From 99b33d0aa28db5bb48cef4d56be363d64ca95afd Mon Sep 17 00:00:00 2001 From: Ngairangbam Mili Date: Mon, 15 Sep 2025 02:56:38 +0000 Subject: [PATCH] Add warning to alert customers on the CPU impact due to IPSec policies Story: 2011127 Task: 52808 Change-Id: Ib04943a119b807912e55314b168f381c6644c3c2 Signed-off-by: Ngairangbam Mili --- ...st-pod-to-pod-traffic-usi-8cb9b4342b5d.rst | 24 +++++++++++++++++++ ...erator-system-application-95ae437a67e2.rst | 18 ++++++++++++++ 2 files changed, 42 insertions(+) diff --git a/doc/source/security/kubernetes/configure-ipsec-for-selected-inter-host-pod-to-pod-traffic-usi-8cb9b4342b5d.rst b/doc/source/security/kubernetes/configure-ipsec-for-selected-inter-host-pod-to-pod-traffic-usi-8cb9b4342b5d.rst index 04ee09045..ebb71e6d1 100644 --- a/doc/source/security/kubernetes/configure-ipsec-for-selected-inter-host-pod-to-pod-traffic-usi-8cb9b4342b5d.rst +++ b/doc/source/security/kubernetes/configure-ipsec-for-selected-inter-host-pod-to-pod-traffic-usi-8cb9b4342b5d.rst 
@@ -7,6 +7,30 @@ Configure IPsec for Selected Inter-host Pod-to-pod Traffic using IPsec Policies =============================================================================== +.. note:: + + Configuring IPSec policies on pod‑to‑pod traffic may degrade the CPU + performance. Refer to the following approximate pod and node impacts for + both transmitting and receiving sides based on the traffic rate between 25 + Mbps and 500 Mbps. + + +-----+--------------+-------------+ + | | Transmit | Receive | + +-----+--------------+-------------+ + | Pod | 50-100% | 0% | + +-----+--------------+-------------+ + | Node| 30-90% | 5-40% | + +-----+--------------+-------------+ + + Ensure that adequate resources are available to support sustained and peak + inter‑node traffic. + +.. rubric:: |prereq| + +The ipsec-policy-operator application must be installed and in the applied +state before configuring the IPsec policies |CRD|. To apply the application, +see :ref:`install-ipsec-policy-operator-system-application-95ae437a67e2`. + .. rubric:: |proc| #. Create the IPsec policy. diff --git a/doc/source/security/kubernetes/install-ipsec-policy-operator-system-application-95ae437a67e2.rst b/doc/source/security/kubernetes/install-ipsec-policy-operator-system-application-95ae437a67e2.rst index 0c9e37006..32d93b470 100644 --- a/doc/source/security/kubernetes/install-ipsec-policy-operator-system-application-95ae437a67e2.rst +++ b/doc/source/security/kubernetes/install-ipsec-policy-operator-system-application-95ae437a67e2.rst 
@@ -18,3 +18,21 @@ the following command: Once the system application is installed, ``ipsecpolicies.starlingx.io`` |CRD| will be created. + +.. note:: + + Configuring IPSec policies on pod‑to‑pod traffic may degrade the CPU + performance. Refer to the following approximate pod and node impacts for + both transmitting and receiving sides based on the traffic rate between 25 + Mbps and 500 Mbps. + + +-----+--------------+-------------+ + | | Transmit | Receive | + +-----+--------------+-------------+ + | Pod | 50-100% | 0% | + +-----+--------------+-------------+ + | Node| 30-90% | 5-40% | + +-----+--------------+-------------+ + + Ensure that adequate resources are available to support sustained and peak + inter‑node traffic.
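Review bot: In the first hunk (configure-ipsec-for-selected-inter-host-pod-to-pod-traffic-usi-8cb9b4342b5d.rst), the table cells `50-100%`, `30-90%` and `5-40%` do not say what they are a percentage of. A reader sizing nodes cannot tell whether this is utilisation of one core, an increase over the unencrypted baseline, or a share of the pod's CPU limit. Add a sentence or a column header naming the unit and baseline, and state which end of each range corresponds to 25 Mbps and which to 500 Mbps. Three smaller points in the same hunk: the note spells it "IPSec" while the page title and the new prerequisite paragraph use "IPsec"; "pod‑to‑pod" and "inter‑node" are written with non-breaking hyphens (U+2011) rather than ASCII `-`, which defeats plain-text search; and the hunk also adds a `.. rubric:: |prereq|` section that the commit subject does not mention, so either mention it in the commit message or split it into its own change.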
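Review bot: The second hunk (install-ipsec-policy-operator-system-application-95ae437a67e2.rst) repeats the note and table from the first file verbatim, so the two copies can drift apart when the figures are next revised. Keep the text in one shared file and pull it into both pages with `.. include::`. The commit subject calls this a warning, but the directive added is `.. note::`; if the intent is to alert operators before they enable policies, `.. warning::` or `.. important::` matches the subject better. The "IPSec" spelling and the non-breaking hyphens in "pod‑to‑pod" and "inter‑node" need the same fix here as in the first file.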