Configure Centralized Gateway

Centralized Gateway allows Pods within a subnet to access the external network using fixed IPs. This is particularly useful for security operations such as network auditing, IP whitelisting, and firewall rule management, where you need to identify and control traffic from specific source IPs. In centralized gateway mode, all outbound traffic from Pods is routed through designated gateway nodes, enabling centralized network policy enforcement and monitoring.

NOTE

Pods under a centralized subnet cannot be accessed through hostport or a NodePort type Service with externalTrafficPolicy: Local.

If you want traffic within the Subnet to reach the external network from a fixed source IP, for security operations such as auditing and whitelisting, set the Subnet's gatewayType to centralized. In centralized gateway mode, packets from Pods to the external network are first routed to the ovn0 NIC of a designated gateway node and then leave through that host's routing rules. When natOutgoing is true, the traffic is source-NATed, so the Pod appears to the external network with the IP of that gateway node.

The centralized gateway example is as follows, where the gatewayType field is centralized and gatewayNode is a comma-separated list of the Kubernetes NodeNames of the machines that should act as gateways.

apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: centralized
spec:
  protocol: IPv4
  cidrBlock: 10.166.0.0/16
  default: false
  excludeIps:
  - 10.166.0.1
  gateway: 10.166.0.1
  gatewayType: centralized
  gatewayNode: "node1,node2"
  natOutgoing: true

• If a centralized gateway should use a specific NIC of a machine for outbound traffic, the gatewayNode format can be changed to node:ip, for example kube-ovn-worker:172.18.0.2,kube-ovn-control-plane:172.18.0.3, where the IP identifies the NIC on that node.
• The spec field enableEcmp was added to the Subnet CRD in Kube-OVN v1.12.0, moving the ECMP switch to the subnet level so that ECMP mode can be enabled or disabled per subnet. The enable-ecmp parameter of the kube-ovn-controller deployment is no longer used. When an earlier version is upgraded to v1.12.0, each subnet's switch automatically inherits the value of the former global parameter.

NOTE

In centralized gateway ECMP mode, kube-ovn-controller actively probes node status through ping, detecting failures within 5s and completing failover within 5s-10s, during which some traffic may fail.

In centralized gateway primary-backup mode, failover is based on Node Ready status, so it may take several minutes to complete failover after a gateway node loses power.


Using Label Selectors to Specify Gateway Nodes

In addition to specifying node names directly, you can use gatewayNodeSelectors to select gateway nodes dynamically with label selectors. This approach is more flexible and is especially useful when node names are not fixed, or when the set of gateway nodes should follow node labels rather than a static list.

NOTE

• If gatewayNode is not empty, it takes precedence and gatewayNodeSelectors is ignored.
• Multiple selectors are evaluated with OR logic: a node matching any one selector becomes a gateway node.
• When node labels change, the system automatically updates the gateway node list.

apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: centralized-selector
spec:
  protocol: IPv4
  cidrBlock: 10.166.0.0/16
  default: false
  excludeIps:
  - 10.166.0.1
  gateway: 10.166.0.1
  gatewayType: centralized
  gatewayNodeSelectors:
    - matchLabels:
        role: gateway
    - matchExpressions:
        - key: node-type
          operator: In
          values: ["gateway", "egress"]
  natOutgoing: true
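The precedence rule (gatewayNode wins over gatewayNodeSelectors), the node:ip form of gatewayNode, and the OR evaluation across selectors together decide which node IPs will show up as egress sources, which is exactly what an external firewall whitelist has to be kept in sync with. The following script is an added example, not Kube-OVN's own code: it re-implements those selection rules over a constructed node inventory and two constructed Subnet manifests so the effective gateway set can be audited before a manifest is applied. Node names, labels and IPs are sample data; the matchExpressions operators follow standard Kubernetes LabelSelector semantics.

```python
"""Resolve which nodes a Kube-OVN centralized Subnet will use as gateways.

Added example, not Kube-OVN code. Rules re-implemented from the page:
  * spec.gatewayNode is a comma-separated list of "name" or "name:ip";
    when non-empty it wins and spec.gatewayNodeSelectors is ignored;
  * otherwise a node is a gateway node if it matches ANY selector (OR),
    where one selector's matchLabels and matchExpressions must all hold.
Inventory and manifests below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

GatewayEntry = Tuple[str, Optional[str]]  # (node name, egress IP or None)

# Constructed inventory: node name -> labels (not from a real cluster).
NODES: Dict[str, Dict[str, str]] = {
    "node1": {"role": "gateway", "zone": "a"},
    "node2": {"node-type": "egress", "zone": "b"},
    "node3": {"node-type": "worker", "zone": "a"},
    "node4": {"role": "gateway", "node-type": "egress", "quarantine": "true"},
}


def parse_gateway_node(field: str) -> List[GatewayEntry]:
    """Parse spec.gatewayNode: "node1,node2" or the per-NIC "node:ip,node:ip"."""
    entries: List[GatewayEntry] = []
    for raw in field.split(","):
        raw = raw.strip()
        if raw:
            name, _, ip = raw.partition(":")
            entries.append((name, ip or None))
    return entries


def match_expression(labels: Dict[str, str], expr: dict) -> bool:
    """One matchExpressions item with Kubernetes LabelSelector semantics."""
    key, op, values = expr["key"], expr["operator"], set(expr.get("values", []))
    if op == "In":
        return labels.get(key) in values
    if op == "NotIn":
        return labels.get(key) not in values  # an absent key also satisfies NotIn
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator {op!r}")


def selector_matches(labels: Dict[str, str], selector: dict) -> bool:
    """Within one selector every matchLabels pair AND every expression must hold."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(match_expression(labels, e) for e in selector.get("matchExpressions", []))


def resolve_gateway_nodes(subnet: dict, nodes: Dict[str, Dict[str, str]]) -> List[GatewayEntry]:
    """Gateway nodes the Subnet will use, applying the gatewayNode-first rule."""
    spec = subnet["spec"]
    if spec.get("gatewayType") != "centralized":
        return []  # distributed subnets egress from each Pod's own node
    explicit = spec.get("gatewayNode", "")
    if explicit.strip():
        return parse_gateway_node(explicit)  # selectors ignored even if present
    selectors = spec.get("gatewayNodeSelectors", [])
    return [(name, None) for name, labels in sorted(nodes.items())
            if any(selector_matches(labels, s) for s in selectors)]


def audit(subnet: dict, nodes: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings an operator would want to see before applying the manifest."""
    spec, findings = subnet["spec"], []
    resolved = resolve_gateway_nodes(subnet, nodes)
    if spec.get("gatewayNode", "").strip() and spec.get("gatewayNodeSelectors"):
        findings.append("gatewayNode is set, so gatewayNodeSelectors has no effect")
    findings += [f"gateway node {n!r} is not in the inventory" for n, _ in resolved if n not in nodes]
    if spec.get("gatewayType") == "centralized" and not resolved:
        findings.append("no node matches: the subnet would have no gateway node")
    return findings


# Constructed manifest, selectors only. Selector 2 excludes quarantined nodes,
# but node4 still qualifies through selector 1 because selectors are OR'ed.
SUBNET_SELECTOR = {
    "apiVersion": "kubeovn.io/v1", "kind": "Subnet",
    "metadata": {"name": "centralized-selector"},
    "spec": {"gatewayType": "centralized", "natOutgoing": True,
             "gatewayNodeSelectors": [
                 {"matchLabels": {"role": "gateway"}},
                 {"matchExpressions": [
                     {"key": "node-type", "operator": "In", "values": ["gateway", "egress"]},
                     {"key": "quarantine", "operator": "DoesNotExist"}]}]},
}

# Constructed manifest, per-NIC gatewayNode plus selectors: gatewayNode wins.
SUBNET_EXPLICIT = {
    "apiVersion": "kubeovn.io/v1", "kind": "Subnet",
    "metadata": {"name": "centralized"},
    "spec": {"gatewayType": "centralized", "natOutgoing": True,
             "gatewayNode": "node1:172.18.0.2, node2:172.18.0.3",
             "gatewayNodeSelectors": [{"matchLabels": {"role": "gateway"}}]},
}

if __name__ == "__main__":
    for sn in (SUBNET_SELECTOR, SUBNET_EXPLICIT):
        print(sn["metadata"]["name"], resolve_gateway_nodes(sn, NODES), audit(sn, NODES))
```

The point worth noticing in the selector manifest is that a DoesNotExist clause only narrows the selector it sits in: node4 carries the quarantine label but still becomes a gateway through the first selector. To keep a node out of the egress set, every selector must exclude it, or the offending label must be dropped from the node.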