diff --git a/README-zh_CN.md b/README-zh_CN.md index 100e5c39..45badc6f 100644 --- a/README-zh_CN.md +++ b/README-zh_CN.md @@ -8,245 +8,43 @@ CNI plugin for alibaba cloud VPC/ENI [English](./README.md) | 简体中文 -## 安装Kubernetes - -* 准备阿里云ECS机器,我们验证过的ECS镜像是`Centos 7.4/7.6` -* 使用kubeadm的[指导文档](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/)来创建集群 - -安装好了之后要: - -* 将iptables的policy换成ACCEPT,`iptables -P FORWARD ACCEPT`。 -* 检查节点上的"rp_filter"内核参数,并在每个节点上将其设置为"0"。 - -通过`kubectl get cs`验证集群安装完成 - -## 安装terway插件 - -Terway有两种安装模式: - -* VPC模式 - - VPC模式,使用Aliyun VPC路由来打通网络,可以使用独立ENI给Pod,安装方式:
- 修改[terway.yml](./terway.yml)文件中的eni.conf的配置中的授权和网段配置,以及Network的网段配置,然后通过`kubectl apply -f terway.yml`来安装terway插件。 - -* ENI多IP模式 - - ENI多IP模式,使用Aliyun ENI的辅助IP来打通网络,不受VPC的路由条目限制,安装方式:
- 修改[terway-multiip.yml](./terway-multiip.yml)文件中的eni.conf的配置中的授权和资源配置,然后通过`kubectl apply -f terway-multiip.yml`来安装terway插件。 - -Terway需要授权中包含以下 [`RAM 权限`](https://ram.console.aliyun.com/) - -```json -{ - "Version": "1", - "Statement": [{ - "Action": [ - "ecs:CreateNetworkInterface", - "ecs:DescribeNetworkInterfaces", - "ecs:AttachNetworkInterface", - "ecs:DetachNetworkInterface", - "ecs:DeleteNetworkInterface", - "ecs:DescribeInstanceAttribute", - "ecs:DescribeInstanceTypes", - "ecs:AssignPrivateIpAddresses", - "ecs:UnassignPrivateIpAddresses", - "ecs:DescribeInstances", - "ecs:ModifyNetworkInterfaceAttribute" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - }, - { - "Action": [ - "vpc:DescribeVSwitches" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] -} -``` - -使用`kubectl get ds terway`看到插件在每个节点上都运行起来后,表明插件安装成功。 - -## 验证terway的功能 - -### 一般VPC网络的容器 - -在VPC安装模式下,在容器没有做任何特殊配置时,terway会通过在节点上的podCidr中去分配地址然后配置给容器。 -例如: - -```yaml -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl run -it --rm --image busybox busybox -If you don't see a command prompt, try pressing enter. 
-/ # ip link -1: lo: mtu 65536 qdisc noqueue qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 -3: eth0@if7: mtu 1500 qdisc noqueue - link/ether 46:02:02:6b:65:1e brd ff:ff:ff:ff:ff:ff -/ # ip addr show -1: lo: mtu 65536 qdisc noqueue qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host - valid_lft forever preferred_lft forever -3: eth0@if7: mtu 1500 qdisc noqueue - link/ether 46:02:02:6b:65:1e brd ff:ff:ff:ff:ff:ff - inet 172.30.0.4/24 brd 172.30.0.255 scope global eth0 - valid_lft forever preferred_lft forever - inet6 fe80::4402:2ff:fe6b:651e/64 scope link - valid_lft forever preferred_lft forever -``` - -#### 使用ENI弹性网卡获得等同于底层网络的性能 - -在VPC安装模式下,在Pod的其中一个container的`requests`中增加对eni的需求: `aliyun/eni: 1`, 下面的例子将创建一个Nginx Pod,并分配一个ENI - -```yaml -apiVersion: v1 -kind: Pod -metadata: - name: nginx -spec: - containers: - - name: nginx - image: nginx - resources: - limits: - aliyun/eni: 1 -``` - -然后我们exec到这个容器中就可以看到terway创建并绑定了一个ECS的弹性网卡: - -```sh -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl exec -it nginx sh -# ip addr show -1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host - valid_lft forever preferred_lft forever -3: eth0: mtu 1500 qdisc mq state UNKNOWN qlen 1000 - link/ether 00:16:3e:02:38:05 brd ff:ff:ff:ff:ff:ff - inet 172.31.80.193/20 brd 172.31.95.255 scope global eth0 - valid_lft forever preferred_lft forever - inet6 fe80::216:3eff:fe02:3805/64 scope link - valid_lft forever preferred_lft forever -4: veth1@if8: mtu 1500 qdisc noqueue state UP - link/ether 1e:60:c7:cb:1e:0e brd ff:ff:ff:ff:ff:ff - inet6 fe80::1c60:c7ff:fecb:1e0e/64 scope link - valid_lft forever preferred_lft forever -``` - -#### ENI辅助IP的容器 - 
-在ENI多IP安装模式下,Terway会通过创建和分配ENI和ENI网卡上的辅助IP地址给Pod使用,Pod上的IP地址将和VPC和VSwitch的IP地址相同段,例如: - -```sh -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl get pod -o wide -NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE -nginx-64f497f8fd-ckpdm 1/1 Running 0 4d 192.168.0.191 cn-hangzhou.i-j6c86lmr8k9rk78ju0nc -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl get node -o wide cn-hangzhou.i-j6c86lmr8k9rk78ju0nc -NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME -cn-hangzhou.i-j6c86lmr8k9rk78ju0nc Ready 12d v1.11.5 192.168.0.154 CentOS Linux 7 (Core) 3.10.0-693.2.2.el7.x86_64 docker://17.6.2 -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl exec -it nginx-64f497f8fd-ckpdm bash -root@nginx-64f497f8fd-ckpdm:/# ip addr show -1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever -3: eth0@if106: mtu 1500 qdisc noqueue state UP group default - link/ether 4a:60:eb:97:f4:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0 - inet 192.168.0.191/32 brd 192.168.0.191 scope global eth0 - valid_lft forever preferred_lft forever -``` - -### 使用NetworkPolicy来限制容器间访问 - -Terway插件兼容标准的K8S中的NetworkPolicy来控制容器间的访问,例如: - -1. 启动一个用于测试的服务 - - ```sh - [root@iZbp126bomo449eksjknkeZ ~]# kubectl run nginx --image=nginx --replicas=2 - deployment "nginx" created - [root@iZbp126bomo449eksjknkeZ ~]# kubectl expose deployment nginx --port=80 - service "nginx" exposed - ``` - -2. 验证到这个服务是可以访问的 - - ```sh - [root@iZbp126bomo449eksjknkeZ ~]# kubectl run busybox --rm -ti --image=busybox /bin/sh - If you don't see a command prompt, try pressing enter. - / # wget --spider --timeout=1 nginx - Connecting to nginx (172.21.0.225:80) - / # - ``` - -3. 
配置network policy规则,只允许某些标签的服务访问 - - ```sh - kind: NetworkPolicy - apiVersion: networking.k8s.io/v1 - metadata: - name: access-nginx - spec: - podSelector: - matchLabels: - run: nginx - ingress: - - from: - - podSelector: - matchLabels: - access: "true" - ``` - -4. 测试没有指定标签的Pod访问服务被拒绝了,而指定标签的容器能够正常的访问 - - ```sh - [root@iZbp126bomo449eksjknkeZ ~]# kubectl run busybox --rm -ti --image=busybox /bin/sh - If you don't see a command prompt, try pressing enter. - / # wget --spider --timeout=1 nginx - Connecting to nginx (172.21.0.225:80) - wget: download timed out - / # - - [root@iZbp126bomo449eksjknkeZ ~]# kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh - If you don't see a command prompt, try pressing enter. - / # wget --spider --timeout=1 nginx - Connecting to nginx (172.21.0.225:80) - / # - ``` - -### 限制容器的出入带宽 - -Terway插件通过配置容器网卡上的限流规则来实现对容器的流量控制,避免由于单个容器的流量占满整个节点的流量,通过配置Pod上的`kubernetes.io/ingress-bandwidth`和`kubernetes.io/egress-bandwidth`分别来配置容器上的进入的和出去的带宽,例如: - -```yaml -apiVersion: v1 -kind: Pod -metadata: - name: nginx - annotations: - kubernetes.io/ingress-bandwidth: 10M - kubernetes.io/egress-bandwidth: 10M -spec: - nodeSelector: - kubernetes.io/hostname: cn-shanghai.i-uf63p6s96kf4jfh8wpwn - containers: - - name: nginx - image: nginx:1.7.9 - ports: - - containerPort: 80 -``` +## 简介 + +Terway网络插件是ACK自研的容器网络接口(CNI)插件,基于阿里云的弹性网卡(ENI)构建网络,可以充分利用云上资源。Terway支持eBPF对网络流量进行加速,降低延迟,支持基于Kubernetes标准的网络策略(Network Policy)来定义容器间的访问策略。 + +在Terway网络插件中,每个Pod都拥有自己的网络栈和IP地址。同一台ECS内的Pod之间通信,直接通过机器内部的转发,跨ECS的Pod通信、报文通过VPC的弹性网卡直接转发。由于不需要使用VxLAN等的隧道技术封装报文,因此Terway模式网络具有较高的通信性能。 + +## 特性 + +- ENI网络模式:分配 Elastic Network Interfaces (ENIs) 给Pod,优化资源利用率和网络性能。 +- Trunking功能:允许Pod配置独立的ENI,支持灵活安全组、交换机配置。 +- 节点池维度网络模式配置:支持节点池配置为独占ENI。 +- 安全策略:支持NetworkPolicyPolicy和传统的安全组,提供多维度的网络安全控制。 +- 高性能:使用eBPF加速协议栈,确保低延迟和高吞吐量。 +- IPv6: 支持IPv4/IPv6双栈。 + +### 以下功能已经废弃 + +- VPC网络模式:利用VPC路由,实现容器与VPC内其他资源的直接通信。 +- 独占ENI模式:将ENI直通进Pod,最大化网络性能。 + +## 版本差异 + +ACK 
提供的版本和开源一致。仅Trunking功能无法在自建集群使用。 + +## 贡献 + +我们非常欢迎社区的贡献!无论是修复bug、新增功能、改进文档,或者仅仅是对现有代码的改进,你的帮助都将被我们珍视。 + +[报告问题](https://github.com/AliyunContainerService/terway/issues/new) +[提交Pull Request](https://github.com/AliyunContainerService/terway/compare) ## 安全 如果您发现了代码中的安全漏洞,请联系[kubernetes-security@service.aliyun.com](mailto:kubernetes-security@service.aliyun.com)。详见 [SECURITY.md](SECURITY.md) + +## 社区 + +### 钉钉群 + +通过钉钉群号 "35924643" 加入`钉钉`群组。 \ No newline at end of file diff --git a/README.md b/README.md index 56763eba..31246d7c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Terway CNI Network Plugin +# Terway CNI Plugin CNI plugin for Alibaba Cloud VPC/ENI 
@@ -8,308 +8,41 @@ CNI plugin for Alibaba Cloud VPC/ENI English | [简体中文](./README-zh_CN.md) -## Try It +## Introduction -### Install Kubernetes +Terway is a self-developed CNI (Container Network Interface) plugin for ACK (Alibaba Cloud Kubernetes), built on Alibaba Cloud's Elastic Network Interface (ENI) technology. It optimizes cloud resource usage and enhances network performance. Terway supports eBPF for traffic acceleration, reducing latency, and adheres to Kubernetes Network Policy standards for container-to-container access control. -* Prepare Aliyun ECS instance. The ECS OS we tested is `Centos 7.4/7.6`. -* Install Kubernetes via - kubeadm: [create-cluster-kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/) +In Terway, each Pod has its own network stack and IP address. Pods on the same ECS (Elastic Compute Service) instance communicate directly, while cross-ECS Pod communication transits directly through VPC ENIs, avoiding encapsulation with technologies like VxLAN for higher communication performance. -After setup kubernetes cluster. +## Features -* Change `iptables` `Forward` default policy to `ACCEPT` on every node of cluster: `iptables -P FORWARD ACCEPT`. -* Check the `rp_filter` in sysctl parameters, set them to "0" on every node of cluster. +- **ENI Network Mode**: Allocates ENIs to Pods for optimized resource utilization and network performance. +- **Trunking Feature**: Allows Pods to have independent ENIs for flexible security group and switch configurations. +- **Node Pool Network Mode Configuration**: Supports configuring node pools for exclusive ENI usage. +- **Security Policies**: Supports NetworkPolicy and traditional security groups for multi-dimensional network security control. +- **High Performance**: Utilizes eBPF for protocol stack acceleration, ensuring low latency and high throughput. +- **IPv6 Support**: Dual-stack support for both IPv4 and IPv6. -Make sure cluster up and healthy by `kubectl get cs`. 
+### Deprecated Features -### Install Terway network plugin +- **VPC Network Mode**: Direct communication to VPC resources using VPC routing. -
-Terway plugin have two installation modes +- **Exclusive ENI Mode**: Direct ENI attachment to Pods for maximum performance. -* VPC Mode +## Version Differences - ```shell - VPC Mode, Using `Aliyun VPC` route table to connect the pods. Can assign dedicated ENI to Pod. Install method:
- Replace `Network` and `access_key/access_secret` in [terway.yml](./terway.yml) with your cluster pod subnet and aliyun openapi credentials. Then use `kubectl apply -f terway.yml` to install Terway into kubernetes cluster. - ``` +ACK-provided versions are identical to the open-source version, except the Trunking feature is not available in self-hosted clusters. -* ENI Secondary IP Mode +## Contributions - ```shell - ENI Secondary IP Mode, Using `Aliyun ENI's secondary ip` to connect the pods. This mode not limited by VPC route tables quotation. Install method:
- Replace `access_key/access_secret` and `security_group/vswitches` in [terway-multiip.yml](./terway-multiip.yml) with your aliyun openapi credentials and resources id. Then use `kubectl apply -f terway-multiip.yml` to install Terway into kubernetes cluster. - ``` +We warmly welcome community contributions! Whether it's bug fixes, new features, documentation improvements, or code enhancements, your help is appreciated. -Terway requires the `access_key` have following [RAM Permissions](https://ram.console.aliyun.com/) +[Report Issues](https://github.com/AliyunContainerService/terway/issues/new) +[Submit Pull Request](https://github.com/AliyunContainerService/terway/compare) -```json -{ - "Version": "1", - "Statement": [ - { - "Action": [ - "ecs:CreateNetworkInterface", - "ecs:DescribeNetworkInterfaces", - "ecs:AttachNetworkInterface", - "ecs:DetachNetworkInterface", - "ecs:DeleteNetworkInterface", - "ecs:DescribeInstanceAttribute", - "ecs:DescribeInstanceTypes", - "ecs:AssignPrivateIpAddresses", - "ecs:UnassignPrivateIpAddresses", - "ecs:DescribeInstances", - "ecs:ModifyNetworkInterfaceAttribute" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - }, - { - "Action": [ - "vpc:DescribeVSwitches" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] -} -``` - -Using `kubectl get ds terway -n kube-system` to watch plugin launching. Plugin install completed while terway daemonset -available pods equal to nodes. - -### Terway network plugin usage - -#### Vpc network container - -On VPC installation mode, Terway will config pod's address using node's `podCidr` when pod not have any special config. -eg: - -```sh -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl run -it --rm --image busybox busybox -If you don't see a command prompt, try pressing enter. 
-/ # ip link -1: lo: mtu 65536 qdisc noqueue qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 -3: eth0@if7: mtu 1500 qdisc noqueue - link/ether 46:02:02:6b:65:1e brd ff:ff:ff:ff:ff:ff -/ # ip addr show -1: lo: mtu 65536 qdisc noqueue qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host - valid_lft forever preferred_lft forever -3: eth0@if7: mtu 1500 qdisc noqueue - link/ether 46:02:02:6b:65:1e brd ff:ff:ff:ff:ff:ff - inet 172.30.0.4/24 brd 172.30.0.255 scope global eth0 - valid_lft forever preferred_lft forever - inet6 fe80::4402:2ff:fe6b:651e/64 scope link - valid_lft forever preferred_lft forever -``` - -#### Using ENI network interface to get the performance equivalent to the underlying network - -On VPC installation mode, Config `eni` request `aliyun/eni: 1` in one container of pod. The following example will -create an Nginx Pod and assign an ENI: - -```yaml -apiVersion: v1 -kind: Pod -metadata: - name: nginx -spec: - containers: - - name: nginx - image: nginx - resources: - limits: - aliyun/eni: 1 -``` - -```sh -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl exec -it nginx sh -# ip addr show -1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host - valid_lft forever preferred_lft forever -3: eth0: mtu 1500 qdisc mq state UNKNOWN qlen 1000 - link/ether 00:16:3e:02:38:05 brd ff:ff:ff:ff:ff:ff - inet 172.31.80.193/20 brd 172.31.95.255 scope global eth0 - valid_lft forever preferred_lft forever - inet6 fe80::216:3eff:fe02:3805/64 scope link - valid_lft forever preferred_lft forever -4: veth1@if8: mtu 1500 qdisc noqueue state UP - link/ether 1e:60:c7:cb:1e:0e brd ff:ff:ff:ff:ff:ff - inet6 fe80::1c60:c7ff:fecb:1e0e/64 scope link - valid_lft forever preferred_lft forever -``` - -#### ENI 
Secondary IP Pod - -On ENI secondary IP installation mode, Terway will create & allocate ENI secondary IP for pod. The IP of pod will in -same IP Range: - -```sh -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl get pod -o wide -NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE -nginx-64f497f8fd-ckpdm 1/1 Running 0 4d 192.168.0.191 cn-hangzhou.i-j6c86lmr8k9rk78ju0nc -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl get node -o wide cn-hangzhou.i-j6c86lmr8k9rk78ju0nc -NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME -cn-hangzhou.i-j6c86lmr8k9rk78ju0nc Ready 12d v1.11.5 192.168.0.154 CentOS Linux 7 (Core) 3.10.0-693.2.2.el7.x86_64 docker://17.6.2 -[root@iZj6c86lmr8k9rk78ju0ncZ ~]# kubectl exec -it nginx-64f497f8fd-ckpdm bash -root@nginx-64f497f8fd-ckpdm:/# ip addr show -1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever -3: eth0@if106: mtu 1500 qdisc noqueue state UP group default - link/ether 4a:60:eb:97:f4:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0 - inet 192.168.0.191/32 brd 192.168.0.191 scope global eth0 - valid_lft forever preferred_lft forever -``` - -#### Using network policy to limit accessible between containers - -The Terway plugin is compatible with NetworkPolicy in the standard K8S to control access between containers, for -example: - -1. Create and expose an deployment for test - - ```sh - [root@iZbp126bomo449eksjknkeZ ~]# kubectl run nginx --image=nginx --replicas=2 - deployment "nginx" created - [root@iZbp126bomo449eksjknkeZ ~]# kubectl expose deployment nginx --port=80 - service "nginx" exposed - ``` - -2. Run busybox to test connection to deployment: - - ```sh - [root@iZbp126bomo449eksjknkeZ ~]# kubectl run busybox --rm -ti --image=busybox /bin/sh - If you don't see a command prompt, try pressing enter. 
- / # wget --spider --timeout=1 nginx - Connecting to nginx (172.21.0.225:80) - / # - ``` - -3. Config network policy,only allow pod access which have `run: nginx` label: - - ```sh - kind: NetworkPolicy - apiVersion: networking.k8s.io/v1 - metadata: - name: access-nginx - spec: - podSelector: - matchLabels: - run: nginx - ingress: - - from: - - podSelector: - matchLabels: - access: "true" - ``` - -4. The Pod access service without the specified label is rejected, and the container of the specified label can be accessed normally. - - ```sh - [root@iZbp126bomo449eksjknkeZ ~]# kubectl run busybox --rm -ti --image=busybox /bin/sh - If you don't see a command prompt, try pressing enter. - / # wget --spider --timeout=1 nginx - Connecting to nginx (172.21.0.225:80) - wget: download timed out - / # - - [root@iZbp126bomo449eksjknkeZ ~]# kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh - If you don't see a command prompt, try pressing enter. - / # wget --spider --timeout=1 nginx - Connecting to nginx (172.21.0.225:80) - / # - ``` - -#### Limit container in/out bandwidth - -The Terway network plugin can limit the container's traffic via limit policy in pod's annotations. For example: - -```yaml -apiVersion: v1 -kind: Pod -metadata: - name: nginx - annotations: - kubernetes.io/ingress-bandwidth: 10M - kubernetes.io/egress-bandwidth: 10M -spec: - nodeSelector: - kubernetes.io/hostname: cn-shanghai.i-uf63p6s96kf4jfh8wpwn - containers: - - name: nginx - image: nginx:1.7.9 - ports: - - containerPort: 80 -``` - -## Build Terway - -Prerequisites: - -* Docker >= 17.05 with multi-stage build - -```sh -docker build -t acs/terway:latest . -``` - -## Test - -unit test: - -```sh -git clone https://github.com/AliyunContainerService/terway.git -docker run -i --rm \ - -v $(pwd)/terway:/go/src/github.com/AliyunContainerService/terway \ - -w /go/src/github.com/AliyunContainerService/terway \ - sunyuan3/gometalinter:v1 bash -c "go test -race ./..." 
-``` - -function test: - -```sh -export KUBECONFIG=$HOME/.kube/config # path to your kubeconfig file -cd terway/tests -go test -tags e2e -timeout 30m0s -v ./ - -args -trunk=true/false -policy=true/false -``` - -example: - -```sh -go test -tags e2e -timeout 30m0s -v ./ - -args -trunk=false -policy=false -``` - -## Contribute - -You are welcome to make new issues and pull requests. - -## Built With - -[Felix](https://github.com/projectcalico/felix): Terway's NetworkPolicy is implemented by -integrating [`ProjectCalico`](https://projectcalico.org)'s `Felix` components. `Felix` watch `NetworkPolicy` -configuration and config ACL rules on container `veth`. +## Security -[Cilium](https://github.com/cilium/cilium): In the `IPvlan` mode, `Terway` -integrate [`Cilium`](https://github.com/cilium/cilium) components to support `NetworkPolicy` and optimize the `Service` -performance. `Cilium` watch `NetworkPolicy` and `Service` configuration and inject `ebpf` program into pod's `IPvlan` -slave device. +If you discover a security vulnerability in the code, please contact [kubernetes-security@service.aliyun.com](mailto:kubernetes-security@service.aliyun.com). Refer to [SECURITY.md](SECURITY.md) for details. ## Community @@ -317,6 +50,4 @@ slave device. Join `DingTalk` group by `DingTalkGroup` id "35924643". -## Security - -Please report vulnerabilities by email to [kubernetes-security@service.aliyun.com](mailto:kubernetes-security@service.aliyun.com). Also see our [SECURITY.md](SECURITY.md) file for details. + \ No newline at end of file
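Review bot: In README-zh_CN.md (hunk `@@ -8,245 +8,43 @@`), the new 安全策略 bullet under 特性 reads `支持NetworkPolicyPolicy和传统的安全组`, with "Policy" doubled; it should be `NetworkPolicy`, as in the Security Policies bullet of the English README. In the same hunk, `[报告问题](...)` and `[提交Pull Request](...)` are on consecutive lines with no blank line or list marker between them, so Markdown will join them into one line; making them list items fixes that. The file also now ends with `\ No newline at end of file`, so add the trailing newline.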
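Review bot: In README.md (hunk `@@ -8,308 +8,41 @@`), the removed block includes the RAM policy JSON that lists the exact `ecs:*` actions and `vpc:DescribeVSwitches` that Terway's `access_key` requires, and nothing in the added text says where that list now lives. Operators of self-hosted clusters use that list to scope the credential to least privilege, so either keep it in a short section or link to the document that replaces it. The removed "Built With" section raises the same concern: the new Introduction states that Terway supports eBPF and Network Policy but no longer says that Felix and Cilium implement them, which is what a reader needs in order to follow upstream fixes for those components. Separately, the Features list keeps "Node Pool Network Mode Configuration: Supports configuring node pools for exclusive ENI usage" while Deprecated Features lists "Exclusive ENI Mode"; one sentence on how the two differ would stop readers from assuming the node pool option is deprecated as well.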
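Review bot: In README.md (hunk `@@ -317,6 +50,4 @@`), the final added line appears to be empty or whitespace only and the file now ends with `\ No newline at end of file`. Drop that line and end the file with a single newline after the DingTalk sentence, so later changes at the end of the file produce clean diffs.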