docs: add critical note about LB service IP prohibition for internal pod access

[changluyi]

Summary

• Add a critical warning in config_metallb_underlay.mdx that the MetalLB LoadBalancer Service IP must not be accessed by internal Pods

Changes

• docs/en/configure/networking/how_to/kube_ovn/config_metallb_underlay.mdx: Added critical note below the existing VIP-subnet constraint

Summary by CodeRabbit

• Documentation
  • Added a critical warning to the MetalLB underlay configuration guide clarifying that LoadBalancer Service IPs are not reachable from internal Pods and are intended only for external client traffic.
  • Documentation-only change; no configuration steps, examples, or code were modified.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a174f683-05e8-4d79-8549-69b45e8d0d94

📥 Commits

Reviewing files that changed from the base of the PR and between eebb113 and bac8f7f.

📒 Files selected for processing (1)

• docs/en/configure/networking/how_to/kube_ovn/config_metallb_underlay.mdx

✅ Files skipped from review due to trivial changes (1)

• docs/en/configure/networking/how_to/kube_ovn/config_metallb_underlay.mdx

---

Walkthrough

This pull request adds a critical warning to the MetalLB underlay configuration documentation, alerting users that LoadBalancer Service IPs cannot be accessed by internal Pods and are intended solely for external client traffic.

Changes

MetalLB Documentation

Layer / File(s)	Summary
Add Critical warning to MetalLB guide docs/en/configure/networking/how_to/kube_ovn/config_metallb_underlay.mdx	Added a "Critical" warning clarifying that LoadBalancer Service IPs are inaccessible to internal Pods and should only be used for external client traffic.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• config metallb underlay #415: Originally introduced the MetalLB underlay configuration documentation that this PR augments with an additional warning.

Suggested reviewers

• fanzy618
• oilbeater

Poem

🐰 A rabbit hops through docs at night,
And adds a note to set things right.
"Keep LB IPs for outside folks to see,"
It writes with care beneath the tree.
A tiny warning, safe and bright.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly and specifically describes the main change: adding a critical documentation note about LoadBalancer service IP access restrictions for internal pods.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/add-lb-pod-access-warning

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

docs/en/configure/networking/how_to/kube_ovn/config_metallb_underlay.mdx (1)

13-13: Minor wording improvement: align “Service IP” vs “VIP” terminology.

In this doc, you already use “LoadBalancer VIP” (Line 11) and “Access Underlay Subnet VIP” in the diagram. Consider tweaking Line 13 to explicitly say the VIP/LoadBalancer Service IP are the same entity (e.g., “the LoadBalancer Service VIP / LoadBalancer VIP”), to avoid readers thinking these are distinct IPs.

Suggested wording tweak (optional)

-> ⚠️ **Critical**: The LoadBalancer Service IP is prohibited from being accessed by internal Pods. This IP is intended for external client access only.
+> ⚠️ **Critical**: The LoadBalancer VIP / Service IP is prohibited from being accessed by internal Pods. This IP is intended for external client access only.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/configure/networking/how_to/kube_ovn/config_metallb_underlay.mdx` at
line 13, Update the sentence that currently reads "The LoadBalancer Service IP
is prohibited..." to use consistent VIP terminology so readers know it's the
same entity as "LoadBalancer VIP" and the diagram's "Access Underlay Subnet
VIP"; replace "Service IP" with a combined term like "LoadBalancer Service VIP /
LoadBalancer VIP" (or similar) to make the equivalence explicit and keep
terminology aligned with the existing uses of "LoadBalancer VIP" and "Access
Underlay Subnet VIP".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/en/configure/networking/how_to/kube_ovn/config_metallb_underlay.mdx`:
- Line 13: Update the sentence that currently reads "The LoadBalancer Service IP
is prohibited..." to use consistent VIP terminology so readers know it's the
same entity as "LoadBalancer VIP" and the diagram's "Access Underlay Subnet
VIP"; replace "Service IP" with a combined term like "LoadBalancer Service VIP /
LoadBalancer VIP" (or similar) to make the equivalence explicit and keep
terminology aligned with the existing uses of "LoadBalancer VIP" and "Access
Underlay Subnet VIP".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 87dcaff3-0e62-42fc-8c0b-9539faf5325a

📥 Commits

Reviewing files that changed from the base of the PR and between 35846a8 and eebb113.

📒 Files selected for processing (1)

• docs/en/configure/networking/how_to/kube_ovn/config_metallb_underlay.mdx

[cloudflare-workers-and-pages]

Deploying alauda-container-platform with    Cloudflare Pages

Latest commit:	bac8f7f
Status:	✅  Deploy successful!
Preview URL:	https://c8b31933.alauda-container-platform.pages.dev
Branch Preview URL:	https://docs-add-lb-pod-access-warni-7vxf.alauda-container-platform.pages.dev

View logs