Configuring IPsec encryption

With IPsec enabled, you can encrypt both internal pod-to-pod cluster traffic between nodes and external traffic between pods and IPsec endpoints external to your cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec Transport mode.

IPsec is disabled by default. It can be enabled either during or after installing the cluster. For information about cluster installation, see OKD installation overview. If you need to enable IPsec after cluster installation, you must first resize your cluster MTU to account for the overhead of the IPsec ESP IP header.

IPsec on IBM Cloud VPC supports only NAT-T. Using ESP is not supported.

Use the procedures in the following documentation to:

  • Enable and disable IPSec after cluster installation

  • Configure support for external IPsec endpoints outside the cluster

  • Verify that IPsec encrypts traffic between pods on different nodes

Prerequisites

  • You have decreased the size of the cluster MTU by 46 bytes to allow for the additional overhead of the IPsec ESP header. For more information on resizing the MTU that your cluster uses, see Changing the MTU for the cluster network.

Network connectivity requirements when IPsec is enabled

You must configure the network connectivity between machines to allow OKD cluster components to communicate. Each machine must be able to resolve the hostnames of all other machines in the cluster.

Table 1. Ports used for all-machine to all-machine communications
ProtocolPortDescription

UDP

500

IPsec IKE packets

4500

IPsec NAT-T packets

ESP

N/A

IPsec Encapsulating Security Payload (ESP)

IPsec encryption for pod-to-pod traffic

OKD supports IPsec encryption for network traffic between pods.

Types of network traffic flows encrypted by pod-to-pod IPsec

With IPsec enabled, only the following network traffic flows between pods are encrypted:

  • Traffic between pods on different nodes on the cluster network

  • Traffic from a pod on the host network to a pod on the cluster network

The following traffic flows are not encrypted:

  • Traffic between pods on the same node on the cluster network

  • Traffic between pods on the host network

  • Traffic from a pod on the cluster network to a pod on the host network

The encrypted and unencrypted flows are illustrated in the following diagram:

IPsec encrypted and unencrypted traffic flows

Encryption protocol and IPsec mode

The encrypt cipher used is AES-GCM-16-256. The integrity check value (ICV) is 16 bytes. The key length is 256 bits.

The IPsec mode used is Transport mode, a mode that encrypts end-to-end communication by adding an Encapsulated Security Payload (ESP) header to the IP header of the original packet and encrypts the packet data. OKD does not currently use or support IPsec Tunnel mode for pod-to-pod communication.

Security certificate generation and rotation

The Cluster Network Operator (CNO) generates a self-signed X.509 certificate authority (CA) that is used by IPsec for encryption. Certificate signing requests (CSRs) from each node are automatically fulfilled by the CNO.

The CA is valid for 10 years. The individual node certificates are valid for 5 years and are automatically rotated after 4 1/2 years elapse.

Enabling pod-to-pod IPsec encryption

As a cluster administrator, you can enable pod-to-pod IPsec encryption after cluster installation.

Prerequisites

  • Install the OpenShift CLI (oc).

  • You are logged in to the cluster as a user with cluster-admin privileges.

  • You have reduced the size of your cluster MTU by 46 bytes to allow for the overhead of the IPsec ESP header.

Procedure

  • To enable IPsec encryption, enter the following command:

    1. $ oc patch networks.operator.openshift.io cluster --type=merge \
    2. -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{ }}}}}'

Verifying that IPsec is enabled

As a cluster administrator, you can verify that IPsec is enabled.

Verification

  1. To find the names of the OVN-Kubernetes data plane pods, enter the following command:

    1. $ oc get pods -n openshift-ovn-kubernetes -l=app=ovnkube-node

    Example output

    1. ovnkube-node-5xqbf                       8/8     Running   0              28m
    2. ovnkube-node-6mwcx                       8/8     Running   0              29m
    3. ovnkube-node-ck5fr                       8/8     Running   0              31m
    4. ovnkube-node-fr4ld                       8/8     Running   0              26m
    5. ovnkube-node-wgs4l                       8/8     Running   0              33m
    6. ovnkube-node-zfvcl                       8/8     Running   0              34m

  2. Verify that IPsec is enabled on your cluster:

    1. $ oc -n openshift-ovn-kubernetes -c nbdb rsh ovnkube-node-<XXXXX> ovn-nbctl --no-leader-only get nb_global . ipsec

    where:

    <XXXXX>

    Specifies the random sequence of letters for a pod from the previous step.

    Example output

    1. true

Disabling IPsec encryption

As a cluster administrator, you can disable IPsec encryption only if you enabled IPsec after cluster installation.

If you enabled IPsec when you installed your cluster, you cannot disable IPsec with this procedure.

Prerequisites

  • Install the OpenShift CLI (oc).

  • Log in to the cluster with a user with cluster-admin privileges.

Procedure

  1. To disable IPsec encryption, enter the following command:

    1. $ oc patch networks.operator.openshift.io/cluster --type=json \
    2.   -p='[{"op":"remove", "path":"/spec/defaultNetwork/ovnKubernetesConfig/ipsecConfig"}]'

  2. Optional: You can increase the size of your cluster MTU by 46 bytes because there is no longer any overhead from the IPsec ESP header in IP packets.

