Add warning to alert customers on the CPU impact due to IPSec policies

Story: 2011127 Task: 52808 Change-Id: Ib04943a119b807912e55314b168f381c6644c3c2 Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2025-09-15 02:56:38 +00:00
parent 6c4689af7f
commit 99b33d0aa2
2 changed files with 42 additions and 0 deletions
--- a/doc/source/security/kubernetes/configure-ipsec-for-selected-inter-host-pod-to-pod-traffic-usi-8cb9b4342b5d.rst
+++ b/doc/source/security/kubernetes/configure-ipsec-for-selected-inter-host-pod-to-pod-traffic-usi-8cb9b4342b5d.rst
@@ -7,6 +7,30 @@
 Configure IPsec for Selected Inter-host Pod-to-pod Traffic using IPsec Policies
 ===============================================================================

+.. note::
+
+    Configuring IPSec policies on pod‑to‑pod traffic may degrade the CPU
+    performance. Refer to the following approximate pod and node impacts for
+    both transmitting and receiving sides based on the traffic rate between 25
+    Mbps and 500 Mbps.
+
+    +-----+--------------+-------------+
+    |     | Transmit     | Receive     |
+    +-----+--------------+-------------+
+    | Pod | 50-100%      | 0%          |
+    +-----+--------------+-------------+
+    | Node| 30-90%       | 5-40%       |
+    +-----+--------------+-------------+
+
+    Ensure that adequate resources are available to support sustained and peak
+    inter‑node traffic.
+
+.. rubric:: |prereq|
+
+The ipsec-policy-operator application must be installed and in the applied
+state before configuring the IPsec policies |CRD|. To apply the application,
+see :ref:`install-ipsec-policy-operator-system-application-95ae437a67e2`.
+
 .. rubric:: |proc|

 #. Create the IPsec policy.
--- a/doc/source/security/kubernetes/install-ipsec-policy-operator-system-application-95ae437a67e2.rst
+++ b/doc/source/security/kubernetes/install-ipsec-policy-operator-system-application-95ae437a67e2.rst
@@ -18,3 +18,21 @@ the following command:

 Once the system application is installed, ``ipsecpolicies.starlingx.io`` |CRD|
 will be created.
+
+.. note::
+
+    Configuring IPSec policies on pod‑to‑pod traffic may degrade the CPU
+    performance. Refer to the following approximate pod and node impacts for
+    both transmitting and receiving sides based on the traffic rate between 25
+    Mbps and 500 Mbps.
+
+    +-----+--------------+-------------+
+    |     | Transmit     | Receive     |
+    +-----+--------------+-------------+
+    | Pod | 50-100%      | 0%          |
+    +-----+--------------+-------------+
+    | Node| 30-90%       | 5-40%       |
+    +-----+--------------+-------------+
+
+    Ensure that adequate resources are available to support sustained and peak
+    inter‑node traffic.