feat: add SecurityProtectionTypes support for Auto-NLBs-V2 (#305)

- Support DDoS protection (AntiDDoS_Enhanced)
- Add SecurityProtectionTypes configuration parameter
- Update documentation with examples and restrictions
- Add comprehensive test cases
- Compatible with existing configurations (backward compatible)

Changes:
- cloudprovider: Add SecurityProtectionTypes config parsing
- cloudprovider: Apply SecurityProtectionTypes to EIP CR creation
- docs: Add SecurityProtectionTypes parameter documentation (EN/CN)
- docs: Add DDoS protection usage example
- test: Add 4 test cases for SecurityProtectionTypes

Test coverage: 41.0% (alibabacloud package)

Author: chrisliu1995

cloudprovider/alibabacloud/auto_nlbs.go

@@ -48,6 +48,8 @@ const (
 	MinPortConfigName       = "MinPort"
 	MaxPortConfigName       = "MaxPort"
 	BlockPortsConfigName    = "BlockPorts"
+	// EIP 高防护相关配置
+	SecurityProtectionTypesConfigName = "SecurityProtectionTypes" // EIP 安全防护类型，多个用逗号分隔
 
 	NLBZoneMapsServiceAnnotationKey = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps"
 	NLBAddressTypeAnnotationKey     = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"
@@ -62,16 +64,17 @@ type AutoNLBsPlugin struct {
 }
 
 type autoNLBsConfig struct {
-	minPort               int32
-	maxPort               int32
-	blockPorts            []int32
-	zoneMaps              string
-	reserveNlbNum         int
-	targetPorts           []int
-	protocols             []corev1.Protocol
-	eipIspTypes           []string
-	externalTrafficPolicy corev1.ServiceExternalTrafficPolicyType
-	retainNLBOnDelete     bool // 是否在 GSS 删除时保留 NLB 和 EIP 资源（默认 true）
+	minPort                 int32
+	maxPort                 int32
+	blockPorts              []int32
+	zoneMaps                string
+	reserveNlbNum           int
+	targetPorts             []int
+	protocols               []corev1.Protocol
+	eipIspTypes             []string
+	externalTrafficPolicy   corev1.ServiceExternalTrafficPolicyType
+	retainNLBOnDelete       bool     // 是否在 GSS 删除时保留 NLB 和 EIP 资源（默认 true）
+	securityProtectionTypes []string // EIP 安全防护类型（如 AntiDDoS_Enhanced）
 	*nlbHealthConfig
 }
 
@@ -471,6 +474,7 @@ func parseAutoNLBsConfig(conf []gamekruiseiov1alpha1.NetworkConfParams) (*autoNL
 	blockPorts := make([]int32, 0)
 	minPort := int32(1000)
 	maxPort := int32(1499)
+	securityProtectionTypes := make([]string, 0) // 默认为空，不启用高防护
 
 	for _, c := range conf {
 		switch c.Name {
@@ -519,6 +523,15 @@ func parseAutoNLBsConfig(conf []gamekruiseiov1alpha1.NetworkConfParams) (*autoNL
 			} else {
 				maxPort = int32(val)
 			}
+		case SecurityProtectionTypesConfigName:
+			// 解析安全防护类型，支持逗号分隔多个类型
+			if c.Value != "" {
+				securityProtectionTypes = strings.Split(c.Value, ",")
+				// 去除空格
+				for i := range securityProtectionTypes {
+					securityProtectionTypes[i] = strings.TrimSpace(securityProtectionTypes[i])
+				}
+			}
 		}
 	}
 
