Inter-host Pod-to-pod Security Overview

On StarlingX, inter-host pod-to-pod traffic for a service can be configured to be protected by IPsec in tunnel mode over cluster host network. The configurations are defined as IPsec policies and managed by the ipsec-policy-operator Kubernetes system application.

Ipsec-policy-operator is an optional platform system application. IPsec policies are Kubernetes custom resources. You can create, update, and delete the IPsec policy CRs for services. Based on the user defined IPsec policies, the ipsec-policy-operator system application will configure/reconfigure IPsec on the cluster network to protect (or unprotect) the inter-host pod-to-pod traffic of services.

You need to install the ipsec-policy-operator system application first in order to protect the inter-host pod-to-pod traffic for services. You can then define IPsec policies in a yaml file and apply the yaml file using the kubectl command to create IPsec policies for services.

You can update the existing IPsec polices by updating and re-applying the yaml file or using the kubectl edit command.

An IPsec policy can also be deleted so that the specific traffic will no longer be protected by IPsec.