Protect Inter-host Pod-to-pod Traffic of Services
Prerequisites
The ipsec-policy-operator system application must be installed (applied). To check if the system application is installed, run the following command:
~(keystone_admin)$ system application-list
Procedure
Define the IPsec policies for services in a yaml file.
Example: The following ipsecpolicy_dns_cert-mananger.yaml file defines two policies:

kube-dns: For the kube-dns service in the kube-system namespace. The service's traffic on UDP port 53, TCP port 53, and TCP port 9153 will be protected by IPsec.

cert-manager: For cm-cert-manager in the cert-manager namespace. The service's traffic on TCP port 9402 will be protected by IPsec.

apiVersion: starlingx.io/v1
kind: IPsecPolicy
metadata:
  labels:
    app.kubernetes.io/name: ipsec-policy-manager-operator
    app.kubernetes.io/managed-by: kustomize
  name: ipsecpolicy-kube-dns-cert-manager-sample
spec:
  policies:
  - name: kube-dns
    servicename: kube-dns
    servicens: kube-system
    serviceports: tcp/53,udp/53,tcp/9153
  - name: cert-manager
    servicename: cm-cert-manager
    servicens: cert-manager
    serviceports: tcp/9402
The serviceports value for a particular service in the policy is the target port (and protocol) of the service. For a deployed service, the target ports and protocols can be found in the spec.ports list of the output of the following command:
~(keystone_admin)$ kubectl get service <service name> -n <service namespace> -o yaml
For example, the following command retrieves the kube-dns service's target ports:
[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get service kube-dns -n kube-system -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    prometheus.io/port: "9153"
    prometheus.io/scrape: "true"
  creationTimestamp: "2025-06-11T14:53:54Z"
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: CoreDNS
  name: kube-dns
  namespace: kube-system
  resourceVersion: "258"
  uid: 7cde7d6c-7d49-4506-bc54-e31e89e26f67
spec:
  clusterIP: 10.96.0.10
  clusterIPs:
  - 10.96.0.10
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: dns
    port: 53
    protocol: UDP
    targetPort: 53
  - name: dns-tcp
    port: 53
    protocol: TCP
    targetPort: 53
  - name: metrics
    port: 9153
    protocol: TCP
    targetPort: 9153
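As an added example (not part of the StarlingX documentation or the ipsec-policy-operator project), the following Python script derives the serviceports string of an IPsecPolicy entry from a Service's spec.ports and checks whether an existing policy leaves any target port unprotected. The Service is a constructed copy of the kube-dns output above, the policy keys are those of the starlingx.io/v1 IPsecPolicy on this page, and the handling of a named (string) targetPort is an assumption about how a practitioner would treat that case.

```python
import json

# Constructed sample: the page's kube-dns Service in the shape of
# `kubectl get service kube-dns -n kube-system -o json`, trimmed to
# the fields this script reads.
KUBE_DNS_SERVICE = json.loads("""
{"apiVersion": "v1", "kind": "Service",
 "metadata": {"name": "kube-dns", "namespace": "kube-system"},
 "spec": {"ports": [
   {"name": "dns",     "port": 53,   "protocol": "UDP", "targetPort": 53},
   {"name": "dns-tcp", "port": 53,   "protocol": "TCP", "targetPort": 53},
   {"name": "metrics", "port": 9153, "protocol": "TCP", "targetPort": 9153}]}}
""")


def service_target_ports(service):
    """List the Service's target ports as 'proto/port' strings (the IPsecPolicy
    serviceports format), in spec.ports order, without duplicates."""
    ports = []
    for p in service["spec"]["ports"]:
        # Kubernetes defaults targetPort to port when it is omitted.
        target = p.get("targetPort", p["port"])
        if not isinstance(target, int):
            # A named targetPort must be resolved against the pod spec first;
            # refuse rather than emit a policy that matches nothing (assumption).
            raise ValueError(f"named targetPort {target!r} needs a pod-spec lookup")
        entry = f"{p.get('protocol', 'TCP').lower()}/{target}"
        if entry not in ports:
            ports.append(entry)
    return ports


def build_policy(name, service):
    """One spec.policies entry of a starlingx.io/v1 IPsecPolicy for the Service."""
    return {
        "name": name,
        "servicename": service["metadata"]["name"],
        "servicens": service["metadata"]["namespace"],
        "serviceports": ",".join(service_target_ports(service)),
    }


def uncovered_ports(policy, service):
    """Target ports that the policy's serviceports leave unprotected (an empty
    set means every port of the Service is covered by IPsec)."""
    covered = {s.strip().lower() for s in policy["serviceports"].split(",") if s.strip()}
    return set(service_target_ports(service)) - covered
```

Running uncovered_ports against a policy written as tcp/53,tcp/9153 reports udp/53 as unprotected, which is the kind of gap worth checking before a policy is applied.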
Apply the yaml file to create IPsec policies.
~(keystone_admin)$ kubectl apply -f ipsecpolicy_dns_cert-mananger.yaml
IPsec policies can be checked by running the following command:
~(keystone_admin)$ kubectl get ipsecpolicy [ -n <relevant-namespace> ]
The example output is as follows:
[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get ipsecpolicy
NAME                                       AGE
ipsecpolicy-kube-dns-cert-manager-sample   17h
The details of the IPsec policies created can be retrieved as follows:
[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get ipsecpolicy ipsecpolicy-kube-dns-cert-manager-sample -o yaml
apiVersion: starlingx.io/v1
kind: IPsecPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"starlingx.io/v1","kind":"IPsecPolicy","metadata":{"annotations":{},"labels":{"app.kubernetes.io/managed-by":"kustomize","app.kubernetes.io/name":"ipsec-policy-manager-operator"},"name":"ipsecpolicy-kube-dns-cert-manager-sample"},"spec":{"policies":[{"name":"kube-dns","servicename":"kube-dns","servicens":"kube-system","serviceports":"tcp/53,tcp/9153"},{"name":"cert-manager","servicename":"cm-cert-manager","servicens":"cert-manager","serviceports":"tcp/9402"}]}}
  creationTimestamp: "2025-08-06T21:17:17Z"
  generation: 2
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: ipsec-policy-manager-operator
  name: ipsecpolicy-kube-dns-cert-manager-sample
  resourceVersion: "6515284"
  uid: 46fcaa15-1e24-45ba-b01a-ee63cbc4b33b
spec:
  policies:
  - name: kube-dns
    servicename: kube-dns
    servicens: kube-system
    serviceports: tcp/53,udp/53,tcp/9153
  - name: cert-manager
    servicename: cm-cert-manager
    servicens: cert-manager
    serviceports: tcp/9402