diff --git a/README.md b/README.md
index b90f8eea2..05052d72c 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@
## Background
-
+
Starting with 2021, we received some feedback as follows.
diff --git a/docs/README.en.md b/docs/README.en.md
index 5ee8ba9f1..f769f2546 100644
--- a/docs/README.en.md
+++ b/docs/README.en.md
@@ -1,6 +1,6 @@
The gateway provides network egress capabilities for Kubernetes clusters.
-
+
Starting with 2021, we received some feedback as follows.
@@ -15,7 +15,7 @@ There are two clusters A and B. Cluster A is VMWare-based and runs mainly Databa
* Can be used in low kernel version.
* Support multiple egress gateways instance.
* Support namespaced egress IP.
-* Supports automatic detection of cluster traffic for egress gateways policies.
+* Support automatic detection of cluster traffic for egress gateways policies.
* Support namespace default egress instances.
### Compatibility
@@ -45,4 +45,4 @@ Refer to [develop](develop/Develop.md).
## License
-EgressGateway is licensed under the Apache License, Version 2.0. See [LICENSE](https://github.com/spidernet-io/spiderpool/blob/main/LICENSE) for the full license text.
\ No newline at end of file
+EgressGateway is licensed under the Apache License, Version 2.0. See [LICENSE](https://github.com/spidernet-io/spiderpool/blob/main/LICENSE) for the full license text.
diff --git a/docs/README.zh.md b/docs/README.zh.md
index ed0d11b4c..8d0abf0fd 100644
--- a/docs/README.zh.md
+++ b/docs/README.zh.md
@@ -1,17 +1,17 @@
EgressGateway 项目为 Kubernetes 提供 Egress 能力。
-
+
从2021年开始,我们收到了以下反馈。
-有两个集群 A 和 B。集群 A 基于 VMWare 并主要运行数据库负载,集群 B 是一个 Kubernetes 集群。集群 B 中的某些应用需要访问集群 A 中的数据库,而网络管理员希望通过出口网关管理集群的 Pods。
+有两个集群 A 和 B。集群 A 基于 VMWare 并主要运行数据库负载,集群 B 是一个 Kubernetes 集群。集群 B 中的某些应用需要访问集群 A 中的数据库,而网络管理员希望通过出口网关管理集群的 Pod。
## 特性
* 解决 IPv4/IPv6 双栈连接问题
* 解决 Egress 节点的高可用性问题
-* 允许过滤 Pods 的 Egress 策略(_目标 CIDR_)
-* 允许过滤 Egress 应用(_Pods_)
+* 允许过滤 Pod 的 Egress 策略(_目标 CIDR_)
+* 允许过滤 Egress 应用(_Pod_)
* 可用于较低内核版本
* 支持多个出口网关实例
* 支持租户级别的 Egress IP
@@ -45,4 +45,4 @@ EgressGateway 项目为 Kubernetes 提供 Egress 能力。
## License
-EgressGateway 基于 Apache License,Version 2.0。详细参考 [LICENSE](https://github.com/spidernet-io/spiderpool/blob/main/LICENSE) 查看完整 LICENSE 内容。
\ No newline at end of file
+EgressGateway 基于 Apache License,Version 2.0。详细参考 [LICENSE](https://github.com/spidernet-io/spiderpool/blob/main/LICENSE) 查看完整 LICENSE 内容。
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index a25c36cbc..d16be8c7c 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -89,7 +89,7 @@ nav:
- Concepts:
- Architecture: concepts/Architecture.md
- Datapath: concepts/Datapath.md
- - reference:
+ - Reference:
- CRD EgressTunnel: reference/EgressTunnel.md
- CRD EgressGateway: reference/EgressGateway.md
- CRD EgressPolicy: reference/EgressPolicy.md
@@ -98,7 +98,7 @@ nav:
- CRD EgressClusterEndpointSlice: reference/EgressClusterEndpointSlice.md
- CRD EgressClusterInfo: reference/EgressClusterInfo.md
- Troubleshooting: Troubleshooting.md
- - Develop:
+ - Development:
- DataFlow: develop/Dataflow.md
- Contribute: develop/Contribute.md
- Release: develop/Release.md
diff --git a/docs/proposal/01-egress-gateway/Agent Reconcile Flow.png b/docs/proposal/01-egress-gateway/Agent-Reconcile-Flow.png
similarity index 100%
rename from docs/proposal/01-egress-gateway/Agent Reconcile Flow.png