@@ -541,16 +554,17 @@ func parseAutoNLBsConfig(conf []gamekruiseiov1alpha1.NetworkConfParams) (*autoNL
 	}
 
 	return &autoNLBsConfig{
-		blockPorts:            blockPorts,
-		minPort:               minPort,
-		maxPort:               maxPort,
-		nlbHealthConfig:       nlbHealthConfig,
-		reserveNlbNum:         reserveNlbNum,
-		eipIspTypes:           eipIspTypes,
-		protocols:             protocols,
-		targetPorts:           ports,
-		zoneMaps:              zoneMaps,
-		externalTrafficPolicy: externalTrafficPolicy,
-		retainNLBOnDelete:     retainNLBOnDelete,
+		blockPorts:              blockPorts,
+		minPort:                 minPort,
+		maxPort:                 maxPort,
+		nlbHealthConfig:         nlbHealthConfig,
+		reserveNlbNum:           reserveNlbNum,
+		eipIspTypes:             eipIspTypes,
+		protocols:               protocols,
+		targetPorts:             ports,
+		zoneMaps:                zoneMaps,
+		externalTrafficPolicy:   externalTrafficPolicy,
+		retainNLBOnDelete:       retainNLBOnDelete,
+		securityProtectionTypes: securityProtectionTypes,
 	}, nil
 }

cloudprovider/alibabacloud/auto_nlbs_v2.go

@@ -1230,12 +1230,13 @@ func (a *AutoNLBsV2Plugin) ensureEIPCR(ctx context.Context, c client.Client, nam
 			},
 		},
 		Spec: eipv1.EIPSpec{
-			Name:               eipName,
-			Bandwidth:          "5",                // 默认带宽 5Mbps，可以后续通过配置调整
-			InternetChargeType: internetChargeType, // 根据 ISP 类型选择计费方式
-			ISP:                eipIspType,         // 设置 ISP 线路类型（支持单线 EIP）
-			ReleaseStrategy:    "OnDelete",         // CR 删除时释放 EIP
-			Description:        fmt.Sprintf("EIP for GameServerSet %s, NLB index %d, zone %d", gssName, nlbIndex, zoneIndex),
+			Name:                    eipName,
+			Bandwidth:               "5",                // 默认带宽 5Mbps，可以后续通过配置调整
+			InternetChargeType:      internetChargeType, // 根据 ISP 类型选择计费方式
+			ISP:                     eipIspType,         // 设置 ISP 线路类型（支持单线 EIP）
+			ReleaseStrategy:         "OnDelete",         // CR 删除时释放 EIP
+			Description:             fmt.Sprintf("EIP for GameServerSet %s, NLB index %d, zone %d", gssName, nlbIndex, zoneIndex),
+			SecurityProtectionTypes: config.securityProtectionTypes, // 安全防护类型（高防护 EIP）
 		},
 	}
 

