Merged
Expand Up @@ -23,3 +23,67 @@ To achieve automatic interconnection between Underlay and Overlay subnets, you c
6. Click **Update**.

**Note**: Existing compute components in the Underlay subnet need to be recreated for the changes to take effect.

## Isolation Between Underlay Subnets with u2oInterconnection Enabled

When multiple Underlay subnets have `u2oInterconnection: true` enabled, traffic between them no longer goes through the physical gateway but is routed directly via the internal OVN network.

If you need to isolate two Underlay subnets while both have `u2oInterconnection` enabled, you must first configure the kube-ovn-controller parameter, then configure the subnet isolation.

### Step 1: Configure kube-ovn-controller

Modify the kube-ovn-controller Deployment to disable connection tracking skip for destination logical port IPs:

```bash
kubectl edit deployment kube-ovn-controller -n kube-system
```

Add or modify the following argument:

```yaml
spec:
template:
spec:
containers:
- name: kube-ovn-controller
args:
- --ls-ct-skip-dst-lport-ips=false
```

:::caution

`--ls-ct-skip-dst-lport-ips` controls whether to skip connection tracking (conntrack) for traffic destined to logical port IPs. The default value is `true`, which skips conntrack to improve performance. Setting it to `false` does not affect functionality but may slightly impact performance.

However, for Underlay subnets with ACL-based isolation, you **must** set it to `false`. Otherwise, gateway-to-Pod traffic will fail (e.g., ping requests reach the Pod but replies are dropped), because ACL isolation uses `allow-related` which requires conntrack state; without it, replies cannot be identified as "related" and get dropped.

:::

### Step 2: Configure Subnet Isolation

Configure the subnet with the following parameters:

```yaml
spec:
u2oInterconnection: true
private: true
allowSubnets:
- 10.0.0.0/24 # CIDR of the subnet allowed for inbound access
- 172.16.0.0/16 # Node network CIDR (REQUIRED)
```
Comment on lines +61 to +72
Contributor

⚠️ Potential issue | 🟡 Minor

Step 2 is missing instructions on how to apply the subnet configuration.

Step 1 provides an explicit kubectl edit command, but Step 2 only presents a bare spec: YAML fragment with no guidance on how to apply it — no kubectl edit subnet <name>, no kubectl patch, and no reference to the existing UI workflow from the Procedure section above. Users unfamiliar with Kube-OVN will not know how to apply this config.

✏️ Suggested addition before the YAML block
 Configure the subnet with the following parameters:
 
+```bash
+kubectl edit subnet <subnet-name>
+```
+
+Add or modify the following fields under `spec`:
+
 ```yaml
 spec:
   u2oInterconnection: true
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/en/configure/networking/how_to/kube_ovn/underlay_overlay_st.mdx` around
lines 59 - 70, Add explicit application instructions before the presented spec
YAML: tell the user to run a kubectl edit subnet <subnet-name> (or kubectl patch
subnet <subnet-name> --type=merge -p ...) to add/modify the spec fields
u2oInterconnection, private and allowSubnets, and also mention the alternative
of applying the same changes via the Kube-OVN UI subnet edit workflow; ensure
the text says "Add or modify the following fields under spec:" immediately
before the YAML so users know how to apply the config.


**Parameters**:

- `private: true`: Enables subnet isolation. This restricts inbound traffic to only the subnets specified in `allowSubnets`.
- `allowSubnets`: An array of CIDR strings specifying which subnets are allowed for inbound access.

:::caution

**You must include the node network CIDR in `allowSubnets`**. Otherwise, nodes will not be able to communicate with Pods in this subnet, which may cause health checks, log collection, and other node-to-pod traffic to fail.

:::

:::note

Setting `private: true` only restricts inbound traffic to the subnet. It does not affect outbound traffic from Pods within the subnet.

:::
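Review bot: In Step 2 the `allowSubnets` example needs to state what each entry stands for, because `private: true` drops every inbound source that is not listed. The comment `- 10.0.0.0/24 # CIDR of the subnet allowed for inbound access` should make clear that this is a peer subnet you still want reaching this one and must not be the Underlay subnet you are isolating from; and since this section sits under u2oInterconnection, it should also say that any Overlay subnet that previously reached this Underlay subnet through the interconnection has to be listed too, or it will be cut off along with the other Underlay subnet. Both sample CIDRs (`10.0.0.0/24` and `172.16.0.0/16`) read as literal values; a sentence next to `# Node network CIDR (REQUIRED)` saying they are placeholders to replace with the cluster's own ranges would stop readers copying them verbatim, which with the node CIDR wrong would reproduce exactly the node-to-Pod failure the caution warns about.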