You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
With IPsec enabled, you can encrypt both internal pod-to-pod cluster traffic between nodes and external traffic between pods and IPsec endpoints external to your cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in _Transport mode_.
9
+
By enabling IPsec, you can encrypt both internal pod-to-pod cluster traffic between nodes and external traffic between pods and IPsec endpoints external to your cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in _Transport mode_.
10
10
11
-
IPsec is disabled by default. It can be enabled either during or after installing the cluster. For information about cluster installation, see xref:../../installing/overview/index.adoc#ocp-installation-overview[{product-title} installation overview].
11
+
IPsec is disabled by default. You can enable IPsec either during or after installing the cluster. For information about cluster installation, see xref:../../installing/overview/index.adoc#ocp-installation-overview[{product-title} installation overview].
12
12
13
-
[IMPORTANT]
14
-
====
15
-
If your cluster uses link:https://www.redhat.com/en/topics/containers/what-are-hosted-control-planes[{hcp}] for Red Hat {product-title}, IPsec is not supported for IPsec encryption of either pod-to-pod or traffic to external hosts.
16
-
====
13
+
The following support limitations exist for IPsec on a {product-title} cluster:
17
14
18
-
[NOTE]
19
-
====
20
-
IPsec on {ibm-cloud-name} supports only NAT-T. Using ESP is not supported.
21
-
====
15
+
* On {ibm-cloud-name}, IPsec supports only NAT-T. Encapsulating Security Payload (ESP) is not supported on this platform.
16
+
* If your cluster uses link:https://www.redhat.com/en/topics/containers/what-are-hosted-control-planes[{hcp}] for Red{nbsp}Hat {product-title}, IPsec is not supported for IPsec encryption of either pod-to-pod or traffic to external hosts.
17
+
* Using ESP hardware offloading on any network interface is not supported if one or more of those interfaces is attached to Open vSwitch (OVS). Enabling IPsec for your cluster triggers the use of IPsec with interfaces attached to OVS. By default, {product-title} disables ESP hardware offloading on any interfaces attached to OVS.
18
+
* If you enabled IPsec for network interfaces that are not attached to OVS, a cluster administrator must manually disable ESP hardware offloading on each interface that is not attached to OVS.
22
19
23
-
Use the procedures in the following documentation to:
20
+
The following list outlines key tasks in the IPsec documentation:
24
21
25
-
* Enable and disable IPSec after cluster installation
26
-
* Configure IPsec encryption for traffic between the cluster and external hosts
27
-
* Verify that IPsec encrypts traffic between pods on different nodes
22
+
* Enable and disable IPsec after cluster installation.
23
+
* Configure IPsec encryption for traffic between the cluster and external hosts.
24
+
* Verify that IPsec encrypts traffic between pods on different nodes.
For IPsec encryption of pod-to-pod traffic, the following sections describe which specific pod-to-pod traffic is encrypted, what kind of encryption protocol is used, and how X.509 certificates are handled. These sections do not apply to IPsec encryption between the cluster and external hosts, which you must configure manually for your specific external network infrastructure.
56
54
55
+
// Types of network traffic flows encrypted by pod-to-pod IPsec
0 commit comments