To secure communication between pods and services, the SBC CNe meets the following Zero Trust Architecture requirements:

  • Encryption for all data in transit
  • Authentication and authorization of all services
  • Least privileges
  • Logging and monitoring of security events

IPsec is used to establish secure VPN tunnels between the various workloads, and all traffic that travels through the tunnels is encrypted. A sidecar container attached to each pod establishes the secure IPsec channels/tunnels. IPsec tunnels/SAs are established between pods only on the configured inter-pod communication interface (eth0/ha0); other interfaces, such as pkt and mgt, are not affected.

Traffic between the pods is encrypted and decrypted by the Linux kernel using the IPsec SAs.

Prerequisite for Inter-Pod Security

To enable IPsec functionality, load the following kernel modules in the worker node:

  • esp4
  • esp6
  • xfrm4_tunnel
  • xfrm6_tunnel
  • xfrm_user
  • ip_tunnel
  • tunnel
  • tunnel6
  • xfrm4_mode_tunnel
  • xfrm6_mode_tunnel

Some of these modules are built into newer kernels, while others must be loaded explicitly.

For more information regarding required kernel modules, refer to the following documentation: https://docs.strongswan.org/docs/5.9/install/kernelModules.html
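The following check script is an added example, not part of the SBC CNe documentation or chart. It reports, for each module in the list above, whether it is currently loaded (from lsmod output), built into the running kernel (from /lib/modules/$(uname -r)/modules.builtin), or absent, and exits non-zero with the count of absent modules. A module reported missing may also have been merged into another module on a newer kernel, so compare the result against the strongSwan kernel-modules page linked above before loading anything.

```shell
#!/bin/sh
# Required modules, taken from the prerequisite list above
REQUIRED_MODULES="esp4 esp6 xfrm4_tunnel xfrm6_tunnel xfrm_user ip_tunnel tunnel tunnel6 xfrm4_mode_tunnel xfrm6_mode_tunnel"

# module_state NAME LSMOD_OUTPUT BUILTIN_LIST
# Prints "loaded" if NAME appears in the lsmod output, "builtin" if it appears
# in modules.builtin (paths such as kernel/net/ipv4/esp4.ko), else "missing".
module_state() {
  name=$1
  if printf '%s\n' "$2" | awk '{ print $1 }' | grep -Fqx "$name"; then
    echo loaded
  elif printf '%s\n' "$3" | sed 's#.*/##; s/\.ko$//' | grep -Fqx "$name"; then
    echo builtin
  else
    echo missing
  fi
}

# check_modules LSMOD_OUTPUT BUILTIN_LIST
# Prints one line per required module and returns the number still missing,
# so a non-zero status means the node is not ready for inter-pod IPsec.
check_modules() {
  missing=0
  for m in $REQUIRED_MODULES; do
    state=$(module_state "$m" "$1" "$2")
    printf '%-20s %s\n' "$m" "$state"
    if [ "$state" = missing ]; then
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# check_worker_node: run the check against the live worker node
check_worker_node() {
  check_modules "$(lsmod)" "$(cat "/lib/modules/$(uname -r)/modules.builtin")"
}

# Invoke with --live on the worker node; without it the functions are only defined.
if [ "${1-}" = "--live" ]; then
  check_worker_node
fi
```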

HELM Configurations

Set global.interPodSecurity.enable to true in values.yaml to enable inter-pod security.

Strongswan uses certificate-based authentication for IKE negotiation. The certificates are provided by the cert-manager. If the cert-manager is disabled, the certificates are provided through a secret object.

When the cert-manager is used, the global.interPodSecurity.certificate.provider option is set to either csi or cert-object. Specify the issuer's name in the global.interPodSecurity.certificate.issuer field.

When the certificate provider is set to user-provided-secret (cert-manager is not used), specify the secret name in the global.interPodSecurity.certificate.secretName field instead of the issuer field. In this case, create the secret object before installing the helm chart. The secret object contains the CA certificate, the pod certificate, and the private key corresponding to the pod certificate.

Other configurable parameters:

  1. An option to enable/disable probes
  2. Options to change the log level for Strongswan daemon and IPsec agent (program to automate IPsec policy creation and deletion).
  3. Options to modify different parameters related to IKE negotiations
    1. Reauthentication time
    2. IKE_SA and Child SA proposals (set of algorithms for IKE negotiation, includes an encryption algorithm, an integrity algorithm, a pseudo-random function (PRF), and a Diffie-Hellman key exchange group)
    3. Rekey parameters (rekey time, rekey bytes, rekey packets)
    4. IPsec mode (tunnel/transport)
    5. IKE version
values.yaml
global:

  interPodSecurity:
    enable: true  # Switch to enable or disable inter-pod security
    probe: true  # Enable or disable probes

    service_discovery_mode: "kube_api" # "dns/kube_api"

    charon_logs: # Strongswan Charon daemon logs
      general:
        enable: true
        logLevel:  # option to configure log levels for strongswan daemon
          default: 1 # valid options: -1, 0, 1, 2, 3, 4
          ike: 1  # log level for ike sas
          child_sa: 1 # log level for child sas
          kernel: 1 # log level for kernel events
    agent_config:
      log: # Agent logs
        logLevel: "debug" # valid options: debug, info, warning, error, critical
        backupCount: 5 
        maxBytes: 10485760
      ike:
        version: 2   # option to configure IKE version, IKEv2 is recommended
        reauth_time: 1800  # time (in seconds) to schedule IKE reauthentication
        proposals: ["aes128-sha256-x25519"] # set of algorithms for IKE SA negotiation
      child_sa:
        mode: "transport" # option to change IPSec mode (tunnel/transport)
        # IKE rekeying refreshes key material using a Diffie-Hellman key exchange, but does not re-check associated credentials.
        # It is supported with IKEv2 only.
        rekey_time: 5400 # time (in seconds) to refresh key material in CHILD_SA using a Diffie-Hellman key exchange
        rekey_bytes: 500000000 # number of bytes processed before initiating CHILD_SA rekeying
        rekey_packets: 1000000 # number of packets processed before initiating CHILD_SA rekeying

        start_action: "none"

        esp_proposals: ["aes128gcm128-x25519"] # set of algorithms for IPSec SA/Child SA negotiation

    certificate:
      # Mandatory attributes
      # options ["csi", "cert-object", "user-provided-secret"]
      provider: "csi"

      # User shall specify Issuer name & kind if "csi" or "cert-object" are selected as cert provider
      issuer: "" # Issuer name needs to be specified if cert-manager is used (csi/cert-object)
      # Issuer/ClusterIssuer
      issuerKind: "Issuer"

      # User shall specify secret name if "user-provided-secret" is selected as the cert provider
      # The secret shall include 3 files: root CA certificate, host certificate/chain, private key
      secretName: "" # Secret name needs to be specified if cert-manager is not used (provider: user-provided-secret)

      files:
        private_key: "tls.key" # File name of the private key
        host_cert: "tls.crt"   # File name of host certificate or certificate chain
        ca_cert: "ca.crt"      # File name of root CA certificate
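As an added example (not part of the SBC CNe chart), the script below checks that the three files of a user-provided secret are consistent before the chart is installed and then renders the Secret manifest the chart expects. The data keys are the file names configured under files: above (tls.key, tls.crt, ca.crt); the secret name and namespace are placeholders. verify_cert_bundle needs openssl on the PATH, so it is only meaningful against real PEM files.

```shell
#!/bin/sh
# File names must match files.private_key / files.host_cert / files.ca_cert in values.yaml
KEY_FILE=${KEY_FILE:-tls.key}
CERT_FILE=${CERT_FILE:-tls.crt}
CA_FILE=${CA_FILE:-ca.crt}

# verify_cert_bundle DIR
# Returns 0 only if the private key matches the pod certificate, the certificate
# chains to the CA, and it does not expire within 24 hours (requires openssl).
verify_cert_bundle() {
  dir=$1
  openssl x509 -in "$dir/$CERT_FILE" -noout -pubkey >"$dir/.cert.pub" || return 1
  openssl pkey -in "$dir/$KEY_FILE" -pubout >"$dir/.key.pub" || return 1
  if ! cmp -s "$dir/.cert.pub" "$dir/.key.pub"; then
    echo "private key does not match $CERT_FILE" >&2; return 1
  fi
  rm -f "$dir/.cert.pub" "$dir/.key.pub"
  openssl verify -CAfile "$dir/$CA_FILE" "$dir/$CERT_FILE" >/dev/null || return 1
  openssl x509 -in "$dir/$CERT_FILE" -noout -checkend 86400 >/dev/null || {
    echo "$CERT_FILE expires within 24 hours" >&2; return 1; }
}

# secret_manifest DIR NAME NAMESPACE
# Prints an Opaque Secret whose data keys are exactly the configured file names;
# fails if any of the three files is missing or empty.
secret_manifest() {
  dir=$1; name=$2; ns=$3
  for f in "$KEY_FILE" "$CERT_FILE" "$CA_FILE"; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f" >&2; return 1
    fi
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for f in "$KEY_FILE" "$CERT_FILE" "$CA_FILE"; do
    printf '  %s: %s\n' "$f" "$(base64 "$dir/$f" | tr -d '\n')"
  done
}

# Usage on a real bundle (placeholders for secret name and namespace):
#   verify_cert_bundle ./certs && secret_manifest ./certs ipsec-certs sbc-namespace | kubectl apply -f -
```

Apply the rendered manifest and set global.interPodSecurity.certificate.secretName to the same name before running helm install.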