docs/doc/source/usertasks/kubernetes/unprotect-inter-host-pod-to-pod-traffic-of-specific-services-co-c0eca384959d.rst
Ngairangbam Mili 6d3c7e25a3 Secure Inter-Host Pod-to-Pod Network Traffic using IPSEC
Story: 2011127
Task: 52130

Change-Id: Iaf27c18ca465262860606b592a98fdfa634d3d23
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2025-08-26 16:20:17 +00:00


Unprotect Inter-host Pod-to-pod Traffic of Specific Services

Use this procedure to remove IPsec protection from the inter-host pod-to-pod traffic of selected services while leaving the other services protected.

  • The ipsec-policy-operator system application is installed (applied).

    To check if the system application is installed, run the following command:

    ~(keystone_admin)$ system application-list
  • IPsec policies have already been created for the services. To list them, run the following command:

    ~(keystone_admin)$ kubectl get ipsecpolicies -o yaml

There are two methods to remove the IPsec policies for some services: edit the IPsecPolicy resource in place with the kubectl edit ipsecpolicy <ipsec policy> command, or update the original yaml file, removing the entries for those services, and re-apply the updated file. The following steps use the second method.

  1. Update the original yaml file to remove the services from IPsec protection.

    Using the same kube-dns and cert-manager example, remove the policy entry for the kube-dns service so that kube-dns traffic is no longer protected. The updated file contains only the cert-manager policy:

    apiVersion: starlingx.io/v1
    kind: IPsecPolicy
    metadata:
      labels:
        app.kubernetes.io/name: ipsec-policy-manager-operator
        app.kubernetes.io/managed-by: kustomize
      name: ipsecpolicy-kube-dns-cert-manager-sample
    spec:
      policies:
        - name: cert-manager
          servicename: cm-cert-manager
          servicens: cert-manager
          serviceports: tcp/9402
  2. Re-apply the yaml file to update the IPsec policies.

    ~(keystone_admin)$ kubectl apply -f ipsecpolicy_dns_cert-mananger.yaml

    Check if the IPsec policies are updated by running the following command:

    ~(keystone_admin)$ kubectl get ipsecpolicy ipsecpolicy-kube-dns-cert-manager-sample -o yaml

    The example output is as follows:

    [sysadmin@controller-0 ~(keystone_admin)]$ kubectl get ipsecpolicy ipsecpolicy-kube-dns-cert-manager-sample -o yaml
    apiVersion: starlingx.io/v1
    kind: IPsecPolicy
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"starlingx.io/v1","kind":"IPsecPolicy","metadata":{"annotations":{},"labels":{"app.kubernetes.io/managed-by":"kustomize","app.kubernetes.io/name":"ipsec-policy-manager-operator"},"name":"ipsecpolicy-kube-dns-cert-manager-sample"},"spec":{"policies":[{"name":"kube-dns","servicename":"kube-dns","servicens":"kube-system","serviceports":"tcp/53,tcp/9153"},{"name":"cert-manager","servicename":"cm-cert-manager","servicens":"cert-manager","serviceports":"tcp/9402"}]}}
      creationTimestamp: "2025-08-06T21:17:17Z"
      generation: 2
      labels:
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: ipsec-policy-manager-operator
      name: ipsecpolicy-kube-dns-cert-manager-sample
      resourceVersion: "6515284"
      uid: 46fcaa15-1e24-45ba-b01a-ee63cbc4b33b
    spec:
      policies:
      - name: cert-manager
        servicename: cm-cert-manager
        servicens: cert-manager
        serviceports: tcp/9402

    Note

    The kube-dns policy is no longer listed under spec.policies; only the cert-manager policy remains.

    Note

    If the service to be unprotected is the only service in an IPsec policy, delete the IPsec policy itself to remove the protection.
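The same change can be scripted and verified rather than edited by hand. The following is an added example and is not part of the StarlingX documentation or the ipsec-policy-operator; the function names are hypothetical, and the sample input is the last-applied-configuration JSON shown in the output above (which carries no server-set fields such as uid or resourceVersion, so it can be re-applied). It drops one service from spec.policies and applies the rule from the note: if that service was the only entry, the policy must be deleted instead of re-applied.

```python
import json

# Constructed sample: the IPsecPolicy as last applied, before kube-dns was removed.
ORIGINAL_POLICY_JSON = (
    '{"apiVersion":"starlingx.io/v1","kind":"IPsecPolicy","metadata":{"annotations":{},'
    '"labels":{"app.kubernetes.io/managed-by":"kustomize",'
    '"app.kubernetes.io/name":"ipsec-policy-manager-operator"},'
    '"name":"ipsecpolicy-kube-dns-cert-manager-sample"},'
    '"spec":{"policies":[{"name":"kube-dns","servicename":"kube-dns","servicens":"kube-system",'
    '"serviceports":"tcp/53,tcp/9153"},{"name":"cert-manager","servicename":"cm-cert-manager",'
    '"servicens":"cert-manager","serviceports":"tcp/9402"}]}}'
)


def load_policy(text):
    """Parse an IPsecPolicy object from JSON (kubectl get ... -o json, or the annotation)."""
    return json.loads(text)


def _covers(policy_entry, servicename, servicens):
    """True when one spec.policies entry protects the given service in the given namespace."""
    return policy_entry["servicename"] == servicename and policy_entry["servicens"] == servicens


def unprotect_service(policy, servicename, servicens):
    """Return (action, manifest) for removing one service from an IPsecPolicy.

    action is "apply" with the trimmed manifest when other entries remain, or
    "delete" with the untouched manifest when the service was the only entry,
    because a policy with nothing left to protect must be deleted, not re-applied.
    """
    entries = policy["spec"]["policies"]
    remaining = [p for p in entries if not _covers(p, servicename, servicens)]
    if len(remaining) == len(entries):
        raise ValueError(f"no policy entry protects {servicens}/{servicename}")
    if not remaining:
        return "delete", policy
    trimmed = json.loads(json.dumps(policy))  # deep copy so the input is left intact
    trimmed["spec"]["policies"] = remaining
    return "apply", trimmed


def is_unprotected(policy, servicename, servicens):
    """Post-check on the object fetched after the change: no entry still covers the service."""
    return not any(_covers(p, servicename, servicens) for p in policy["spec"]["policies"])


if __name__ == "__main__":
    action, manifest = unprotect_service(load_policy(ORIGINAL_POLICY_JSON), "kube-dns", "kube-system")
    print(action)  # "apply": pipe the JSON below to `kubectl apply -f -`
    print(json.dumps(manifest, indent=2))
    print(unprotect_service(manifest, "cm-cert-manager", "cert-manager")[0])  # "delete"
```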