Turn off Inter-host Pod-to-pod Traffic Protection in the Cluster

Prerequisites

  • The ipsec-policy-operator system application must be installed (applied). To check if the system application is installed, run the following command:

    ~(keystone_admin)$ system application-list
    
  • IPsec policies have been created for the services. To list them, run the following command:

    ~(keystone_admin)$ kubectl get ipsecpolicies
    

This procedure applies to users who decide to turn off inter-host pod-to-pod traffic protection in the cluster.

Procedure

There are two methods to turn off the inter-host pod-to-pod IPsec feature in the cluster.

Method 1

Delete all the IPsec policy custom resources (CRs) in the system

  1. List the IPsec policy CRs in the system by running the following command:

    ~(keystone_admin)$ kubectl get ipsecpolicies
    
  2. Delete the listed policies by running the following command:

    ~(keystone_admin)$ kubectl delete ipsecpolicies <IPsec policy>
    

After all the IPsec policy CRs are deleted, there will be no IPsec for inter-host pod-to-pod network traffic.
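Method 1 can be scripted so that each policy is saved before it is deleted and the final state is checked. The following is an added example, not part of the original procedure or the project's own tooling; the function names and the backup directory argument are hypothetical, and it assumes kubectl is on the PATH and authenticated as in the commands above.

```shell
#!/bin/sh
# Added example: Method 1 with a per-policy backup and a final check.
# Function names and the backup directory are assumptions, not StarlingX tooling.

# Print the IPsec policy CRs, one "resource/name" per line (empty if none exist).
list_ipsec_policies() {
    kubectl get ipsecpolicies -o name
}

# Save every policy to directory $1 as YAML, delete the policies one at a time,
# then confirm that none remain.
# Returns 0 when no IPsec policy CR is left, 1 on any error or leftover policy.
remove_all_ipsec_policies() {
    backup_dir=$1
    mkdir -p "$backup_dir" || return 1

    policies=$(list_ipsec_policies) || return 1
    for policy in $policies; do
        name=${policy##*/}
        # Keep a copy of the policy as a record of what was protected.
        kubectl get "$policy" -o yaml > "$backup_dir/$name.yaml" || return 1
        kubectl delete "$policy" || return 1
    done

    # Turning protection off is only complete when the list is empty.
    remaining=$(list_ipsec_policies) || return 1
    if [ -n "$remaining" ]; then
        echo "IPsec policies still present:" >&2
        echo "$remaining" >&2
        return 1
    fi
    echo "No IPsec policy CRs remain; there is no IPsec for inter-host pod-to-pod traffic."
}
```

Call it as `remove_all_ipsec_policies <backup directory>` and keep the saved YAML files with the change record.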

Method 2

Remove the ipsec-policy-operator system application

The ipsec-policy-operator system application can be removed from the cluster by running the following command:

    ~(keystone_admin)$ system application-remove ipsec-policy-operator

When the system application is removed, the ipsec-policy-operator system application will be in the uploaded state. All the related resources including the existing IPsec policies will be deleted. All the existing IPsec tunnels for inter-host pod-to-pod traffic will also be removed. There will be no IPsec for inter-host pod-to-pod network traffic.