From 1c7774c240305a06e341539a6a605c0050217b76 Mon Sep 17 00:00:00 2001 From: Traci Morrison Date: Tue, 12 Nov 2019 12:26:26 -0500 Subject: [PATCH] Add info for SecureOverlay --- .../admin/configure/ucp-configuration-file.md | 3 +- .../kubernetes-network-encryption.md | 34 ++++++++++++------- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/ee/ucp/admin/configure/ucp-configuration-file.md b/ee/ucp/admin/configure/ucp-configuration-file.md index 5dc8bc1388..9ce1bfdf79 100644 --- a/ee/ucp/admin/configure/ucp-configuration-file.md +++ b/ee/ucp/admin/configure/ucp-configuration-file.md @@ -226,7 +226,8 @@ components. Assigning these values overrides the settings in a container's | `local_volume_collection_mapping` | no | Store data about collections for volumes in UCP's local KV store instead of on the volume labels. This is used for enforcing access control on volumes. | | `manager_kube_reserved_resources` | no | Reserve resources for Docker UCP and Kubernetes components which are running on manager nodes. | | `worker_kube_reserved_resources` | no | Reserve resources for Docker UCP and Kubernetes components which are running on worker nodes. | -| `kubelet_max_pods` | yes | Set Number of Pods that can run on a node. Default is `110`. +| `kubelet_max_pods` | yes | Set Number of Pods that can run on a node. Default is `110`.| +| `secure-overlay` | no | Set to `true` to enable IPSec network encryption in Kubernetes. Default is `false`. | > Note > diff --git a/ee/ucp/kubernetes/kubernetes-network-encryption.md b/ee/ucp/kubernetes/kubernetes-network-encryption.md index 9bd89581dd..47bf60d1a8 100644 --- a/ee/ucp/kubernetes/kubernetes-network-encryption.md +++ b/ee/ucp/kubernetes/kubernetes-network-encryption.md 
@@ -6,8 +6,8 @@ keywords: ucp, cli, administration, kubectl, Kubernetes, security, network, ipse Docker Enterprise Edition provides data-plane level IPSec network encryption to securely encrypt application traffic in a Kubernetes cluster. This secures application traffic within a cluster when running in untrusted -infrastructure or environments. It is an optional feature of UCP that is enabled by deploying the Secure Overlay -components on Kuberenetes when using the default Calico driver for networking configured for IPIP tunnelling +infrastructure or environments. It is an optional feature of UCP that is enabled by deploying the SecureOverlay +components on Kubernetes when using the default Calico driver for networking configured for IPIP tunneling (the default configuration). Kubernetes network encryption is enabled by two components in UCP: the SecureOverlay Agent and SecureOverlay @@ -27,7 +27,7 @@ interface in the UCP host. ## Requirements -Kubernetes Network Encryption is supported for the following platforms: +Kubernetes network encryption is supported for the following platforms: * Docker Enterprise 2.1+ (UCP 3.1+) * Kubernetes 1.11+ * On-premise, AWS, GCE 
@@ -37,15 +37,15 @@ Kubernetes Network Encryption is supported for the following platforms: ## Configuring MTUs -Before deploying the SecureOverlay components one must ensure that Calico is configured so that the IPIP tunnel -MTU leaves sufficient headroom for the encryption overhead. Encryption adds 26 bytes of overhead but every IPSec -packet size must be a multiple of 4 bytes. IPIP tunnels require 20 bytes of encapsulation overhead. So the IPIP -tunnel interface MTU must be no more than "EXTMTU - 46 - ((EXTMTU - 46) modulo 4)" where EXTMTU is the minimum MTU +Before deploying the SecureOverlay components, ensure that Calico is configured so that the IPIP tunnel +MTU maximum transmission unit (MTU), or the largest packet length that the container will allow, leaves sufficient headroom for the encryption overhead. Encryption adds 26 bytes of overhead, but every IPSec +packet size must be a multiple of 4 bytes. IPIP tunnels require 20 bytes of encapsulation overhead. The IPIP +tunnel interface MTU must be no more than "EXTMTU - 46 - ((EXTMTU - 46) modulo 4)", where EXTMTU is the minimum MTU of the external interfaces. An IPIP MTU of 1452 should generally be safe for most deployments. Changing UCP's MTU requires updating the UCP configuration. This process is described [here](/ee/ucp/admin/configure/ucp-configuration-file). -The user must update the following values to the new MTU: +Update the following values to the new MTU: [cluster_config] ... 
@@ -55,11 +55,21 @@ The user must update the following values to the new MTU: ## Configuring SecureOverlay -Once the cluster nodes’ MTUs are properly configured, deploy the SecureOverlay components using the Secure Overlay YAML file to UCP. +SecureOverlay allows you to enable IPSec network encryption in Kubernetes. Once the cluster nodes’ MTUs are properly configured, deploy the SecureOverlay components using the SecureOverlay YAML file to UCP. -[Download the Secure Overlay YAML file here.](ucp-secureoverlay.yml) +Beginning with UCP 3.2.4, you can configure SecureOverlay in two ways: +* Using the UCP configuration file or +* Using the SecureOverlay YAML file -After downloading the YAML file, run the following command from any machine with the properly configured kubectl environment and the proper UCP bundle's credentials: +### UCP configuration file + +Add `secure-overlay` to the UCP configuration file. Set this option to `true` to enable IPSec network encryption. The default is `false`. See [cluster_config options](https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#cluster_config-table-required) for more information. + +### SecureOverlay YAML file + +First, [download the SecureOverlay YAML file.](ucp-secureoverlay.yml) + +Next, issue the following command from any machine with the properly configured kubectl environment and the proper UCP bundle's credentials: ``` $ kubectl apply -f ucp-secureoverlay.yml @@ -67,7 +77,7 @@ $ kubectl apply -f ucp-secureoverlay.yml Run this command at cluster installation time before starting any workloads. -To remove the encryption from the system, issue the command: +To remove the encryption from the system, issue the following command: ``` $ kubectl delete -f ucp-secureoverlay.yml
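Review bot: in the `ucp-configuration-file.md` hunk, the new `secure-overlay` key is the only entry in the table that uses a hyphen; every neighbouring key (`kubelet_max_pods`, `worker_kube_reserved_resources`, `local_volume_collection_mapping`) is underscore-separated. Please confirm the exact key name UCP parses, because a misspelled key in the config file would be silently ignored and leave pod-to-pod traffic unencrypted while the operator believes it is on. The same line also repairs the missing closing `|` on the `kubelet_max_pods` row, which is worth mentioning in the commit message.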
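Review bot: in the `@@ -37,15` hunk of `kubernetes-network-encryption.md`, the inserted definition reads "IPIP tunnel MTU maximum transmission unit (MTU), or the largest packet length that the container will allow", which doubles "MTU" and attributes the limit to the container rather than to the tunnel interface. Suggest "so that the IPIP tunnel maximum transmission unit (MTU), the largest packet the interface will carry, leaves sufficient headroom for the encryption overhead." The surrounding sizing formula and the 26-byte and 20-byte overheads are unchanged and still read correctly.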
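Review bot: in the `@@ -55,11` hunk, the section still opens with "deploy the SecureOverlay components using the SecureOverlay YAML file to UCP" immediately before stating that there are now two ways to enable the feature, so the first sentence contradicts the list that follows; consider making the intro method-neutral and keeping the YAML instruction under its own subsection. The "UCP configuration file" subsection should also name the section the key belongs in (the companion hunk places it in the `[cluster_config]` table) and state that the MTU prerequisite above applies regardless of which method is used. Finally, the new link uses an absolute `https://docs.docker.com/...` URL while the rest of the page uses site-relative paths such as `/ee/ucp/admin/configure/ucp-configuration-file`; the relative form is the convention here.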