Unprotect Inter-host Pod-to-pod Traffic at Specific Ports of Services

This applies to users who want to protect services at only certain ports.

Prerequisites

  • The ipsec-policy-operator system application is installed (applied).

    To check if the system application is installed, run the following command:

    ~(keystone_admin)$ system application-list
    
  • IPsec policies have already been created for the services.

    ~(keystone_admin)$ kubectl get ipsecpolicies -o yaml
    

Procedure

There are two methods to remove specific ports from a service's IPsec policy: edit the policy in place with the kubectl edit ipsecpolicy <ipsec policy> command, or update the original yaml file and re-apply it. The procedure below uses the second method.

  1. Update the original yaml file to remove a service’s ports from IPsec protection.

    Using the same kube-dns and cert-manager example, remove UDP port 53 from the kube-dns service so that only traffic on TCP ports 53 and 9153 is protected.

    apiVersion: starlingx.io/v1
    kind: IPsecPolicy
    metadata:
      labels:
        app.kubernetes.io/name: ipsec-policy-manager-operator
        app.kubernetes.io/managed-by: kustomize
      name: ipsecpolicy-kube-dns-cert-manager-sample
    spec:
      policies:
        - name: kube-dns
          servicename: kube-dns
          servicens: kube-system
          serviceports: tcp/53,tcp/9153
        - name: cert-manager
          servicename: cm-cert-manager
          servicens: cert-manager
          serviceports: tcp/9402
    
  2. Re-apply the yaml file to update the IPsec policies.

    ~(keystone_admin)$ kubectl apply -f ipsecpolicy_dns_cert-mananger.yaml
    

    Check if the IPsec policies are updated by running the following command:

    ~(keystone_admin)$ kubectl get ipsecpolicy ipsecpolicy-kube-dns-cert-manager-sample -o yaml
    

    The example output is as follows:

    [sysadmin@controller-0 ~(keystone_admin)]$ kubectl get ipsecpolicy ipsecpolicy-kube-dns-cert-manager-sample -o yaml
    apiVersion: starlingx.io/v1
    kind: IPsecPolicy
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"starlingx.io/v1","kind":"IPsecPolicy","metadata":{"annotations":{},"labels":{"app.kubernetes.io/managed-by":"kustomize","app.kubernetes.io/name":"ipsec-policy-manager-operator"},"name":"ipsecpolicy-kube-dns-cert-manager-sample"},"spec":{"policies":[{"name":"kube-dns","servicename":"kube-dns","servicens":"kube-system","serviceports":"tcp/53,tcp/9153"},{"name":"cert-manager","servicename":"cm-cert-manager","servicens":"cert-manager","serviceports":"tcp/9402"}]}}
      creationTimestamp: "2025-08-06T21:17:17Z"
      generation: 2
      labels:
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: ipsec-policy-manager-operator
      name: ipsecpolicy-kube-dns-cert-manager-sample
      resourceVersion: "6515284"
      uid: 46fcaa15-1e24-45ba-b01a-ee63cbc4b33b
    spec:
      policies:
      - name: kube-dns
        servicename: kube-dns
        servicens: kube-system
        serviceports: tcp/53,tcp/9153
      - name: cert-manager
        servicename: cm-cert-manager
        servicens: cert-manager
        serviceports: tcp/9402
    

    Note

    UDP port 53 is no longer listed in the kube-dns policy, so inter-host pod-to-pod traffic on that port is no longer IPsec-protected.
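    As an added example that is not part of the StarlingX documentation or the ipsec-policy-operator project, the following Python script compares an IPsecPolicy before and after an edit and reports exactly which service ports stop being IPsec-protected, so a port removal can be reviewed before it is applied. The "old" policy is a constructed sample that still lists udp/53; the "new" policy is the last-applied-configuration JSON from the output above.

```python
import json
from typing import Dict, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Constructed sample: the policy before the change, with udp/53 still protected.
OLD_POLICY_JSON = ('{"apiVersion":"starlingx.io/v1","kind":"IPsecPolicy",'
    '"metadata":{"name":"ipsecpolicy-kube-dns-cert-manager-sample"},'
    '"spec":{"policies":[{"name":"kube-dns","servicename":"kube-dns","servicens":"kube-system",'
    '"serviceports":"tcp/53,udp/53,tcp/9153"},{"name":"cert-manager","servicename":"cm-cert-manager",'
    '"servicens":"cert-manager","serviceports":"tcp/9402"}]}}')

# The updated policy, taken from the last-applied-configuration annotation shown above.
NEW_POLICY_JSON = ('{"apiVersion":"starlingx.io/v1","kind":"IPsecPolicy",'
    '"metadata":{"name":"ipsecpolicy-kube-dns-cert-manager-sample"},'
    '"spec":{"policies":[{"name":"kube-dns","servicename":"kube-dns","servicens":"kube-system",'
    '"serviceports":"tcp/53,tcp/9153"},{"name":"cert-manager","servicename":"cm-cert-manager",'
    '"servicens":"cert-manager","serviceports":"tcp/9402"}]}}')


def parse_serviceports(value: str) -> Set[Port]:
    """Parse a serviceports string such as "tcp/53,tcp/9153" into a set of (proto, port)."""
    ports: Set[Port] = set()
    for item in value.split(","):
        proto, sep, num = item.strip().partition("/")
        if sep != "/" or proto.lower() not in ("tcp", "udp") or not num.isdigit():
            raise ValueError(f"malformed serviceports entry: {item!r}")
        ports.add((proto.lower(), int(num)))
    return ports


def protected_ports(policy_doc: dict) -> Dict[str, Set[Port]]:
    """Map "namespace/service" to the ports this IPsecPolicy document protects."""
    result: Dict[str, Set[Port]] = {}
    for entry in policy_doc["spec"]["policies"]:
        key = f"{entry['servicens']}/{entry['servicename']}"
        result[key] = result.get(key, set()) | parse_serviceports(entry["serviceports"])
    return result


def audit_update(old_json: str, new_json: str) -> Dict[str, Set[Port]]:
    """Ports protected by the old policy but not by the new one, per service.
    A service dropped from the policy entirely reports all of its old ports."""
    old = protected_ports(json.loads(old_json))
    new = protected_ports(json.loads(new_json))
    lost = {svc: ports - new.get(svc, set()) for svc, ports in old.items()}
    return {svc: ports for svc, ports in lost.items() if ports}


if __name__ == "__main__":
    for svc, ports in sorted(audit_update(OLD_POLICY_JSON, NEW_POLICY_JSON).items()):
        print(f"{svc}: no longer IPsec-protected on {sorted(ports)}")
```

    Run it against the live policy by substituting the JSON from kubectl get ipsecpolicy <name> -o json for the old document and the edited file for the new one.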