Please add examples of how to achieve via ACLs the effect that would be equivalent to combining ` natOutgoing: true` + `private: true`

[abravalheri]

Issue requested by kubeovn/kube-ovn#3408 (comment).

Motivation

In kubeovn/kube-ovn#3408 I noticed that it is not currently possible to combine natOutgoing: true + private: true.

The effect that I would like to achieve is internal isolation between the subnets, while also allowing the pods to access addresses on the internet (e.g. for downloading datasets) via NAT-ing (so that external internet addresses cannot initiate any connection with a pod inside the cluster).

Constraints

I don't know beforehand which CIDRs the pods need to access/not to access.

Basically the pods should be able to access the whole "external world"/internet, and I don't have a predefined list of all CIDRs inside the cluster (new subnets are created and deleted dynamically all the time).

Documentation Request

One of the OVN contributors suggested in kubeovn/kube-ovn#3408 (comment) that it is possible to achieve that via ACLs. However I find that it is very hard to figure that out by myself, and I imagine that other people might be struggling with that too.

It would be nice if the docs contain examples of how to achieve this by manipulating the ACLs.

[zbb88888]

[abravalheri]

Hi @bobz965 , thank you very much for pointing out in the docs what the meaning of the private configuration is. I think that is very clear in the current state of the docs.

The objective of this request is different, however: how to achieve the same effect as private by manipulating the ACLs, but without knowing beforehand all the subnets that are going to be crested in the future in the cluster?

The rationale is described in detail in kubeovn/kube-ovn#3408.

Ideally, what we wanted is natOutgoing: true + private: true, but in kubeovn/kube-ovn#3408 the maintainers said these 2 configuration don't work together. In kubeovn/kube-ovn#3408 (comment) however it is suggested that it is possible to implement the same effect as private: true by using ACLs.

It is not obvious to me how to do that, hence this request for documentation: please include in the docs an example of how to obtain the same effects as private: true without using private: true so that we can bypass the limitation and effectively achieve the effect that would be expected natOutgoing: true + private: true.

[zbb88888]

@oilbeater I'm not familiar with natoutGoing, cloud you please take a look at this?