rename to docs/proposal/01-egress-gateway/Agent-Reconcile-Flow.png
diff --git a/docs/proposal/01-egress-gateway/Controller Reconcile Flow.png b/docs/proposal/01-egress-gateway/Controller-Reconcile-Flow.png
similarity index 100%
rename from docs/proposal/01-egress-gateway/Controller Reconcile Flow.png
rename to docs/proposal/01-egress-gateway/Controller-Reconcile-Flow.png
diff --git a/docs/proposal/01-egress-gateway/Egress Gateway Datapath.png b/docs/proposal/01-egress-gateway/Egress-Gateway-Datapath.png
similarity index 100%
rename from docs/proposal/01-egress-gateway/Egress Gateway Datapath.png
rename to docs/proposal/01-egress-gateway/Egress-Gateway-Datapath.png
diff --git a/docs/proposal/01-egress-gateway/Egress Gateway.png b/docs/proposal/01-egress-gateway/Egress-Gateway.png
similarity index 100%
rename from docs/proposal/01-egress-gateway/Egress Gateway.png
rename to docs/proposal/01-egress-gateway/Egress-Gateway.png
diff --git a/docs/proposal/01-egress-gateway/EgressGateway.md b/docs/proposal/01-egress-gateway/EgressGateway.md
index ff1759567..acc50b736 100644
--- a/docs/proposal/01-egress-gateway/EgressGateway.md
+++ b/docs/proposal/01-egress-gateway/EgressGateway.md
@@ -90,7 +90,7 @@ spec:
### Datapath
-
+
A combination of vxlan tunnel, ipset, iptables, route is required to complete policy control.
@@ -162,12 +162,12 @@ iptables -t nat -I POSTROUTING 1 -m mark --mark 0x12000000 -j ACCEPT -m comment
Controller consists of Webhook Validator and Reconcile Flow.
-
+
Controller has 2 control processes, the first Watch cluster nodes, generate tunnel IP address and MAC address for Node, then `Create` or `Update` EgressTunnel CR Status. The second control flow watch `EgressTunnel` and `Egressgateway`, sync match node list from `labelSelector`, election egress gateway node.
### Agent
-
+
Agent has two control processes, the first Watch `EgressTunnel` CR, which manages node tunnel, and node tunnel is a pluggable interface that can be replaced by Geneve. The second control process manages datapath policy, which watches `EgressTunnel`, `EgressGateway` and `Egresspolicy`, and sends them to the host through the police interface. It is currently implemented by a combination of *ipset*, *iptables*, and *route*, and it can be replaced by *eBPF*.
diff --git a/docs/usage/Install.en.md b/docs/usage/Install.en.md
index 0db6c3f8a..19e05f35f 100644
--- a/docs/usage/Install.en.md
+++ b/docs/usage/Install.en.md
@@ -1,139 +1,301 @@
-## Requirement
+# Installing EgressGateway on a Self-Managed Cluster
-Egressgateway currently supports collaboration with Calico CNI and will support collaboration with more CNIs in the future.
-Below are the configuration methods for different CNIs:
+## Introduction
-### Calico
+This guide will demonstrate the quick installation of EgressGateway on a self-managed cluster.
-Required settings `chainInsertMode` to `Append`, for example in the code,
-more reference [calico docs](https://projectcalico.docs.tigera.io/reference/resources/felixconfig):
+## Requirements
-```yaml
-apiVersion: projectcalico.org/v3
-kind: FelixConfiguration
-metadata:
- name: default
-spec:
- ipv6Support: false
- ipipMTU: 1400
- chainInsertMode: Append # (1)
-```
+1. You should already have a self-managed Kubernetes cluster with at least 2 nodes.
