Commit ecfdd4b
Author: Steven Smith (committed)
Updates UDN open-default-ports annotation
1 parent 7bb886f commit ecfdd4b

1 file changed (+11, -1 lines)

modules/nw-udn-limitations.adoc

Lines changed: 11 additions & 1 deletion
@@ -24,6 +24,16 @@ While user-defined networks (UDN) offer highly customizable network configuratio
2424
2525
* *Creation and modification limitation*: The `ClusterUserDefinedNetwork` CR and the `UserDefinedNetwork` CR cannot be modified after being created.
2626
27-
* *Default network service access*: A user-defined network pod is isolated from the default network, which means that most default network services are inaccessible. For example, a user-defined network pod cannot currently access the {product-title} image registry. Because of this limitation, source-to-image builds do not work in a user-defined network namespace. Additionally, other functions do not work, including functions to create applications based on the source code in a Git repository, such as `oc new-app <command>`, and functions to create applications from an {product-title} template that use source-to-image builds. This limitation might also affect other `openshift-*.svc` services.
27+
* *Limited access to default network services (default outbound isolation)*: By default, pods running on a user-defined network are isolated from initiating connections to most services residing on the cluster's default network (those with IPs in the default network range) or `openshift-*.svc` services. This means that the following services are unreachable from user-defined network pods:
28+
+
29+
** The {product-title} image registry (`image-registry.openshift-image-registry.svc`)
30+
** Monitoring services such as Prometheus or Alertmanager
31+
** Management services such as ACS, ACM, and cost management
32+
+
33+
This limitation can affect features relying on these services, such as application creation from Git repositories, such as `oc new-app <command>`, or templates that use source-to-image builds.
34+
+
35+
Additional services might also be affected.
36+
37+
* *Inbound access from default network services (default block)*: By default, services running on the default network, such as monitoring services, cannot initiate connections to pods running on user-defined networks. To allow specific default network services to connect to user-defined network pods, you can use the `k8s.ovn.org/open-default-ports` annotation on the user-defined network pod to explicitly open the required ports and protocols.
2838
2939
* *Connectivity limitation*: NodePort services on user-defined networks are not guaranteed isolation. For example, NodePort traffic from a pod to a service on the same node is not accessible, whereas traffic from a pod on a different node succeeds.
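Review bot: the new inbound-access bullet introduces `k8s.ovn.org/open-default-ports` without saying what value the annotation takes or where the procedure for it is documented, so a reader of this limitations module cannot act on the sentence "To allow specific default network services to connect to user-defined network pods, you can use the `k8s.ovn.org/open-default-ports` annotation on the user-defined network pod to explicitly open the required ports and protocols."; add a cross-reference to the procedure module (or a short value example) at that point. Because the annotation relaxes the default block, the bullet should also say what scope is opened, that is, whether the listed ports become reachable from any default-network source or only from the named service, since the wording "allow specific default network services" and "open the required ports and protocols" can be read either way and the difference matters for the isolation a user gives up. Minor wording: "such as application creation from Git repositories, such as `oc new-app <command>`" repeats "such as", and the stand-alone line "Additional services might also be affected." is vague next to the concrete list above it; consider folding it into the lead sentence as "including but not limited to" or naming the service categories meant.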

0 commit comments