IPsec encryption for external traffic

OKD supports IPsec encryption for traffic to external hosts.

You must supply a custom IPsec configuration, which includes the IPsec configuration file itself and TLS certificates.

Ensure that the following prohibitions are observed:

  • The custom IPsec configuration must not include any connection specifications that might interfere with the cluster’s pod-to-pod IPsec configuration.

  • Certificate common names (CN) in the provided certificate bundle must not begin with the ovs_ prefix, because this naming can collide with pod-to-pod IPsec CN names in the Network Security Services (NSS) database of each node.

IPsec support for external endpoints is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Enabling IPsec encryption for external IPsec endpoints

As a cluster administrator, you can enable IPsec encryption between the cluster and external IPsec endpoints. Because this procedure uses Butane to create machine configs, you must have the butane command installed.

After you apply the machine config, the Machine Config Operator reboots affected nodes in your cluster to rollout the new machine config.

Prerequisites

  • Install the OpenShift CLI (oc).

  • You are logged in to the cluster as a user with cluster-admin privileges.

  • You have reduced the size of your cluster MTU by 46 bytes to allow for the overhead of the IPsec ESP header.

  • You have installed the butane utility.

  • You have an existing PKCS#12 certificate for the IPsec endpoint and a CA cert in PEM format.

Procedure

As a cluster administrator, you can enable IPsec support for external IPsec endpoints.

  1. Create an IPsec configuration file named ipsec-endpoint-config.conf. The configuration is consumed in the next step. For more information, see Libreswan as an IPsec VPN implementation.

  2. Provide the following certificate files to add to the Network Security Services (NSS) database on each host. These files are imported as part of the Butane configuration in subsequent steps.

    • left_server.p12: The certificate bundle for the IPsec endpoints

    • ca.pem: The certificate authority that you signed your certificates with

  3. Create a machine config to apply the IPsec configuration to your cluster by using the following two steps:

    1. To add the IPsec configuration, create Butane config files for the control plane and worker nodes with the following contents:

      1. $ for role in master worker; do
      2.   cat >> "99-ipsec-${role}-endpoint-config.bu" <<-EOF
      3.   variant: openshift
      4.   version: 4.14.0
      5.   metadata:
      6.     name: 99-${role}-import-certs-enable-svc-os-ext
      7.     labels:
      8.       machineconfiguration.openshift.io/role: $role
      9.   openshift:
      10.     extensions:
      11.       - ipsec
      12.   systemd:
      13.     units:
      14.     - name: ipsec-import.service
      15.       enabled: true
      16.       contents: |
      17.         [Unit]
      18.         Description=Import external certs into ipsec NSS
      19.         Before=ipsec.service
      21.         [Service]
      22.         Type=oneshot
      23.         ExecStart=/usr/local/bin/ipsec-addcert.sh
      24.         RemainAfterExit=false
      25.         StandardOutput=journal
      27.         [Install]
      28.         WantedBy=multi-user.target
      29.     - name: ipsecenabler.service
      30.       enabled: true
      31.       contents: |
      32.         [Service]
      33.         Type=oneshot
      34.         ExecStart=systemctl enable --now ipsec.service
      36.         [Install]
      37.         WantedBy=multi-user.target
      38.   storage:
      39.     files:
      40.     - path: /etc/pki/certs/ca.pem
      41.       mode: 0400
      42.       overwrite: true
      43.       contents:
      44.         local: ca.pem
      45.     - path: /etc/pki/certs/left_server.p12
      46.       mode: 0400
      47.       overwrite: true
      48.       contents:
      49.         local: left_server.p12
      50.     - path: /usr/local/bin/ipsec-addcert.sh
      51.       mode: 0740
      52.       overwrite: true
      53.       contents:
      54.         inline: |
      55.           #!/bin/bash -e
      56.           echo "importing cert to NSS"
      57.           certutil -A -n "CA" -t "CT,C,C" -d /var/lib/ipsec/nss/ -i /etc/pki/certs/ca.pem
      58.           pk12util -W "" -i /etc/pki/certs/left_server.p12 -d /var/lib/ipsec/nss/
      59.           certutil -M -n "left_server" -t "u,u,u" -d /var/lib/ipsec/nss/
      60. EOF
      61. done

    2. To transform the Butane files that you created in the previous step into machine configs, enter the following command:

      1. $ for role in master worker; do
      2.   butane 99-ipsec-${role}-endpoint-config.bu -o ./99-ipsec-$role-endpoint-config.yaml
      3. done

  4. To apply the machine configs to your cluster, enter the following command:

    1. $ for role in master worker; do
    2.   oc apply -f 99-ipsec-${role}-endpoint-config.yaml
    3. done

    As the Machine Config Operator (MCO) updates machines in each machine config pool, it reboots each node one by one. You must wait until all the nodes are updated before external IPsec connectivity is available.

  5. Check the machine config pool status by entering the following command:

    1. $ oc get mcp

    A successfully updated node has the following status: UPDATED=true, UPDATING=false, DEGRADED=false.

    By default, the MCO updates one machine per pool at a time, causing the total time the migration takes to increase with the size of the cluster.

Additional resources