+
+2. The cluster should have helm tool installed and ready to use.
+
+3. Currently, EgressGateway supports the following CNI (Container Network Interface):
+
+ * "Calico"
+
+ If your cluster is using [Calico](https://www.tigera.io/project-calico/) CNI, please execute the following command.
+ This command ensures that the iptables rules of EgressGateway are not overridden by Calico rules; otherwise,
+ EgressGateway will not function properly.
+
+ ```shell
+ # set chainInsertMode
+ $ kubectl patch FelixConfiguration default --patch '{"spec": {"chainInsertMode": "Append"}}'
+
+ # check status
+ $ kubectl get FelixConfiguration default -o yaml
+ apiVersion: crd.projectcalico.org/v1
+ kind: FelixConfiguration
+ metadata:
+ generation: 2
+ name: default
+ resourceVersion: "873"
+ uid: 0548a2a5-f771-455b-86f7-27e07fb8223d
+ spec:
+ chainInsertMode: Append
+ ......
+ ```
+
+ > For details about `spec.chainInsertMode`, see [Calico docs](https://projectcalico.docs.tigera.io/reference/resources/felixconfig).
+
+ * "Flannel"
+
+ [Flannel](https://github.com/flannel-io/flannel) CNI does not require any configuration. You can skip this step.
+
+ * "Weave"
+
+ [Weave](https://github.com/flannel-io/flannel) CNI does not require any configuration. You can skip this step.
+
+ * "Spiderpool"
-1. add this line
+ If your cluster is using [Spiderpool](https://github.com/spidernet-io/spiderpool) with another CNI, follow these steps:
-## Install
+ Add the addresses of external services outside the cluster to the 'hijackCIDR' field in the 'default' object of
+ spiderpool.spidercoordinators. This ensures that when Pods access these external services, the traffic goes through
+ the host where the Pod is located and matches the EgressGateway rules.
-### Add helm repository
+ ```shell
+ # "1.1.1.1/32", "2.2.2.2/32" are the addresses of external services. For already running Pods, you need to restart them for these routing rules to take effect within the Pods.
+ kubectl patch spidercoordinators default --type='merge' -p '{"spec": {"hijackCIDR": ["1.1.1.1/32", "2.2.2.2/32"]}}'
+ ```
+
+## Install EgressGateway
+
+### Add EgressGateway Repository
```shell
helm repo add egressgateway https://spidernet-io.github.io/egressgateway/
helm repo update
```
-### Install egressgateway
+### Install EgressGateway
-The following is a common chart setting option:
+1. You can use the following command to quickly install EgressGateway:
-```yaml
-feature:
- enableIPv4: true
- enableIPv6: false # (1)
- tunnelIpv4Subnet: "192.200.0.1/16" # (2)
- tunnelIpv6Subnet: "fd01::21/112" # (3)
-```
+ ```shell
+ helm install egressgateway egressgateway/egressgateway \
+ -n kube-system \
+ --set feature.tunnelIpv4Subnet="192.200.0.1/16" \
+ --wait --debug
+ ```
-1. Required pod support IPv6 Stack
-2. IPv4 tunnel subnet
-3. IPv6 tunnel subnet
+ In the installation command, please note the following:
+ * In the command, you need to provide an IPv4 and IPv6 subnet for the EgressGateway tunnel nodes.
+ Make sure this subnet does not conflict with other addresses in the cluster.
+ * You can customize the network interface used by the EgressGateway tunnel by using the option
+ `--set feature.tunnelDetectMethod="interface=eth0"`. Otherwise, the default route interface is used.
+ * If you want to enable IPv6, use the option `--set feature.enableIPv6=true` and set `feature.tunnelIpv6Subnet`.
