mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
105 lines
6.4 KiB
Plaintext
105 lines
6.4 KiB
Plaintext
:_mod-docs-content-type: ASSEMBLY
|
|
[id="configuring-ipsec-ovn"]
|
|
= Configuring IPsec encryption
|
|
include::_attributes/common-attributes.adoc[]
|
|
:context: configuring-ipsec-ovn
|
|
|
|
toc::[]
|
|
|
|
By enabling IPsec, you can encrypt both internal pod-to-pod cluster traffic between nodes and external traffic between pods and IPsec endpoints external to your cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in _Transport mode_.
|
|
|
|
IPsec is disabled by default. You can enable IPsec either during or after installing the cluster. For information about cluster installation, see xref:../../installing/overview/index.adoc#ocp-installation-overview[{product-title} installation overview].
|
|
|
|
[NOTE]
|
|
====
|
|
Upgrading your cluster to {product-title} {product-version} when the `libreswan` and `NetworkManager-libreswan` packages have different {product-title} versions causes two consecutive compute node reboot operations. For the first reboot, the Cluster Network Operator (CNO) applies the IPsec configuration to compute nodes. For the second reboot, the Machine Config Operator (MCO) applies the latest machine configs to the cluster.
|
|
|
|
To combine the CNO and MCO updates into a single node reboot, complete the following tasks:
|
|
|
|
* Before upgrading your cluster, set the `paused` parameter to `true` in the `MachineConfigPools` custom resource (CR) that groups compute nodes.
|
|
* After you upgrade your cluster, set the parameter to `false`.
|
|
|
|
For more information, see xref:../../updating/updating_a_cluster/control-plane-only-update.adoc#control-plane-only-update[Performing a Control Plane Only update].
|
|
====
|
|
|
|
The following support limitations exist for IPsec on a {product-title} cluster:
|
|
|
|
* On {ibm-cloud-name}, IPsec supports only network address translation-traversal (NAT-T). Encapsulating Security Payload (ESP) is not supported on this platform.
|
|
* If your cluster uses link:https://www.redhat.com/en/topics/containers/what-are-hosted-control-planes[{hcp}] for Red{nbsp}Hat {product-title}, IPsec is not supported for IPsec encryption of either pod-to-pod or traffic to external hosts.
|
|
* Using ESP hardware offloading on any network interface is not supported if one or more of those interfaces is attached to Open vSwitch (OVS). Enabling IPsec for your cluster triggers the use of IPsec with interfaces attached to OVS. By default, {product-title} disables ESP hardware offloading on any interfaces attached to OVS.
|
|
* If you enabled IPsec for network interfaces that are not attached to OVS, a cluster administrator must manually disable ESP hardware offloading on each interface that is not attached to OVS.
|
|
|
|
The following list outlines key tasks in the IPsec documentation:
|
|
|
|
* Enable and disable IPsec after cluster installation.
|
|
* Configure IPsec encryption for traffic between the cluster and external hosts.
|
|
* Verify that IPsec encrypts traffic between pods on different nodes.
|
|
|
|
// Modes of operation
|
|
include::modules/nw-own-ipsec-modes.adoc[leveloffset=+1]
|
|
|
|
// Uses xrefs, so must be located here
|
|
[id="prerequisites_{context}"]
|
|
== Prerequisites
|
|
|
|
For IPsec support for encrypting traffic to external hosts, ensure that you meet the following prerequisites:
|
|
|
|
* Set `routingViaHost=true` in the `ovnKubernetesConfig.gatewayConfig` specification of the OVN-Kubernetes network plugin.
|
|
* Install the NMState Operator. This Operator is required for specifying the IPsec configuration. For more information, see xref:../../networking/networking_operators/k8s-nmstate-about-the-k8s-nmstate-operator.adoc#k8s-nmstate-about-the-k8s-nmstate-operator[Kubernetes NMState Operator].
|
|
+
|
|
--
|
|
[NOTE]
|
|
====
|
|
The NMState Operator is supported on {gcp-first} only for configuring IPsec.
|
|
====
|
|
--
|
|
* The Butane tool (`butane`) is installed. To install Butane, see xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-butane-install_installing-customizing[Installing Butane].
|
|
|
|
These prerequisites are required to add certificates into the host NSS database and to configure IPsec to communicate with external hosts.
|
|
|
|
include::modules/nw-own-ipsec-required-ports.adoc[leveloffset=+1]
|
|
|
|
[id="pod-to-pod-ipsec_{context}"]
|
|
== IPsec encryption for pod-to-pod traffic
|
|
|
|
For IPsec encryption of pod-to-pod traffic, the following sections describe which specific pod-to-pod traffic is encrypted, what kind of encryption protocol is used, and how X.509 certificates are handled. These sections do not apply to IPsec encryption between the cluster and external hosts, which you must configure manually for your specific external network infrastructure.
|
|
|
|
// Types of network traffic flows encrypted by pod-to-pod IPsec
|
|
include::modules/nw-ovn-ipsec-traffic.adoc[leveloffset=+2]
|
|
|
|
// Encryption protocol and IPsec mode
|
|
include::modules/nw-ovn-ipsec-encryption.adoc[leveloffset=+2]
|
|
|
|
// Security certificate generation and rotation
|
|
include::modules/nw-ovn-ipsec-certificates.adoc[leveloffset=+2]
|
|
|
|
// IPsec encryption for external traffic
|
|
include::modules/nw-ovn-ipsec-external.adoc[leveloffset=+1]
|
|
|
|
// Enabling IPsec encryption
|
|
include::modules/nw-ovn-ipsec-enable.adoc[leveloffset=+1]
|
|
|
|
// Configuring IPsec encryption for external traffic
|
|
include::modules/nw-ovn-ipsec-north-south-enable.adoc[leveloffset=+1]
|
|
|
|
[role="_additional-resources"]
|
|
[id="additional-resources_{context}"]
|
|
== Additional resources
|
|
|
|
* link:https://nmstate.io/devel/yaml_api.html#ipsec-encryption[IPsec Encryption]
|
|
|
|
// Disabling IPsec encryption for an external IPsec endpoint
|
|
include::modules/nw-ovn-ipsec-north-south-disable.adoc[leveloffset=+1]
|
|
|
|
// Disabling IPsec encryption
|
|
include::modules/nw-ovn-ipsec-disable.adoc[leveloffset=+1]
|
|
|
|
[role="_additional-resources"]
|
|
== Additional resources
|
|
|
|
* link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/configuring_and_managing_networking/setting-up-an-ipsec-vpn[Configuring a VPN with IPsec] in {op-system-base-full} 10
|
|
* xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-butane-install_installing-customizing[Installing Butane]
|
|
* xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes Container Network Interface (CNI) network plugin]
|
|
* xref:../../networking/advanced_networking/changing-cluster-network-mtu.adoc#changing-cluster-network-mtu[Changing the MTU for the cluster network]
|
|
* xref:../../rest_api/operator_apis/network-operator-openshift-io-v1.adoc#network-operator-openshift-io-v1[Network [operator.openshift.io/v1\]]API
|