When attempting to restrict or allow traffic from Worker Node hosts to Pods using Antrea ClusterNetworkPolicy (ACNP), rules that specify Worker Node IPs as the source IP are not matched.
VMware vSphere Kubernetes Service (VKS)
Antrea CNI
In the Antrea OVS data path, traffic originating from a host and destined for a Pod undergoes Source Network Address Translation (SNAT).
The destination node's OVS pipeline (Tables 110 and 115) replaces the source physical IP with the local antrea-gw0 interface IP to ensure symmetric routing. Since NetworkPolicy matching (Table 145) occurs after this translation, the policy engine sees the antrea-gw0 IP rather than the original host IP.
from section with the IP addresses of the antrea-gw0 interfaces.
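The manifests below are an added example, not taken from the original article: the first ACNP uses a Worker Node IP as the source and is not matched, the second lists the antrea-gw0 IPs instead. All names, labels, ports and addresses are constructed, and the `crd.antrea.io/v1beta1` API version is an assumption (older Antrea releases serve ACNP as `v1alpha1`).

```yaml
# Not matched: by the time the policy tables evaluate the packet, the source
# has already been rewritten, so the Worker Node IP below never appears.
apiVersion: crd.antrea.io/v1beta1   # assumption: adjust to the version your cluster serves
kind: ClusterNetworkPolicy
metadata:
  name: allow-node-to-web-nodeip    # constructed name
spec:
  priority: 5
  appliedTo:
    - podSelector:
        matchLabels:
          app: web                  # constructed label
  ingress:
    - name: from-worker-node
      action: Allow
      from:
        - ipBlock:
            cidr: 192.0.2.11/32     # constructed Worker Node IP
      ports:
        - protocol: TCP
          port: 8080
---
# Matched: the source is the antrea-gw0 IP of the node hosting the Pod.
# List the gateway IP of every node where the appliedTo Pods can be scheduled.
# Read each value on the node with: ip -4 addr show antrea-gw0
apiVersion: crd.antrea.io/v1beta1
kind: ClusterNetworkPolicy
metadata:
  name: allow-node-to-web-gw0       # constructed name
spec:
  priority: 5
  appliedTo:
    - podSelector:
        matchLabels:
          app: web
  ingress:
    - name: from-antrea-gw0
      action: Allow
      from:
        - ipBlock:
            cidr: 10.244.1.1/32     # constructed antrea-gw0 IP, node 1
        - ipBlock:
            cidr: 10.244.2.1/32     # constructed antrea-gw0 IP, node 2
      ports:
        - protocol: TCP
          port: 8080
```

Because every host-originated flow arrives with the local gateway IP as its source, the second rule cannot tell one originating host from another; keep the `ports` and `appliedTo` selectors as narrow as the workload allows.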