Unprotect Inter-host Pod-to-pod Traffic of Specific Services

This procedure removes IPsec protection from selected services while leaving the policies for the other services in place.

Prerequisites

  • The ipsec-policy-operator system application is installed (applied).

    To check if the system application is installed, run the following command:

    ~(keystone_admin)$ system application-list
    
  • There are policies created for the services.

    ~(keystone_admin)$ kubectl get ipsecpolicies -o yaml
    

Procedure

There are two ways to remove the IPsec policy for a service. One is to edit the IPsecPolicy CR in place with the kubectl edit ipsecpolicy <ipsec policy> command. The other is to remove the service's policy entry from the original yaml file and re-apply the file. The steps below use the second method, which keeps the yaml file as the record of what is protected.

  1. Update the original yaml file to remove the services from IPsec protection.

    Using the same kube-dns and cert-manager example, remove the policy entry for the kube-dns service so that kube-dns traffic is no longer protected. The cert-manager entry is left unchanged.

    apiVersion: starlingx.io/v1
    kind: IPsecPolicy
    metadata:
      labels:
        app.kubernetes.io/name: ipsec-policy-manager-operator
        app.kubernetes.io/managed-by: kustomize
      name: ipsecpolicy-kube-dns-cert-manager-sample
    spec:
      policies:
        - name: cert-manager
          servicename: cm-cert-manager
          servicens: cert-manager
          serviceports: tcp/9402
    
  2. Re-apply the yaml file to update the IPsec policies.

    ~(keystone_admin)$ kubectl apply -f ipsecpolicy_dns_cert-mananger.yaml
    

    Check that the IPsec policy was updated by running the following command:

    ~(keystone_admin)$ kubectl get ipsecpolicy ipsecpolicy-kube-dns-cert-manager-sample -o yaml
    

    The example output is as follows:

    [sysadmin@controller-0 ~(keystone_admin)]$ kubectl get ipsecpolicy ipsecpolicy-kube-dns-cert-manager-sample -o yaml
    apiVersion: starlingx.io/v1
    kind: IPsecPolicy
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"starlingx.io/v1","kind":"IPsecPolicy","metadata":{"annotations":{},"labels":
    {"app.kubernetes.io/managed-by":"kustomize","app.kubernetes.io/name":"ipsec-policy-manager-
    operator"},"name":"ipsecpolicy-kube-dns-cert-manager-sample"},"spec":{"policies":[{"name":"kube-
    dns","servicename":"kube-dns","servicens":"kube-system","serviceports":"tcp/53,tcp/9153"},{"name":"cert-
    manager","servicename":"cm-cert-manager","servicens":"cert-manager","serviceports":"tcp/9402"}]}}
      creationTimestamp: "2025-08-06T21:17:17Z"
      generation: 2
      labels:
        app.kubernetes.io/managed-by: kustomize
        app.kubernetes.io/name: ipsec-policy-manager-operator
      name: ipsecpolicy-kube-dns-cert-manager-sample
      resourceVersion: "6515284"
      uid: 46fcaa15-1e24-45ba-b01a-ee63cbc4b33b
    spec:
      policies:
      - name: cert-manager
        servicename: cm-cert-manager
        servicens: cert-manager
        serviceports: tcp/9402
    

    Note

    The kube-dns policy entry is removed: spec.policies now lists only cert-manager, and generation has advanced to 2 because the spec changed. The last-applied-configuration annotation still shows the earlier two-entry spec until the next apply rewrites it, so check spec.policies, not the annotation, when verifying.

    Note

    If the service to be unprotected is the only service in an IPsec policy CR, delete the IPsec policy CR (kubectl delete ipsecpolicy <ipsec policy>) in order to remove the policy.
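The following is an added example, not code from the StarlingX documentation or from the ipsec-policy-operator project. It automates the manual edit above: it takes an IPsecPolicy CR as kubectl get ipsecpolicy <name> -o json would return it, drops the policy entry for the service to unprotect, strips the server-owned metadata so the result can be re-applied, and, when the removed entry was the last one (the case in the second Note), reports that the CR must be deleted instead of re-applied. The sample CR, the function names (unprotect, protected_services, load_sample) and the output file name are constructed for this example; only the CR fields and the kubectl resource name come from the page.

```python
"""Remove one service's policy entry from a StarlingX IPsecPolicy CR.

Added example (not the project's own code). Input is the CR JSON as returned
by `kubectl get ipsecpolicy <name> -o json`; output is either a manifest to
re-apply or an instruction to delete the CR when no policies remain.
"""
import copy
import json

# Constructed sample: the kube-dns + cert-manager CR from the page, with the
# server-populated fields that `kubectl get -o json` adds (annotation shortened).
SAMPLE_CR_JSON = json.dumps({
    "apiVersion": "starlingx.io/v1",
    "kind": "IPsecPolicy",
    "metadata": {
        "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}"},
        "creationTimestamp": "2025-08-06T21:17:17Z",
        "generation": 2,
        "labels": {
            "app.kubernetes.io/managed-by": "kustomize",
            "app.kubernetes.io/name": "ipsec-policy-manager-operator",
        },
        "name": "ipsecpolicy-kube-dns-cert-manager-sample",
        "resourceVersion": "6515284",
        "uid": "46fcaa15-1e24-45ba-b01a-ee63cbc4b33b",
    },
    "spec": {"policies": [
        {"name": "kube-dns", "servicename": "kube-dns",
         "servicens": "kube-system", "serviceports": "tcp/53,tcp/9153"},
        {"name": "cert-manager", "servicename": "cm-cert-manager",
         "servicens": "cert-manager", "serviceports": "tcp/9402"},
    ]},
})

# Metadata keys the API server owns; a manifest you re-apply must not carry them.
SERVER_FIELDS = ("creationTimestamp", "generation", "resourceVersion", "uid",
                 "managedFields", "annotations")


def load_sample():
    """Parse the constructed sample CR (stands in for `kubectl get ... -o json`)."""
    return json.loads(SAMPLE_CR_JSON)


def protected_services(cr):
    """Return the set of (namespace, service) pairs the CR still protects."""
    return {(p["servicens"], p["servicename"]) for p in cr["spec"].get("policies", [])}


def unprotect(cr, policy_name):
    """Drop the policy entry named `policy_name`.

    Returns (action, manifest, command):
      "apply"  -> re-apply `manifest` with the returned kubectl command
      "delete" -> no policy entries remain; delete the CR instead (manifest is None)
    Raises KeyError if no entry with that name exists, so a typo is not a silent no-op.
    """
    policies = cr["spec"].get("policies", [])
    if not any(p["name"] == policy_name for p in policies):
        raise KeyError(f"no policy named {policy_name!r} in {cr['metadata']['name']}")
    remaining = [p for p in policies if p["name"] != policy_name]
    name = cr["metadata"]["name"]
    if not remaining:
        # Last entry removed: per the page, the CR itself has to be deleted.
        return "delete", None, f"kubectl delete ipsecpolicy {name}"
    manifest = copy.deepcopy(cr)
    manifest["spec"]["policies"] = remaining
    for key in SERVER_FIELDS:
        manifest["metadata"].pop(key, None)
    # Output file name is this example's choice, not a StarlingX convention.
    return "apply", manifest, f"kubectl apply -f {name}.json"


if __name__ == "__main__":
    cr = load_sample()
    action, manifest, cmd = unprotect(cr, "kube-dns")
    print(action, "->", cmd)
    print(json.dumps(manifest, indent=2))
    print("still protected:", sorted(protected_services(manifest)))
```

Running it on the sample prints an apply manifest whose spec.policies holds only cert-manager, matching the expected output above; unprotecting cert-manager from that result returns "delete" with the corresponding kubectl delete ipsecpolicy command, which is the second Note's case.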