Kubernetes network encryption

MKE provides data-plane level IPSec network encryption to securely encrypt application traffic in a Kubernetes cluster. This secures application traffic within a cluster when running in untrusted infrastructure or environments. It is an optional feature of MKE that is enabled by deploying the SecureOverlay components on Kubernetes when using the default Calico driver for networking configured for IPIP tunneling (the default configuration).

Kubernetes network encryption is enabled by two components in MKE:

  • SecureOverlay Agent

  • SecureOverlay Master

The agent is deployed as a per-node service that manages the encryption state of the data plane. The agent controls the IPSec encryption on Calico’s IPIP tunnel traffic between different nodes in the Kubernetes cluster. The master is the second component, deployed on a MKE manager node, which acts as the key management process that configures and periodically rotates the encryption keys.

Kubernetes network encryption uses AES Galois Counter Mode (AES-GCM) with 128-bit keys by default. Encryption is not enabled by default and requires the SecureOverlay Agent and Master to be deployed on MKE to begin encrypting traffic within the cluster. It can be enabled or disabled at any time during the cluster lifecycle. However, it should be noted that it can cause temporary traffic outages between pods during the first few minutes of traffic enabling/disabling. When enabled, Kubernetes pod traffic between hosts is encrypted at the IPIP tunnel interface in the MKE host.


Kubernetes network encryption is supported for the following platforms:

  • MKE 3.1+

  • Kubernetes 1.11+

  • On-premise, AWS, GCE

  • Azure is not supported for network encryption as encryption utilizes

  • Calico’s IPIP tunnel

  • Only supported when using MKE’s default Calico CNI plugin

  • Supported on all MKE-supported Linux OSes

Configuring MTUs

Before deploying the SecureOverlay components, ensure that Calico is configured so that the IPIP tunnel MTU maximum transmission unit (MTU), or the largest packet length that the container will allow, leaves sufficient headroom for the encryption overhead. Encryption adds 26 bytes of overhead, but every IPSec packet size must be a multiple of 4 bytes. IPIP tunnels require 20 bytes of encapsulation overhead. The IPIP tunnel interface MTU must be no more than “EXTMTU - 46 - ((EXTMTU - 46) modulo 4)”, where EXTMTU is the minimum MTU of the external interfaces. An IPIP MTU of 1452 should generally be safe for most deployments.

Changing MKE’s MTU requires updating the MKE configuration.

Update the following values to the new MTU:

 calico_mtu = "1452"
 ipip_mtu = "1452"

Configuring SecureOverlay

SecureOverlay allows you to enable IPSec network encryption in Kubernetes. Once the cluster nodes’ MTUs are properly configured, deploy the SecureOverlay components using the SecureOverlay YAML file to MKE.

Beginning with MKE 3.2.4, you can configure SecureOverlay in one of two ways:

  • Using the MKE configuration file

  • Using the SecureOverlay YAML file

Using the MKE configuration file

  1. Add secure-overlay to the MKE configuration file.

  2. Set to``true`` to enable IPSec network encryption. The default is``false``.

Using the SecureOverlay YAML file

  1. Download the SecureOverlay YAML file.

  2. Issue the following command from any machine with the properly configured kubectl environment and the proper MKE bundle’s credentials:

    $ kubectl apply -f ucp-secureoverlay.yml
  3. Run this command at cluster installation time before starting any workloads.

To remove the encryption from the system, issue the following command:

$ kubectl delete -f ucp-secureoverlay.yml

See also