With IPsec enabled, all pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec Transport mode.
IPsec is disabled by default. It can be enabled either during or after installing the cluster. For information about cluster installation, see OKD installation overview. If you need to enable IPsec after cluster installation, you must first resize your cluster MTU to account for the overhead of the IPsec ESP IP header.
The following support limitations exist for IPsec on a OKD cluster:
You must disable IPsec before updating to OKD 4.15. After disabling IPsec, you must also delete the associated IPsec daemonsets. There is a known issue that can cause interruptions in pod-to-pod communication if you update without disabling IPsec. (OCPBUGS-43323)
The following documentation describes how to enable and disable IPSec after cluster installation.
You have decreased the size of the cluster MTU by 46
bytes to allow for the additional overhead of the IPsec ESP header. For more information on resizing the MTU that your cluster uses, see Changing the MTU for the cluster network.
With IPsec enabled, only the following network traffic flows between pods are encrypted:
Traffic between pods on different nodes on the cluster network
Traffic from a pod on the host network to a pod on the cluster network
The following traffic flows are not encrypted:
Traffic between pods on the same node on the cluster network
Traffic between pods on the host network
Traffic from a pod on the cluster network to a pod on the host network
The encrypted and unencrypted flows are illustrated in the following diagram:
You must configure the network connectivity between machines to allow OKD cluster components to communicate. Each machine must be able to resolve the hostnames of all other machines in the cluster.
Protocol | Port | Description |
---|---|---|
UDP |
|
IPsec IKE packets |
|
IPsec NAT-T packets |
|
ESP |
N/A |
IPsec Encapsulating Security Payload (ESP) |
The encrypt cipher used is AES-GCM-16-256
. The integrity check value (ICV) is 16
bytes. The key length is 256
bits.
The IPsec mode used is Transport mode, a mode that encrypts end-to-end communication by adding an Encapsulated Security Payload (ESP) header to the IP header of the original packet and encrypts the packet data. OKD does not currently use or support IPsec Tunnel mode for pod-to-pod communication.
The Cluster Network Operator (CNO) generates a self-signed X.509 certificate authority (CA) that is used by IPsec for encryption. Certificate signing requests (CSRs) from each node are automatically fulfilled by the CNO.
The CA is valid for 10 years. The individual node certificates are valid for 5 years and are automatically rotated after 4 1/2 years elapse.
As a cluster administrator, you can enable IPsec encryption after cluster installation.
Install the OpenShift CLI (oc
).
Log in to the cluster as a user with cluster-admin
privileges.
You have reduced the size of your cluster maximum transmission unit (MTU) by 46
bytes to allow for the overhead of the IPsec ESP header.
To enable IPsec encryption, enter the following command:
$ oc patch networks.operator.openshift.io cluster --type=merge \
-p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{ }}}}}'
To find the names of the OVN-Kubernetes control plane pods, enter the following command:
$ oc get pods -l app=ovnkube-master -n openshift-ovn-kubernetes
NAME READY STATUS RESTARTS AGE
ovnkube-master-fvtnh 6/6 Running 0 122m
ovnkube-master-hsgmm 6/6 Running 0 122m
ovnkube-master-qcmdc 6/6 Running 0 122m
Verify that IPsec is enabled on your cluster by entering the following command. The command output must state true
to indicate that the node has IPsec enabled.
$ oc -n openshift-ovn-kubernetes rsh ovnkube-master-<pod_number_sequence> \ (1)
ovn-nbctl --no-leader-only get nb_global . ipsec
1 | Replace <pod_number_sequence> with the random sequence of letters, fvtnh , for a data plane pod from the previous step. |
As a cluster administrator, you can disable IPsec encryption only if you enabled IPsec after cluster installation.
After disabling IPsec, you must delete the associated IPsec daemonsets pods. If you do not delete these pods, you might experience issues with your cluster. |
Install the OpenShift CLI (oc
).
Log in to the cluster with a user with cluster-admin
privileges.
To disable IPsec encryption, enter the following command:
$ oc patch networks.operator.openshift.io/cluster --type=json \
-p='[{"op":"remove", "path":"/spec/defaultNetwork/ovnKubernetesConfig/ipsecConfig"}]'
To find the name of the OVN-Kubernetes data plane pod that exists on the master
node in your cluster, enter the following command:
$ oc get pods -n openshift-ovn-kubernetes -l=app=ovnkube-master
ovnkube-master-5xqbf 8/8 Running 0 28m
...
Verify that the master
node in your cluster has IPsec disabled by entering the following command. The command output must state false
to indicate that the node has IPsec disabled.
$ oc -n openshift-ovn-kubernetes -c nbdb rsh ovnkube-master-<pod_number_sequence> \(1)
ovn-nbctl --no-leader-only get nb_global . ipsec
1 | Replace <pod_number_sequence> with the random sequence of letters, such as 5xqbf , for the data plane pod from the previous step. |
To remove the IPsec ovn-ipsec
daemonset pod from the openshift-ovn-kubernetes
namespace on the node, enter the following command:
$ oc delete daemonset ovn-ipsec -n openshift-ovn-kubernetes (1)
1 | The ovn-ipsec daemonset configures IPsec connections for east-west traffic on the node. |
Verify that the ovn-ipsec
daemonset pod was removed from the all nodes in your cluster by entering the following command. If the command output does not list the pod, the removal operation is successful.
$ oc get pods -n openshift-ovn-kubernetes -l=app=ovn-ipsec
You might need to re-run the command for deleting the pod because sometimes the initial command attempt might not delete the pod. |
Optional: You can increase the size of your cluster MTU by 46
bytes because there is no longer any overhead from the IPsec ESP header in IP packets.