Update kubernetes-network-encryption.md

Anne Henmi 2018-09-12 13:56:53 -06:00 committed by GitHub
parent 317c326e1e
commit 44bfbbdcee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 3 deletions


@ -4,11 +4,23 @@ description: Learn how to configure network encryption in Kubernetes
keywords: ucp, cli, administration, kubectl, Kubernetes, security, network, ipsec, ipip, esp, calico
---
Docker Enterprise provides data-plane level IPSec network encryption to securely encrypt application traffic in a Kubernetes cluster. This secures application traffic within a cluster when running in untrusted infrastructure or environments. It is an optional feature of UCP that is enabled by deploying the Secure Overlay components on Kuberenetes when using the default Calico driver for networking configured for IPIP tunnelling (the default configuration).
Docker Enterprise provides data-plane level IPSec network encryption to securely encrypt application traffic in
a Kubernetes cluster. This secures application traffic within a cluster when running in untrusted infrastructure
or environments. It is an optional feature of UCP that is enabled by deploying the Secure Overlay components on
Kuberenetes when using the default Calico driver for networking configured for IPIP tunnelling (the default configuration).
Kubernetes network encryption is enabled by two components in UCP: the SecureOverlay Agent and SecureOverlay Master. The agent is deployed as a per-node service that manages the encryption state of the data plane. The agent controls the IPSec encryption on Calicos IPIP tunnel traffic between different nodes in the Kubernetes cluster. The master is the second component, which acts as the key management process that configures and periodically rotates the encryption keys.
Kubernetes network encryption is enabled by two components in UCP: the SecureOverlay Agent and SecureOverlay Master.
The agent is deployed as a per-node service that manages the encryption state of the data plane. The agent controls
the IPSec encryption on Calicos IPIP tunnel traffic between different nodes in the Kubernetes cluster. The master
is the second component, which acts as the key management process that configures and periodically rotates the
encryption keys.
Kubernetes network encryption uses AES-GCM with 128-bit keys (by default) and encrypts traffic between pods residing on different nodes. Encryption is not enabled by default and requires the SecureOverlay Agent and Master to be deployed on UCP to begin encrypting traffic within the cluster. It can be enabled or disabled at any time during the cluster lifecycle. However, note that enabling or disabling traffic can cause temporary inter-pod traffic outages during the first few minutes of encryption reconfiguration. When enabled, Kubernetes pod traffic between hosts is encrypted at the IPIP tunnel interface in the UCP host.
Kubernetes network encryption uses AES-GCM with 128-bit keys (by default) and encrypts traffic between pods residing
on different nodes. Encryption is not enabled by default and requires the SecureOverlay Agent and Master to be deployed
on UCP to begin encrypting traffic within the cluster. It can be enabled or disabled at any time during the cluster
lifecycle. However, note that enabling or disabling traffic can cause temporary inter-pod traffic outages during the
first few minutes of encryption reconfiguration. When enabled, Kubernetes pod traffic between hosts is encrypted at
the IPIP tunnel interface in the UCP host.
## Requirements
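Review bot: the three reflowed paragraphs carry over three wording defects from the original single-line versions that this pure line-wrapping change is the natural place to fix. In the first paragraph "Kuberenetes" should read "Kubernetes"; in the second, "Calicos IPIP tunnel traffic" needs the possessive "Calico's IPIP tunnel traffic"; and in the third, "enabling or disabling traffic can cause temporary inter-pod traffic outages" should read "enabling or disabling encryption can cause temporary inter-pod traffic outages", since it is the encryption reconfiguration, not traffic, that is being toggled, as the rest of that sentence says. The wrap itself is fine: Markdown joins the hard-wrapped lines back into single paragraphs, so the rendered page is unchanged and the hunk counts in the header match the 3 removed and 15 added lines.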