cloudprovider/alibabacloud/auto_nlbs_v2_test.go

@@ -181,6 +181,101 @@ func TestParseAutoNLBsConfig(t *testing.T) {
 			expectError:   true,
 			errorContains: "MinPort",
 		},
+		{
+			name: "valid config with SecurityProtectionTypes - single type",
+			conf: []gamekruiseiov1alpha1.NetworkConfParams{
+				{Name: "ZoneMaps", Value: "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb"},
+				{Name: "PortProtocols", Value: "8080/TCP"},
+				{Name: "EipIspTypes", Value: "BGP"},
+				{Name: "SecurityProtectionTypes", Value: "AntiDDoS_Enhanced"},
+				{Name: "MinPort", Value: "10000"},
+				{Name: "MaxPort", Value: "10999"},
+			},
+			expectConfig: &autoNLBsConfig{
+				zoneMaps:                "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb",
+				eipIspTypes:             []string{"BGP"},
+				targetPorts:             []int{8080},
+				protocols:               []corev1.Protocol{corev1.ProtocolTCP},
+				minPort:                 10000,
+				maxPort:                 10999,
+				reserveNlbNum:           1,
+				externalTrafficPolicy:   corev1.ServiceExternalTrafficPolicyTypeLocal,
+				retainNLBOnDelete:       true,
+				securityProtectionTypes: []string{"AntiDDoS_Enhanced"},
+			},
+			expectError: false,
+		},
+		{
+			name: "valid config with SecurityProtectionTypes - whitespace trimming",
+			conf: []gamekruiseiov1alpha1.NetworkConfParams{
+				{Name: "ZoneMaps", Value: "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb"},
+				{Name: "PortProtocols", Value: "8080/TCP,9000/UDP"},
+				{Name: "EipIspTypes", Value: "BGP"},
+				{Name: "SecurityProtectionTypes", Value: " AntiDDoS_Enhanced "},
+				{Name: "MinPort", Value: "10000"},
+				{Name: "MaxPort", Value: "10999"},
+			},
+			expectConfig: &autoNLBsConfig{
+				zoneMaps:                "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb",
+				eipIspTypes:             []string{"BGP"},
+				targetPorts:             []int{8080, 9000},
+				protocols:               []corev1.Protocol{corev1.ProtocolTCP, corev1.ProtocolUDP},
+				minPort:                 10000,
+				maxPort:                 10999,
+				reserveNlbNum:           1,
+				externalTrafficPolicy:   corev1.ServiceExternalTrafficPolicyTypeLocal,
+				retainNLBOnDelete:       true,
+				securityProtectionTypes: []string{"AntiDDoS_Enhanced"},
+			},
+			expectError: false,
+		},
+		{
+			name: "empty SecurityProtectionTypes should result in empty slice",
+			conf: []gamekruiseiov1alpha1.NetworkConfParams{
+				{Name: "ZoneMaps", Value: "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb"},
+				{Name: "PortProtocols", Value: "8080/TCP"},
+				{Name: "EipIspTypes", Value: "BGP"},
+				{Name: "SecurityProtectionTypes", Value: ""},
+				{Name: "MinPort", Value: "10000"},
+				{Name: "MaxPort", Value: "10999"},
+			},
+			expectConfig: &autoNLBsConfig{
+				zoneMaps:                "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb",
+				eipIspTypes:             []string{"BGP"},
+				targetPorts:             []int{8080},
+				protocols:               []corev1.Protocol{corev1.ProtocolTCP},
+				minPort:                 10000,
+				maxPort:                 10999,
+				reserveNlbNum:           1,
+				externalTrafficPolicy:   corev1.ServiceExternalTrafficPolicyTypeLocal,
+				retainNLBOnDelete:       true,
+				securityProtectionTypes: []string{},
+			},
+			expectError: false,
+		},
+		{
+			name: "no SecurityProtectionTypes specified - default to empty",
+			conf: []gamekruiseiov1alpha1.NetworkConfParams{
+				{Name: "ZoneMaps", Value: "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb"},
+				{Name: "PortProtocols", Value: "8080/TCP"},
+				{Name: "EipIspTypes", Value: "BGP"},
+				{Name: "MinPort", Value: "10000"},
+				{Name: "MaxPort", Value: "10999"},
+			},
+			expectConfig: &autoNLBsConfig{
+				zoneMaps:                "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb",
+				eipIspTypes:             []string{"BGP"},
+				targetPorts:             []int{8080},
+				protocols:               []corev1.Protocol{corev1.ProtocolTCP},
+				minPort:                 10000,
+				maxPort:                 10999,
+				reserveNlbNum:           1,
+				externalTrafficPolicy:   corev1.ServiceExternalTrafficPolicyTypeLocal,
+				retainNLBOnDelete:       true,
+				securityProtectionTypes: []string{},
+			},
+			expectError: false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -230,6 +325,10 @@ func TestParseAutoNLBsConfig(t *testing.T) {
 			if config.retainNLBOnDelete != tt.expectConfig.retainNLBOnDelete {
 				t.Errorf("retainNLBOnDelete: expected %v, got %v", tt.expectConfig.retainNLBOnDelete, config.retainNLBOnDelete)
 			}
+
+			if !stringSliceEqual(config.securityProtectionTypes, tt.expectConfig.securityProtectionTypes) {
+				t.Errorf("securityProtectionTypes: expected %v, got %v", tt.expectConfig.securityProtectionTypes, config.securityProtectionTypes)
+			}
 		})
 	}
 }

docs/en/user_manuals/network.md

@@ -845,6 +845,23 @@ EipIspTypes
 - Example: `BGP,BGP_PRO` or `ChinaTelecom,ChinaMobile,ChinaUnicom`
 - Configuration change supported: No
 
