Docs/u2o interconnection subnet isolation #583

Open
changluyi wants to merge 2 commits into alauda:master from changluyi:docs/u2o-interconnection-subnet-isolation
@changluyi (Collaborator) commented Mar 4, 2026

Summary by CodeRabbit

  • Documentation
    • Replaced prior subnet isolation guidance with an ACL-based approach for ingress traffic, including two drop-rule examples using IP matches.
    • Added an "ACL Parameters" table and updated YAML snippet descriptions.
    • Revised caution/note sections and removed the old allowSubnets instructions; updated practical examples and setup steps accordingly.

@coderabbitai bot (Contributor) commented Mar 4, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between f042674 and 3f73596.

📒 Files selected for processing (1)
  • docs/en/configure/networking/how_to/kube_ovn/underlay_overlay_st.mdx

Walkthrough

Replaces the previous subnet isolation fields (private, allowSubnets) with an ACL-based acls configuration in the kube-ovn underlay/overlay documentation, adds ACL parameter table and two example ingress drop rules; documentation-only changes, no runtime code edits.

Changes

Cohort / File(s): Documentation (docs/en/configure/networking/how_to/kube_ovn/underlay_overlay_st.mdx)
Summary: Replaced subnet isolation guidance using private/allowSubnets with an ACL-based acls approach; added ACL Parameters table, two example ingress drop rules matching IPs, updated caution/note text, and removed old allowSubnets guidance.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • fanzy618

🚥 Pre-merge checks: ✅ 3 passed

  • Description check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: updating documentation for subnet isolation in U2O (underlay-overlay) interconnection using an ACL-based approach instead of the previous configuration method.
  • Docstring coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Signed-off-by: clyi <clyi@alauda.io>
@changluyi force-pushed the docs/u2o-interconnection-subnet-isolation branch from b899196 to f042674 on March 4, 2026 01:39

@coderabbitai bot (Contributor) left a comment

🧹 Nitpick comments (2)
docs/en/configure/networking/how_to/kube_ovn/underlay_overlay_st.mdx (2)

67-76: Consider using placeholder notation for example CIDRs.

The specific CIDRs 172.20.0.0/16 and 192.50.0.0/16 may confuse users about their purpose. Consider adding a comment or using placeholder notation (e.g., <OTHER_SUBNET_CIDR>) to clarify these should be replaced with the actual CIDRs of subnets the user wants to block.

📝 Suggested improvement
 spec:
   u2oInterconnection: true
   acls:
   - action: drop
     direction: to-lport  # Ingress direction (traffic entering the logical port)
-    match: ip4.src == 172.20.0.0/16
+    match: ip4.src == 172.20.0.0/16  # Replace with the CIDR of the subnet to isolate from
     priority: 1001
   - action: drop
     direction: to-lport  # Ingress direction
-    match: ip4.src == 192.50.0.0/16
+    match: ip4.src == 192.50.0.0/16  # Replace with another subnet CIDR as needed
     priority: 1001
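
Review bot: Both `match` lines test only `ip4.src`, so on a dual-stack subnet these two drop rules leave IPv6 traffic from the same sources untouched; the added comments should say the rules are IPv4-only, or the example should gain a matching `ip6.src` rule. The second example CIDR, 192.50.0.0/16, is also outside the RFC 1918 ranges, so a private or clearly placeholder value would be a safer thing for readers to copy.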

1-2: Filename uses underscores instead of kebab-case.

The file is named underlay_overlay_st.mdx, but coding guidelines require kebab-case for MDX files (e.g., underlay-overlay-st.mdx). Since this is an existing file, renaming may be out of scope for this PR, but consider addressing it in a follow-up to maintain consistency.

As per coding guidelines: "Use kebab-case for all MDX file and directory names".

📥 Commits

Reviewing files that changed from the base of the PR and between b899196 and f042674.

📒 Files selected for processing (1)
  • docs/en/configure/networking/how_to/kube_ovn/underlay_overlay_st.mdx
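
A check for the two drop rules in the suggested diff above, as an added example that is not part of this PR or of Kube-OVN: it parses the simple `ip4.src == <CIDR>` match form, reports which source addresses the rules drop on ingress, and flags CIDRs outside RFC 1918 space and missing IPv6 coverage. The function names and the dict form of the ACL entries are assumptions made for this example.

```python
import ipaddress
import re

# Constructed input: the two ACL entries from the suggested diff, as dicts.
ACLS = [
    {"action": "drop", "direction": "to-lport",
     "match": "ip4.src == 172.20.0.0/16", "priority": 1001},
    {"action": "drop", "direction": "to-lport",
     "match": "ip4.src == 192.50.0.0/16", "priority": 1001},
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Only the simple "<ip4|ip6>.src == <CIDR>" form used on this page is parsed.
MATCH_RE = re.compile(r"^(ip4|ip6)\.src\s*==\s*(\S+)$")


def audit_ingress_drops(acls):
    """Return (networks dropped on ingress, list of review findings)."""
    nets, findings = [], []
    for i, acl in enumerate(acls):
        if acl.get("action") != "drop" or acl.get("direction") != "to-lport":
            continue  # not an ingress drop rule
        m = MATCH_RE.match(acl.get("match", "").strip())
        if not m:
            findings.append(f"acls[{i}]: match form not handled by this check")
            continue
        try:
            # strict=True rejects CIDRs with host bits set (e.g. 172.20.1.0/16)
            net = ipaddress.ip_network(m.group(2), strict=True)
        except ValueError as exc:
            findings.append(f"acls[{i}]: bad CIDR ({exc})")
            continue
        if net.version != (4 if m.group(1) == "ip4" else 6):
            findings.append(f"acls[{i}]: {m.group(1)} field with IPv{net.version} CIDR")
            continue
        if net.version == 4 and not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"acls[{i}]: {net} is outside RFC 1918 space")
        nets.append(net)
    if nets and all(n.version == 4 for n in nets):
        findings.append("only ip4.src rules: IPv6 sources are not dropped")
    return nets, findings


def is_dropped(src, nets):
    """True if src falls inside any network dropped on ingress."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in nets)
```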

Signed-off-by: clyi <clyi@alauda.io>