diff --git a/docs/advance/nat-policy-rule.en.md b/docs/advance/nat-policy-rule.en.md index 6d1c4fc0e..2f7838f86 100644 --- a/docs/advance/nat-policy-rule.en.md +++ b/docs/advance/nat-policy-rule.en.md @@ -1,10 +1,10 @@ -# NAT Policy Rule Function +# Default VPC NAT Policy Rule -## NAT Policy Rule Function Purpose +## Purpose -In the Overlay subnet under the default VPC, when the `natOutgoing` switch is turned on, all Pods in the subnet need to do SNAT to access the external network to the IP of the current node, but in some scenarios we do not want all Pods in the subnet to access the external network by SNAT. +In the Overlay Subnet under the default VPC, when the `natOutgoing` switch is turned on, all Pods in the subnet need to do SNAT to access the external network, but in some scenarios we do not want all Pods in the subnet to access the external network by SNAT. -So the NAT Policy Rule is to provide an interface for users to decide which CIDRs or IPs in the subnet to access the external network for SNAT. +So the NAT Policy Rule is to provide a way for users to decide which CIDRs or IPs in the subnet to access the external network need SNAT. ## How to use NAT Policy Rules 
@@ -30,8 +30,7 @@ The above case shows that there are two NAT policy rules: Field description: -Action: Indicates the action that will be executed for the message that meets the corresponding conditions of the "match". The action is divided into two types: `forward` and `nat`. SNAT. -When natOutgoingPolicyRules is not configured, packets are still SNAT by default. +`action`: The action that will be executed for packets that meets the corresponding conditions of the `match`. The action is divided into two types: `forward` and `nat`. When natOutgoingPolicyRules is not configured, packets are still SNAT by default. -match: Indicates the matching segment of the message, the matching segment includes srcIPs and dstIPs, here indicates the source IP and destination IP of the message from the subnet to the external network. `match.srcIPs` and `match.dstIPs` support multiple cidr and ip, separated by commas. -If several matches are repeated but the actions are different, the array position of natOutgoingPolicyRules shall prevail, and the lower the array index, the higher the priority. +`match`: Indicates the matching segment of the message, the matching segment includes `srcIPs` and `dstIPs`, here indicates the source IP and destination IP of the message from the subnet to the external network. `match.srcIPs` and `match.dstIPs` support multiple cidr and ip, separated by commas. +If multiple match rules overlap, the action that is matched first will be executed according to the order of the `natOutgoingPolicyRules` array. diff --git a/docs/advance/nat-policy-rule.md b/docs/advance/nat-policy-rule.md index 2c70d1948..cf9da1ff0 100644 --- a/docs/advance/nat-policy-rule.md +++ b/docs/advance/nat-policy-rule.md 
@@ -1,12 +1,12 @@ -# NAT 策略规则功能 +# 默认 VPC NAT 策略规则 -## NAT 策略规则功能用途 +## 用途 -默认 VPC 下的 Overlay 子网,打开 `natOutgoing` 开关时,subnet 下的所有 Pod 访问外网都需要做 SNAT 成当前节点的 IP,但是有些场景我们并不希望子网内所有 Pod 访问外网都做 SNAT。 +默认 VPC 下的 Overlay 子网,打开 `natOutgoing` 开关时,Subnet 下的所有 Pod 访问外网都需要做 SNAT 成节点的 IP,但是有些场景我们并不希望子网内所有 Pod 访问外网都做 SNAT。 -所以 NAT 策略就是为了提供一个接口让用户决定子网内的哪些 CIDR 或者 IP 访问外网做 SNAT。 +因此 NAT 策略就是为了提供一个接口让用户决定子网内的哪些 CIDR 或者 IP 访问外网做 SNAT。 -## NAT 策略规则使用方法 +## 使用方法 在 `subnet.Spec` 中开启 `natOutgoing`开关, 并且添加字段 `natOutgoingPolicyRules` 如下: @@ -30,8 +30,9 @@ spec: 字段描述: -action:表示满足 match 对应条件的报文,会执行的 action, action 分为两种 `forward` 和 `nat` ,`forward` 表示报文出外网不做 SNAT, `nat` 表示报文出外网做 SNAT。 +`action`:满足 `match` 对应条件的报文,会执行的 action, action 分为两种 `forward` 和 `nat` ,`forward` 表示报文出外网不做 SNAT, `nat` 表示报文出外网做 SNAT。 没有配置 natOutgoingPolicyRules 时,默认情况报文仍然是做 SNAT。 -match:表示报文的匹配段,匹配段有 srcIPs 和 dstIPs, 这里表示从子网内到外网方向上的报文的源 IP 和 目的 IP。`match.srcIPs` 和 `match.dstIPs` 支持多个 cidr 和 ip,之间用逗号隔开即可。 -如果出现几个 match 重复但是 action 不一样,按照 natOutgoingPolicyRules 的数组位置为准,数组索引越低的优先级越高。 +`match`:表示报文的匹配段,匹配段有 `srcIPs` 和 `dstIPs`, 这里表示从子网内到外网方向上的报文的源 IP 和 目的 IP。`match.srcIPs` 和 `match.dstIPs` 支持多个 CIDR 和 IP,之间用逗号间隔。 + +如果出现多个 match 规则重叠,则按照 `natOutgoingPolicyRules` 数组顺序进行匹配,最先被匹配的 action 会被执行。 diff --git a/docs/advance/overlay-with-route.en.md b/docs/advance/overlay-with-route.en.md index fe9310941..455ecada2 100644 --- a/docs/advance/overlay-with-route.en.md +++ b/docs/advance/overlay-with-route.en.md @@ -69,3 +69,5 @@ spec: gatewayNode: "node1" natOutgoing: false ``` + +If you still want to perform NAT processing for some traffic, such as traffic accessing the Internet, please refer to the [Default VPC NAT Policy Rule](../advance/nat-policy-rule.md). diff --git a/docs/advance/overlay-with-route.md b/docs/advance/overlay-with-route.md index 1eaba4d36..a4f537c36 100644 --- a/docs/advance/overlay-with-route.md +++ b/docs/advance/overlay-with-route.md 
@@ -64,3 +64,5 @@ spec: gatewayNode: "node1" natOutgoing: false ``` + +如果对于部分流量(如访问外网的流量)仍然希望进行 nat 处理,请参考[默认 VPC NAT 策略规则](../advance/nat-policy-rule.en.md)。 diff --git a/docs/guide/subnet.en.md b/docs/guide/subnet.en.md index 7d9d9bc3a..aa9138914 100644 --- a/docs/guide/subnet.en.md +++ b/docs/guide/subnet.en.md @@ -312,6 +312,7 @@ spec: ## Other Advanced Settings - [Configure IPPool](./ippool.en.md) +- [Default VPC NAT Policy Rule](../advance/nat-policy-rule.en.md) - [Manage QoS](./qos.en.md) - [Manage Multiple Interface](../advance/multi-nic.en.md) - [DHCP](../advance/dhcp.en.md) diff --git a/docs/guide/subnet.md b/docs/guide/subnet.md index 03bf4d5de..92db7d6a4 100644 --- a/docs/guide/subnet.md +++ b/docs/guide/subnet.md @@ -299,6 +299,7 @@ spec: ## 其他高级设置 - [IP 池使用](./ippool.md) +- [默认 VPC NAT 策略规则](../advance/nat-policy-rule.md) - [QoS 设置](./qos.md) - [多网卡管理](../advance/multi-nic.md) - [DHCP 选项](../advance/dhcp.md) diff --git a/mkdocs.yml b/mkdocs.yml index ded481b66..9a4ba1ac8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -67,7 +67,7 @@ nav: - OVN IPsec 支持: 'advance/ovn-ipsec.md' - OVN 流量镜像: 'advance/ovn-remote-port-mirroring.md' - 节点本地 DNS 缓存和 Kube-OVN 适配 : 'advance/node-local-dns.md' - - NAT 策略规则功能 : 'advance/nat-policy-rule.md' + - 默认 VPC NAT 策略规则: 'advance/nat-policy-rule.md' - 技术参考: - 总体架构: 'reference/architecture.md' - 功能成熟度: 'reference/feature-stage.md' @@ -210,7 +210,7 @@ plugins: OVN IPsec 支持: OVN IPsec Support OVN 流量镜像: OVN Remote Port Mirroring 节点本地 DNS 缓存和 Kube-OVN 适配 : Node Local DNS Cache and Kube-OVN Adaptation - NAT 策略规则功能 : NAT Policy Rule Function + 默认 VPC NAT 策略规则: Default VPC NAT Policy Rule 调整日志等级: Change Log Level 使用 Sealos 一键部署 Kubernetes 和 Kube-OVN: Use Sealos to Deploy Kubernetes and Kube-OVN - git-revision-date-localized:
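Review bot: in the first `docs/advance/nat-policy-rule.en.md` hunk (the Purpose section), the rewritten sentence drops "to the IP of the current node", but the Chinese counterpart in the same patch keeps it ("SNAT 成节点的 IP"). Either keep it in English ("all Pods in the subnet need SNAT to the node IP to access the external network") or drop it in both files, so the two translations describe the same behaviour; readers reasoning about what source address leaves the cluster rely on that detail.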
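Review bot: in the field-description hunk of `docs/advance/nat-policy-rule.en.md`, the new `action` line still never states which action does what, while the Chinese file spells it out (`forward` 表示报文出外网不做 SNAT, `nat` 表示报文出外网做 SNAT). Since this is the setting that decides whether a Pod egresses with its own address or the node's, suggest appending after "two types: `forward` and `nat`." a sentence such as "`forward` sends the packet out without SNAT; `nat` applies SNAT." On the same line, "packets that meets" should be "packets that meet", and "packets are still SNAT by default" reads better as "packets are still SNATed by default". Also, the new "If multiple match rules overlap" sentence is attached directly under the `match` paragraph with no blank line, whereas the Chinese hunk separates it into its own paragraph; add the blank line so the precedence rule renders as a paragraph of its own.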
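Review bot: the link added at the end of `docs/advance/overlay-with-route.en.md` targets `../advance/nat-policy-rule.md`, which is the Chinese page; the English page is `nat-policy-rule.en.md`, as the `docs/guide/subnet.en.md` hunk in this same patch uses. Change the line to `If you still want to perform NAT processing for some traffic, ... [Default VPC NAT Policy Rule](../advance/nat-policy-rule.en.md).`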
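Review bot: the link in `docs/advance/overlay-with-route.md` points at `../advance/nat-policy-rule.en.md`, the English page, from the Chinese document; it should be `../advance/nat-policy-rule.md`, matching the `docs/guide/subnet.md` hunk. The two overlay-with-route files have their targets swapped, so fix both together. Minor: "nat 处理" in that sentence should be "NAT 处理" for consistency with the rest of the page.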