+SecurityProtectionTypes
+
+- Meaning: EIP security protection types, supports DDoS protection
+- Format: `type1,type2,...` (comma-separated for multiple types)
+- Available values:
+  - `AntiDDoS_Enhanced`: DDoS Protection (Enhanced) - Provides Tbps-level professional DDoS protection
+- Example: `AntiDDoS_Enhanced`
+- Configuration change supported: No
+- Default: Empty (no protection enabled)
+- Usage restrictions:
+  - Only supports pay-as-you-go mode (`PostPaid`)
+  - Only supports BGP (multi-line) ISP type
+  - Not compatible with single-line ISP types (ChinaTelecom/ChinaMobile/ChinaUnicom)
+  - Supported regions: cn-beijing, cn-hangzhou, cn-shanghai, cn-hongkong, etc.
+  - Additional security protection fees apply
+- Note: Currently only `AntiDDoS_Enhanced` type is supported. If configured with incompatible ISP types, EIP CR creation will fail with error from Alibaba Cloud API
+
 MinPort
 
 - Meaning: Minimum value for NLB external port allocation
@@ -1148,6 +1165,50 @@ spec:
         name: gameserver
 ```
 
+**Example 5: Enable DDoS Protection (Enhanced)**
+
+```yaml
+apiVersion: game.kruise.io/v1alpha1
+kind: GameServerSet
+metadata:
+  name: gs-ddos-protected
+  namespace: default
+spec:
+  replicas: 5
+  updateStrategy:
+    rollingUpdate:
+      podUpdatePolicy: InPlaceIfPossible
+  network:
+    networkType: AlibabaCloud-AutoNLBs-V2
+    networkConf:
+    - name: ZoneMaps
+      value: "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb"
+    - name: PortProtocols
+      value: "8080/TCP,9000/UDP"
+    - name: EipIspTypes
+      value: "BGP"  # DDoS protection requires BGP line
+    - name: SecurityProtectionTypes
+      value: "AntiDDoS_Enhanced"  # Enable DDoS Protection (Enhanced)
+    - name: MinPort
+      value: "10000"
+    - name: MaxPort
+      value: "10999"
+    - name: LBHealthCheckFlag
+      value: "on"
+  gameServerTemplate:
+    spec:
+      containers:
+      - image: registry.cn-hangzhou.aliyuncs.com/gs-demo/gameserver:network
+        name: gameserver
+```
+
+> **Important Notes for DDoS Protection:**
+> - Must use BGP line type (`EipIspTypes: BGP`), not compatible with single-line ISP (ChinaTelecom/ChinaMobile/ChinaUnicom)
+> - Only supports pay-as-you-go mode, cannot use subscription billing
+> - Additional security protection fees will apply
+> - Check EIP CR status to verify successful activation: `kubectl get eip -n default`
+> - If configuration is incompatible, EIP CR creation will fail with error message from Alibaba Cloud API
+
 #### Generated GameServer Network Status
 
 > **Note**: In Auto NLB V2 mode, `externalAddresses` will be populated with:
@@ -1287,7 +1348,7 @@ kubectl get svc -l game.kruise.io/owner-gss=gs-auto-nlb-v2
    - **Cascade deletion mode (`RetainNLBOnDelete=false`)**: NLB and EIP resources will be automatically deleted when GSS is deleted, no manual cleanup required
 
 2. **Network Configuration Immutability**
-   - Parameters like `ZoneMaps`, `PortProtocols`, `EipIspTypes` cannot be changed after creation
+   - Parameters like `ZoneMaps`, `PortProtocols`, `EipIspTypes`, `SecurityProtectionTypes` cannot be changed after creation
    - When changes are needed, recommend creating a new GameServerSet and migrating
 
 3. **Single-line ISP Billing**

docs/中文/用户手册/网络模型.md

@@ -843,6 +843,23 @@ EipIspTypes
 - 示例：`BGP,BGP_PRO` 或 `ChinaTelecom,ChinaMobile,ChinaUnicom`
 - 是否支持变更：否
 
+SecurityProtectionTypes
+
+- 含义：EIP 安全防护类型，支持 DDoS 高防护
+- 填写格式：`type1,type2,...`（多个类型用逗号分隔）
+- 可选值：
+  - `AntiDDoS_Enhanced`：DDoS 防护（增强版）- 提供 Tbps 级专业 DDoS 防护能力
+- 示例：`AntiDDoS_Enhanced`
+- 是否支持变更：否
+- 默认值：空（不启用防护）
+- 使用限制：
+  - 仅支持按量付费模式（`PostPaid`）
+  - 仅支持 BGP（多线）线路类型
+  - 不兼容单线 ISP 类型（ChinaTelecom/ChinaMobile/ChinaUnicom）
+  - 支持地域：华北2（北京）、华东1（杭州）、华东2（上海）、中国香港等
+  - 会产生额外的安全防护费用
+- 说明：目前仅支持 `AntiDDoS_Enhanced` 类型。如果配置了不兼容的 ISP 类型，EIP CR 创建将失败，错误信息由阿里云 API 返回
+
 MinPort
 
 - 含义：NLB 外部端口分配的最小值
@@ -1146,6 +1163,50 @@ spec:
         name: gameserver
 ```
 
