Subnet Access Control
By default, subnets created by Kube-OVN can communicate with each other, and pods can access external networks through gateways.
To restrict access between subnets, set private to true in the subnet CRD. A private subnet is isolated from other subnets and from external networks: only pods inside the subnet can talk to each other. You can then whitelist specific peer subnets by listing their CIDRs in the allowSubnets field of the subnet's YAML manifest.
Access control can be refined further with Kubernetes network policies. Kube-OVN implements network policy rules, and they take priority over the access control settings in the subnet CRD.
The following is an example of configuring access control for a subnet.
vim subnet-acl.yaml
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: subnet-acl
spec:
  protocol: IPv4
  default: false
  namespaces:
  - ns1
  - ns2
  cidrBlock: 10.69.0.0/16
  # The gateway must lie inside cidrBlock; it is reserved via excludeIps.
  gateway: 10.69.0.1
  excludeIps:
  - 10.69.0.1
  # Isolate the subnet; only the CIDRs below may reach it.
  private: true
  allowSubnets:
  - 10.16.0.0/16
  - 10.18.0.0/16
kubectl create -f subnet-acl.yaml
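The following script is an added example, not Kube-OVN project code. It re-implements the rule described above in Python so the manifest can be sanity-checked before it is applied: validate_subnet flags a gateway or excludeIps entry that falls outside cidrBlock and malformed allowSubnets entries, and is_allowed answers whether a given source/destination pair would pass a private subnet's whitelist. The spec dictionary is constructed to mirror subnet-acl.yaml; network policies, which override these settings, are not modelled.

```python
"""Pre-apply checks for the access-control fields of a Kube-OVN Subnet.

Added example (not Kube-OVN project code).  It models the semantics the
page describes for `private` and `allowSubnets`: a private subnet talks
only to itself and to the whitelisted CIDRs.  Network policies, which take
priority over these settings, are not modelled.
"""
import ipaddress

# Constructed spec, mirroring the subnet-acl.yaml manifest above.
SUBNET_ACL_SPEC = {
    "protocol": "IPv4",
    "default": False,
    "namespaces": ["ns1", "ns2"],
    "cidrBlock": "10.69.0.0/16",
    "gateway": "10.69.0.1",
    "excludeIps": ["10.69.0.1"],
    "private": True,
    "allowSubnets": ["10.16.0.0/16", "10.18.0.0/16"],
}


def validate_subnet(spec):
    """Return a list of problems; an empty list means the spec is consistent."""
    problems = []
    try:
        cidr = ipaddress.ip_network(spec["cidrBlock"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"cidrBlock is missing or not a valid network: {exc}"]

    gateway = spec.get("gateway")
    if gateway is None:
        problems.append("gateway is not set")
    else:
        try:
            if ipaddress.ip_address(gateway) not in cidr:
                problems.append(f"gateway {gateway} is outside cidrBlock {cidr}")
        except ValueError:
            problems.append(f"gateway {gateway!r} is not a valid IP address")

    for raw in spec.get("excludeIps", []):
        # excludeIps entries may also be "a..b" ranges; only single
        # addresses are checked here.
        if ".." in raw:
            continue
        try:
            if ipaddress.ip_address(raw) not in cidr:
                problems.append(f"excludeIps entry {raw} is outside cidrBlock {cidr}")
        except ValueError:
            problems.append(f"excludeIps entry {raw!r} is not a valid IP address")

    if not isinstance(spec.get("private", False), bool):
        problems.append("private must be a boolean")

    for raw in spec.get("allowSubnets", []):
        try:
            allowed = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            problems.append(f"allowSubnets entry {raw!r} is not a valid CIDR")
            continue
        if allowed.overlaps(cidr):
            problems.append(f"allowSubnets entry {allowed} overlaps cidrBlock "
                            f"{cidr} (intra-subnet traffic is already allowed)")

    if spec.get("allowSubnets") and not spec.get("private", False):
        problems.append("allowSubnets has no effect unless private is true")
    return problems


def is_allowed(spec, src, dst):
    """Does traffic src -> dst pass the subnet's private/allowSubnets rule?

    At least one endpoint must belong to the subnet; the other is the peer.
    A non-private subnet allows everything; a private subnet allows the peer
    only if it is inside the subnet itself or inside one of allowSubnets.
    """
    cidr = ipaddress.ip_network(spec["cidrBlock"], strict=False)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in cidr and dst_ip not in cidr:
        raise ValueError("neither endpoint belongs to this subnet")
    if not spec.get("private", False):
        return True
    peer = dst_ip if src_ip in cidr else src_ip
    if peer in cidr:
        return True
    return any(peer in ipaddress.ip_network(a, strict=False)
               for a in spec.get("allowSubnets", []))


if __name__ == "__main__":
    for problem in validate_subnet(SUBNET_ACL_SPEC):
        print("PROBLEM:", problem)
    for s, d in [("10.69.1.2", "10.69.3.4"), ("10.69.1.2", "10.16.0.5"),
                 ("10.69.1.2", "8.8.8.8")]:
        verdict = "allowed" if is_allowed(SUBNET_ACL_SPEC, s, d) else "dropped"
        print(f"{s} -> {d}: {verdict}")
```

Run it before kubectl create: a manifest whose gateway sits outside cidrBlock (the kind of slip that makes the controller reject the subnet) is reported immediately, and the is_allowed calls show which peers the whitelist admits and which it drops.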