+ * EgressGateway Controller supports high availability. You can set `--set controller.replicas=2` to have two replicas.
+ * To enable the return routing rules on the gateway nodes, use `--set feature.enableGatewayReplyRoute=true`.
+ This option must be enabled if you want to use Spiderpool with underlay CNI.
-```shell
-helm install egressgateway egressgateway/egressgateway \
- --values values.yaml \
- --wait --debug
-```
+2. Confirm that all EgressGateway Pods are running properly.
-```shell
-kubectl get crd | grep egress
-```
+ ```shell
+ $ kubectl get pod -n kube-system | grep egressgateway
+ egressgateway-agent-29lt5 1/1 Running 0 9h
+ egressgateway-agent-94n8k 1/1 Running 0 9h
+ egressgateway-agent-klkhf 1/1 Running 0 9h
+ egressgateway-controller-5754f6658-7pn4z 1/1 Running 0 9h
+ ```
-## Create EgressGateway
-
-Create an EgressGateway CR that can set a node as an egress gateway node through matchLabels.
-
-```yaml
-apiVersion: egressgateway.spidernet.io/v1beta1
-kind: EgressGateway
-metadata:
- name: default
-spec:
- clusterDefault: true
- ippools:
- ipv4:
- - "10.6.1.60-10.6.1.66" # (1)
- nodeSelector:
- selector:
- matchLabels:
- kubernetes.io/hostname: workstation2 # (2)
-```
+3. Any feature configurations can be achieved by adjusting the Helm Values of the EgressGateway application.
-1. Egress address pool
-2. Change me, select a node in your cluster
-
-## Create Example App
-
-Create a testing Pod to simulate an application that requires egress.
-
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- app: mock-app
- name: mock-app
- namespace: default
-spec:
- containers:
- - image: nginx
- imagePullPolicy: IfNotPresent
- name: nginx
- resources: {}
- dnsPolicy: ClusterFirst
- enableServiceLinks: true
- nodeName: workstation1 # (1)
-```
+## Creat an EgressGateway Instance
-1. Change me, select a non-egress gateway node in your cluster
+1. EgressGateway defines a set of nodes as an exit gateway for the cluster. The egress traffic from within the cluster
+ will be forwarded through this set of nodes. Therefore, we need to define a set of EgressGateway instances in advance.
+ Here is an example:
-## Create EgressPolicy
+ ```shell
+ cat < `spec.chainInsertMode` 的意义可参考 [Calico 文档](https://projectcalico.docs.tigera.io/reference/resources/felixconfig)
+ > 有关 `spec.chainInsertMode` 的含义可参考 [Calico 文档](https://projectcalico.docs.tigera.io/reference/resources/felixconfig)。
-* "Flannel"
+ * "Flannel"
- [Flannel](https://github.com/flannel-io/flannel) CNI 不需要任何配置,您可以跳过此步骤。
+ [Flannel](https://github.com/flannel-io/flannel) CNI 不需要任何配置,您可以跳过此步骤。
