16) + namespace: "default" # (17) ``` 1. Set the range of egress IP pool that EgressGateway can use; diff --git a/docs/reference/EgressGateway.zh.md b/docs/reference/EgressGateway.zh.md index ba53ec55a..38cfca8ae 100644 --- a/docs/reference/EgressGateway.zh.md +++ b/docs/reference/EgressGateway.zh.md 
@@ -6,30 +6,30 @@ kind: EgressGateway metadata: name: "eg1" spec: - ippools: # 1 - ipv4: # 2 + ippools: # (1) + ipv4: # (2) - "10.6.1.55" - "10.6.1.60-10.6.1.65" - "10.6.1.70/28" - ipv6: # 3 + ipv6: # (3) - "" - ipv4DefaultEIP: "" # 4 - ipv6DefaultEIP: "" # 5 - nodeSelector: # 6 - selector: # 7 + ipv4DefaultEIP: "" # (4) + ipv6DefaultEIP: "" # (5) + nodeSelector: # (6) + selector: # (7) matchLabels: egress: "true" - policy: "doing" # 8 + policy: "doing" # (8) status: - nodeList: # 9 - - name: "node1" # 10 - status: "Ready" # 11 - epis: # 12 - - ipv4: "10.6.1.55" # 13 - ipv6: "fd00::55" # 14 - policies: # 15 - - name: "app" # 16 - namespace: "default" # 17 + nodeList: # (9) + - name: "node1" # (10) + status: "Ready" # (11) + epis: # (12) + - ipv4: "10.6.1.55" # (13) + ipv6: "fd00::55" # (14) + policies: # (15) + - name: "app" # (16) + namespace: "default" # (17) ``` 1. 设置 EgressGateway 可使用的 Egress IP 池的范围; diff --git a/docs/reference/EgressPolicy.en.md b/docs/reference/EgressPolicy.en.md index a432f3285..b5562f8d9 100644 --- a/docs/reference/EgressPolicy.en.md +++ b/docs/reference/EgressPolicy.en.md @@ -7,22 +7,22 @@ metadata: namespace: "default" name: "policy-test" spec: - egressGatewayName: "eg1" # 1 - egressIP: # 2 + egressGatewayName: "eg1" # (1) + egressIP: # (2) ipv4: "" ipv6: "" - useNodeIP: false # 3 - appliedTo: # 4 - podSelector: # 4-a + useNodeIP: false # (3) + appliedTo: + podSelector: # (4) matchLabels: app: "shopping" - podSubnet: # 4-b + podSubnet: # (5) - "172.29.16.0/24" - 'fd00:1/126' - destSubnet: # 5 + destSubnet: # (6) - "10.6.1.92/32" - "fd00::92/128" - priority: 100 # 6 + priority: 100 # (7) ``` 1. Select the EgressGateway referenced by the EgressPolicy. 
@@ -32,8 +32,7 @@ spec: * If `ipv4` or `ipv6` addresses are not defined when creating and `useNodeIP` is `false`, an IP address will be automatically allocated from the EgressGateway's `.ranges` (when IPv6 is enabled, both an IPv4 and IPv6 address will be requested). * `egressGatewayName` must not be empty. 3. Support using the Node IP as the Egress IP (only one option can be chosen). -4. Select the Pods to which the EgressPolicy should be applied. - 1. Select by using Label - 2. Specify the Pod subnet directly (options a and b cannot be used simultaneously) -5. When specifying the destination addresses for Egress access, if no specific destination address is provided, the following policy will be enforced: requests with destination addresses outside of the cluster's internal CIDR range will be forwarded to the Egress node. -6. Priority of the policy. \ No newline at end of file +4. Select the Pods to which the EgressPolicy should be applied by using Label. +5. Select the Pods to which the EgressPolicy should be applied by specifying the Pod subnet directly (options 4 and 5 cannot be used simultaneously) +6. When specifying the destination addresses for Egress access, if no specific destination address is provided, the following policy will be enforced: requests with destination addresses outside of the cluster's internal CIDR range will be forwarded to the Egress node. +7. Priority of the policy. \ No newline at end of file diff --git a/docs/reference/EgressPolicy.zh.md b/docs/reference/EgressPolicy.zh.md index bcdc8b0fc..a7e40ea4b 100644 --- a/docs/reference/EgressPolicy.zh.md +++ b/docs/reference/EgressPolicy.zh.md 
@@ -7,22 +7,22 @@ metadata: namespace: "default" name: "policy-test" spec: - egressGatewayName: "eg1" # 1 - egressIP: # 2 + egressGatewayName: "eg1" # (1) + egressIP: # (2) ipv4: "" ipv6: "" - useNodeIP: false # 3 - appliedTo: # 4 - podSelector: # 4-a + useNodeIP: false # (3) + appliedTo: + podSelector: # (4) matchLabels: app: "shopping" - podSubnet: # 4-b + podSubnet: # (5) - "172.29.16.0/24" - 'fd00:1/126' - destSubnet: # 5 + destSubnet: # (6) - "10.6.1.92/32" - "fd00::92/128" - priority: 100 # 6 + priority: 100 # (7) ``` 1. 选择 EgressPolicy 引用的 EgressGateway: @@ -33,8 +33,7 @@ spec: * 则自动从 EgressGateway 的 `.ranges` 中分配一个 IP 地址(开启 IPv6 时,请求分配一个 IPv4 和 一个 IPv6 地址)。 * `egressGatewayName` 不能为空。 3. 支持使用节点 IP 作为 Egress IP(只允许选择一种); -4. 选择需要应用 EgressPolicy 的 Pod; - 1. 以 Label 的方式进行选择 - 2. 直接指定 Pod 的网段 (a 和 b 不能同时使用) -5. 指定访问 Egress 的目标地址,若未指定目标地址,则以下策略将生效:对于那些目标地址不属于集群内部 CIDR 的请求,将全部转发到 Egress 节点。 -6. 策略的优先级。 +4. 以 Label 的方式选择需要应用 EgressPolicy 的 Pod; +5. 通过直接指定 Pod 的网段选择需要应用 EgressPolicy 的 Pod(4 和 5 不能同时使用) +6. 指定访问 Egress 的目标地址,若未指定目标地址,则以下策略将生效:对于那些目标地址不属于集群内部 CIDR 的请求,将全部转发到 Egress 节点。 +7. 策略的优先级。 diff --git a/docs/reference/EgressTunnel.en.md b/docs/reference/EgressTunnel.en.md index 0fb60790b..b1e6fe146 100644 --- a/docs/reference/EgressTunnel.en.md +++ b/docs/reference/EgressTunnel.en.md @@ -7,15 +7,15 @@ metadata: name: "node1" status: tunnel: - ipv4: "192.200.222.157" # 1 - ipv6: "fd01::f2" # 2 - mac: "66:50:85:cb:b2:bf" # 3 + ipv4: "192.200.222.157" # (1) + ipv6: "fd01::f2" # (2) + mac: "66:50:85:cb:b2:bf" # (3) parent: - name: "ens160" # 4 - ipv4: "10.6.1.21/16" # 5 - ipv6: "fd00::21/112" # 6 - phase: "Ready" # 7 - mark: "0x26000000" # 8 + name: "ens160" # (4) + ipv4: "10.6.1.21/16" # (5) + ipv6: "fd00::21/112" # (6) + phase: "Ready" # (7) + mark: "0x26000000" # (8) ``` 1. Tunnel IPv4 address diff --git a/docs/reference/EgressTunnel.zh.md b/docs/reference/EgressTunnel.zh.md index ca54fb57f..59c34d884 100644 --- a/docs/reference/EgressTunnel.zh.md 
+++ b/docs/reference/EgressTunnel.zh.md @@ -7,15 +7,15 @@ metadata: name: "node1" status: tunnel: - ipv4: "192.200.222.157" # 1 - ipv6: "fd01::f2" # 2 - mac: "66:50:85:cb:b2:bf" # 3 + ipv4: "192.200.222.157" # (1) + ipv6: "fd01::f2" # (2) + mac: "66:50:85:cb:b2:bf" # (3) parent: - name: "ens160" # 4 - ipv4: "10.6.1.21/16" # 5 - ipv6: "fd00::21/112" # 6 - phase: "Ready" # 7 - mark: "0x26000000" # 8 + name: "ens160" # (4) + ipv4: "10.6.1.21/16" # (5) + ipv6: "fd00::21/112" # (6) + phase: "Ready" # (7) + mark: "0x26000000" # (8) ``` 1. 隧道 IPv4 地址
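Review bot: In docs/concepts/Datapath.en.md, step 2 under "All nodes", the re-indented block still carries the stray line `\ -m -comment "egress gateway: change mark`, which has an unbalanced quote and is not a valid iptables option, so the snippet cannot be pasted as written. Drop that line; the preceding `-m comment --comment "egress gateway: change mark"` already covers it. The same hunk keeps three more defects on `+` lines: the run of mis-encoded characters after `-j SNAT --to-source $EIP`, the doubled continuation `\ \` after `EGRESSGATEWAY-NO-SNAT`, and `$IPSET_RULE_DST_NAME` in the SNAT rule where the ipset block above it defines `IPSET_RULE_DEST_NAME` (an unset variable expands to nothing in the shell, so the rule would not reference the intended set). `egress-ingore-cidr` also reads like a misspelling of "ignore"; if that is the real set name, a short remark would stop readers from "correcting" it.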
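Review bot: The two re-indented TABLE_NUM bullets in docs/concepts/Datapath.en.md (hunk at -152,5) contradict each other: the first says a host has routing tables in [0, 255], the second gives a default starting value of 3000 for s. State which range is actually valid for table IDs. The interval `[s, (s+n)]` also contains n+1 values while n is described as the limit on controlled tables, so `[s, s+n-1]` would match the text. "Table names" is used where table numbers appear to be meant.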
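Review bot: The context line for item 1 in docs/reference/EgressClusterInfo.en.md ("The name is `default`.Only one can be created by the system maintenance;") is missing a space after the period and is hard to parse. Since this commit is a pass over minor errors, reword it along the lines of the zh text: the name is `default`, it is maintained by the system, and only one can be created. In the example itself, `extraCidr` lists `10.10.10.1` with no prefix length; say whether a bare address is accepted there or write it as a CIDR.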
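Review bot: `'fd00:1/126'` in the `podSubnet` context of docs/reference/EgressClusterPolicy.en.md and .zh.md is not a valid IPv6 prefix (it has no `::` and fewer than eight groups), and the same value appears in the EgressPolicy en and zh examples in this patch. Replace it with a well-formed prefix such as `fd00::/126` in all four files.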
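Review bot: In the `status.nodeList` example of docs/reference/EgressGateway.en.md and .zh.md, the key on the line `epis: # (12)` reads like a transposition of `eips`, given that the spec fields in the same example are `ipv4DefaultEIP` and `ipv6DefaultEIP`. Please check it against the CRD and correct it in this patch if so. Separately, the pool entry `"10.6.1.70/28"` has host bits set (the enclosing network is `10.6.1.64/28`), so the example should say which addresses it is meant to cover.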
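Review bot: In the YAML hunk of docs/reference/EgressPolicy.en.md and .zh.md (at -7,22), `appliedTo:` no longer carries an annotation and the renumbered list has no item that names it, so the reader is not told that `podSelector` (4) and `podSubnet` (5) are the two alternatives under `appliedTo`. Mention `appliedTo` in items 4 and 5, or keep a marker on that line.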
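Review bot: New item 5 in docs/reference/EgressPolicy.en.md (hunk at -32,8) ends without a period, unlike items 4, 6 and 7, and the file still ends with `\ No newline at end of file`; fix both while touching these lines. The unchanged context in item 2 refers to the EgressGateway's `.ranges`, while the EgressGateway example in this same patch names the field `ippools`; align the reference, in the zh file as well.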