Understanding Kube-OVN Security Group Implementation and Pod Port Security
This article explains how Kube-OVN leverages OVN/OVS to provide pod port security and OpenStack‑style security groups through custom CRDs, annotations, address sets, and ACL rules, detailing the underlying mechanisms and workflow for managing network security in Kubernetes.
Introduction
Kube-OVN is a Kubernetes network project built on OVS/OVN that brings mature OpenStack networking capabilities to Kubernetes, greatly enhancing container network security, operability, manageability, and performance.
This article is part of a series that introduces Kube-OVN components such as kube-ovn-controller, pod IP management, the CNI plugin, security groups, and a unified Vagrant test environment.
Pod Port Security
The pod annotation %s.kubernetes.io/port_security (where %s is the network provider prefix) indicates whether port security is enabled for the pod's network interface. Port security is implemented with the OVN ovn-nbctl lsp-set-port-security command, which binds the allowed MAC and IP addresses to each OVN logical switch port so that traffic using any other source address is dropped.
Pod Security Groups
Security groups are represented by a custom SecurityGroup CRD. When a SecurityGroup is created or updated, the kube-ovn-controller processes the event, creates an OVN port_group, and associates it with address sets holding the IPv4 and IPv6 addresses of the ports belonging to the group.
Security group rules are stored in the CRD; an MD5 hash of the rules is used to detect changes. When the hash changes, the controller issues ovn-nbctl acl-add / acl-del calls to modify the ACLs attached to the port group.
After rule updates, the SecurityGroup status is refreshed and a syncSgPort event is fired. The syncSgLogicalPort handler gathers all OVN ports linked to the security group, adds them to the port group, and inserts their IPs into the corresponding address sets.
Pods associate with security groups via the annotation %s.kubernetes.io/security_groups, which lists security group names. During pod creation, update, or deletion, the controller ensures the pod's OVN port is added to or removed from the appropriate port groups.
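The following manifests are an added example, not taken from the article or the Kube-OVN project, showing how the pieces described above fit together: a SecurityGroup whose rules become ACLs on an OVN port group, and a pod whose annotations enable port security and join it to that group. It assumes the default provider prefix ovn for the annotations and the kubeovn.io/v1 SecurityGroup schema; the rule values are constructed.

```yaml
# Constructed example: one SecurityGroup, rendered by kube-ovn-controller as an
# OVN port_group plus IPv4/IPv6 address sets, with one ACL per rule below.
apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
  name: sg-web
spec:
  # Pods in the same group may talk to each other regardless of the rules.
  allowSameGroupTraffic: true
  ingressRules:
    # Allow TCP/80 from the cluster pod CIDR (constructed value).
    - ipVersion: ipv4
      policy: allow
      priority: 1          # lower number = evaluated first
      protocol: tcp
      remoteType: address
      remoteAddress: 10.16.0.0/16
      portRangeMin: 80
      portRangeMax: 80
    # Drop everything else that reaches the port group from anywhere.
    - ipVersion: ipv4
      policy: drop
      priority: 2
      protocol: all
      remoteType: address
      remoteAddress: 0.0.0.0/0
  egressRules:
    # Outbound traffic is unrestricted in this example.
    - ipVersion: ipv4
      policy: allow
      priority: 1
      protocol: all
      remoteType: address
      remoteAddress: 0.0.0.0/0
---
# Constructed pod: port_security pins the OVN port to its assigned MAC/IP,
# security_groups adds the port to the sg-web port group.
apiVersion: v1
kind: Pod
metadata:
  name: web
  annotations:
    ovn.kubernetes.io/port_security: "true"   # assumes provider prefix "ovn"
    ovn.kubernetes.io/security_groups: "sg-web"
spec:
  containers:
    - name: web
      image: nginx
```

Because ACLs are attached to the port group rather than to individual ports, editing the SecurityGroup rules (which changes their MD5 hash) updates protection for every pod carrying the annotation at once.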
Summary
Kube-OVN introduces a new SecurityGroup CRD to create OVN port groups, generate ACLs based on defined rules, and bind pod network interfaces to these groups, thereby providing a complete security‑group functionality within the Kubernetes ecosystem.
Cloud Native Technology Community
The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.