Merge pull request #4449 from aroradaman/nftables-reject-drop-non-dnat-cluster-ip

KEP-3866 : update service ip behaviour

Author: k8s-ci-robot

keps/sig-network/3866-nftables-proxy/README.md

@@ -1179,17 +1179,11 @@ don't necessarily know what that is ahead of time.) Admins can use
 
 #### Behavior of service IPs
 
-```
-<<[UNRESOLVED unused service IP ports ]>>
-
-@thockin has suggested that service IPs should reject connections on
-ports they aren't using. (This would most easily be implemented by
-adding a `--service-cidr` flag to kube-proxy so we could just "reject
-everything else", but even without that we could at least reject
-connections on inactive ports of active service IPs.)
+Traffic to invalid ports on active cluster IPs will be rejected by the
+nftables proxy. If the [MultiServiceCIDRAllocator] feature gate is
+enabled, it will additionally drop traffic to unassigned cluster IPs.
 
-<<[/UNRESOLVED]>>
-```
+[MultiServiceCIDRAllocator]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/1880-multiple-service-cidrs
 
 ```
 <<[UNRESOLVED service IP pings ]>>