Understanding Kube-OVN Security Groups and Pod Port Security
This article explains how Kube-OVN implements security groups and port security for Kubernetes pods by leveraging OVN port groups, address sets, and ACLs, detailing the CRD design, annotation usage, and the workflow that synchronizes pod network interfaces with security policies.
Kube-OVN is a Kubernetes networking project built on OVS/OVN that brings mature OpenStack networking capabilities to Kubernetes, enhancing security, operability, manageability, and performance.
The series will cover kube-ovn-controller, pod IP management, CNI plugin for pod NICs, pod security groups, and a unified Vagrant build and test environment.
Pod port security is controlled via the annotation "%s.kubernetes.io/port_security", where "%s" is the network provider prefix ("ovn" for the default provider). When the annotation is set, kube-ovn-controller runs OVN's lsp-set-port-security on the pod's OVN logical switch port with the pod's assigned MAC and IP, so OVN only forwards traffic from that port whose source MAC and IP match the assignment.
Pod security groups are represented by a custom SecurityGroup CRD. When a SecurityGroup is created or updated, kube-ovn-controller processes the event in handleAddOrUpdateSg: it creates an OVN port_group for the group and associates an address_set holding the IPv4 addresses and another holding the IPv6 addresses of all ports that belong to the group.
Security group rules are stored in the CRD, and the controller keeps an MD5 hash of them to detect changes. When the hash differs, the updated rules are applied by invoking OVN acl-add and acl-del commands, and the SecurityGroup status is refreshed.
The controller also reads the pod annotation "%s.kubernetes.io/security_groups" (a comma-separated list of group names) on pod create, update and delete, and links the pod's OVN ports to the corresponding port groups via pg-set-ports.
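The synchronization workflow described above, as an added example in Go (the language Kube-OVN is written in) that is not Kube-OVN's own code: it models a SecurityGroup rule with an assumed field set, computes the MD5 that detects rule changes, and renders the ovn-nbctl commands (acl-add on the port group with address-set references, pg-set-ports for membership, lsp-set-port-security for the pod NIC) as strings instead of executing them. The rule fields, the "sg_" naming prefix, the use of the rule priority as the ACL priority and "allow-related" as the allow verdict are assumptions made here; the OVN match syntax itself (@port_group, $address_set, to-lport/from-lport) is OVN's own.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SgRule is a hypothetical model of one SecurityGroup CRD rule (field set is an assumption, not Kube-OVN's schema).
type SgRule struct {
	Direction    string `json:"direction"`    // "ingress" (into the pod) or "egress" (out of the pod)
	Protocol     string `json:"protocol"`     // "tcp", "udp", "icmp" or "all"
	IPVersion    string `json:"ipVersion"`    // "ipv4" or "ipv6"
	RemoteType   string `json:"remoteType"`   // "address" (CIDR) or "securityGroup" (peer group)
	Remote       string `json:"remote"`       // CIDR for "address", peer group name for "securityGroup"
	PortRangeMin int    `json:"portRangeMin"` // 0 means any port
	PortRangeMax int    `json:"portRangeMax"`
	Priority     int    `json:"priority"` // used directly as the OVN ACL priority (assumption)
	Policy       string `json:"policy"`   // "allow" or "drop"
}

// PortGroupName maps a Kubernetes name onto the characters OVN accepts in matches; the "sg_" prefix is assumed.
func PortGroupName(sg string) string { return "sg_" + strings.NewReplacer("-", "_", ".", "_").Replace(sg) }

// AddressSetName is the per-family address_set of member IPs ("ipv4" -> "_ip4", "ipv6" -> "_ip6").
func AddressSetName(sg, ipVersion string) string {
	return PortGroupName(sg) + "_ip" + strings.TrimPrefix(ipVersion, "ipv")
}

// RuleHash is the MD5 a controller can keep in status to detect rule changes; rules are sorted first so reordering alone does not re-sync.
func RuleHash(rules []SgRule) string {
	lines := make([]string, 0, len(rules))
	for _, r := range rules {
		b, _ := json.Marshal(r) // strings and ints only, so Marshal cannot fail
		lines = append(lines, string(b))
	}
	sort.Strings(lines)
	sum := md5.Sum([]byte(strings.Join(lines, "\n")))
	return hex.EncodeToString(sum[:])
}

// ACLMatch builds the OVN match for one rule: ingress matches traffic delivered to a member port (outport), egress traffic a member port sends (inport).
func ACLMatch(sg string, r SgRule) string {
	ip := "ip" + strings.TrimPrefix(r.IPVersion, "ipv") // "ip4" or "ip6"
	var parts []string
	peer := ip + ".src"
	if r.Direction == "ingress" {
		parts = append(parts, "outport == @"+PortGroupName(sg))
	} else {
		parts = append(parts, "inport == @"+PortGroupName(sg))
		peer = ip + ".dst"
	}
	parts = append(parts, ip)
	switch r.RemoteType {
	case "address":
		parts = append(parts, peer+" == "+r.Remote)
	case "securityGroup": // "$name" in a match references an OVN address_set
		parts = append(parts, peer+" == $"+AddressSetName(r.Remote, r.IPVersion))
	}
	if r.Protocol != "" && r.Protocol != "all" {
		parts = append(parts, r.Protocol)
		if (r.Protocol == "tcp" || r.Protocol == "udp") && r.PortRangeMin > 0 {
			parts = append(parts, fmt.Sprintf("%s.dst >= %d", r.Protocol, r.PortRangeMin),
				fmt.Sprintf("%s.dst <= %d", r.Protocol, r.PortRangeMax))
		}
	}
	return strings.Join(parts, " && ")
}

// ACLCommand renders the ovn-nbctl acl-add call that installs the rule on the port_group.
func ACLCommand(sg string, r SgRule) string {
	dir, verdict := "to-lport", "allow-related" // stateful allow; the verdict choice is an assumption
	if r.Direction == "egress" {
		dir = "from-lport"
	}
	if r.Policy == "drop" {
		verdict = "drop"
	}
	return fmt.Sprintf("ovn-nbctl acl-add %s %s %d '%s' %s", PortGroupName(sg), dir, r.Priority, ACLMatch(sg, r), verdict)
}

// PortGroupPortsCommand renders pg-set-ports, which binds the pod's logical switch ports to the group.
func PortGroupPortsCommand(sg string, lsps []string) string {
	return "ovn-nbctl pg-set-ports " + PortGroupName(sg) + " " + strings.Join(lsps, " ")
}

// PortSecurityCommand renders lsp-set-port-security, pinning a pod NIC to its assigned MAC and IPs so OVN drops frames from that port with any other source address.
func PortSecurityCommand(lsp, mac string, ips ...string) string {
	return fmt.Sprintf("ovn-nbctl lsp-set-port-security %s \"%s\"", lsp, strings.Join(append([]string{mac}, ips...), " "))
}

func main() {
	// Constructed sample: group "web" admits SSH from one subnet; pod default.nginx-0 is its only member.
	ssh := SgRule{Direction: "ingress", Protocol: "tcp", IPVersion: "ipv4", RemoteType: "address",
		Remote: "10.16.0.0/16", PortRangeMin: 22, PortRangeMax: 22, Priority: 2001, Policy: "allow"}
	fmt.Println(RuleHash([]SgRule{ssh}), ACLCommand("web", ssh))
	fmt.Println(PortGroupPortsCommand("web", []string{"default.nginx-0"}))
	fmt.Println(PortSecurityCommand("default.nginx-0", "00:00:00:2a:3b:4c", "10.16.0.5"))
}
```

Rendering the commands as strings keeps the example runnable offline; a controller would hand them to ovn-nbctl (or the OVN northbound API), store the hash in the SecurityGroup status, and re-apply rules only when the stored hash differs. Note the ingress rule is expressed as an outport match on the port group: OVN evaluates to-lport ACLs as traffic leaves the logical switch toward the pod, which is what makes the port group, rather than each pod's IP, the unit of policy.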
In summary, Kube-OVN introduces a SecurityGroup CRD that creates OVN port groups, generates ACLs from defined rules, and binds pod NICs to these groups, thereby providing a full security‑group functionality within a cloud‑native Kubernetes environment.
Cloud Native Technology Community
The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.