-* "Weave"
+ * "Weave"
- [Weave](https://github.com/flannel-io/flannel) CNI 不需要任何配置,您可以跳过此步骤。
+ [Weave](https://github.com/flannel-io/flannel) CNI 不需要任何配置,您可以跳过此步骤。
-* "Spiderpool"
+ * "Spiderpool"
- 如果您的集群使用 [Spiderpool](https://github.com/spidernet-io/spiderpool) 搭配其他CNI,需要进行如下操作。
+ 如果您的集群使用 [Spiderpool](https://github.com/spidernet-io/spiderpool) 搭配其他CNI,需要进行如下操作。
- 将集群外的服务地址添加到 spiderpool.spidercoordinators 的 'default' 对象的 'hijackCIDR' 中,使 Pod 访问这些外部服务时,流量先经过 Pod 所在的主机,从而被 EgressGateway 规则匹配。
+ 将集群外的服务地址添加到 spiderpool.spidercoordinators 的 'default' 对象的 'hijackCIDR' 中,使 Pod 访问这些外部服务时,流量先经过 Pod 所在的主机,从而被 EgressGateway 规则匹配。
- ```
+ ```shell
# "1.1.1.1/32", "2.2.2.2/32" 为外部服务地址。对于已经运行的 Pod,需要重启 Pod,这些路由规则才会在 Pod 中生效。
kubectl patch spidercoordinators default --type='merge' -p '{"spec": {"hijackCIDR": ["1.1.1.1/32", "2.2.2.2/32"]}}'
- ```
-
+ ```
## 安装 EgressGateway
@@ -117,11 +117,11 @@ helm repo update
EOF
```
- 创建命令中:
+ 创建命令中:
- * 如上 YAML 例子中,`spec.ippools.ipv4` 定义了一组 egress 的 出口 IP 地址,需要根据具体环境的实际情况调整,
- * 其中,`spec.ippools.ipv4` 的 CIDR 应该是与网关节点上的出口网卡(一般情况下是默认路由的网卡)的子网相同,否则,极有可能导致 egress 访问不通。
- * 通过 EgressGateway 的 `spec.nodeSelector` 来 select 一组节点作为出口网关,它支持 select 多个节点来实现高可用。
+ * 如上 YAML 例子中,`spec.ippools.ipv4` 定义了一组 egress 的 出口 IP 地址,需要根据具体环境的实际情况调整,
+ * 其中,`spec.ippools.ipv4` 的 CIDR 应该是与网关节点上的出口网卡(一般情况下是默认路由的网卡)的子网相同,否则,极有可能导致 egress 访问不通。
+ * 通过 EgressGateway 的 `spec.nodeSelector` 来 select 一组节点作为出口网关,它支持 select 多个节点来实现高可用。
2. 给出口网关节点打上 label,可以给多个 node 打上 label,作为生成环境,建议 2 个节点,作为 POC 环境, 建议 1 个节点即可
@@ -156,10 +156,11 @@ helm repo update
status: Ready
```
- 在如上输出中:
+ 在如上输出中:
- * `status.nodeList` 字段已经识别到了符合 `spec.nodeSelector` 的节点及该节点对应的 EgressTunnel 对象的状态
- * `spec.ippools.ipv4DefaultEIP` 字段会从 `spec.ippools.ipv4` 中随机选择一个 IP 地址作为该组 EgressGateway 的默认 VIP,它的作用是:当为应用创建 EgressPolicy 对象时,如果未指定 VIP 地址,则默认分配使用该默认 VIP
+ * `status.nodeList` 字段已经识别到了符合 `spec.nodeSelector` 的节点及该节点对应的 EgressTunnel 对象的状态
+ * `spec.ippools.ipv4DefaultEIP` 字段会从 `spec.ippools.ipv4` 中随机选择一个 IP 地址作为该组 EgressGateway 的默认 VIP,
+ 它的作用是:当为应用创建 EgressPolicy 对象时,如果未指定 VIP 地址,则默认分配使用该默认 VIP
## 创建应用和出口策略
@@ -171,8 +172,8 @@ helm repo update
2. 为应用创建 EgressPolicy CR 对象。
EgressPolicy 实例用于定义哪些 Pod 的出口流量要经过 EgressGateway 节点转发,以及其它的配置细节。
- 可创建如下例子,当匹配的 Pod 访问任意集群外部的地址(任意不是 Node IP、CNI Pod CIDR、ClusterIP 的地址)时,都会被 EgressGateway Node 转发。注意的是,
- EgressPolicy 对象是租户级别的,因此,它务必创建在 selected 应用的租户下
+ 可创建如下例子,当匹配的 Pod 访问任意集群外部的地址(任意不是 Node IP、CNI Pod CIDR、ClusterIP 的地址)时,
+ 都会被 EgressGateway Node 转发。注意的是,EgressPolicy 对象是租户级别的,因此,它务必创建在 selected 应用的租户下。
```shell
cat <