Kubernetes network encryption¶
MKE provides data-plane level IPSec network encryption to securely encrypt application traffic in a Kubernetes cluster. This secures application traffic within a cluster when running in untrusted infrastructure or environments. It is an optional feature of MKE that is enabled by deploying the SecureOverlay components on Kubernetes when using the default Calico driver for networking configured for IPIP tunneling (the default configuration).
Kubernetes network encryption is enabled by two components in MKE:
SecureOverlay Agent: deployed as a per-node service that manages the encryption state of the data plane. The agent controls the IPSec encryption of Calico’s IPIP tunnel traffic between the different nodes in the Kubernetes cluster.
SecureOverlay Master: deployed on an MKE manager node, it acts as the key management process that configures and periodically rotates the encryption keys.
Kubernetes network encryption uses AES Galois Counter Mode (AES-GCM) with 128-bit keys by default. Encryption is not enabled by default: the SecureOverlay Agent and Master must be deployed on MKE before traffic within the cluster is encrypted. Encryption can be enabled or disabled at any time during the cluster lifecycle; note, however, that doing so can cause temporary traffic outages between pods during the first few minutes after encryption is enabled or disabled. When enabled, Kubernetes pod traffic between hosts is encrypted at the IPIP tunnel interface on the MKE host.
Kubernetes network encryption is supported for the following platforms:
On-premise, AWS, GCE
Azure is not supported for network encryption, because encryption utilizes Calico’s IPIP tunnel
Only supported when using MKE’s default Calico CNI plugin
Supported on all MKE-supported Linux OSes
Before deploying the SecureOverlay components, ensure that Calico is configured so that the IPIP tunnel maximum transmission unit (MTU), the largest packet length the tunnel interface will carry, leaves sufficient headroom for the encryption overhead. Encryption adds 26 bytes of overhead, and every IPSec packet size must be a multiple of 4 bytes. IPIP tunnels require a further 20 bytes of encapsulation overhead. The IPIP tunnel interface MTU must therefore be no more than “EXTMTU - 46 - ((EXTMTU - 46) modulo 4)”, where EXTMTU is the minimum MTU of the external interfaces. An IPIP MTU of 1452 should generally be safe for most deployments.
Changing MKE’s MTU requires updating the MKE configuration.
Update the following values to the new MTU:
[cluster_config]
...
calico_mtu = "1452"
ipip_mtu = "1452"
...
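As an added example (not part of the MKE documentation), the following Python applies the MTU rule above to the minimum external MTU, checks a proposed calico_mtu / ipip_mtu pair against the result, and prints the matching configuration values. The function names are my own, and applying the same limit to calico_mtu as to ipip_mtu is an assumption based on the docs setting both to the same value.

```python
# Added example, not from the MKE docs: apply the SecureOverlay MTU rule
# EXTMTU - 46 - ((EXTMTU - 46) mod 4) and validate proposed MTU settings.

IPIP_OVERHEAD = 20   # bytes of IPIP encapsulation per packet
IPSEC_OVERHEAD = 26  # bytes added by IPSec encryption per packet
IPSEC_ALIGN = 4      # IPSec packet length must be a multiple of 4 bytes


def max_ipip_mtu(external_mtus):
    """Largest safe IPIP tunnel MTU given the MTUs of all external interfaces.

    EXTMTU is the minimum across the cluster's external interfaces, because an
    encrypted tunnel packet must fit the path between any pair of nodes.
    """
    if not external_mtus:
        raise ValueError("need at least one external interface MTU")
    budget = min(external_mtus) - IPIP_OVERHEAD - IPSEC_OVERHEAD  # EXTMTU - 46
    return budget - (budget % IPSEC_ALIGN)


def check_mtu_config(external_mtus, calico_mtu, ipip_mtu):
    """Return a list of problems with the proposed values; empty means OK.

    Assumption (hypothetical check): calico_mtu is held to the same limit as
    ipip_mtu, since the MKE docs set both values to the same MTU.
    """
    limit = max_ipip_mtu(external_mtus)
    problems = []
    for name, value in (("calico_mtu", calico_mtu), ("ipip_mtu", ipip_mtu)):
        if value > limit:
            problems.append(f"{name}={value} exceeds the safe maximum of {limit}")
        if value % IPSEC_ALIGN:
            problems.append(f"{name}={value} is not a multiple of {IPSEC_ALIGN}")
    return problems


def mtu_config_snippet(mtu):
    """The [cluster_config] lines to set in the MKE configuration file."""
    return f'[cluster_config]\ncalico_mtu = "{mtu}"\nipip_mtu = "{mtu}"\n'


if __name__ == "__main__":
    # Constructed sample: hosts with a standard 1500-byte Ethernet MTU.
    hosts = [1500]
    safe = max_ipip_mtu(hosts)  # 1452, the value the docs call generally safe
    print(f"safe IPIP MTU: {safe}")
    print(mtu_config_snippet(safe))
    # A tunnel MTU above the limit leaves no room for the 46-byte overhead.
    for problem in check_mtu_config(hosts, 1480, 1480):
        print("problem:", problem)
```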
SecureOverlay allows you to enable IPSec network encryption in Kubernetes. Once the cluster nodes’ MTUs are properly configured, deploy the SecureOverlay components to MKE using the SecureOverlay YAML file.
Beginning with MKE 3.2.4, you can configure SecureOverlay in one of two ways:
Using the MKE configuration file
Using the SecureOverlay YAML file
Using the MKE configuration file¶
Add ``secure-overlay`` to the MKE configuration file.
Set it to ``true`` to enable IPSec network encryption. The default is ``false``.
Using the SecureOverlay YAML file¶
Download the SecureOverlay YAML file.
Issue the following command from any machine with a properly configured kubectl environment and the credentials from the appropriate MKE client bundle:
$ kubectl apply -f ucp-secureoverlay.yml
Run this command at cluster installation time before starting any workloads.
To remove the encryption from the system, issue the following command:
$ kubectl delete -f ucp-secureoverlay.yml