+**示例 5：启用 DDoS 高防护（增强版）**
+
+```yaml
+apiVersion: game.kruise.io/v1alpha1
+kind: GameServerSet
+metadata:
+  name: gs-ddos-protected
+  namespace: default
+spec:
+  replicas: 5
+  updateStrategy:
+    rollingUpdate:
+      podUpdatePolicy: InPlaceIfPossible
+  network:
+    networkType: AlibabaCloud-AutoNLBs-V2
+    networkConf:
+    - name: ZoneMaps
+      value: "vpc-xxx@cn-hangzhou-h:vsw-aaa,cn-hangzhou-i:vsw-bbb"
+    - name: PortProtocols
+      value: "8080/TCP,9000/UDP"
+    - name: EipIspTypes
+      value: "BGP"  # DDoS 高防护必须使用 BGP 线路
+    - name: SecurityProtectionTypes
+      value: "AntiDDoS_Enhanced"  # 启用 DDoS 防护（增强版）
+    - name: MinPort
+      value: "10000"
+    - name: MaxPort
+      value: "10999"
+    - name: LBHealthCheckFlag
+      value: "on"
+  gameServerTemplate:
+    spec:
+      containers:
+      - image: registry.cn-hangzhou.aliyuncs.com/gs-demo/gameserver:network
+        name: gameserver
+```
+
+> **DDoS 高防护重要说明：**
+> - 必须使用 BGP 线路类型（`EipIspTypes: BGP`），不兼容单线 ISP（ChinaTelecom/ChinaMobile/ChinaUnicom）
+> - 仅支持按量付费模式，不能使用包年包月
+> - 会产生额外的安全防护费用
+> - 查看 EIP CR 状态确认是否成功激活：`kubectl get eip -n default`
+> - 如果配置不兼容，EIP CR 创建将失败，错误信息由阿里云 API 返回
+
 #### 生成的 GameServer 网络状态
 
 > **注意**：Auto NLB V2 模式下，`externalAddresses` 中会填充：
@@ -1285,7 +1346,7 @@ kubectl get svc -l game.kruise.io/owner-gss=gs-auto-nlb-v2
    - **级联删除模式（`RetainNLBOnDelete=false`）**：删除 GSS 时会自动删除对应的 NLB 和 EIP 资源，无需手动清理
 
 2. **网络配置不可变**
-   - `ZoneMaps`、`PortProtocols`、`EipIspTypes` 等参数创建后不可修改
+   - `ZoneMaps`、`PortProtocols`、`EipIspTypes`、`SecurityProtectionTypes` 等参数创建后不可修改
    - 需要变更时，建议创建新的 GameServerSet 并迁移
 
 3. **单线 ISP 计费**