diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index 5805b70a1aa..927964d855b 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -3740,8 +3740,7 @@ data:
 # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
 #defaultMTU: 0
- # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
- # for the GRE tunnel type.
+ # Whether or not to enable IPsec encryption of tunnel traffic.
 #enableIPSecTunnel: false
 # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
@@ -3892,7 +3891,7 @@ metadata:
 annotations: {}
 labels:
 app: antrea
- name: antrea-config-gdgb98gmfd
+ name: antrea-config-hk22hhtb9f
 namespace: kube-system
 ---
 apiVersion: v1
@@ -3963,7 +3962,7 @@ spec:
 fieldRef:
 fieldPath: spec.serviceAccountName
 - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-gdgb98gmfd
+ value: antrea-config-hk22hhtb9f
 image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -4014,7 +4013,7 @@ spec:
 key: node-role.kubernetes.io/master
 volumes:
 - configMap:
- name: antrea-config-gdgb98gmfd
+ name: antrea-config-hk22hhtb9f
 name: antrea-config
 - name: antrea-controller-tls
 secret:
@@ -4295,7 +4294,7 @@ spec:
 operator: Exists
 volumes:
 - configMap:
- name: antrea-config-gdgb98gmfd
+ name: antrea-config-hk22hhtb9f
 name: antrea-config
 - hostPath:
 path: /etc/cni/net.d
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
index 2ac92a80b47..9dbb01a1cd8 100644
--- a/build/yamls/antrea-eks.yml
+++ b/build/yamls/antrea-eks.yml
@@ -3740,8 +3740,7 @@ data:
 # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
 #defaultMTU: 0
- # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
- # for the GRE tunnel type.
+ # Whether or not to enable IPsec encryption of tunnel traffic.
 #enableIPSecTunnel: false
 # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
@@ -3892,7 +3891,7 @@ metadata:
 annotations: {}
 labels:
 app: antrea
- name: antrea-config-gdgb98gmfd
+ name: antrea-config-hk22hhtb9f
 namespace: kube-system
 ---
 apiVersion: v1
@@ -3963,7 +3962,7 @@ spec:
 fieldRef:
 fieldPath: spec.serviceAccountName
 - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-gdgb98gmfd
+ value: antrea-config-hk22hhtb9f
 image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -4014,7 +4013,7 @@ spec:
 key: node-role.kubernetes.io/master
 volumes:
 - configMap:
- name: antrea-config-gdgb98gmfd
+ name: antrea-config-hk22hhtb9f
 name: antrea-config
 - name: antrea-controller-tls
 secret:
@@ -4297,7 +4296,7 @@ spec:
 operator: Exists
 volumes:
 - configMap:
- name: antrea-config-gdgb98gmfd
+ name: antrea-config-hk22hhtb9f
 name: antrea-config
 - hostPath:
 path: /etc/cni/net.d
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
index 30ed457d73b..e02dd133632 100644
--- a/build/yamls/antrea-gke.yml
+++ b/build/yamls/antrea-gke.yml
@@ -3740,8 +3740,7 @@ data:
 # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
 #defaultMTU: 0
- # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
- # for the GRE tunnel type.
+ # Whether or not to enable IPsec encryption of tunnel traffic.
 #enableIPSecTunnel: false
 # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
@@ -3892,7 +3891,7 @@ metadata:
 annotations: {}
 labels:
 app: antrea
- name: antrea-config-dc9bfdb7f6
+ name: antrea-config-2bk69mkcmb
 namespace: kube-system
 ---
 apiVersion: v1
@@ -3963,7 +3962,7 @@ spec:
 fieldRef:
 fieldPath: spec.serviceAccountName
 - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-dc9bfdb7f6
+ value: antrea-config-2bk69mkcmb
 image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -4014,7 +4013,7 @@ spec:
 key: node-role.kubernetes.io/master
 volumes:
 - configMap:
- name: antrea-config-dc9bfdb7f6
+ name: antrea-config-2bk69mkcmb
 name: antrea-config
 - name: antrea-controller-tls
 secret:
@@ -4298,7 +4297,7 @@ spec:
 path: /home/kubernetes/bin
 name: host-cni-bin
 - configMap:
- name: antrea-config-dc9bfdb7f6
+ name: antrea-config-2bk69mkcmb
 name: antrea-config
 - hostPath:
 path: /etc/cni/net.d
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
index 8edd9ccdac0..08b5638a709 100644
--- a/build/yamls/antrea-ipsec.yml
+++ b/build/yamls/antrea-ipsec.yml
@@ -3740,8 +3740,7 @@ data:
 # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
 #defaultMTU: 0
- # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
- # for the GRE tunnel type.
+ # Whether or not to enable IPsec encryption of tunnel traffic.
 enableIPSecTunnel: true
 # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
@@ -3897,7 +3896,7 @@ metadata:
 annotations: {}
 labels:
 app: antrea
- name: antrea-config-cccf8b2ggf
+ name: antrea-config-fk4ff77ct6
 namespace: kube-system
 ---
 apiVersion: v1
@@ -3977,7 +3976,7 @@ spec:
 fieldRef:
 fieldPath: spec.serviceAccountName
 - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-cccf8b2ggf
+ value: antrea-config-fk4ff77ct6
 image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -4028,7 +4027,7 @@ spec:
 key: node-role.kubernetes.io/master
 volumes:
 - configMap:
- name: antrea-config-cccf8b2ggf
+ name: antrea-config-fk4ff77ct6
 name: antrea-config
 - name: antrea-controller-tls
 secret:
@@ -4344,7 +4343,7 @@ spec:
 operator: Exists
 volumes:
 - configMap:
- name: antrea-config-cccf8b2ggf
+ name: antrea-config-fk4ff77ct6
 name: antrea-config
 - hostPath:
 path: /etc/cni/net.d
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
index 03d947c714f..5199545e3d4 100644
--- a/build/yamls/antrea.yml
+++ b/build/yamls/antrea.yml
@@ -3740,8 +3740,7 @@ data:
 # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
 #defaultMTU: 0
- # Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
- # for the GRE tunnel type.
+ # Whether or not to enable IPsec encryption of tunnel traffic.
 #enableIPSecTunnel: false
 # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
@@ -3897,7 +3896,7 @@ metadata:
 annotations: {}
 labels:
 app: antrea
- name: antrea-config-mdd77fmc97
+ name: antrea-config-t8cc9bfb6t
 namespace: kube-system
 ---
 apiVersion: v1
@@ -3968,7 +3967,7 @@ spec:
 fieldRef:
 fieldPath: spec.serviceAccountName
 - name: ANTREA_CONFIG_MAP_NAME
- value: antrea-config-mdd77fmc97
+ value: antrea-config-t8cc9bfb6t
 image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -4019,7 +4018,7 @@ spec:
 key: node-role.kubernetes.io/master
 volumes:
 - configMap:
- name: antrea-config-mdd77fmc97
+ name: antrea-config-t8cc9bfb6t
 name: antrea-config
 - name: antrea-controller-tls
 secret:
@@ -4300,7 +4299,7 @@ spec:
 operator: Exists
 volumes:
 - configMap:
- name: antrea-config-mdd77fmc97
+ name: antrea-config-t8cc9bfb6t
 name: antrea-config
 - hostPath:
 path: /etc/cni/net.d
diff --git a/build/yamls/base/conf/antrea-agent.conf b/build/yamls/base/conf/antrea-agent.conf
index 40d0065d2c7..36193814a3c 100644
--- a/build/yamls/base/conf/antrea-agent.conf
+++ b/build/yamls/base/conf/antrea-agent.conf
@@ -77,8 +77,7 @@ featureGates:
 # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
 #defaultMTU: 0
-# Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
-# for the GRE tunnel type.
+# Whether or not to enable IPsec encryption of tunnel traffic.
 #enableIPSecTunnel: false
 # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
diff --git a/cmd/antrea-agent/config.go b/cmd/antrea-agent/config.go
index 3d0f5f9c4ce..1fc2b825a2a 100644
--- a/cmd/antrea-agent/config.go
+++ b/cmd/antrea-agent/config.go
@@ -89,8 +89,7 @@ type AgentConfig struct {
 // --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
 // No default value for this field.
 ServiceCIDRv6 string `yaml:"serviceCIDRv6,omitempty"`
- // Whether or not to enable IPSec (ESP) encryption for Pod traffic across Nodes. IPSec encryption
- // is supported only for the GRE tunnel type. Antrea uses Preshared Key (PSK) for IKE
+ // Whether or not to enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses Preshared Key (PSK) for IKE
 // authentication. When IPSec tunnel is enabled, the PSK value must be passed to Antrea Agent
 // through an environment variable: ANTREA_IPSEC_PSK.
 // Defaults to false.
diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go
index a194615c19a..b6a28e02a36 100644
--- a/cmd/antrea-agent/options.go
+++ b/cmd/antrea-agent/options.go
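Review bot: The merged first line of the doc comment following ServiceCIDRv6 in cmd/antrea-agent/config.go now runs to roughly 120 columns, well beyond the ~90-column width every neighbouring comment line keeps, so the paragraph should be re-flowed rather than having the two removed lines joined into one. A re-flow that keeps the wording is `// Whether or not to enable IPSec (ESP) encryption for Pod traffic across Nodes. Antrea uses`, `// Preshared Key (PSK) for IKE authentication. When IPSec tunnel is enabled, the PSK value must`, `// be passed to Antrea Agent through an environment variable: ANTREA_IPSEC_PSK.`, followed by the unchanged `// Defaults to false.` line. Since the GRE-only sentence was dropped, it would also help operators if the comment stated which tunnel types the setting now covers, matching what docs/ipsec-tunnel.md in this same diff claims (GRE, Geneve, VXLAN and STT); I cannot confirm that support from the hunk itself. The field declaration this comment documents, and the rest of the AgentConfig struct, lie outside the hunk.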
@@ -116,9 +116,6 @@ func (o *Options) validate(args []string) error {
 o.config.TunnelType != ovsconfig.GRETunnel && o.config.TunnelType != ovsconfig.STTTunnel {
 return fmt.Errorf("tunnel type %s is invalid", o.config.TunnelType)
 }
- if o.config.EnableIPSecTunnel && o.config.TunnelType != ovsconfig.GRETunnel {
- return fmt.Errorf("IPSec encyption is supported only for GRE tunnel")
- }
 if o.config.OVSDatapathType != string(ovsconfig.OVSDatapathSystem) && o.config.OVSDatapathType != string(ovsconfig.OVSDatapathNetdev) {
 return fmt.Errorf("OVS datapath type %s is not supported", o.config.OVSDatapathType)
 }
diff --git a/docs/design/architecture.md b/docs/design/architecture.md
index 2355cc2def9..05ccf8e86fe 100644
--- a/docs/design/architecture.md
+++ b/docs/design/architecture.md
@@ -331,7 +331,7 @@ the [Antrea IPsec deployment yaml](/build/yamls/antrea-ipsec.yml), which creates
 a Kubernetes Secret to save the PSK value and populates it to the
 `ANTREA_IPSEC_PSK` environment variable of the Antrea Agent container.
-When IPsec is enabled, Antrea Agent will create a separate GRE tunnel port on
+When IPsec is enabled, Antrea Agent will create a separate tunnel port on
 the OVS bridge for each remote Node, and write the PSK string and the remote
 Node IP address to two OVS interface options of the tunnel interface. Then
 `ovs-monitor-ipsec` can detect the tunnel and create IPsec Security Policies
diff --git a/docs/ipsec-tunnel.md b/docs/ipsec-tunnel.md
index 38be8311f95..6c1ad033853 100644
--- a/docs/ipsec-tunnel.md
+++ b/docs/ipsec-tunnel.md
@@ -1,8 +1,8 @@
 # IPsec Encryption of Tunnel Traffic with Antrea
-Antrea supports encrypting tunnel traffic across Nodes with IPsec ESP. At this
-moment, IPsec encyption works only for GRE tunnel (but not Geneve, VXLAN, and
-STT tunnel types).
+Antrea supports encrypting tunnel traffic across Nodes with IPsec ESP.
+IPsec encyption works for all OVS supported tunnel including GRE, Geneve,
+VXLAN, and STT tunnel.
 ## Prerequisites