Kube-OVN Overlay Network Supports IPsec Encryption

This document provides a detailed guide on enabling and disabling IPsec encrypted tunnel traffic in the Kube-OVN Overlay network. Since OVN tunnel traffic is transmitted through physical routers and switches, which may be located in untrusted public networks or at risk of attacks, enabling IPsec encryption can effectively prevent traffic data from being monitored and tampered with.

Terminology

Term	Explanation
IPsec	A protocol and technology used to protect and validate data transmitted over the internet. It provides secure communication at the IP layer and is primarily used to create virtual private networks (VPNs) and protect the transmission of IP packets. IPsec ensures data security primarily through the following methods: Data Encryption: Through encryption technology, IPsec can ensure that data is not stolen or altered during transmission. Common encryption algorithms include AES, 3DES, etc. Data Integrity Check: IPsec uses hash functions (such as SHA-1, SHA-256) to verify the integrity of data, ensuring that data has not been modified during transmission. Authentication: IPsec can verify the identity of both parties involved in communication using various methods (such as pre-shared keys, digital certificates) to prevent unauthorized access. Key Management: IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and manage encryption keys.

Term

Explanation

IPsec

A protocol and technology used to protect and validate data transmitted over the internet. It provides secure communication at the IP layer and is primarily used to create virtual private networks (VPNs) and protect the transmission of IP packets. IPsec ensures data security primarily through the following methods:

Data Encryption: Through encryption technology, IPsec can ensure that data is not stolen or altered during transmission. Common encryption algorithms include AES, 3DES, etc.
Data Integrity Check: IPsec uses hash functions (such as SHA-1, SHA-256) to verify the integrity of data, ensuring that data has not been modified during transmission.
Authentication: IPsec can verify the identity of both parties involved in communication using various methods (such as pre-shared keys, digital certificates) to prevent unauthorized access.
Key Management: IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and manage encryption keys.

Notes

Enabling IPsec may cause a few seconds of network interruption.
If the kernel version is 3.10.0-1160.el7.x86_64, enabling the IPsec feature of Kube-OVN may encounter compatibility issues.

Prerequisites

Please execute the following command to check whether the current operating system kernel supports IPsec-related modules. If the output shows that all XFRM-related modules are y or m, it indicates support for IPsec.

cat /boot/config-$(uname -r) | grep CONFIG_XFRM

Output:

CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
CONFIG_XFRM_SUB_POLICY=y
CONFIG_XFRM_MIGRATE=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_IPCOMP=m

Procedure

Note: Unless otherwise specified, the following commands must be executed in the CLI tool on the cluster Master node.

Enable IPsec

Modify the configuration file of kube-ovn-controller.
1. Execute the following command to edit the YAML configuration file of kube-ovn-controller.
  kubectl edit deploy kube-ovn-controller -n kube-system
2. Modify the specified fields according to the following instructions.
  spec: template: spec: containers: - args: - --enable-ovn-ipsec=true # Add this field securityContext: runAsUser: 0 # Change the value to 0
  Field explanations:
  - spec.template.spec.containers[0].args: Add - --enable-ovn-ipsec=true under this field.
  - spec.template.spec.containers[0].securityContext.runAsUser: Change the value of this field to 0.
3. Save the changes.

Modify the kube-ovn-cni configuration file.

Execute the following command to edit the YAML configuration file of kube-ovn-cni.
```
kubectl edit ds kube-ovn-cni -n kube-system
```

Modify the specified fields according to the following instructions.

spec:
  template:
    spec:
      containers:
        - args:
            - --enable-ovn-ipsec=true # Add this field
          volumeMounts: # Add mount path, mount the volume named ovs-ipsec-keys to the container
            - mountPath: /etc/ovs_ipsec_keys
              name: ovs-ipsec-keys
      volumes: # Add a volume named ovs-ipsec-keys of type hostPath
        - name: ovs-ipsec-keys
          hostPath:
            path: /etc/origin/ovs_ipsec_keys

Field explanations:

spec.template.spec.containers[0].args: Add - --enable-ovn-ipsec=true under this field.
spec.template.spec.containers[0].volumeMounts: Add the mount path and mount the volume named ovs-ipsec-keys to the container.
spec.template.spec.volumes: Add a volume named ovs-ipsec-keys of type hostPath under this field.

Save the changes.

Verify whether the feature has been successfully enabled.

Execute the following command to enter the kube-ovn-cni Pod.

kubectl exec -it -n kube-system $(kubectl get pods -n kube-system -l app=kube-ovn-cni -o=jsonpath='{.items[0].metadata.name}') -- /bin/bash

Execute the following command to check the number of Security Associations connections. If there are (number of nodes - 1) up, it indicates a successful enablement.
```
ipsec status | grep "Security"
```
Output:
```
Security Associations (2 up, 0 connecting):  # Since there are 3 nodes in this cluster, you can see that the number of connections is 2 up
```

Disable IPsec

Modify the configuration file of kube-ovn-controller.
1. Execute the following command to edit the YAML configuration file of kube-ovn-controller.
  kubectl edit deploy kube-ovn-controller -n kube-system
2. Modify the specified fields according to the following instructions.
  spec: template: spec: containers: - args: - --enable-ovn-ipsec=false # Change to false securityContext: runAsUser: 65534 # Change the value to 65534
  Field explanations:
  - spec.template.spec.containers[0].args: Change the value of this field enable-ovn-ipsec to false.
  - spec.template.spec.containers[0].securityContext.runAsUser: Change the value of this field to 65534.
3. Save the changes.

Modify the kube-ovn-cni configuration file.

Execute the following command to edit the YAML configuration file of kube-ovn-cni.
```
kubectl edit ds kube-ovn-cni -n kube-system
```

Modify the specified fields according to the following instructions.

Configuration before modification

spec:
  template:
    spec:
      containers:
        - args:
            - --enable-ovn-ipsec=true # Change to false
          volumeMounts: # Remove the mount path named ovs-ipsec-keys
            - mountPath: /etc/ovs_ipsec_keys
              name: ovs-ipsec-keys
      volumes: # Remove the volume named ovs-ipsec-keys, type hostPath
        - name: ovs-ipsec-keys
          hostPath:
            path: /etc/origin/ovs_ipsec_keys

Field explanations:

spec.template.spec.containers[0].args: Change the value of this field enable-ovn-ipsec to false.
spec.template.spec.containers[0].volumeMounts: Remove the mount path named ovs-ipsec-keys under this field.
spec.template.spec.volumes: Remove the volume named ovs-ipsec-keys, type hostPath under this field.

Configuration after modification

spec:
  template:
    spec:
      containers:
        - args:
            - --enable-ovn-ipsec=false
          volumeMounts:
      volumes:

Save the changes.

Verify whether the feature has been successfully disabled.
1. Execute the following command to enter the kube-ovn-cni Pod.
  kubectl exec -it -n kube-system $(kubectl get pods -n kube-system -l app=kube-ovn-cni -o=jsonpath='{.items[0].metadata.name}') -- /bin/bash
2. Execute the following command to check the connection status. If there is no output, it indicates successful disabling.
  ipsec status

#Kube-OVN Overlay Network Supports IPsec Encryption

#TOC

#Terminology

#Notes

#Prerequisites

#Procedure

#Enable IPsec

#Disable IPsec